Compute a checksum of PRIVATE-TOKENs so as to make our logs searchable by PRIVATE-TOKEN
Once a user's or GitLabber's PRIVATE-TOKEN is compromised or has been made publicly available, the first question is where said PRIVATE-TOKEN has been used and for what. Answering this question without having the token itself or a derivative value in our logs is very challenging, if not impossible. This issue should allow us to discuss why/when/how/to what extent to scrub PRIVATE-TOKENs.
Alternatives for logging the `PRIVATE-TOKEN` header, a clear anti-pattern, would be to:

- log `PRIVATE-TOKEN: D2lzH3Jrl2GRJUzgKNjvo3FmAqqOA` as `**************************o3FmAqqOA` (paying attention to how much to scrub, etc.)
- log `PRIVATE-TOKEN: D2lzH3Jrl2GRJUzgKNjvo3FmAqqOA` as `shasum1(vo3FmAqqOA)` so one can look for `__discarded__24a119fc7f9022faf8` during/after an incident or even while debugging.
As for the first suggestion, there are security concerns we must take into account. As for the second, and IMO better, approach, there might be performance concerns related to computing hashes for every single PRIVATE-TOKEN coming into gitlab.com.

Let's discuss the pros and cons of these approaches as well as plausible alternatives.
https://gitlab.com/gitlab-cookbooks/gitlab_fluentd/blob/master/templates/default/rails.conf.erb#L152
https://gitlab.com/gitlab-org/gitlab-foss/blob/master/config/application.rb
https://gitlab.com/gitlab-org/labkit/blob/master/mask/matchers.go#L8
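As an added example (not GitLab's, labkit's or fluentd's code), here are the two scrubbing options above side by side in Go, together with the lookup an incident responder would run against already-scrubbed logs to answer "where was this token used?". The header regex, the `__discarded__` marker on the digest, SHA-256 in place of the `shasum1` in the description, and the sample token and log lines are all assumptions and constructions for this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"regexp"
	"strings"
)

// Constructed sample token and request-log lines (not real credentials).
const sampleToken = "D2lzH3Jrl2GRJUzgKNjvo3FmAqqOA"
var sampleLogs = []string{
	"GET /api/v4/projects PRIVATE-TOKEN: D2lzH3Jrl2GRJUzgKNjvo3FmAqqOA 200",
	"POST /api/v4/projects/1/issues PRIVATE-TOKEN: zzzzOtherToken1234 201",
	"GET /api/v4/user 401",
}

// privateTokenRe captures the header name and its value (value charset is an assumption).
var privateTokenRe = regexp.MustCompile(`(PRIVATE-TOKEN:\s*)([A-Za-z0-9_-]+)`)

// MaskPartial is the first option: keep only the last `keep` characters.
func MaskPartial(token string, keep int) string {
	if keep > len(token) {
		keep = len(token)
	}
	return strings.Repeat("*", len(token)-keep) + token[len(token)-keep:]
}

// HashToken is the second option: a truncated hex SHA-256 digest behind a marker
// prefix, so a digest is never mistaken for a raw token yet stays searchable.
func HashToken(token string) string {
	sum := sha256.Sum256([]byte(token))
	return "__discarded__" + hex.EncodeToString(sum[:])[:18]
}

// ScrubLine rewrites every PRIVATE-TOKEN value in line using scrub; other lines pass through.
func ScrubLine(line string, scrub func(string) string) string {
	return privateTokenRe.ReplaceAllStringFunc(line, func(m string) string {
		sub := privateTokenRe.FindStringSubmatch(m)
		return sub[1] + scrub(sub[2])
	})
}

// FindUses returns the scrubbed lines in which a now-compromised token was used.
func FindUses(scrubbed []string, compromised string) (hits []string) {
	key := HashToken(compromised) // hash once, then plain substring search
	for _, l := range scrubbed {
		if strings.Contains(l, key) {
			hits = append(hits, l)
		}
	}
	return hits
}
```

Hashing one short header value is a single SHA-256 compression block, so the per-request cost is well below a microsecond and is dwarfed by the request itself; the more relevant caveat is that anyone holding the scrubbed logs can still test a guessed token against a plain digest, which a keyed hash (an HMAC whose key lives only in the logging layer) avoids while keeping the logs just as searchable.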