This is an automated email from the ASF dual-hosted git repository.
mneumann pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/arrow-rs.git
The following commit(s) were added to refs/heads/master by this push:
new 97ae9d778b fix: azure sas token visible in logs (#6323)
97ae9d778b is described below
commit 97ae9d778b5f1d1fcc0c7beb91b2b1a6ed741194
Author: Alex Wilcoxson <[email protected]>
AuthorDate: Mon Sep 2 04:28:32 2024 -0500
fix: azure sas token visible in logs (#6323)
---
object_store/src/azure/client.rs | 47 +++++++++++++++++++++++++++++++++---
object_store/src/azure/credential.rs | 12 +++++++++
2 files changed, 55 insertions(+), 4 deletions(-)
diff --git a/object_store/src/azure/client.rs b/object_store/src/azure/client.rs
index b5e82c2a85..0499051554 100644
--- a/object_store/src/azure/client.rs
+++ b/object_store/src/azure/client.rs
@@ -226,11 +226,16 @@ impl<'a> PutRequest<'a> {
async fn send(self) -> Result<Response> {
let credential = self.config.get_credential().await?;
+ let sensitive = credential
+ .as_deref()
+ .map(|c| c.sensitive_request())
+ .unwrap_or_default();
let response = self
.builder
.header(CONTENT_LENGTH, self.payload.content_length())
.with_azure_authorization(&credential, &self.config.account)
.retryable(&self.config.retry_config)
+ .sensitive(sensitive)
.idempotent(self.idempotent)
.payload(Some(self.payload))
.send()
@@ -356,12 +361,18 @@ impl AzureClient {
let credential = self.get_credential().await?;
let url = self.config.path_url(path);
+ let sensitive = credential
+ .as_deref()
+ .map(|c| c.sensitive_request())
+ .unwrap_or_default();
self.client
.request(Method::DELETE, url)
.query(query)
.header(&DELETE_SNAPSHOTS, "include")
.with_azure_authorization(&credential, &self.config.account)
- .send_retry(&self.config.retry_config)
+ .retryable(&self.config.retry_config)
+ .sensitive(sensitive)
+ .send()
.await
.context(DeleteRequestSnafu {
path: path.as_ref(),
@@ -392,9 +403,14 @@ impl AzureClient {
builder = builder.header(IF_NONE_MATCH, "*");
}
+ let sensitive = credential
+ .as_deref()
+ .map(|c| c.sensitive_request())
+ .unwrap_or_default();
builder
.with_azure_authorization(&credential, &self.config.account)
.retryable(&self.config.retry_config)
+ .sensitive(sensitive)
.idempotent(overwrite)
.send()
.await
@@ -423,6 +439,10 @@ impl AzureClient {
));
body.push_str("</KeyInfo>");
+ let sensitive = credential
+ .as_deref()
+ .map(|c| c.sensitive_request())
+ .unwrap_or_default();
let response = self
.client
.request(Method::POST, url)
@@ -430,6 +450,7 @@ impl AzureClient {
.query(&[("restype", "service"), ("comp", "userdelegationkey")])
.with_azure_authorization(&credential, &self.config.account)
.retryable(&self.config.retry_config)
+ .sensitive(sensitive)
.idempotent(true)
.send()
.await
@@ -482,12 +503,18 @@ impl AzureClient {
pub async fn get_blob_tagging(&self, path: &Path) -> Result<Response> {
let credential = self.get_credential().await?;
let url = self.config.path_url(path);
+ let sensitive = credential
+ .as_deref()
+ .map(|c| c.sensitive_request())
+ .unwrap_or_default();
let response = self
.client
.request(Method::GET, url)
.query(&[("comp", "tags")])
.with_azure_authorization(&credential, &self.config.account)
- .send_retry(&self.config.retry_config)
+ .retryable(&self.config.retry_config)
+ .sensitive(sensitive)
+ .send()
.await
.context(GetRequestSnafu {
path: path.as_ref(),
@@ -536,10 +563,16 @@ impl GetClient for AzureClient {
builder = builder.query(&[("versionid", v)])
}
+ let sensitive = credential
+ .as_deref()
+ .map(|c| c.sensitive_request())
+ .unwrap_or_default();
let response = builder
.with_get_options(options)
.with_azure_authorization(&credential, &self.config.account)
- .send_retry(&self.config.retry_config)
+ .retryable(&self.config.retry_config)
+ .sensitive(sensitive)
+ .send()
.await
.context(GetRequestSnafu {
path: path.as_ref(),
@@ -590,12 +623,18 @@ impl ListClient for AzureClient {
query.push(("marker", token))
}
+ let sensitive = credential
+ .as_deref()
+ .map(|c| c.sensitive_request())
+ .unwrap_or_default();
let response = self
.client
.request(Method::GET, url)
.query(&query)
.with_azure_authorization(&credential, &self.config.account)
- .send_retry(&self.config.retry_config)
+ .retryable(&self.config.retry_config)
+ .sensitive(sensitive)
+ .send()
.await
.context(ListRequestSnafu)?
.bytes()
diff --git a/object_store/src/azure/credential.rs
b/object_store/src/azure/credential.rs
index c8212a9290..7808c7c4a7 100644
--- a/object_store/src/azure/credential.rs
+++ b/object_store/src/azure/credential.rs
@@ -130,6 +130,18 @@ pub enum AzureCredential {
BearerToken(String),
}
+impl AzureCredential {
+ /// Determines if the credential requires the request be treated as
sensitive
+ pub fn sensitive_request(&self) -> bool {
+ match self {
+ Self::AccessKey(_) => false,
+ Self::BearerToken(_) => false,
+ // SAS tokens are sent as query parameters in the url
+ Self::SASToken(_) => true,
+ }
+ }
+}
+
/// A list of known Azure authority hosts
pub mod authority_hosts {
/// China-based Azure Authority Host
