cmd: add new subcommand for redacting logs (#51759)

xhebox · web-flow · commit d6de9646d0a3 · 2024-03-14T06:06:53.000Z
close #51758
diff --git a/cmd/tidb-server/BUILD.bazel b/cmd/tidb-server/BUILD.bazel
@@ -48,6 +48,7 @@ go_library(
         "//pkg/util/memory",
         "//pkg/util/metricsutil",
         "//pkg/util/printer",
+        "//pkg/util/redact",
         "//pkg/util/sem",
         "//pkg/util/signal",
         "//pkg/util/stmtsummary/v2:stmtsummary",
diff --git a/cmd/tidb-server/main.go b/cmd/tidb-server/main.go
@@ -72,6 +72,7 @@ import (
 	"github.com/pingcap/tidb/pkg/util/memory"
 	"github.com/pingcap/tidb/pkg/util/metricsutil"
 	"github.com/pingcap/tidb/pkg/util/printer"
+	"github.com/pingcap/tidb/pkg/util/redact"
 	"github.com/pingcap/tidb/pkg/util/sem"
 	"github.com/pingcap/tidb/pkg/util/signal"
 	stmtsummaryv2 "github.com/pingcap/tidb/pkg/util/stmtsummary/v2"
@@ -122,6 +123,8 @@ const (
 	nmRepairList       = "repair-list"
 	nmTempDir          = "temp-dir"
 
+	nmRedact = "redact"
+
 	nmProxyProtocolNetworks      = "proxy-protocol-networks"
 	nmProxyProtocolHeaderTimeout = "proxy-protocol-header-timeout"
 	nmProxyProtocolFallbackable  = "proxy-protocol-fallbackable"
@@ -173,6 +176,9 @@ var (
 	metricsAddr     *string
 	metricsInterval *uint
 
+	// subcommand collect-log
+	redactFlag *bool
+
 	// PROXY Protocol
 	proxyProtocolNetworks      *string
 	proxyProtocolHeaderTimeout *uint
@@ -227,6 +233,9 @@ func initFlagSet() *flag.FlagSet {
 	metricsAddr = fset.String(nmMetricsAddr, "", "prometheus pushgateway address, leaves it empty will disable prometheus push.")
 	metricsInterval = fset.Uint(nmMetricsInterval, 15, "prometheus client push interval in second, set \"0\" to disable prometheus push.")
 
+	// subcommand collect-log
+	redactFlag = flagBoolean(fset, nmRedact, false, "remove sensitive words from marked tidb logs, if `./tidb-server --redact=xxx collect-log <input> <output>` subcommand is used")
+
 	// PROXY Protocol
 	proxyProtocolNetworks = fset.String(nmProxyProtocolNetworks, "", "proxy protocol networks allowed IP or *, empty mean disable proxy protocol support")
 	proxyProtocolHeaderTimeout = fset.Uint(nmProxyProtocolHeaderTimeout, 5, "proxy protocol header read timeout, unit is second. (Deprecated: as proxy protocol using lazy mode, header read timeout no longer used)")
@@ -253,6 +262,16 @@ func initFlagSet() *flag.FlagSet {
 
 func main() {
 	fset := initFlagSet()
+	if args := fset.Args(); len(args) != 0 {
+		if args[0] == "collect-logs" && len(args) > 1 {
+			output := "-"
+			if len(args) > 2 {
+				output = args[2]
+			}
+			terror.MustNil(redact.DeRedactFile(*redactFlag, args[1], output))
+			return
+		}
+	}
 	config.InitializeConfig(*configPath, *configCheck, *configStrict, overrideConfig, fset)
 	if *version {
 		setVersions()
diff --git a/pkg/util/redact/BUILD.bazel b/pkg/util/redact/BUILD.bazel
@@ -5,6 +5,7 @@ go_library(
     srcs = ["redact.go"],
     importpath = "github.com/pingcap/tidb/pkg/util/redact",
     visibility = ["//visibility:public"],
+    deps = ["@com_github_pingcap_errors//:errors"],
 )
 
 go_test(
diff --git a/pkg/util/redact/redact.go b/pkg/util/redact/redact.go
@@ -15,8 +15,15 @@
 package redact
 
