fix(cubesql): Hide security context from logs (#9761)

Author: ovr

packages/cubejs-backend-native/src/auth.rs

@@ -18,6 +18,7 @@ use crate::gateway::{
     GatewayAuthContext, GatewayAuthContextRef, GatewayAuthService, GatewayAuthenticateResponse,
     GatewayCheckAuthRequest,
 };
+use crate::utils::NonDebugInRelease;
 
 #[derive(Debug)]
 pub struct NodeBridgeAuthService {
@@ -90,7 +91,7 @@ struct CheckSQLAuthTransportResponse {
 pub struct NativeSQLAuthContext {
     pub user: Option<String>,
     pub superuser: bool,
-    pub security_context: Option<serde_json::Value>,
+    pub security_context: NonDebugInRelease<Option<serde_json::Value>>,
 }
 
 impl AuthContext for NativeSQLAuthContext {
@@ -141,7 +142,7 @@ impl SqlAuthService for NodeBridgeAuthService {
             context: Arc::new(NativeSQLAuthContext {
                 user,
                 superuser: response.superuser,
-                security_context: response.security_context,
+                security_context: NonDebugInRelease::from(response.security_context),
             }),
             password: response.password,
             skip_password_check: response.skip_password_check.unwrap_or(false),

packages/cubejs-backend-native/src/node_export.rs

@@ -18,7 +18,7 @@ use crate::sql4sql::sql4sql;
 use crate::stream::OnDrainHandler;
 use crate::tokio_runtime_node;
 use crate::transport::NodeBridgeTransport;
-use crate::utils::batch_to_rows;
+use crate::utils::{batch_to_rows, NonDebugInRelease};
 use cubenativeutils::wrappers::neon::context::neon_run_with_guarded_lifetime;
 use cubenativeutils::wrappers::neon::inner_types::NeonInnerTypes;
 use cubenativeutils::wrappers::neon::object::NeonObject;
@@ -429,7 +429,7 @@ fn exec_sql(mut cx: FunctionContext) -> JsResult<JsValue> {
     let native_auth_ctx = Arc::new(NativeSQLAuthContext {
         user: Some(String::from("unknown")),
         superuser: false,
-        security_context,
+        security_context: NonDebugInRelease::from(security_context),
     });
 
     let (deferred, promise) = cx.promise();

packages/cubejs-backend-native/src/sql4sql.rs

@@ -16,6 +16,7 @@ use crate::auth::NativeSQLAuthContext;
 use crate::config::NodeCubeServices;
 use crate::cubesql_utils::with_session;
 use crate::tokio_runtime_node;
+use crate::utils::NonDebugInRelease;
 
 enum Sql4SqlQueryType {
     Regular,
@@ -208,7 +209,7 @@ pub fn sql4sql(mut cx: FunctionContext) -> JsResult<JsValue> {
     let native_auth_ctx = Arc::new(NativeSQLAuthContext {
         user: Some(String::from("unknown")),
         superuser: false,
-        security_context,
+        security_context: NonDebugInRelease::from(security_context),
     });
 
     let (deferred, promise) = cx.promise();

packages/cubejs-backend-native/src/utils.rs

@@ -1,6 +1,8 @@
 use cubesql::{compile::engine::df::scan::RecordBatch, sql::dataframe, CubeError};
 use neon::prelude::*;
 use serde_json::Value;
+use std::fmt::Debug;
+use std::ops::{Deref, DerefMut};
 
 #[inline(always)]
 pub fn call_method<'a, AS>(
@@ -38,3 +40,45 @@ pub fn batch_to_rows(batch: RecordBatch) -> Result<(Value, Vec<Value>), CubeErro
 
     Ok((columns, rows))
 }
+
+/// Allow skipping Debug output in release builds for specific field or type.
+pub struct NonDebugInRelease<T: Debug>(T);
+
+impl<T: Debug> Debug for NonDebugInRelease<T> {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        if cfg!(debug_assertions) {
+            self.0.fmt(f)
+        } else {
+            f.debug_struct("skipped in release build").finish()
+        }
+    }
+}
+
+impl<T: Debug> From<T> for NonDebugInRelease<T> {
+    fn from(value: T) -> Self {
+        Self(value)
+    }
+}
+
+impl<T: Debug> Deref for NonDebugInRelease<T> {
+    type Target = T;
+
+    fn deref(&self) -> &Self::Target {
+        &self.0
+    }
+}
+
+impl<T: Debug> DerefMut for NonDebugInRelease<T> {
+    fn deref_mut(&mut self) -> &mut Self::Target {
+        &mut self.0
+    }
+}
+
+impl<T: Debug> Default for NonDebugInRelease<T>
+where
+    T: Default,
+{
+    fn default() -> Self {
+        Self(T::default())
+    }
+}

rust/cubesql/cubesql/src/compile/router.rs

@@ -455,7 +455,6 @@ impl QueryRouter {
                     .session_manager
                     .server
                     .auth
-                    // TODO do we want to send actual password here?
                     .authenticate(sql_auth_request, Some(to_user.clone()), None)
                     .await
                     .map_err(|e| {
@@ -465,8 +464,13 @@ impl QueryRouter {
                     .set_auth_context(Some(authenticate_response.context));
             } else {
                 return Err(CompilationError::user(format!(
-                    "{:?} is not allowed to switch to '{}'",
-                    auth_context, to_user
+                    "user '{}' is not allowed to switch to '{}'",
+                    auth_context
+                        .user()
+                        .as_ref()
+                        .map(|v| v.as_str())
+                        .unwrap_or("not specified"),
+                    to_user
                 )));
             }
         }

rust/cubesql/cubesql/src/compile/snapshots/cubesql__compile__tests__set_bad_user.snap

@@ -1,6 +1,5 @@
 ---
 source: cubesql/src/compile/mod.rs
-assertion_line: 7213
-expression: "execute_queries_with_flags(vec![\"SET user = 'bad_user'\".to_string()],\n                    DatabaseProtocol::PostgreSQL).await.err().unwrap().to_string()"
+expression: "execute_queries_with_flags(vec![\"SET user = 'bad_user'\".to_string()],\nDatabaseProtocol::PostgreSQL).await.err().unwrap().to_string()"
 ---
-Error during planning: SQLCompilationError: User: HttpAuthContext { access_token: "access_token", base_path: "base_path" } is not allowed to switch to 'bad_user'
+Error during planning: SQLCompilationError: User: user 'not specified' is not allowed to switch to 'bad_user'