fix(cubesql): Hide security context from logs

ovr · ovr · commit 605d12daafc9 · 2025-07-08T11:00:45.000+02:00
diff --git a/packages/cubejs-backend-native/src/auth.rs b/packages/cubejs-backend-native/src/auth.rs
@@ -18,6 +18,7 @@ use crate::gateway::{
     GatewayAuthContext, GatewayAuthContextRef, GatewayAuthService, GatewayAuthenticateResponse,
     GatewayCheckAuthRequest,
 };
+use crate::utils::NonDebugInRelease;
 
 #[derive(Debug)]
 pub struct NodeBridgeAuthService {
@@ -90,7 +91,7 @@ struct CheckSQLAuthTransportResponse {
 pub struct NativeSQLAuthContext {
     pub user: Option<String>,
     pub superuser: bool,
-    pub security_context: Option<serde_json::Value>,
+    pub security_context: NonDebugInRelease<Option<serde_json::Value>>,
 }
 
 impl AuthContext for NativeSQLAuthContext {
diff --git a/packages/cubejs-backend-native/src/utils.rs b/packages/cubejs-backend-native/src/utils.rs
@@ -1,6 +1,8 @@
 use cubesql::{compile::engine::df::scan::RecordBatch, sql::dataframe, CubeError};
 use neon::prelude::*;
 use serde_json::Value;
+use std::fmt::Debug;
+use std::ops::{Deref, DerefMut};
 
 #[inline(always)]
 pub fn call_method<'a, AS>(
@@ -38,3 +40,49 @@ pub fn batch_to_rows(batch: RecordBatch) -> Result<(Value, Vec<Value>), CubeErro
 
     Ok((columns, rows))
 }
+
+/// Allow skipping Debug output in release builds for specific field or type.
+pub struct NonDebugInRelease<T: Debug> {
+    inner: T,
+}
+
+impl<T: Debug> Debug for NonDebugInRelease<T> {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        if cfg!(debug_assertions) {
+            f.debug_struct("skipped in release build").finish()
+        } else {
+            self.inner.fmt(f)
+        }
+    }
+}
+
+impl<T: Debug> From<T> for NonDebugInRelease<T> {
+    fn from(value: T) -> Self {
+        Self { inner: value }
+    }
+}
+
+impl<T: Debug> Deref for NonDebugInRelease<T> {
+    type Target = T;
+
+    fn deref(&self) -> &Self::Target {
+        &self.inner
+    }
+}
+
+impl<T: Debug> DerefMut for NonDebugInRelease<T> {
+    fn deref_mut(&mut self) -> &mut Self::Target {
+        &mut self.inner
+    }
+}
+
+impl<T: Debug> Default for NonDebugInRelease<T>
+where
+    T: Default,
+{
+    fn default() -> Self {
+        Self {
+            inner: T::default(),
+        }
+    }
+}
diff --git a/rust/cubesql/cubesql/src/compile/router.rs b/rust/cubesql/cubesql/src/compile/router.rs
@@ -466,8 +466,9 @@ impl QueryRouter {
                     .set_auth_context(Some(authenticate_response.context));
             } else {
                 return Err(CompilationError::user(format!(
-                    "{:?} is not allowed to switch to '{}'",
-                    auth_context, to_user
+                    "user '{:?}' is not allowed to switch to '{}'",
+                    auth_context.user(),
+                    to_user
                 )));
             }
         }

Original file line number	Diff line number	Diff line change
`@@ -466,8 +466,9 @@ impl QueryRouter {`
`466`	`466`	`.set_auth_context(Some(authenticate_response.context));`
`467`	`467`	`} else {`
`468`	`468`	`return Err(CompilationError::user(format!(`
`469`		`- "{:?} is not allowed to switch to '{}'",`
`470`		`- auth_context, to_user`
	`469`	`+ "user '{:?}' is not allowed to switch to '{}'",`
	`470`	`+ auth_context.user(),`
	`471`	`+ to_user`
`471`	`472`	`)));`
`472`	`473`	`}`
`473`	`474`	`}`