mask iam tokens (#10276)

Author: StekPerepolnen

ydb/mvp/core/grpc_log.h

@@ -7,6 +7,11 @@
 
 namespace NMVP {
 
+template<typename TProto>
+TString SecureShortDebugString(const TProto& request) {
+    return request.ShortDebugString();
+}
+
 template <typename TGRpcService>
 class TLoggedGrpcServiceConnection {
     std::unique_ptr<NYdbGrpc::TServiceConnection<TGRpcService>> Connection;
@@ -41,13 +46,13 @@ class TLoggedGrpcServiceConnection {
                    NYdbGrpc::IQueueClientContextProvider* provider = nullptr)
     {
         const TString& requestName = request.GetDescriptor()->name();
-        BLOG_GRPC_D(Prefix() << "Request " << requestName << " " << Trim(request.ShortDebugString()));
+        BLOG_GRPC_D(Prefix() << "Request " << requestName << " " << Trim(SecureShortDebugString(request)));
         NActors::TActorSystem* actorSystem = NActors::TlsActivationContext->ActorSystem();
         THPTimer timer;
         NYdbGrpc::TResponseCallback<TResponse> cb =
                 [actorSystem, requestName, host = host, timer = std::move(timer), prefix = Prefix(), callback = std::move(callback)](NYdbGrpc::TGrpcStatus&& status, TResponse&& response) -> void {
             if (status.Ok()) {
-                BLOG_GRPC_DC(*actorSystem, prefix << "Response " << response.GetDescriptor()->name() << " " << Trim(response.ShortDebugString()));
+                BLOG_GRPC_DC(*actorSystem, prefix << "Response " << response.GetDescriptor()->name() << " " << Trim(SecureShortDebugString(response)));
             } else {
                 BLOG_GRPC_DC(*actorSystem, prefix << "Status " << status.GRpcStatusCode << " " << status.Msg);
             }
@@ -73,13 +78,13 @@ class TLoggedGrpcServiceConnection {
                            NYdbGrpc::IQueueClientContextProvider* provider = nullptr)
     {
         const TString& requestName = request.GetDescriptor()->name();
-        BLOG_GRPC_D(Prefix() << "Request " << requestName << " " << Trim(request.ShortDebugString()));
+        BLOG_GRPC_D(Prefix() << "Request " << requestName << " " << Trim(SecureShortDebugString(request)));
         NActors::TActorSystem* actorSystem = NActors::TlsActivationContext->ActorSystem();
         THPTimer timer;
         NYdbGrpc::TAdvancedResponseCallback<TResponse> cb =
             [actorSystem, requestName, host = host, timer = std::move(timer), prefix = Prefix(), callback = std::move(callback)](const grpc::ClientContext& context, NYdbGrpc::TGrpcStatus&& status, TResponse&& response) -> void {
             if (status.Ok()) {
-                BLOG_GRPC_DC(*actorSystem, prefix << "Response " << response.GetDescriptor()->name() << " " << Trim(response.ShortDebugString()));
+                BLOG_GRPC_DC(*actorSystem, prefix << "Response " << response.GetDescriptor()->name() << " " << Trim(SecureShortDebugString(response)));
             } else {
                 BLOG_GRPC_DC(*actorSystem, prefix << "Status " << status.GRpcStatusCode << " " << status.Msg);
             }

ydb/mvp/core/mvp_tokens.cpp

@@ -1,5 +1,6 @@
 #include <contrib/libs/jwt-cpp/include/jwt-cpp/jwt.h>
 #include <ydb/library/actors/http/http_proxy.h>
+#include <ydb/library/security/util.h>
 #include <ydb/mvp/core/core_ydb.h>
 #include <ydb/public/api/grpc/ydb_auth_v1.grpc.pb.h>
 #include "mvp_tokens.h"
@@ -299,4 +300,43 @@ void TMvpTokenator::UpdateOAuthToken(const NMvp::TOAuthInfo* oauthInfo) {
                        TEvPrivate::TEvUpdateIamTokenYandex>(oauthInfo->name(), oauthInfo->endpoint(), request, &yandex::cloud::priv::iam::v1::IamTokenService::Stub::AsyncCreate);
 }
 
