Merge pull request #50672 from sberyozkin/http_access_log_mask_authorization_header

sberyozkin · web-flow · commit 365da76b4c50 · 2025-10-28T10:13:11.000Z
Mask some HTTP headers in the HTTP access log
diff --git a/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/AccessLogConfig.java b/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/AccessLogConfig.java
@@ -1,6 +1,7 @@
 package io.quarkus.vertx.http.runtime;
 
 import java.util.Optional;
+import java.util.Set;
 
 import io.smallrye.config.WithDefault;
 
@@ -26,10 +27,28 @@ public interface AccessLogConfig {
      * - long: `%r\n%{ALL_REQUEST_HEADERS}`
      * <p>
      * Otherwise, consult the Quarkus documentation for the full list of variables that can be used.
+     *
+     * Note that enabling the `%{ALL_REQUEST_HEADERS}` attribute directly or with a `long` named format introduces a risk
+     * of sensitive header values being logged.
+     * <p>
+     * HTTP `Authorization` header value is always masked. Use the {@link #maskedHeaders()} property to mask other sensitive
+     * headers.
      */
     @WithDefault("common")
     String pattern();
 
+    /**
+     * Set of HTTP headers whose values must be masked when the `%{ALL_REQUEST_HEADERS}` attribute
+     * is enabled with the {@link #pattern()} property.
+     */
+    Optional<Set<String>> maskedHeaders();
+
+    /**
+     * Set of HTTP Cookie headers whose values must be masked when the `%{ALL_REQUEST_HEADERS}` attribute
+     * is enabled with the {@link #pattern()} property.
+     */
+    Optional<Set<String>> maskedCookies();
+
     /**
      * If logging should be done to a separate file.
      */
diff --git a/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/attribute/AllRequestHeadersAttribute.java b/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/attribute/AllRequestHeadersAttribute.java
@@ -1,36 +1,108 @@
 package io.quarkus.vertx.http.runtime.attribute;
 
 import java.util.Map;
+import java.util.Set;
 import java.util.StringJoiner;
+import java.util.stream.Collectors;
 
+import org.eclipse.microprofile.config.ConfigProvider;
+
+import io.quarkus.vertx.http.runtime.AccessLogConfig;
+import io.quarkus.vertx.http.runtime.VertxHttpConfig;
+import io.smallrye.config.SmallRyeConfig;
 import io.vertx.core.MultiMap;
+import io.vertx.core.http.HttpHeaders;
 import io.vertx.ext.web.RoutingContext;
 
 public class AllRequestHeadersAttribute implements ExchangeAttribute {
 
-    public static final AllRequestHeadersAttribute INSTANCE = new AllRequestHeadersAttribute();
+    private static final String AUTHORIZATION_HEADER = String.valueOf(HttpHeaders.AUTHORIZATION).toLowerCase();
+    private static final String COOKIE_HEADER = String.valueOf(HttpHeaders.COOKIE).toLowerCase();
+
+    private final Set<String> maskedHeaders;
+    private final Set<String> maskedCookies;
 
-    private AllRequestHeadersAttribute() {
+    AllRequestHeadersAttribute() {
+        this(Set.of(), Set.of());
+    }
+
+    AllRequestHeadersAttribute(AccessLogConfig config) {
+        this(config.maskedHeaders().orElse(Set.of()), config.maskedCookies().orElse(Set.of()));
+    }
 
+    AllRequestHeadersAttribute(Set<String> maskedHeaders, Set<String> maskedCookies) {
+        this.maskedHeaders = toLowerCaseStringSet(maskedHeaders);
+        this.maskedCookies = toLowerCaseStringSet(maskedCookies);
+    }
+
+    private static Set<String> toLowerCaseStringSet(Set<String> set) {
+        return set.stream().map(String::toLowerCase).collect(Collectors.toSet());
     }
 
