From 502eb90b0977736bfdbbb6b528db93ba3e5d44f5 Mon Sep 17 00:00:00 2001
From: yang-g
Date: Wed, 9 Nov 2016 13:13:13 -0800
Subject: redact json key
---
 .../lib/security/credentials/jwt/jwt_credentials.c | 51 ++++++++++++++++++----
 1 file changed, 42 insertions(+), 9 deletions(-)
(limited to 'src/core/lib/security/credentials/jwt/jwt_credentials.c')
diff --git a/src/core/lib/security/credentials/jwt/jwt_credentials.c b/src/core/lib/security/credentials/jwt/jwt_credentials.c
index f87ba0ce8d..01c349cd75 100644
--- a/src/core/lib/security/credentials/jwt/jwt_credentials.c
+++ b/src/core/lib/security/credentials/jwt/jwt_credentials.c
@@ -144,17 +144,50 @@ grpc_service_account_jwt_access_credentials_create_from_auth_json_key(
 return &c->base;
 }
 
+static char *redact_private_key(const char *json_key) {
+ const char *json_key_end = json_key + strlen(json_key);
+ const char *begin_cue = "BEGIN PRIVATE KEY";
+ const char *end_cue = "END PRIVATE KEY";
+ const char *redacted = " ";
+ const char *begin_redact = strstr(json_key, begin_cue);
+ const char *end_redact = strstr(json_key, end_cue);
+ if (!begin_redact) {
+ begin_redact = json_key;
+ } else {
+ begin_redact += strlen(begin_cue);
+ }
+ if (!end_redact) {
+ end_redact = json_key_end;
+ }
+ GPR_ASSERT(end_redact - begin_redact >= 0);
+ size_t result_length =
+ strlen(json_key) - (size_t)(end_redact - begin_redact) + strlen(redacted);
+ char *clean_json = (char *)gpr_malloc(result_length + 1);
+ clean_json[result_length] = 0;
+ char *current = clean_json;
+ memcpy(current, json_key, (size_t)(begin_redact - json_key));
+ current += (begin_redact - json_key);
+ memcpy(current, redacted, strlen(redacted));
+ current += strlen(redacted);
+ memcpy(current, end_redact, (size_t)(json_key_end - end_redact));
+ return clean_json;
+}
+
 grpc_call_credentials *grpc_service_account_jwt_access_credentials_create(
 const char *json_key, gpr_timespec token_lifetime, void *reserved) {
- GRPC_API_TRACE(
- "grpc_service_account_jwt_access_credentials_create("
- "json_key=%s, "
- "token_lifetime="
- "gpr_timespec { tv_sec: %" PRId64
- ", tv_nsec: %d, clock_type: %d }, "
- "reserved=%p)",
- 5, (json_key, token_lifetime.tv_sec, token_lifetime.tv_nsec,
- (int)token_lifetime.clock_type, reserved));
+ if (grpc_api_trace) {
+ char *clean_json = redact_private_key(json_key);
+ gpr_log(GPR_INFO,
+ "grpc_service_account_jwt_access_credentials_create("
+ "json_key=%s, "
+ "token_lifetime="
+ "gpr_timespec { tv_sec: %" PRId64
+ ", tv_nsec: %d, clock_type: %d }, "
+ "reserved=%p)",
+ clean_json, token_lifetime.tv_sec, token_lifetime.tv_nsec,
+ (int)token_lifetime.clock_type, reserved);
+ gpr_free(clean_json);
+ }
 GPR_ASSERT(reserved == NULL);
 return grpc_service_account_jwt_access_credentials_create_from_auth_json_key(
 grpc_auth_json_key_create_from_string(json_key), token_lifetime);
-- 
cgit v1.2.3
From 35d5dfcb263753917707288de24e7ff7191ac288 Mon Sep 17 00:00:00 2001
From: yang-g
Date: Thu, 10 Nov 2016 14:29:17 -0800
Subject: parse json instead
---
 .../lib/security/credentials/jwt/jwt_credentials.c | 40 +++++++++-------------
 1 file changed, 17 insertions(+), 23 deletions(-)
(limited to 'src/core/lib/security/credentials/jwt/jwt_credentials.c')
diff --git a/src/core/lib/security/credentials/jwt/jwt_credentials.c b/src/core/lib/security/credentials/jwt/jwt_credentials.c
index 01c349cd75..3daf0f4ef7 100644
--- a/src/core/lib/security/credentials/jwt/jwt_credentials.c
+++ b/src/core/lib/security/credentials/jwt/jwt_credentials.c
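Review bot: `GPR_ASSERT(end_redact - begin_redact >= 0)` in `redact_private_key` turns malformed input into a process abort. Both cues are searched from the start of `json_key`, so a string in which "END PRIVATE KEY" occurs before "BEGIN PRIVATE KEY" trips the assert, and only when API tracing is enabled. A logging helper should fail closed instead, for example `if (end_redact < begin_redact) { begin_redact = json_key; end_redact = json_key_end; }`, which redacts the whole string as the two not-found branches already do. The helper also calls `strlen(json_key)` before the caller has checked anything, so a NULL `json_key` would be dereferenced here; whether NULL is a supported argument is not visible in this hunk.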
@@ -145,31 +145,25 @@ grpc_service_account_jwt_access_credentials_create_from_auth_json_key(
 }
 
 static char *redact_private_key(const char *json_key) {
- const char *json_key_end = json_key + strlen(json_key);
- const char *begin_cue = "BEGIN PRIVATE KEY";
- const char *end_cue = "END PRIVATE KEY";
- const char *redacted = " ";
- const char *begin_redact = strstr(json_key, begin_cue);
- const char *end_redact = strstr(json_key, end_cue);
- if (!begin_redact) {
- begin_redact = json_key;
- } else {
- begin_redact += strlen(begin_cue);
+ char *json_copy = gpr_strdup(json_key);
+ grpc_json *json = grpc_json_parse_string(json_copy);
+ if (!json) {
+ gpr_free(json_copy);
+ return gpr_strdup("");
 }
- if (!end_redact) {
- end_redact = json_key_end;
+ const char *redacted = "";
+ grpc_json *current = json->child;
+ while (current) {
+ if (current->type == GRPC_JSON_STRING &&
+ strcmp(current->key, "private_key") == 0) {
+ current->value = (char *)redacted;
+ break;
+ }
+ current = current->next;
 }
- GPR_ASSERT(end_redact - begin_redact >= 0);
- size_t result_length =
- strlen(json_key) - (size_t)(end_redact - begin_redact) + strlen(redacted);
- char *clean_json = (char *)gpr_malloc(result_length + 1);
- clean_json[result_length] = 0;
- char *current = clean_json;
- memcpy(current, json_key, (size_t)(begin_redact - json_key));
- current += (begin_redact - json_key);
- memcpy(current, redacted, strlen(redacted));
- current += strlen(redacted);
- memcpy(current, end_redact, (size_t)(json_key_end - end_redact));
+ char *clean_json = grpc_json_dump_to_string(json, 2);
+ gpr_free(json_copy);
+ grpc_json_destroy(json);
 return clean_json;
 }
 
-- 
cgit v1.2.3
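Review bot: The loop in `redact_private_key` overwrites only the first top-level string member named `private_key` and then hits `break;`, while `grpc_json_dump_to_string` serializes the whole tree. If the parser keeps duplicate keys, a second `private_key` member would therefore still reach the log; dropping the `break;` redacts every match and keeps the helper fail-closed. `strcmp(current->key, "private_key")` also assumes every child has a key, so if the parser leaves `key` NULL for array elements, a top-level JSON array with a string element would crash here. Starting the condition with `current->key != NULL &&` avoids that. A short comment saying the caller owns the returned string and must `gpr_free` it would also help.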