Added new config var enable_key_logging added (TykTechnologies#1301)

If enabled, tyk logs will show direct key hashes in logs. If turned off, all hash keys will be replaced by `<hidden>`
littleyang · Nov 28, 2017 · f6d170f · f6d170f
1 parent ffc3979
commit f6d170f
Show file tree

Hide file tree

Showing 19 changed files with 255 additions and 172 deletions.
diff --git a/config/config.go b/config/config.go
@@ -260,6 +260,7 @@ type Config struct {
 	ProxyDefaultTimeout               int                                   `json:"proxy_default_timeout"`
 	LogLevel                          string                                `json:"log_level"`
 	Security                          SecurityConfig                        `json:"security"`
+	EnableKeyLogging                  bool                                  `json:"enable_key_logging"`
 }
 
 type CertData struct {

diff --git a/coprocess.go b/coprocess.go
@@ -252,11 +252,8 @@ func (m *CoProcessMiddleware) ProcessRequest(w http.ResponseWriter, r *http.Requ
 	// The CP middleware indicates this is a bad auth:
 	if returnObject.Request.ReturnOverrides.ResponseCode > 400 {
 
-		log.WithFields(logrus.Fields{
-			"path":   r.URL.Path,
-			"origin": requestIP(r),
-			"key":    token,
-		}).Info("Attempted access with invalid key.")
+		logEntry := getLogEntryForRequest(r, token, nil)
+		logEntry.Info("Attempted access with invalid key.")
 
 		// Fire Authfailed Event
 		AuthFailed(m, r, token)

diff --git a/coprocess_id_extractor.go b/coprocess_id_extractor.go
@@ -82,10 +82,8 @@ func (e *BaseExtractor) ExtractBody(r *http.Request) (bodyValue string, err erro
 
 // Error is a helper for logging the extractor errors. It always returns HTTP 400 (so we don't expose any details).
 func (e *BaseExtractor) Error(r *http.Request, err error, message string) (returnOverrides ReturnOverrides) {
-	log.WithFields(logrus.Fields{
-		"path":   r.URL.Path,
-		"origin": requestIP(r),
-	}).Info("Extractor error: ", message, ", ", err)
+	logEntry := getLogEntryForRequest(r, "", nil)
+	logEntry.Info("Extractor error: ", message, ", ", err)
 
