From bd56d37c7ab9efb0b3532f6f5da56caec7ae91db Mon Sep 17 00:00:00 2001
From: Nitendra
Date: Sun, 22 Dec 2024 15:39:00 +0530
Subject: [PATCH] Feature disable ssotrace (#3455)

* added feature flag REDACT_SSO_TRACE_FILEDS to control fileds logged into sso trace

* Fixed linting error

* Fixed type review comment

* Chnaged environment variable to REDACT_SSO_TRACE

* minor rename tweaks

* Added support to configure traces TTL

* sso traces ttl converted to hours

* tweak env var names to group them

* ssoTrace -> ssoTraces

---------

Co-authored-by: Deepak Prabhakara
---
 .env.example | 5 ++++-
 lib/env.ts | 18 +++++++++++++++---
 npm/src/index.ts | 7 +++++--
 npm/src/sso-traces/index.ts | 7 ++++++-
 npm/src/typings.ts | 8 +++++++-
 5 files changed, 37 insertions(+), 8 deletions(-)

diff --git a/.env.example b/.env.example
index 86dad24df..52af72c8d 100644
--- a/.env.example
+++ b/.env.example
@@ -118,4 +118,7 @@ ENTERPRISE_ORY_PROJECT_ID=
 #OPENID_REQUEST_FORWARD_PARAMS=true
 # disable logging into sso trace
-# DISABLE_SSO_TRACE=true
\ No newline at end of file
+# SSO_TRACES_DISABLE=true
+# SSO_TRACES_REDACT=true
+# traces ttl in hours
+# SSO_TRACES_TTL=1
\ No newline at end of file
diff --git a/lib/env.ts b/lib/env.ts
index 8dee4b500..d72c03185 100644
--- a/lib/env.ts
+++ b/lib/env.ts
@@ -1,4 +1,10 @@
-import type { DatabaseEngine, DatabaseOption, DatabaseType, JacksonOption } from '@boxyhq/saml-jackson';
+import type {
+ DatabaseEngine,
+ DatabaseOption,
+ DatabaseType,
+ JacksonOption,
+ SSOTracesOption,
+} from '@boxyhq/saml-jackson';
 const samlPath = '/api/oauth/saml';
 const oidcPath = '/api/oauth/oidc';
@@ -10,7 +16,6 @@ const hostUrl = process.env.HOST_URL || 'localhost';
 const hostPort = Number(process.env.PORT || '5225');
 const externalUrl = process.env.EXTERNAL_URL || 'http://' + hostUrl + ':' + hostPort;
 const apiKeys = (process.env.JACKSON_API_KEYS || '').split(',');
-const disableSSOTrace = process.env.DISABLE_SSO_TRACE === 'true';
 let ssl;
 if (process.env.DB_SSL === 'true') {
@@ -54,6 +59,13 @@ const db: DatabaseOption = {
 manualMigration: process.env.DB_MANUAL_MIGRATION === 'true',
 };
+// ssoTraces options
+const ssoTraces: SSOTracesOption = {
+ disable: process.env.SSO_TRACES_DISABLE === 'true',
+ redact: process.env.SSO_TRACES_REDACT === 'true',
+ ttl: process.env.SSO_TRACES_TTL ? Number(process.env.SSO_TRACES_TTL) * 60 * 60 : undefined,
+};
+
 /** Indicates if the Jackson instance is hosted (i.e. not self-hosted) */
 export const boxyhqHosted = process.env.BOXYHQ_HOSTED === '1';
@@ -118,7 +130,7 @@ const jacksonOptions: JacksonOption = {
 projectId: process.env.ENTERPRISE_ORY_PROJECT_ID,
 sdkToken: process.env.ENTERPRISE_ORY_SDK_TOKEN,
 },
- disableSSOTrace,
+ ssoTraces,
 };
 const adminPortalSSODefaults = {
diff --git a/npm/src/index.ts b/npm/src/index.ts
index 220f4fc64..56e3260de 100644
--- a/npm/src/index.ts
+++ b/npm/src/index.ts
@@ -21,7 +21,7 @@ import EventController from './event';
 import { ProductController } from './ee/product';
 import { OryController } from './ee/ory/ory';
-const tracesTTL = 7 * 24 * 60 * 60;
+const TRACES_TTL_DEFAULT = 7 * 24 * 60 * 60;
 const defaultOpts = (opts: JacksonOption): JacksonOption => {
 const newOpts = {
@@ -55,6 +55,9 @@ const defaultOpts = (opts: JacksonOption): JacksonOption => {
 newOpts.boxyhqLicenseKey = newOpts.boxyhqLicenseKey || undefined;
+ newOpts.ssoTraces = newOpts.ssoTraces || {};
+ newOpts.ssoTraces.ttl = newOpts.ssoTraces?.ttl || TRACES_TTL_DEFAULT;
+
 return newOpts;
 };
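Review bot: Removing `const disableSSOTrace = process.env.DISABLE_SSO_TRACE === 'true';` with no fallback means a deployment that set `DISABLE_SSO_TRACE=true` will silently resume persisting SSO traces after this upgrade, since nothing in the diff reads the old name and the only remaining switch is `SSO_TRACES_DISABLE` in the next hunk. Because the trace context is where the raw SAML response, OIDC token set and user profile end up (the keys the new redaction in npm/src/sso-traces/index.ts targets), a silent re-enable is a data-retention regression rather than a cosmetic rename. Either honour both names for a release, `disable: process.env.SSO_TRACES_DISABLE === 'true' || process.env.DISABLE_SSO_TRACE === 'true',`, or emit a startup warning when the old variable is present and call out the rename in the changelog.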
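Review bot: `ttl: process.env.SSO_TRACES_TTL ? Number(process.env.SSO_TRACES_TTL) * 60 * 60 : undefined` accepts any value: a non-numeric string becomes `NaN` and `0` stays `0`, both of which `defaultOpts` in npm/src/index.ts then replaces with the 7-day default without any diagnostic, while a negative value such as `-1` becomes `-3600` and is passed through to `db.store` unchanged. An operator who mistypes a shorter retention period therefore silently keeps traces for a week. I'd parse once, `const ttlHours = Number(process.env.SSO_TRACES_TTL);`, and fail startup unless `Number.isFinite(ttlHours) && ttlHours > 0` whenever the variable is set, then use `ttlHours * 60 * 60`. A comment on the unit, `// SSO_TRACES_TTL is given in hours; the library expects seconds`, would also help, since .env.example says hours and `TRACES_TTL_DEFAULT` is in seconds.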
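Review bot: `newOpts.ssoTraces = newOpts.ssoTraces || {};` keeps the caller's object when one was supplied, so the following `newOpts.ssoTraces.ttl = ...` writes the default back into the caller's `ssoTraces` (the `jacksonOptions` object from lib/env.ts) if `newOpts` is a shallow copy of `opts`; its construction (`const newOpts = {` in the hunk above) is cut off, so this is inferred. The `?.` on the second line is also redundant immediately after that assignment. A copy avoids both points: `newOpts.ssoTraces = { ...newOpts.ssoTraces, ttl: newOpts.ssoTraces?.ttl || TRACES_TTL_DEFAULT };`. Note that `||` maps an explicit `ttl: 0` and a `NaN` from a bad env value to the default; if that is intentional a one-line comment saying so would save the next reader the question. `defaultOpts` starts outside the hunk.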
@@ -90,7 +93,7 @@ export const controllers = async (
 const certificateStore = db.store('x509:certificates');
 const settingsStore = db.store('portal:settings');
 const productStore = db.store('product:config');
- const tracesStore = db.store('saml:tracer', tracesTTL);
+ const tracesStore = db.store('saml:tracer', opts.ssoTraces?.ttl);
 const ssoTraces = new SSOTraces({ tracesStore, opts });
 const eventController = new EventController({ opts });
diff --git a/npm/src/sso-traces/index.ts b/npm/src/sso-traces/index.ts
index b57ffa437..874253950 100644
--- a/npm/src/sso-traces/index.ts
+++ b/npm/src/sso-traces/index.ts
@@ -7,6 +7,7 @@ import { JacksonError } from '../controller/error';
 const INTERVAL_1_WEEK_MS = 7 * 24 * 60 * 60 * 1000;
 const INTERVAL_1_DAY_MS = 24 * 60 * 60 * 1000;
+const SSO_TRACES_REDACT_KEYS = ['profile', 'oidcTokenSet', 'samlResponse'];
 /**
 * @swagger
@@ -70,12 +71,16 @@ class SSOTraces {
 }
 public async saveTrace(payload: SSOTrace) {
- if (this.opts.disableSSOTrace) {
+ if (this.opts.ssoTraces?.disable) {
 return;
 }
 try {
 const { context } = payload;
+
+ if (this.opts.ssoTraces?.redact) {
+ SSO_TRACES_REDACT_KEYS.forEach((key) => delete context[key]);
+ }
 // Friendly trace id
 const traceId: string = await generateMnemonic();
 // If timestamp present in payload use that value, else generate the current timestamp
diff --git a/npm/src/typings.ts b/npm/src/typings.ts
index 2e2712029..f38269ade 100644
--- a/npm/src/typings.ts
+++ b/npm/src/typings.ts
@@ -508,7 +508,7 @@ export interface JacksonOption {
 projectId: string | undefined;
 sdkToken: string | undefined;
 };
- disableSSOTrace?: boolean;
+ ssoTraces?: SSOTracesOption;
 }
 export interface SLORequestParams {
@@ -653,3 +653,9 @@ export interface ProductConfig {
 ory: OryConfig | null;
 development?: boolean;
 }
+
+export interface SSOTracesOption {
+ disable?: boolean;
+ redact?: boolean;
+ ttl?: number;
+}
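Review bot: `SSO_TRACES_REDACT_KEYS.forEach((key) => delete context[key]);` redacts in place on `payload.context`, which is the caller's object, so any use of the payload after `saveTrace` sees the stripped context as a side effect of persisting a trace. Redact a copy instead by replacing `const { context } = payload;` with `const context = { ...payload.context };`, which keeps the same type for the `delete`. It is also worth a comment above the `if` that this is a denylist of three top-level keys, so anyone adding a new context field that carries assertion, token or profile data must extend `SSO_TRACES_REDACT_KEYS`; `saveTrace` continues outside the hunk.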
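Review bot: `SSOTracesOption` is exported from the public typings but has no TSDoc, and the unit of `ttl` is not stated even though lib/env.ts converts hours to seconds before setting it and `TRACES_TTL_DEFAULT` in npm/src/index.ts is `7 * 24 * 60 * 60` seconds. I'd add a doc comment per field: `/** Skip persisting SSO traces entirely. Default: false. */`, `/** Drop profile, oidcTokenSet and samlResponse from the stored trace context. Default: false. */`, and `/** Retention of stored traces in seconds. Default: 7 days. */`. Stating that both switches default to off makes the retention and redaction posture visible to integrators reading the types.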