redact json key

1 files changed, 42 insertions, 9 deletions

diff --git a/src/core/lib/security/credentials/jwt/jwt_credentials.c b/src/core/lib/security/credentials/jwt/jwt_credentials.c
index f87ba0ce8d..01c349cd75 100644
--- a/src/core/lib/security/credentials/jwt/jwt_credentials.c
+++ b/src/core/lib/security/credentials/jwt/jwt_credentials.c
@@ -144,17 +144,50 @@ grpc_service_account_jwt_access_credentials_create_from_auth_json_key(
   return &c->base;
 }
 
+static char *redact_private_key(const char *json_key) {
+  const char *json_key_end = json_key + strlen(json_key);
+  const char *begin_cue = "BEGIN PRIVATE KEY";
+  const char *end_cue = "END PRIVATE KEY";
+  const char *redacted = " <redacted> ";
+  const char *begin_redact = strstr(json_key, begin_cue);
+  const char *end_redact = strstr(json_key, end_cue);
+  if (!begin_redact) {
+    begin_redact = json_key;
+  } else {
+    begin_redact += strlen(begin_cue);
+  }
+  if (!end_redact) {
+    end_redact = json_key_end;
+  }
+  GPR_ASSERT(end_redact - begin_redact >= 0);
+  size_t result_length =
+      strlen(json_key) - (size_t)(end_redact - begin_redact) + strlen(redacted);
+  char *clean_json = (char *)gpr_malloc(result_length + 1);
+  clean_json[result_length] = 0;
+  char *current = clean_json;
+  memcpy(current, json_key, (size_t)(begin_redact - json_key));
+  current += (begin_redact - json_key);
+  memcpy(current, redacted, strlen(redacted));
+  current += strlen(redacted);
+  memcpy(current, end_redact, (size_t)(json_key_end - end_redact));
+  return clean_json;
+}
+
 grpc_call_credentials *grpc_service_account_jwt_access_credentials_create(
     const char *json_key, gpr_timespec token_lifetime, void *reserved) {
-  GRPC_API_TRACE(
-      "grpc_service_account_jwt_access_credentials_create("
-      "json_key=%s, "
-      "token_lifetime="
-      "gpr_timespec { tv_sec: %" PRId64
-      ", tv_nsec: %d, clock_type: %d }, "
-      "reserved=%p)",
-      5, (json_key, token_lifetime.tv_sec, token_lifetime.tv_nsec,
-          (int)token_lifetime.clock_type, reserved));
+  if (grpc_api_trace) {
+    char *clean_json = redact_private_key(json_key);
+    gpr_log(GPR_INFO,
+            "grpc_service_account_jwt_access_credentials_create("
+            "json_key=%s, "
+            "token_lifetime="
+            "gpr_timespec { tv_sec: %" PRId64
+            ", tv_nsec: %d, clock_type: %d }, "
+            "reserved=%p)",
+            clean_json, token_lifetime.tv_sec, token_lifetime.tv_nsec,
+            (int)token_lifetime.clock_type, reserved);
+    gpr_free(clean_json);
+  }
   GPR_ASSERT(reserved == NULL);
   return grpc_service_account_jwt_access_credentials_create_from_auth_json_key(
       grpc_auth_json_key_create_from_string(json_key), token_lifetime);