+template<>
+TString SecureShortDebugString(const yandex::cloud::priv::iam::v1::CreateIamTokenRequest& request) {
+    yandex::cloud::priv::iam::v1::CreateIamTokenRequest copy = request;
+    switch (copy.identity_case()) {
+    case yandex::cloud::priv::iam::v1::CreateIamTokenRequest::kYandexPassportOauthToken:
+        copy.set_yandex_passport_oauth_token(NKikimr::MaskTicket(copy.yandex_passport_oauth_token()));
+        break;
+    case yandex::cloud::priv::iam::v1::CreateIamTokenRequest::kJwt:
+        copy.set_jwt(NKikimr::MaskTicket(copy.jwt()));
+        break;
+    case yandex::cloud::priv::iam::v1::CreateIamTokenRequest::kIamCookie:
+    case yandex::cloud::priv::iam::v1::CreateIamTokenRequest::kYandexPassportCookies:
+    case yandex::cloud::priv::iam::v1::CreateIamTokenRequest::IDENTITY_NOT_SET:
+        break;
+    }
+    return copy.ShortDebugString();
+}
+
+template<>
+TString SecureShortDebugString(const yandex::cloud::priv::iam::v1::CreateIamTokenResponse& request) {
+    yandex::cloud::priv::iam::v1::CreateIamTokenResponse copy = request;
+    copy.set_iam_token(NKikimr::MaskTicket(copy.iam_token()));
+    return copy.ShortDebugString();
+}
+
+template<>
+TString SecureShortDebugString(const nebius::iam::v1::ExchangeTokenRequest& request) {
+    nebius::iam::v1::ExchangeTokenRequest copy = request;
+    copy.set_subject_token(NKikimr::MaskTicket(copy.subject_token()));
+    return copy.ShortDebugString();
+}
+
+template<>
+TString SecureShortDebugString(const nebius::iam::v1::CreateTokenResponse& request) {
+    nebius::iam::v1::CreateTokenResponse copy = request;
+    copy.set_access_token(NKikimr::MaskTicket(copy.access_token()));
+    return copy.ShortDebugString();
+}
+
 }

ydb/mvp/core/ya.make

@@ -53,6 +53,7 @@ PEERDIR(
     ydb/library/actors/core
     ydb/library/actors/http
     ydb/library/actors/protos
+    ydb/library/security
     library/cpp/lwtrace/protos
     library/cpp/lfalloc/alloc_profiler
     ydb/core/viewer/json

ydb/mvp/oidc_proxy/oidc_protected_page_yandex.cpp

@@ -1,4 +1,5 @@
 #include <ydb/library/actors/http/http.h>
+#include <ydb/library/security/util.h>
 #include <ydb/mvp/core/mvp_tokens.h>
 #include <ydb/mvp/core/appdata.h>
 #include <ydb/mvp/core/mvp_log.h>
@@ -85,4 +86,19 @@ bool THandlerSessionServiceCheckYandex::NeedSendSecureHttpRequest(const NHttp::T
 }
 
 }  // NOIDC
+
+template<>
+TString SecureShortDebugString(const yandex::cloud::priv::oauth::v1::CheckSessionRequest& request) {
+    yandex::cloud::priv::oauth::v1::CheckSessionRequest copy = request;
+    copy.clear_cookie_header();
+    return copy.ShortDebugString();
+}
+
+template<>
+TString SecureShortDebugString(const yandex::cloud::priv::oauth::v1::CheckSessionResponse& request) {
+    yandex::cloud::priv::oauth::v1::CheckSessionResponse copy = request;
+    copy.mutable_iam_token()->set_iam_token(NKikimr::MaskTicket(copy.iam_token().iam_token()));
+    return copy.ShortDebugString();
+}
+
 }  // NMVP

ydb/mvp/oidc_proxy/oidc_session_create_yandex.cpp

@@ -1,5 +1,6 @@
 #include <ydb/library/actors/http/http.h>
 #include <ydb/library/grpc/client/grpc_client_low.h>
+#include <ydb/library/security/util.h>
 #include <ydb/mvp/core/mvp_tokens.h>
 #include <ydb/mvp/core/appdata.h>
 #include <ydb/mvp/core/mvp_log.h>
@@ -79,4 +80,19 @@ void THandlerSessionCreateYandex::HandleError(TEvPrivate::TEvErrorResponse::TPtr
 }
 
 } // NOIDC
+
+template<>
+TString SecureShortDebugString(const yandex::cloud::priv::oauth::v1::CreateSessionRequest& request) {
+    yandex::cloud::priv::oauth::v1::CreateSessionRequest copy = request;
+    copy.set_access_token(NKikimr::MaskTicket(copy.access_token()));
+    return copy.ShortDebugString();
+}
+
+template<>
+TString SecureShortDebugString(const yandex::cloud::priv::oauth::v1::CreateSessionResponse& request) {
+    yandex::cloud::priv::oauth::v1::CreateSessionResponse copy = request;
+    copy.clear_set_cookie_header();
+    return copy.ShortDebugString();
+}
+
 } // NMVP