config loaded debug statement logs secrets

[pflynn-virtru]

Expected: no secrets from opentdf.yaml should be logged

Actual:

time=2024-05-06T14:22:09.179-04:00 level=DEBUG msg="config loaded" config="&{DB:{Host:localhost Port:5432 Database:opentdf User:postgres Password:changeme RunMigrations:true SSLMode:prefer Schema:opentdf VerifyConnection:true MigrationsFS:<nil>} OPA:{Path:./opentdf-opa.yaml Embedded:true Logger:<nil>} Server:{Auth:{Enabled:true PublicRoutes:[] AuthNConfig:{EnforceDPoP:false Issuer:http://localhost:8888/auth/realms/master Audience:http://localhost:8080 OIDCConfiguration:{Issuer: AuthorizationEndpoint: TokenEndpoint: JwksURI: ResponseTypesSupported:[] SubjectTypesSupported:[] IDTokenSigningAlgValuesSupported:[] RequireRequestURIRegistration:false} Policy:{Default: RoleClaim: RoleMap:map[] Csv: Model:} CacheRefresh:15m}} GRPC:{ReflectionEnabled:true} CryptoProvider:{Type:standard HSMConfig:{Enabled:false ModulePath: PIN: SlotID:0 SlotLabel: Keys:map[]} StandardConfig:{RSAKeys:map[123:{PrivateKeyPath:../kas-private.pem PublicKeyPath:../kas-cert.pem} 456:{PrivateKeyPath:../kas-private.pem PublicKeyPath:../kas-cert.pem}] ECKeys:map[123:{PrivateKeyPath:../kas-ec-private.pem PublicKeyPath:../kas-ec-cert.pem}]}} TLS:{Enabled:false Cert: Key:} CORS:{Enabled:true AllowedOrigins: AllowedMethods: AllowedHeaders: ExposedHeaders: AllowCredentials:false MaxAge:0} WellKnownConfigRegister:<nil> Port:8080 Host:} Logger:{Level:debug Output:stdout Type:text} Services:map[authorization:{Enabled:true Remote:{Endpoint:} ExtraProps:map[client:tdf-entity-resolution legacy:true realm:opentdf secret:secret url:http://localhost:8888]} kas:{Enabled:true Remote:{Endpoint:} ExtraProps:map[]} policy:{Enabled:true Remote:{Endpoint:} ExtraProps:map[]}]}"

Please add masking secrets during logging of the fields

[strantalis]

@pflynn-virtru Is this something you have solved before? I just found this pkg https://github.com/m-mizutani/masq.

[cassandrabailey293]

• log the config but let's go field-by-field in the config object logged above to determine what fields actually need to be logged, removing secrets entirely
• tags in structs to indicate that certain fields are secrets, so they won't be logged

[dmihalcik-virtru]

Possible library fix: https://github.com/m-mizutani/masq

[strantalis]

I am still seeing secrets logged from the config. I think because extraProps is a map[string]any we might need to think about something else.

[mustyantsev]

I am still seeing secrets logged from the config. I think because extraProps is a map[string]any we might need to think about something else.

My very first commit (custom traversing) was able to mask all secrets. Should we use that approach? https://github.com/opentdf/platform/pull/1010/commits/ce5e1381b62fdbb46887e26af142b53c286a00fe