impl: censor API key header in traces (#14755)

Author: dbolduc

google/cloud/internal/tracing_rest_client.cc

@@ -33,6 +33,19 @@ GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_BEGIN
 
 namespace {
 
+/**
+ * The number of characters to print in an [API key].
+ *
+ * API keys are 39 characters in length. The value is a secret, so we do not
+ * want to include the entire key in our telemetry.
+ *
+ * Providing some number of characters allows applications to confirm the
+ * correct API key is in use, given that the full API key is known.
+ *
+ * [API key]: https://cloud.google.com/docs/authentication/api-keys-use
+ */
+auto constexpr kApiKeyHintLength = 12;
+
 /**
  * Extracts information from @p value, and adds it to a span.
  *
@@ -68,6 +81,11 @@ StatusOr<std::unique_ptr<RestResponse>> EndResponseSpan(
       span->SetAttribute(name, kv.second.front().substr(0, 32));
       continue;
     }
+    if (absl::EqualsIgnoreCase(kv.first, "x-goog-api-key")) {
+      span->SetAttribute(
+          name, kv.second.front().substr(0, kApiKeyHintLength) + "...");
+      continue;
+    }
     span->SetAttribute(name, kv.second.front());
   }
   if (!request_result || !(*request_result)) {

google/cloud/internal/tracing_rest_client_test.cc

@@ -278,6 +278,48 @@ TEST(TracingRestClient, WithRestContextDetails) {
                               EventNamed("gl-cpp.curl.ssl.handshake")))));
 }
 
+TEST(TracingRestClient, CensorsAuthFields) {
+  auto span_catcher = InstallSpanCatcher();
+
+  auto impl = std::make_unique<MockRestClient>();
+  EXPECT_CALL(*impl, Delete).WillOnce([](RestContext&, RestRequest const&) {
+    auto response = std::make_unique<MockRestResponse>();
+    EXPECT_CALL(*response, StatusCode)
+        .WillRepeatedly(Return(HttpStatusCode::kOk));
+    EXPECT_CALL(*response, Headers).WillRepeatedly(Return(MockHeaders()));
+    EXPECT_CALL(std::move(*response), ExtractPayload).WillOnce([] {
+      return MakeMockHttpPayloadSuccess(MockContents());
+    });
+    return std::unique_ptr<RestResponse>(std::move(response));
+  });
+
+  auto constexpr kUrl = "https://storage.googleapis.com/storage/v1/b/my-bucket";
+  RestRequest request(kUrl);
+
+  auto client = MakeTracingRestClient(std::move(impl));
+  rest_internal::RestContext context;
+  context.AddHeader("authorization", "bearer: ABCDEFGHIJKLMNOPQRSTUVWXYZ");
+  context.AddHeader("x-goog-api-key", "ABCDEFGHIJKLMNOPQRSTUVWXYZ");
+
+  auto r = client->Delete(context, request);
+  ASSERT_STATUS_OK(r);
+  auto response = *std::move(r);
+  ASSERT_THAT(response, NotNull());
+  EXPECT_THAT(response->StatusCode(), Eq(HttpStatusCode::kOk));
+  EXPECT_THAT(response->Headers(), ElementsAreArray(MockHeaders()));
+  auto contents = ReadAll(std::move(*response).ExtractPayload());
+  EXPECT_THAT(contents, IsOkAndHolds(MockContents()));
+
+  auto spans = span_catcher->GetSpans();
+  EXPECT_THAT(
+      spans,
+      Contains(SpanHasAttributes(
+          OTelAttribute<std::string>("http.request.header.authorization",
+                                     "bearer: ABCDEFGHIJKLMNOPQRSTUVWX"),
+          OTelAttribute<std::string>("http.request.header.x-goog-api-key",
+                                     "ABCDEFGHIJKL..."))));
+}
+
 TEST(TracingRestClient, CachedConnection) {
   auto span_catcher = InstallSpanCatcher();