Restore component.redactLine

kleimkuhler · kleimkuhler · commit d25a7940c2b8 · 2026-02-12T20:31:35.000-07:00
diff --git a/internal/component/loki/secretfilter/secretfilter.go b/internal/component/loki/secretfilter/secretfilter.go
@@ -2,6 +2,7 @@ package secretfilter
 
 import (
 	"context"
+	"crypto/sha1"
 	"fmt"
 	"strings"
 	"sync"
@@ -33,6 +34,8 @@ func init() {
 // Arguments holds values which are used to configure the secretfilter component.
 type Arguments struct {
 	ForwardTo   []loki.LogsReceiver `alloy:"forward_to,attr"`
+	RedactWith  string              `alloy:"redact_with,attr,optional"`  // Redact the secret with this string. Use $SECRET_NAME and $SECRET_HASH to include the secret name and hash
+	PartialMask uint                `alloy:"partial_mask,attr,optional"` // Show the first N characters of the secret (default: 0)
 	OriginLabel string              `alloy:"origin_label,attr,optional"` // The label name to use for tracking metrics by origin (if empty, no origin metrics are collected)
 }
 
@@ -217,15 +220,8 @@ func (c *Component) processEntry(entry loki.Entry) loki.Entry {
 	// Redact all found secrets
 	redactedLine := entry.Line
 	for _, finding := range findings {
-		// Store the original secret before redaction
-		originalSecret := finding.Secret
-
-		// Redact 80% of the secret
-		//
-		// todo(kleimkuhler): Add configuration for redaction percentage
-		finding.Redact(20)
-
-		redactedLine = strings.ReplaceAll(redactedLine, originalSecret, finding.Secret)
+		// Redact the secret using our custom redaction logic
+		redactedLine = c.redactLine(redactedLine, finding.Secret, finding.RuleID)
 
 		// Record metrics for the redacted secret
 		c.metrics.secretsRedactedTotal.Inc()
@@ -243,6 +239,41 @@ func (c *Component) processEntry(entry loki.Entry) loki.Entry {
 	return entry
 }
 
+func (c *Component) redactLine(line string, secret string, ruleName string) string {
+	var redactWith = "<REDACTED-SECRET:" + ruleName + ">"
+	if c.args.RedactWith != "" {
+		redactWith = c.args.RedactWith
+		redactWith = strings.ReplaceAll(redactWith, "$SECRET_NAME", ruleName)
+		redactWith = strings.ReplaceAll(redactWith, "$SECRET_HASH", hashSecret(secret))
+	}
+
+	// If partialMask is set, show the first N characters of the secret
+	partialMask := int(c.args.PartialMask)
+	if partialMask < 0 {
+		partialMask = 0
+	}
+	runesSecret := []rune(secret)
+	// Only do it if the secret is long enough
+	if partialMask > 0 && len(runesSecret) >= 6 {
+		// Show at most half of the secret
+		if partialMask > len(runesSecret)/2 {
+			partialMask = len(runesSecret) / 2
+		}
+		prefix := string(runesSecret[:partialMask])
+		redactWith = prefix + redactWith
+	}
+
+	line = strings.ReplaceAll(line, secret, redactWith)
+
+	return line
+}
+
+func hashSecret(secret string) string {
+	hasher := sha1.New()
+	hasher.Write([]byte(secret))
+	return fmt.Sprintf("%x", hasher.Sum(nil))
+}
+
 // Update implements component.Component.
 func (c *Component) Update(args component.Arguments) error {
 	newArgs := args.(Arguments)
diff --git a/internal/component/loki/secretfilter/secretfilter_test.go b/internal/component/loki/secretfilter/secretfilter_test.go
@@ -620,6 +620,71 @@ func TestMetricsMultipleEntries(t *testing.T) {
 			"loki_secretfilter_secrets_redacted_by_origin"))
 }
 
+func TestPartialMasking(t *testing.T) {
+	// Start testing with common cases
+	component := &Component{}
+	component.args = Arguments{PartialMask: 4}
+
+	// Too short to be partially masked
+	redacted := component.redactLine("This is a very short secret ab in a log line", "ab", "test-rule")
+	require.Equal(t, "This is a very short secret <REDACTED-SECRET:test-rule> in a log line", redacted)
+
+	// Too short to be partially masked
+	redacted = component.redactLine("This is a short secret abc12 in a log line", "abc12", "test-rule")
+	require.Equal(t, "This is a short secret <REDACTED-SECRET:test-rule> in a log line", redacted)
+
+	// Will be partially masked (limited by secret length)
+	redacted = component.redactLine("This is a longer secret abc123 in a log line", "abc123", "test-rule")
+	require.Equal(t, "This is a longer secret abc<REDACTED-SECRET:test-rule> in a log line", redacted)
+
+	// Will be partially masked
+	redacted = component.redactLine("This is a long enough secret abcd1234 in a log line", "abcd1234", "test-rule")
+	require.Equal(t, "This is a long enough secret abcd<REDACTED-SECRET:test-rule> in a log line", redacted)
+
+	// Will be partially masked
+	redacted = component.redactLine("This is the longest secret abcdef12345678 in a log line", "abcdef12345678", "test-rule")
+	require.Equal(t, "This is the longest secret abcd<REDACTED-SECRET:test-rule> in a log line", redacted)
+
+	// Test with a non-ASCII character
+	redacted = component.redactLine("This is a line with a complex secret aBc\U0001f512De\U0001f5124 in a log line", "aBc\U0001f512De\U0001f5124", "test-rule")
+	require.Equal(t, "This is a line with a complex secret aBc\U0001f512<REDACTED-SECRET:test-rule> in a log line", redacted)
+
+	// Test with different secret lengths and partial masking values
+	for partialMasking := range 20 {
+		for secretLength := range 50 {
+			if secretLength < 2 {
+				continue
+			}
+			expectedPrefixLength := 0
+			if secretLength >= 6 {
+				expectedPrefixLength = min(secretLength/2, partialMasking)
+			}
+			checkPartialMasking(t, partialMasking, secretLength, expectedPrefixLength)
+		}
+	}
+}
+
+func checkPartialMasking(t *testing.T, partialMasking int, secretLength int, expectedPrefixLength int) {
+	component := &Component{}
+	component.args = Arguments{PartialMask: uint(partialMasking)}
+
+	// Test with a simple ASCII character
+	secret := strings.Repeat("A", secretLength)
+	inputLog := fmt.Sprintf("This is a test with a secret %s in a log line", secret)
+	redacted := component.redactLine(inputLog, secret, "test-rule")
+	prefix := strings.Repeat("A", expectedPrefixLength)
+	expectedLog := fmt.Sprintf("This is a test with a secret %s<REDACTED-SECRET:test-rule> in a log line", prefix)
+	require.Equal(t, expectedLog, redacted)
+
+	// Test with a non-ASCII character
+	secret = strings.Repeat("\U0001f512", secretLength)
+	inputLog = fmt.Sprintf("This is a test with a secret %s in a log line", secret)
+	redacted = component.redactLine(inputLog, secret, "test-rule")
+	prefix = strings.Repeat("\U0001f512", expectedPrefixLength)
+	expectedLog = fmt.Sprintf("This is a test with a secret %s<REDACTED-SECRET:test-rule> in a log line", prefix)
+	require.Equal(t, expectedLog, redacted)
+}
+
 // TestArgumentsUpdate validates that the secretfilter component works correctly
 // when its arguments are updated multiple times during runtime
 func TestArgumentsUpdate(t *testing.T) {
