Configurable masking token, perf improvements, refactoring. #4586
Conversation
michaelcfanning
changed the title
|
|
||
| namespace Agent.Sdk.SecretMasking | ||
| { | ||
| /// <summary> | ||
| /// Extended secret masker service, that allows to log origins of secrets | ||
| /// </summary> | ||
| public class LoggedSecretMasker : ILoggedSecretMasker | ||
| public class LoggedSecretMasker : SecretMasker, ILoggedSecretMasker |
There was a problem hiding this comment.
The logged secret masker (as opposed to the legacy logged secret masker) can extend SecretMasker rather than wrapping it (because no other ILoggedSecretMasker will be wrapped by this class). This change will help us switch over to using a SecretMasker instance that 1ES provides that lives in a different repo (https://github.com/microsoft/security-utilities).
| void AddValue(String value, string origin); | ||
| void AddValueEncoder(ValueEncoder encoder, string origin); | ||
| void SetTrace(ITraceWriter trace); | ||
| IDictionary<string, string> GetTelemetry(); |
| @@ -8,5 +8,5 @@ internal interface ISecret | |||
| /// <summary> | |||
| /// Returns one item (start, length) for each match found in the input string. | |||
| /// </summary> | |||
| IEnumerable<ReplacementPosition> GetPositions(String input); | |||
| IEnumerable<Replacement> GetReplacements(String input); | |||
I can't find the use of secret masker clones in the code, does this utilization exist? One difference now between the legacy masker and the current is that the legacy masker doesn't retain elapsed masking time on clone. Is that an issue? Refers to: src/Agent.Sdk/SecretMasking/LegacyLoggedSecretMasker.cs:134 in a95cc17. [](commit_id = a95cc17, deletion_comment = False) |
| } | ||
|
|
||
| Sdk.SecretMasking.ISecretMasker Sdk.SecretMasking.ISecretMasker.Clone() | ||
| { | ||
| return new LegacyLoggedSecretMasker(this._secretMasker.Clone()); | ||
| } | ||
|
|
||
| public IDictionary<string, string> GetTelemetry() |
There was a problem hiding this comment.
| @@ -50,7 +50,7 @@ public void IsUserInfoMaskedCorrectly() | |||
| var testSecretMasker = initSecretMasker(); | |||
|
|
|||
| Assert.Equal( | |||
| "https://user:***@example.com", | |||
| "https://user:+++@example.com", | |||
| return this._secretMasker.MaskSecrets(input); | ||
| var stopwatch = Stopwatch.StartNew(); | ||
| string result = this._secretMasker.MaskSecrets(input); | ||
| Interlocked.Exchange(ref elapsedMaskingTime, stopwatch.ElapsedTicks); |
| } | ||
|
|
||
| // Replace | ||
| var stringBuilder = new StringBuilder(); |
There was a problem hiding this comment.
| { | ||
| startIndex = match.Index + 1; | ||
| yield return new ReplacementPosition(match.Index, match.Length); | ||
| if (input.IndexOf(sniffLiteral, StringComparison.Ordinal) != -1) |
There was a problem hiding this comment.
A simple IndexOf check is 15x+ faster than something like RE2 in a typical perf test. And so using it as a first pass filter to decide whether to run a follow-on regex is likely to yield performance gains. These are typically 4o% or more in other scan scenarios 1ES owns that use the technique.
…for deleted agent knob.
| @@ -347,6 +348,9 @@ public async Task<TaskResult> RunAsync(Pipelines.AgentJobRequestMessage message, | |||
| finally | |||
| { | |||
| Trace.Info("Finalize job."); | |||
|
|
|||
| PublishSecretsMaskingTelemetry(jobContext); | |||
There was a problem hiding this comment.
Looks good to me, considering we upload logs just after (UploadDiagnosticLogsAsync)
This change:
LoggedSecretMaskerderive fromSecretMaskerrather than wrapping an instance of this class.ReplacementPositionclass (now simple renamed toReplacement). For secret values, we retain the existing default redaction string***. For regexes that have no explicit rule information (an id and friendly name, together which comprise amoniker), we use the string+++. This change will allow users to easily search for logs looking for evidence of automatically redacted secrets. These secrets either should have been protected as secured variables OR there is an upstream leak of the secret in a script/dependency, etc.