 	return ReturnOverrides{
 		ResponseCode:  400,

diff --git a/lint/schema.go b/lint/schema.go
@@ -658,6 +658,9 @@ const confSchema = `{
 				}
 			}
 		}
+	},
+	"enable_key_logging": {
+		"type": "boolean"
 	}
 }
 }`
diff --git a/log_helpers.go b/log_helpers.go
@@ -0,0 +1,36 @@
+package main
+
+import (
+	"net/http"
+
+	"github.com/Sirupsen/logrus"
+
+	"github.com/TykTechnologies/tyk/config"
+)
+
+// identifies that field value was hidden before output to the log
+const (
+	logHiddenValue = "<hidden>"
+)
+
+func getLogEntryForRequest(r *http.Request, key string, data map[string]interface{}) *logrus.Entry {
+	// populate http request fields
+	fields := logrus.Fields{
+		"path":   r.URL.Path,
+		"origin": requestIP(r),
+	}
+	// add key to log if configured to do so
+	if key != "" {
+		fields["key"] = key
+		if !config.Global.EnableKeyLogging {
+			fields["key"] = logHiddenValue
+		}
+	}
+	// add to log additional fields if any passed
+	if data != nil && len(data) > 0 {
+		for key, val := range data {
+			fields[key] = val
+		}
+	}
+	return log.WithFields(fields)
+}
diff --git a/log_helpers_test.go b/log_helpers_test.go
@@ -0,0 +1,134 @@
+package main
+
+import (
+	"net/http/httptest"
+	"testing"
+
+	"github.com/Sirupsen/logrus"
+
+	"github.com/TykTechnologies/tyk/config"
+)
+
+func TestGetLogEntryForRequest(t *testing.T) {
+	testReq := httptest.NewRequest("GET", "http://tyk.io/test", nil)
+	testReq.RemoteAddr = "127.0.0.1:80"
+	testData := []struct {
+		EnableKeyLogging bool
+		Key              string
+		Data             map[string]interface{}
+		Result           *logrus.Entry
+	}{
+		// enable_key_logging is set, key passed, no additional data fields
+		{
+			EnableKeyLogging: true,
+			Key:              "abc",
+			Data:             nil,
+			Result: logrus.WithFields(logrus.Fields{
+				"path":   "/test",
+				"origin": "127.0.0.1",
+				"key":    "abc",
+			}),
+		},
+		// enable_key_logging is set, key is not passed, no additional data fields
+		{
+			EnableKeyLogging: true,
+			Key:              "",
+			Data:             nil,
+			Result: logrus.WithFields(logrus.Fields{
+				"path":   "/test",
+				"origin": "127.0.0.1",
+			}),
+		},
+		// enable_key_logging is set, key passed, additional data fields are passed
+		{
+			EnableKeyLogging: true,
+			Key:              "abc",
+			Data:             map[string]interface{}{"a": 1, "b": "test"},
+			Result: logrus.WithFields(logrus.Fields{
+				"path":   "/test",
+				"origin": "127.0.0.1",
+				"key":    "abc",
+				"a":      1,
+				"b":      "test",
+			}),
+		},
+		// enable_key_logging is set, key is not passed, additional data fields are passed
+		{
+			EnableKeyLogging: true,
+			Key:              "",
+			Data:             map[string]interface{}{"a": 1, "b": "test"},
+			Result: logrus.WithFields(logrus.Fields{
+				"path":   "/test",
+				"origin": "127.0.0.1",
+				"a":      1,
+				"b":      "test",
+			}),
+		},
+		// enable_key_logging is not set, key passed, no additional data field
+		{
+			EnableKeyLogging: false,
+			Key:              "abc",
+			Data:             nil,
+			Result: logrus.WithFields(logrus.Fields{
+				"path":   "/test",
+				"origin": "127.0.0.1",
+				"key":    logHiddenValue,
+			}),
+		},
+		// enable_key_logging is not set, key is not passed, no additional data field
+		{
+			EnableKeyLogging: false,
+			Key:              "",
+			Data:             nil,
+			Result: logrus.WithFields(logrus.Fields{
+				"path":   "/test",
+				"origin": "127.0.0.1",
+			}),
+		},
+		// enable_key_logging is not set, key passed, additional data fields are passed
+		{
+			EnableKeyLogging: false,
+			Key:              "abc",
+			Data:             map[string]interface{}{"a": 1, "b": "test"},
+			Result: logrus.WithFields(logrus.Fields{
+				"path":   "/test",
+				"origin": "127.0.0.1",
+				"a":      1,
+				"b":      "test",
+				"key":    logHiddenValue,
+			}),
+		},
+		// enable_key_logging is not set, key is not passed, additional data fields are passed
+		{
+			EnableKeyLogging: false,
+			Key:              "",
+			Data:             map[string]interface{}{"a": 1, "b": "test"},
+			Result: logrus.WithFields(logrus.Fields{
+				"path":   "/test",
+				"origin": "127.0.0.1",
+				"a":      1,
+				"b":      "test",
+			}),
+		},
+	}
+	for _, test := range testData {
+		config.Global.EnableKeyLogging = test.EnableKeyLogging
+		logEntry := getLogEntryForRequest(testReq, test.Key, test.Data)
+		if logEntry.Data["path"] != test.Result.Data["path"] {
+			t.Error("Expected 'path':", test.Result.Data["path"], "Got:", logEntry.Data["path"])
+		}
+		if logEntry.Data["origin"] != test.Result.Data["origin"] {
+			t.Error("Expected 'origin':", test.Result.Data["origin"], "Got:", logEntry.Data["origin"])
+		}
+		if logEntry.Data["key"] != test.Result.Data["key"] {
+			t.Error("Expected 'key':", test.Result.Data["key"], "Got:", logEntry.Data["key"])
+		}
+		if test.Data != nil {
+			for key, val := range test.Data {
+				if logEntry.Data[key] != val {
+					t.Error("Expected data key:", key, "with value:", val, "Got:", logEntry.Data[key])
+				}
+			}
+		}
+	}
+}
diff --git a/mw_access_rights.go b/mw_access_rights.go
@@ -3,8 +3,6 @@ package main
 import (
 	"errors"
 	"net/http"
-
-	"github.com/Sirupsen/logrus"
 )
 