     @Override
     public String readAttribute(RoutingContext exchange) {
-        final MultiMap headers = exchange.request().headers();
+        return readAttribute(exchange.request().headers());
+    }
 
+    String readAttribute(MultiMap headers) {
         if (headers.isEmpty()) {
             return null;
         } else {
             final StringJoiner joiner = new StringJoiner(System.lineSeparator());
 
             for (Map.Entry<String, String> header : headers) {
-                joiner.add(header.getKey() + ": " + header.getValue());
+                joiner.add(header.getKey() + ": " + maskHeaderValue(header.getKey(), header.getValue()));
             }
 
             return joiner.toString();
         }
     }
 
+    String maskHeaderValue(String headerName, String headerValue) {
+        if (headerValue == null) {
+            return null;
+        }
+
+        String headerNameLowerCase = headerName.toLowerCase();
+
+        if (AUTHORIZATION_HEADER.equals(headerNameLowerCase)) {
+            return maskAuthorizationHeaderValue(headerValue);
+        }
+
+        if (COOKIE_HEADER.equals(headerNameLowerCase)) {
+            return maskCookieHeaderValue(headerValue);
+        }
+
+        if (maskedHeaders.contains(headerNameLowerCase)) {
+            return "...";
+        }
+
+        return headerValue;
+    }
+
+    private String maskAuthorizationHeaderValue(String headerValue) {
+        int idx = headerValue.indexOf(' ');
+        final String scheme = idx > 0 ? headerValue.substring(0, idx) : null;
+
+        if (scheme != null) {
+            return scheme + " ...";
+        } else {
+            return "...";
+        }
+    }
+
+    private String maskCookieHeaderValue(String headerValue) {
+        int idx = headerValue.indexOf('=');
+
+        final String cookieName = idx > 0 ? headerValue.substring(0, idx) : null;
+
+        if (cookieName != null && maskedCookies.contains(cookieName.toLowerCase())) {
+            return cookieName + "=...";
+        }
+
+        return headerValue;
+    }
+
     @Override
     public void writeAttribute(RoutingContext exchange, String newValue) throws ReadOnlyAttributeException {
         throw new ReadOnlyAttributeException("Headers", newValue);
@@ -46,7 +118,7 @@ public String name() {
         @Override
         public ExchangeAttribute build(final String token) {
             if (token.equals("%{ALL_REQUEST_HEADERS}")) {
-                return INSTANCE;
+                return new AllRequestHeadersAttribute(getConfigMapping());
             }
             return null;
         }
@@ -55,6 +127,12 @@ public ExchangeAttribute build(final String token) {
         public int priority() {
             return 0;
         }
+
+        private static AccessLogConfig getConfigMapping() {
+            SmallRyeConfig config = ConfigProvider.getConfig().unwrap(SmallRyeConfig.class);
+            return config.getConfigMapping(VertxHttpConfig.class).accessLog();
+        }
+
     }
 
