Cherry-pick #25066 to 7.x: Strip Azure EventHub connection string in …

…debug logs (#25077) * Strip Azure EventHub connection string in debug logs (#25066)
elastic · Apr 15, 2021 · 2f7734e · 2f7734e
1 parent 29fea22
commit 2f7734e
Show file tree

Hide file tree

Showing 3 changed files with 41 additions and 1 deletion.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -242,6 +242,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Fix S3 input validation for non amazonaws.com domains. {issue}24420[24420] {pull}24861[24861]
 - Fix google_workspace and okta modules pagination when next page template is empty. {pull}24967[24967]
 - Fix IPtables Pipeline and Ubiquiti dashboard. {issue}24878[24878] {pull}24928[24928]
+- Strip Azure Eventhub connection string in debug logs. {pulll}25066[25066]
 
 *Heartbeat*
 

diff --git a/x-pack/filebeat/input/azureeventhub/input.go b/x-pack/filebeat/input/azureeventhub/input.go
@@ -8,6 +8,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"strings"
 	"sync"
 	"time"
 
@@ -80,7 +81,7 @@ func NewInput(
 
 	in := &azureInput{
 		config:       config,
-		log:          logp.NewLogger(fmt.Sprintf("%s input", inputName)).With("connection string", config.ConnectionString),
+		log:          logp.NewLogger(fmt.Sprintf("%s input", inputName)).With("connection string", stripConnectionString(config.ConnectionString)),
 		context:      inputContext,
 		workerCtx:    workerCtx,
 		workerCancel: workerCancel,
@@ -235,3 +236,17 @@ func (a *azureInput) parseMultipleMessages(bMessage []byte) []string {
 	}
 	return messages
 }
+
+// Strip connection string to remove sensitive information
+// A connection string should look like this:
+// Endpoint=sb://dummynamespace.servicebus.windows.net/;SharedAccessKeyName=DummyAccessKeyName;SharedAccessKey=5dOntTRytoC24opYThisAsit3is2B+OGY1US/fuL3ly=
+// This code will remove everything after ';' so key information is stripped
+func stripConnectionString(c string) string {
+	if parts := strings.SplitN(c, ";", 2); len(parts) == 2 {
+		return parts[0]
+	}
+
+	// We actually expect the string to have the documented format
+	// if we reach here something is wrong, so let's stay on the safe side
+	return "(redacted)"
+}
diff --git a/x-pack/filebeat/input/azureeventhub/input_test.go b/x-pack/filebeat/input/azureeventhub/input_test.go
@@ -120,6 +120,30 @@ func TestNewInputDone(t *testing.T) {
 	inputtest.AssertNotStartedInputCanBeDone(t, NewInput, &config)
 }
 
+func TestStripConnectionString(t *testing.T) {
+	tests := []struct {
+		connectionString, expected string
+	}{
+		{
+			"Endpoint=sb://something",
+			"(redacted)",
+		},
+		{
+			"Endpoint=sb://dummynamespace.servicebus.windows.net/;SharedAccessKeyName=DummyAccessKeyName;SharedAccessKey=5dOntTRytoC24opYThisAsit3is2B+OGY1US/fuL3ly=",
+			"Endpoint=sb://dummynamespace.servicebus.windows.net/",
+		},
+		{
+			"Endpoint=sb://dummynamespace.servicebus.windows.net/;SharedAccessKey=5dOntTRytoC24opYThisAsit3is2B+OGY1US/fuL3ly=",
+			"Endpoint=sb://dummynamespace.servicebus.windows.net/",
+		},
+	}
+
+	for _, tt := range tests {
+		res := stripConnectionString(tt.connectionString)
+		assert.Equal(t, res, tt.expected)
+	}
+}
+
 type stubOutleter struct {
 	sync.Mutex
 	cond   *sync.Cond