Feature disable ssotrace (#3455)

* added feature flag REDACT_SSO_TRACE_FILEDS to control fileds logged into sso trace * Fixed linting error * Fixed type review comment * Chnaged environment variable to REDACT_SSO_TRACE * minor rename tweaks * Added support to configure traces TTL * sso traces ttl converted to hours * tweak env var names to group them * ssoTrace -> ssoTraces --------- Co-authored-by: Deepak Prabhakara <[email protected]>
boxyhq · Dec 22, 2024 · bd56d37 · bd56d37
1 parent 5641752
commit bd56d37
Show file tree

Hide file tree

Showing 5 changed files with 37 additions and 8 deletions.
diff --git a/.env.example b/.env.example
@@ -118,4 +118,7 @@ ENTERPRISE_ORY_PROJECT_ID=
 #OPENID_REQUEST_FORWARD_PARAMS=true
 
 # disable logging into sso trace
-# DISABLE_SSO_TRACE=true
+# SSO_TRACES_DISABLE=true
+# SSO_TRACES_REDACT=true
+# traces ttl in hours
+# SSO_TRACES_TTL=1
diff --git a/lib/env.ts b/lib/env.ts
@@ -1,4 +1,10 @@
-import type { DatabaseEngine, DatabaseOption, DatabaseType, JacksonOption } from '@boxyhq/saml-jackson';
+import type {
+  DatabaseEngine,
+  DatabaseOption,
+  DatabaseType,
+  JacksonOption,
+  SSOTracesOption,
+} from '@boxyhq/saml-jackson';
 
 const samlPath = '/api/oauth/saml';
 const oidcPath = '/api/oauth/oidc';
@@ -10,7 +16,6 @@ const hostUrl = process.env.HOST_URL || 'localhost';
 const hostPort = Number(process.env.PORT || '5225');
 const externalUrl = process.env.EXTERNAL_URL || 'http://' + hostUrl + ':' + hostPort;
 const apiKeys = (process.env.JACKSON_API_KEYS || '').split(',');
-const disableSSOTrace = process.env.DISABLE_SSO_TRACE === 'true';
 
 let ssl;
 if (process.env.DB_SSL === 'true') {
@@ -54,6 +59,13 @@ const db: DatabaseOption = {
   manualMigration: process.env.DB_MANUAL_MIGRATION === 'true',
 };
 
+// ssoTraces options
+const ssoTraces: SSOTracesOption = {
+  disable: process.env.SSO_TRACES_DISABLE === 'true',
+  redact: process.env.SSO_TRACES_REDACT === 'true',
+  ttl: process.env.SSO_TRACES_TTL ? Number(process.env.SSO_TRACES_TTL) * 60 * 60 : undefined,
+};
+
 /** Indicates if the Jackson instance is hosted (i.e. not self-hosted) */
 export const boxyhqHosted = process.env.BOXYHQ_HOSTED === '1';
 
@@ -118,7 +130,7 @@ const jacksonOptions: JacksonOption = {
     projectId: process.env.ENTERPRISE_ORY_PROJECT_ID,
     sdkToken: process.env.ENTERPRISE_ORY_SDK_TOKEN,
   },
-  disableSSOTrace,
+  ssoTraces,
 };
 
 const adminPortalSSODefaults = {

diff --git a/npm/src/index.ts b/npm/src/index.ts
@@ -21,7 +21,7 @@ import EventController from './event';
 import { ProductController } from './ee/product';
 import { OryController } from './ee/ory/ory';
 
-const tracesTTL = 7 * 24 * 60 * 60;
+const TRACES_TTL_DEFAULT = 7 * 24 * 60 * 60;
 
 const defaultOpts = (opts: JacksonOption): JacksonOption => {
   const newOpts = {
@@ -55,6 +55,9 @@ const defaultOpts = (opts: JacksonOption): JacksonOption => {
 
   newOpts.boxyhqLicenseKey = newOpts.boxyhqLicenseKey || undefined;
 
+  newOpts.ssoTraces = newOpts.ssoTraces || {};
+  newOpts.ssoTraces.ttl = newOpts.ssoTraces?.ttl || TRACES_TTL_DEFAULT;
+
   return newOpts;
 };
 
@@ -90,7 +93,7 @@ export const controllers = async (
   const certificateStore = db.store('x509:certificates');
   const settingsStore = db.store('portal:settings');
   const productStore = db.store('product:config');
-  const tracesStore = db.store('saml:tracer', tracesTTL);
+  const tracesStore = db.store('saml:tracer', opts.ssoTraces?.ttl);
 
   const ssoTraces = new SSOTraces({ tracesStore, opts });
   const eventController = new EventController({ opts });

diff --git a/npm/src/sso-traces/index.ts b/npm/src/sso-traces/index.ts
@@ -7,6 +7,7 @@ import { JacksonError } from '../controller/error';
 
 const INTERVAL_1_WEEK_MS = 7 * 24 * 60 * 60 * 1000;
 const INTERVAL_1_DAY_MS = 24 * 60 * 60 * 1000;
+const SSO_TRACES_REDACT_KEYS = ['profile', 'oidcTokenSet', 'samlResponse'];
 
 /**
  * @swagger
@@ -70,12 +71,16 @@ class SSOTraces {
   }
 
   public async saveTrace(payload: SSOTrace) {
-    if (this.opts.disableSSOTrace) {
+    if (this.opts.ssoTraces?.disable) {
       return;
     }
 
     try {
       const { context } = payload;
+
+      if (this.opts.ssoTraces?.redact) {
+        SSO_TRACES_REDACT_KEYS.forEach((key) => delete context[key]);
+      }
       // Friendly trace id
       const traceId: string = await generateMnemonic();
       // If timestamp present in payload use that value, else generate the current timestamp

diff --git a/npm/src/typings.ts b/npm/src/typings.ts
@@ -508,7 +508,7 @@ export interface JacksonOption {
     projectId: string | undefined;
     sdkToken: string | undefined;
   };
-  disableSSOTrace?: boolean;
+  ssoTraces?: SSOTracesOption;
 }
 
 export interface SLORequestParams {
@@ -653,3 +653,9 @@ export interface ProductConfig {
   ory: OryConfig | null;
   development?: boolean;
 }
+
+export interface SSOTracesOption {
+  disable?: boolean;
+  redact?: boolean;
+  ttl?: number;
+}