fix: strip service account token

cvvz · k8s-infra-cherrypick-robot · commit ada8a6257bd8 · 2024-03-26T11:44:39.000Z
diff --git a/pkg/csi-common/utils.go b/pkg/csi-common/utils.go
@@ -17,6 +17,7 @@ limitations under the License.
 package csicommon
 
 import (
+	"encoding/json"
 	"fmt"
 	"net"
 	"os"
@@ -101,7 +102,7 @@ func getLogLevel(method string) int32 {
 func LogGRPC(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {
 	level := klog.Level(getLogLevel(info.FullMethod))
 	klog.V(level).Infof("GRPC call: %s", info.FullMethod)
-	klog.V(level).Infof("GRPC request: %s", protosanitizer.StripSecrets(req))
+	klog.V(level).Infof("GRPC request: %s", stripServiceAccountToken(protosanitizer.StripSecrets(req)))
 
 	resp, err := handler(ctx, req)
 	if err != nil {
@@ -111,3 +112,30 @@ func LogGRPC(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, h
 	}
 	return resp, err
 }
+
+func stripServiceAccountToken(req fmt.Stringer) string {
+	var parsed map[string]interface{}
+
+	err := json.Unmarshal([]byte(req.String()), &parsed)
+	if err != nil || parsed == nil {
+		return req.String()
+	}
+
+	volumeContext, ok := parsed["volume_context"].(map[string]interface{})
+	if !ok {
+		return req.String()
+	}
+
+	if _, ok := volumeContext["csi.storage.k8s.io/serviceAccount.tokens"]; !ok {
+		return req.String()
+	}
+
+	volumeContext["csi.storage.k8s.io/serviceAccount.tokens"] = "***stripped***"
+
+	b, err := json.Marshal(parsed)
+	if err != nil {
+		return req.String()
+	}
+
+	return string(b)
+}
diff --git a/pkg/csi-common/utils_test.go b/pkg/csi-common/utils_test.go
@@ -119,6 +119,44 @@ func TestLogGRPC(t *testing.T) {
 			},
 			`GRPC request: {"starting_token":"testtoken"}`,
 		},
+		{
+			"NodeStageVolumeRequest with service account token",
+			&csi.NodeStageVolumeRequest{
+				VolumeContext: map[string]string{
+					"csi.storage.k8s.io/serviceAccount.tokens": "testtoken",
+					"csi.storage.k8s.io/testfield":             "testvalue",
+				},
+				XXX_sizecache: 100,
+			},
+			`GRPC request: {"volume_context":{"csi.storage.k8s.io/serviceAccount.tokens":"***stripped***","csi.storage.k8s.io/testfield":"testvalue"}}`,
+		},
+		{
+			"NodePublishVolumeRequest with service account token",
+			&csi.NodePublishVolumeRequest{
+				VolumeContext: map[string]string{
+					"csi.storage.k8s.io/serviceAccount.tokens": "testtoken",
+					"csi.storage.k8s.io/testfield":             "testvalue",
+				},
+				XXX_sizecache: 100,
+			},
+			`GRPC request: {"volume_context":{"csi.storage.k8s.io/serviceAccount.tokens":"***stripped***","csi.storage.k8s.io/testfield":"testvalue"}}`,
+		},
+		{
+			"with secrets and service account token",
+			&csi.NodeStageVolumeRequest{
+				VolumeId: "vol_1",
+				Secrets: map[string]string{
+					"account_name": "k8s",
+					"account_key":  "testkey",
+				},
+				VolumeContext: map[string]string{
+					"csi.storage.k8s.io/serviceAccount.tokens": "testtoken",
+					"csi.storage.k8s.io/testfield":             "testvalue",
+				},
+				XXX_sizecache: 100,
+			},
+			`GRPC request: {"secrets":"***stripped***","volume_context":{"csi.storage.k8s.io/serviceAccount.tokens":"***stripped***","csi.storage.k8s.io/testfield":"testvalue"},"volume_id":"vol_1"}`,
+		},
 	}
 
 	for _, test := range tests {
