Clear sensitive data in replication's description (ydb-platform#3044)

CyberROFL · Jun 6, 2024 · a969cfc · a969cfc
1 parent abe1cda
commit a969cfc
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 0 deletions.
diff --git a/ydb/core/tx/schemeshard/schemeshard_path_describer.cpp b/ydb/core/tx/schemeshard/schemeshard_path_describer.cpp
@@ -4,6 +4,7 @@
 #include <ydb/core/engine/mkql_proto.h>
 #include <ydb/core/protos/flat_tx_scheme.pb.h>
 #include <ydb/core/scheme/scheme_types_proto.h>
+#include <ydb/public/api/protos/annotations/sensitive.pb.h>
 
 #include <util/stream/format.h>
 
@@ -1282,6 +1283,26 @@ void TSchemeShard::DescribeReplication(const TPathId& pathId, const TString& nam
     DescribeReplication(pathId, name, it->second, desc);
 }
 
+static void ClearSensitiveFields(google::protobuf::Message* message) {
+    const auto* desc = message->GetDescriptor();
+    const auto* self = message->GetReflection();
+
+    for (int i = 0; i < desc->field_count(); ++i) {
+        const auto* field = desc->field(i);
+        if (field->options().GetExtension(Ydb::sensitive)) {
+            self->ClearField(message, field);
+        } else if (field->message_type()) {
+            if (!field->is_repeated() && self->HasField(*message, field)) {
+                ClearSensitiveFields(self->MutableMessage(message, field));
+            } else if (field->is_repeated()) {
+                for (int j = 0, size = self->FieldSize(*message, field); j < size; ++j) {
+                    ClearSensitiveFields(self->MutableRepeatedMessage(message, field, j));
+                }
+            }
+        }
+    }
+}
+
 void TSchemeShard::DescribeReplication(const TPathId& pathId, const TString& name, TReplicationInfo::TPtr info,
         NKikimrSchemeOp::TReplicationDescription& desc)
 {
@@ -1290,6 +1311,7 @@ void TSchemeShard::DescribeReplication(const TPathId& pathId, const TString& nam
         << " name# " << name);
 
     desc = info->Description;
+    ClearSensitiveFields(&desc);
 
     desc.SetName(name);
     PathIdFromPathId(pathId, desc.MutablePathId());

diff --git a/ydb/core/tx/schemeshard/ut_replication/ut_replication.cpp b/ydb/core/tx/schemeshard/ut_replication/ut_replication.cpp
@@ -1,3 +1,4 @@
+#include <ydb/core/protos/replication.pb.h>
 #include <ydb/core/tx/schemeshard/ut_helpers/helpers.h>
 
 using namespace NSchemeShardUT_Private;
@@ -138,6 +139,19 @@ Y_UNIT_TEST_SUITE(TReplicationTests) {
         }
     }
 
+    Y_UNIT_TEST(Describe) {
+        TTestBasicRuntime runtime;
+        TTestEnv env(runtime, TTestEnvOptions().InitYdbDriver(true));
+        ui64 txId = 100;
+
+        TestCreateReplication(runtime, ++txId, "/MyRoot", DefaultScheme("Replication")); // default with user & password
+        env.TestWaitNotification(runtime, txId);
+
+        const auto desc = DescribePath(runtime, "/MyRoot/Replication");
+        const auto& params = desc.GetPathDescription().GetReplicationDescription().GetConfig().GetSrcConnectionParams();
+        UNIT_ASSERT(!params.GetStaticCredentials().HasPassword());
+    }
+
     void CreateReplicatedTable(NKikimrSchemeOp::TTableReplicationConfig::EReplicationMode mode) {
         TTestBasicRuntime runtime;
         TTestEnv env(runtime);

diff --git a/ydb/core/tx/schemeshard/ut_replication/ya.make b/ydb/core/tx/schemeshard/ut_replication/ya.make
@@ -14,6 +14,7 @@ ELSE()
 ENDIF()
 
 PEERDIR(
+    ydb/core/protos
     ydb/core/tx/schemeshard/ut_helpers
     ydb/library/yql/sql/pg_dummy
 )