From ba7c12c23aebb003ea771facb06620617984f765 Mon Sep 17 00:00:00 2001 From: Sriduth Jayhari Date: Tue, 16 Apr 2019 16:28:54 +0000 Subject: [PATCH] * Added API to specify regex based masking logic in accesslog. * Implemented regex access log masking for file access logs. --- api/envoy/config/accesslog/v2/file.proto | 10 +++++++++- include/envoy/access_log/access_log.h | 15 +++++++++++++++ source/common/access_log/BUILD | 1 + .../common/access_log/access_log_manager_impl.cc | 7 +++++++ source/extensions/access_loggers/file/config.cc | 14 ++++++++++++-- .../access_loggers/file/file_access_log_impl.cc | 16 +++++++++++++--- .../access_loggers/file/file_access_log_impl.h | 5 ++++- 7 files changed, 61 insertions(+), 7 deletions(-) diff --git a/api/envoy/config/accesslog/v2/file.proto b/api/envoy/config/accesslog/v2/file.proto index 48a1841a9614..e8d7a1c09e6f 100644 --- a/api/envoy/config/accesslog/v2/file.proto +++ b/api/envoy/config/accesslog/v2/file.proto @@ -18,7 +18,15 @@ import "google/protobuf/struct.proto"; message FileAccessLog { // A path to a local file to which to write the access log entries. string path = 1 [(validate.rules).string.min_bytes = 1]; - + + repeated LogLineMask masks = 5; + + message LogLineMask { + string name = 1; + string regex = 2; + string mask_with = 3; + } + // Access log format. Envoy supports :ref:`custom access log formats // ` as well as a :ref:`default format // `. diff --git a/include/envoy/access_log/access_log.h b/include/envoy/access_log/access_log.h index 952265933065..641f9d187af7 100644 --- a/include/envoy/access_log/access_log.h +++ b/include/envoy/access_log/access_log.h @@ -2,6 +2,7 @@ #include #include +#include #include "envoy/common/pure.h" #include "envoy/http/header_map.h" @@ -139,5 +140,19 @@ class FormatterProvider { using FormatterProviderPtr = std::unique_ptr; + /** + * See file.proto for the definition + */ +class AccessLogMask { +public: + AccessLogMask(const std::string& name, + const std::string& regex, + const std::string& replacer); + + std::string name_; + std::regex regex_; + std::string replace_with_; +}; + } // namespace AccessLog } // namespace Envoy diff --git a/source/common/access_log/BUILD b/source/common/access_log/BUILD index 2de71c912d53..695e2acd26db 100644 --- a/source/common/access_log/BUILD +++ b/source/common/access_log/BUILD @@ -32,6 +32,7 @@ envoy_cc_library( "//include/envoy/api:api_interface", "//source/common/buffer:buffer_lib", "//source/common/common:thread_lib", + "//source/common/http:utility_lib" ], ) diff --git a/source/common/access_log/access_log_manager_impl.cc b/source/common/access_log/access_log_manager_impl.cc index cbf5f8caa4a6..2279a50ee4fd 100644 --- a/source/common/access_log/access_log_manager_impl.cc +++ b/source/common/access_log/access_log_manager_impl.cc @@ -6,10 +6,17 @@ #include "common/common/fmt.h" #include "common/common/lock_guard.h" #include "common/common/stack_array.h" +#include "common/common/utility.h" namespace Envoy { namespace AccessLog { + +AccessLogMask::AccessLogMask(const std::string& name, + const std::string& regex, + const std::string& replacer) + : name_(name), regex_(RegexUtil::parseRegex(regex)), replace_with_(replacer) {} + void AccessLogManagerImpl::reopen() { for (auto& access_log : access_logs_) { access_log.second->reopen(); diff --git a/source/extensions/access_loggers/file/config.cc b/source/extensions/access_loggers/file/config.cc index d04f3965a008..afb7ac795eea 100644 --- a/source/extensions/access_loggers/file/config.cc +++ b/source/extensions/access_loggers/file/config.cc @@ -2,7 +2,7 @@ #include #include - +#include #include "envoy/config/accesslog/v2/file.pb.validate.h" #include "envoy/registry/registry.h" #include "envoy/server/filter_config.h" @@ -44,8 +44,18 @@ FileAccessLogFactory::createAccessLogInstance(const Protobuf::Message& config, "Invalid access_log format provided. Only 'format' and 'json_format' are supported."); } + auto masks = fal_config.masks(); + + std::vector parsed_masks; + + for(int i=0;i(fal_config.path(), std::move(filter), std::move(formatter), - context.accessLogManager()); + context.accessLogManager(), parsed_masks); } ProtobufTypes::MessagePtr FileAccessLogFactory::createEmptyConfigProto() { diff --git a/source/extensions/access_loggers/file/file_access_log_impl.cc b/source/extensions/access_loggers/file/file_access_log_impl.cc index 75409f34dadc..1cd1ba259d08 100644 --- a/source/extensions/access_loggers/file/file_access_log_impl.cc +++ b/source/extensions/access_loggers/file/file_access_log_impl.cc @@ -1,6 +1,9 @@ #include "extensions/access_loggers/file/file_access_log_impl.h" #include "common/http/header_map_impl.h" +#include "common/common/utility.h" + +#include namespace Envoy { namespace Extensions { @@ -9,9 +12,11 @@ namespace File { FileAccessLog::FileAccessLog(const std::string& access_log_path, AccessLog::FilterPtr&& filter, AccessLog::FormatterPtr&& formatter, - AccessLog::AccessLogManager& log_manager) + AccessLog::AccessLogManager& log_manager, + const std::vector& log_line_masks) : filter_(std::move(filter)), formatter_(std::move(formatter)) { log_file_ = log_manager.createAccessLog(access_log_path); + log_line_masks_ = log_line_masks; } void FileAccessLog::log(const Http::HeaderMap* request_headers, @@ -35,8 +40,13 @@ void FileAccessLog::log(const Http::HeaderMap* request_headers, } } - log_file_->write( - formatter_->format(*request_headers, *response_headers, *response_trailers, stream_info)); + std::string log_line = formatter_->format(*request_headers, *response_headers, *response_trailers, stream_info); + + for(AccessLog::AccessLogMask mask : log_line_masks_) { + log_line = std::regex_replace(log_line, mask.regex_, mask.replace_with_); + } + + log_file_->write(log_line); } } // namespace File diff --git a/source/extensions/access_loggers/file/file_access_log_impl.h b/source/extensions/access_loggers/file/file_access_log_impl.h index b14b396befd8..3d9759aab8d4 100644 --- a/source/extensions/access_loggers/file/file_access_log_impl.h +++ b/source/extensions/access_loggers/file/file_access_log_impl.h @@ -1,6 +1,7 @@ #pragma once #include "envoy/access_log/access_log.h" +#include namespace Envoy { namespace Extensions { @@ -13,7 +14,8 @@ namespace File { class FileAccessLog : public AccessLog::Instance { public: FileAccessLog(const std::string& access_log_path, AccessLog::FilterPtr&& filter, - AccessLog::FormatterPtr&& formatter, AccessLog::AccessLogManager& log_manager); + AccessLog::FormatterPtr&& formatter, AccessLog::AccessLogManager& log_manager, + const std::vector& log_line_masks = std::vector()); // AccessLog::Instance void log(const Http::HeaderMap* request_headers, const Http::HeaderMap* response_headers, @@ -24,6 +26,7 @@ class FileAccessLog : public AccessLog::Instance { AccessLog::AccessLogFileSharedPtr log_file_; AccessLog::FilterPtr filter_; AccessLog::FormatterPtr formatter_; + std::vector log_line_masks_; }; } // namespace File