Mask sensitive data

[fkunzmann]

I want to mask the password in my Open Policy Agent (OPA) logs.

This is my input data:

{
"decision_id":"71e99093-b980-4c67-bd0c-87fcc071571a",
"input":{
  "attributes":{
     .....
     ,
     "request":{
        "http":{
           "body":"{\r\n    \"username\": \"MyUsername\",\r\n    \"password\": \"MySecetPassword\"\r\n}",
           "headers":{
           ....
           },
           "method":"POST",
           "path":"/login",
           "protocol":"HTTP/1.1",
           "scheme":"http",
           "size":"63"
        },
        "time":"2022-09-06T05:51:13.802770Z"
     },
     ...
  },
  "parsed_body":{
     "password":"MySecetPassword",
     "username":"MyUsername"
  },
  "parsed_path":[
     "login"
  ],
  "parsed_query":{
     
  },
  "truncated_body":false,
  "version":{
     "encoding":"protojson",
     "ext_authz":"v3"
  }
},
"labels":{
  "id":"3987b552-f128-47f2-9b96-34289d677d76",
  "version":"0.35.0-envoy"
},
"level":"info",
"metrics":{
  "timer_rego_query_eval_ns":49451,
  "timer_server_handler_ns":395446
},
"msg":"Decision Log",
"path":"istio/authz/allow",
"requested_by":"",
"result":true,
"time":"2022-09-06T05:51:13Z",
"timestamp":"2022-09-06T05:51:13.804132822Z",
"type":"openpolicyagent.org/decision_logs"
}

My OPA mask rule:

mask[{"op": "upsert", "path": "/input/attributes/request/http/body", "value": x}] {
    # conditionally upsert password if it existed in the orginal event
    contains(input.attributes.request.http.body, "password")
    x := "***CENSORED***"
}

mask[{"op": "upsert", "path": "/input/parsed_body/password", "value": x}] {
    # conditionally upsert password if it existed in the orginal event
    input.parsed_body.password
    x := "***CENSORED***"
}

But when OPA checks the request, the sensitive data won't be masked with the new text. Any idea?!

I checked the rule in the The Rego Playground (https://play.openpolicyagent.org/) which was fine...

[anderseknert]

Hi @fkunzmann 👋

I've answered the same on StackOverflow, but posting here as well for posterity.

From the OPA docs on the topic, you'll see that the original input attribute may be referenced under input.input (i.e. not just input, as that's the input attribute for the masking policy itself).

package system.log

mask["/input/password"] {
  # OPA provides the entire decision log event as input to the masking policy.
  # Refer to the original input document under input.input.
  input.input.resource == "user"
}

Changing input.attributes.request.http.body to input.input.attributes.request.http.body should do it.

[anderseknert]

Yes, that is the problem then. The masking policy must be in the system.log package, like in my example.

[fkunzmann]

Hmmm ... Even with two files it doesn't work :-/

policy.rego

    package istio.authz

    import input.attributes.request.http as http_request
    import input.parsed_path

    default allow = false
    default http_method_get_post = false
    default http_method_get_put = false
    default http_method_get_post_delete = false
    default http_method_post_put_delete = false
    default http_method_put_delete = false

    ####################################################################
    ### PUBLIC #########################################################
    ####################################################################

    ### HEALTH
    allow {
        parsed_path[0] == "health"
        http_request.method == "GET"
    }
    .....

and log.rego:

    package system.log
    
    ####################################################################
    ### MASK SENSITIVE DATA ############################################
    ####################################################################

    mask[{"op": "upsert", "path": "/input/attributes/request/http/body", "value": x}] {
        # conditionally upsert password if it existed in the orginal event
        contains(input.input.attributes.request.http.body, "password")
        x := "***CENSORED***"
    }

    mask[{"op": "upsert", "path": "/input/parsed_body/password", "value": x}] {
        # conditionally upsert password if it existed in the orginal event
        input.input.parsed_body.password
        x := "***CENSORED***"
    }

Both files will be mounted to /policy in my container.
This command will be executed: "run --server --config-file=/config/config.yaml --addr=localhost:8181 --diagnostic-addr=0.0.0.0:8282 /policy/policy.rego

Do I have to mention the log.rego file as well ?

UPDATE:

My config.yaml file:

    plugins:
      envoy_ext_authz_grpc:
        addr: :9191
        path: istio/authz/allow
    decision_logs:
      console: true

[anderseknert]

Do I have to mention the log.rego file as well ?

Yeah, just point to the directory instead of the file, e.g.

run --server --config-file=/config/config.yaml --addr=localhost:8181 --diagnostic-addr=0.0.0.0:8282 /policy/

[fkunzmann]

Now it works!

But I have to add the second rego file instead if pointing to the directory
=> run --server --config-file=/config/config.yaml --addr=localhost:8181 --diagnostic-addr=0.0.0.0:8282 /policy/policy.rego /policy/log.rego

When pointing to the directory, I could some errors multiple default rules named ....

Thank you very much!
5* rating for you ;-)

[anderseknert]

That would indicate that there's something else in that directory, I guess. Either way, happy you got it working! 👍
While it might not be complete — doing follow-ups on SO is hard after all — perhaps you could mark the question as resolved there too? 🙂