 // AccessRightsCheck is a middleware that will check if the key bing used to access the API has
@@ -29,12 +27,14 @@ func (a *AccessRightsCheck) ProcessRequest(w http.ResponseWriter, r *http.Reques
 		// Otherwise, run auth checks
 		versionList, apiExists := session.AccessRights[a.Spec.APIID]
 		if !apiExists {
-			log.WithFields(logrus.Fields{
-				"path":      r.URL.Path,
-				"origin":    requestIP(r),
-				"key":       token,
-				"api_found": false,
-			}).Info("Attempted access to unauthorised API.")
+			logEntry := getLogEntryForRequest(
+				r,
+				token,
+				map[string]interface{}{
+					"api_found": false,
+				},
+			)
+			logEntry.Info("Attempted access to unauthorised API.")
 
 			return errors.New("Access to this API has been disallowed"), 403
 		}
@@ -55,13 +55,15 @@ func (a *AccessRightsCheck) ProcessRequest(w http.ResponseWriter, r *http.Reques
 
 		if !found {
 			// Not found? Bounce
-			log.WithFields(logrus.Fields{
-				"path":          r.URL.Path,
-				"origin":        requestIP(r),
-				"key":           token,
-				"api_found":     true,
-				"version_found": false,
-			}).Info("Attempted access to unauthorised API version.")
+			logEntry := getLogEntryForRequest(
+				r,
+				token,
+				map[string]interface{}{
+					"api_found":     true,
+					"version_found": false,
+				},
+			)
+			logEntry.Info("Attempted access to unauthorised API version.")
 
 			return errors.New("Access to this API has been disallowed"), 403
 		}

diff --git a/mw_api_rate_limit.go b/mw_api_rate_limit.go
@@ -5,8 +5,6 @@ import (
 	"fmt"
 	"net/http"
 
-	"github.com/Sirupsen/logrus"
-
 	"strconv"
 	"time"
 
@@ -44,11 +42,8 @@ func (k *RateLimitForAPI) EnabledForSpec() bool {
 }
 
 func (k *RateLimitForAPI) handleRateLimitFailure(r *http.Request, token string) (error, int) {
-	log.WithFields(logrus.Fields{
-		"path":   r.URL.Path,
-		"origin": requestIP(r),
-		"key":    token,
-	}).Info("API rate limit exceeded.")
+	logEntry := getLogEntryForRequest(r, token, nil)
+	logEntry.Info("API rate limit exceeded.")
 
 	// Fire a rate limit exceeded event
 	k.FireEvent(EventRateLimitExceeded, EventKeyFailureMeta{

diff --git a/mw_auth_key.go b/mw_auth_key.go
@@ -5,8 +5,6 @@ import (
 	"net/http"
 	"strings"
 
-	"github.com/Sirupsen/logrus"
-
 	"github.com/TykTechnologies/tyk/apidef"
 	"github.com/TykTechnologies/tyk/certs"
 )
@@ -76,10 +74,8 @@ func (k *AuthKey) ProcessRequest(w http.ResponseWriter, r *http.Request, _ inter
 
 	if key == "" {
 		// No header value, fail
-		log.WithFields(logrus.Fields{
-			"path":   r.URL.Path,
-			"origin": requestIP(r),
-		}).Info("Attempted access with malformed header, no auth header found.")
+		logEntry := getLogEntryForRequest(r, "", nil)
+		logEntry.Info("Attempted access with malformed header, no auth header found.")
 
 		return errors.New("Authorization field missing"), 401
 	}
@@ -90,11 +86,8 @@ func (k *AuthKey) ProcessRequest(w http.ResponseWriter, r *http.Request, _ inter
 	// Check if API key valid
 	session, keyExists := k.CheckSessionAndIdentityForValidKey(key)
 	if !keyExists {
-		log.WithFields(logrus.Fields{
-			"path":   r.URL.Path,
-			"origin": requestIP(r),
-			"key":    key,
-		}).Info("Attempted access with non-existent key.")
+		logEntry := getLogEntryForRequest(r, key, nil)
+		logEntry.Info("Attempted access with non-existent key.")
 
 		// Fire Authfailed Event
 		AuthFailed(k, r, key)
-Original file line number
+Diff line change
@@ Expand Up / @@ -658,6 +658,9 @@ const confSchema = `{ @@
     				}
     			}
     		}
+    	},
+    	"enable_key_logging": {
+    		"type": "boolean"
     	}
     }
     }`