 }
diff --git a/extensions/vertx-http/runtime/src/test/java/io/quarkus/vertx/http/runtime/attribute/AllRequestHeadersAttributeTest.java b/extensions/vertx-http/runtime/src/test/java/io/quarkus/vertx/http/runtime/attribute/AllRequestHeadersAttributeTest.java
@@ -0,0 +1,43 @@
+package io.quarkus.vertx.http.runtime.attribute;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+import org.junit.jupiter.api.Test;
+
+import io.vertx.core.MultiMap;
+
+class AllRequestHeadersAttributeTest {
+
+    @Test
+    void testHeaderValueNotMasked() {
+        MultiMap headers = MultiMap.caseInsensitiveMultiMap();
+        headers.add("Content-Type", "application/json");
+        String attribute = new AllRequestHeadersAttribute().readAttribute(headers);
+        assertEquals("Content-Type: application/json", attribute);
+    }
+
+    @Test
+    void testAuthorizationBearerValueMasked() {
+        MultiMap headers = MultiMap.caseInsensitiveMultiMap();
+        headers.add("Authorization", "Bearer token");
+        String attribute = new AllRequestHeadersAttribute().readAttribute(headers);
+        assertEquals("Authorization: Bearer ...", attribute);
+    }
+
+    @Test
+    void testAuthorizationSchemeValueMasked() {
+        MultiMap headers = MultiMap.caseInsensitiveMultiMap();
+        headers.add("Authorization", "DPoP token");
+        String attribute = new AllRequestHeadersAttribute().readAttribute(headers);
+        assertEquals("Authorization: DPoP ...", attribute);
+    }
+
+    @Test
+    void testAuthorizationValueMasked() {
+        MultiMap headers = MultiMap.caseInsensitiveMultiMap();
+        headers.add("authorization", "token");
+        String attribute = new AllRequestHeadersAttribute().readAttribute(headers);
+        assertEquals("authorization: ...", attribute);
+    }
+
+}
diff --git a/integration-tests/vertx-http/src/main/resources/application.properties b/integration-tests/vertx-http/src/main/resources/application.properties
@@ -17,6 +17,9 @@ quarkus.http.access-log.enabled=true
 quarkus.http.access-log.log-to-file=true
 quarkus.http.access-log.base-file-name=quarkus-access-log
 quarkus.http.access-log.log-directory=target
+quarkus.http.access-log.pattern=%h %l %u %t "%r" %s %b \n%{ALL_REQUEST_HEADERS}
+quarkus.http.access-log.masked-headers=X-token
+quarkus.http.access-log.masked-cookies=session
 quarkus.http.cors.enabled=true
 quarkus.http.cors.origins=*
 quarkus.http.cors.methods=POST,GET,PUT,OPTIONS,DELETE
diff --git a/integration-tests/vertx-http/src/test/java/io/quarkus/it/vertx/AccessLogTestCase.java b/integration-tests/vertx-http/src/test/java/io/quarkus/it/vertx/AccessLogTestCase.java
@@ -29,7 +29,12 @@ public void testAccessLogContent() {
         final Path accessLogFilePath = logDirectory.resolve("quarkus-access-log.log");
         final String queryParamVal = UUID.randomUUID().toString();
         final String targetUri = "/simple/access-log-test-endpoint?foo=" + queryParamVal;
-        RestAssured.when().get(targetUri).then().body(containsString("passed"));
+        RestAssured.given().auth().oauth2("bearer-access-token").accept("text/plain")
+                .header("x-Token", "xtoken")
+                .header("Cookie", "Session=encrypted")
+                .header("Cookie", "visitcount=1")
+                .get(targetUri)
+                .then().body(containsString("passed"));
         Awaitility.given().pollInterval(100, TimeUnit.MILLISECONDS)
                 .atMost(10, TimeUnit.SECONDS)
                 .untilAsserted(new ThrowingRunnable() {
@@ -48,6 +53,16 @@ public void run() throws Throwable {
                                 "access log is missing query params");
                         Assertions.assertFalse(line.contains("?foo=" + queryParamVal + "?foo=" + queryParamVal),
                                 "access log contains duplicated query params");
+                        Assertions.assertTrue(line.contains("Accept: text/plain"),
+                                "access log doesn't contain the HTTP Accept header with a text/plain media type");
+                        Assertions.assertTrue(line.contains("Authorization: Bearer ..."),
+                                "access log must contain a masked value of the HTTP Authorizaton header's Bearer scheme");
+                        Assertions.assertTrue(line.contains("x-Token: ..."),
+                                "access log must contain a masked value of the HTTP X-Token header");
+                        Assertions.assertTrue(line.contains("Cookie: visitcount=1"),
+                                "access log doesn't contain the HTTP Cookie visitorcount header with a value 1");
+                        Assertions.assertTrue(line.contains("Cookie: Session=..."),
+                                "access log must contain a masked value of the HTTP Cookie session header");
                     }
                 });
     }