 import (
+	"bufio"
+	"bytes"
 	"fmt"
+	"io"
+	"os"
+	"path/filepath"
 	"strings"
+
+	"github.com/pingcap/errors"
 )
 
 var (
@@ -60,3 +67,108 @@ func (s redactStringer) String() string {
 func Stringer(mode string, input fmt.Stringer) redactStringer {
 	return redactStringer{mode, input}
 }
+
+// DeRedactFile will deredact the input file, either removing marked contents, or remove the marker. It works line by line.
+func DeRedactFile(remove bool, input string, output string) error {
+	ifile, err := os.Open(filepath.Clean(input))
+	if err != nil {
+		return errors.WithStack(err)
+	}
+	defer ifile.Close()
+
+	var ofile io.Writer
+	if output == "-" {
+		ofile = os.Stdout
+	} else {
+		//nolint: gosec
+		file, err := os.OpenFile(filepath.Clean(output), os.O_TRUNC|os.O_CREATE|os.O_WRONLY, 0644)
+		if err != nil {
+			return errors.WithStack(err)
+		}
+		defer file.Close()
+		ofile = file
+	}
+
+	return DeRedact(remove, ifile, ofile, "\n")
+}
+
+// DeRedact is similar to DeRedactFile, but act on reader/writer, it works line by line.
+func DeRedact(remove bool, input io.Reader, output io.Writer, sep string) error {
+	sc := bufio.NewScanner(input)
+	out := bufio.NewWriter(output)
+	defer out.Flush()
+	buf := bytes.NewBuffer(nil)
+	s := bufio.NewReader(nil)
+
+	for sc.Scan() {
+		s.Reset(strings.NewReader(sc.Text()))
+		start := false
+		for {
+			ch, _, err := s.ReadRune()
+			if err == io.EOF {
+				break
+			}
+			if err != nil {
+				return errors.WithStack(err)
+			}
+			if ch == '‹' {
+				if start {
+					// must be '<'
+					pch, _, err := s.ReadRune()
+					if err != nil {
+						return errors.WithStack(err)
+					}
+					if pch == ch {
+						_, _ = buf.WriteRune(ch)
+					} else {
+						_, _ = buf.WriteRune(ch)
+						_, _ = buf.WriteRune(pch)
+					}
+				} else {
+					start = true
+					buf.Reset()
+				}
+			} else if ch == '›' {
+				if start {
+					// peek the next
+					pch, _, err := s.ReadRune()
+					if err != nil && err != io.EOF {
+						return errors.WithStack(err)
+					}
+					if pch == ch {
+						_, _ = buf.WriteRune(ch)
+					} else {
+						start = false
+						if err != io.EOF {
+							// unpeek it
+							if err := s.UnreadRune(); err != nil {
+								return errors.WithStack(err)
+							}
+						}
+						if remove {
+							_ = out.WriteByte('?')
+						} else {
+							_, err = io.Copy(out, buf)
+							if err != nil {
+								return errors.WithStack(err)
+							}
+						}
+					}
+				} else {
+					_, _ = out.WriteRune(ch)
+				}
+			} else if start {
+				_, _ = buf.WriteRune(ch)
+			} else {
+				_, _ = out.WriteRune(ch)
+			}
+		}
+		if start {
+			_, _ = out.WriteRune('‹')
+			_, _ = out.WriteString(buf.String())
+		}
+		_, _ = out.WriteString(sep)
+	}
+
+	return nil
+}
diff --git a/pkg/util/redact/redact_test.go b/pkg/util/redact/redact_test.go
@@ -15,6 +15,8 @@
 package redact
 
 import (
+	"bytes"
+	"strings"
 	"testing"
 
 	"github.com/stretchr/testify/require"
@@ -44,3 +46,32 @@ func TestRedact(t *testing.T) {
 		require.Equal(t, c.output, Stringer(c.mode, &testStringer{c.input}).String())
 	}
 }
+
+func TestDeRedact(t *testing.T) {
+	for _, c := range []struct {
+		remove bool
+		input  string
+		output string
+	}{
+		{true, "‹fxcv›ggg", "?ggg"},
+		{false, "‹fxcv›ggg", "fxcvggg"},
+		{true, "fxcv", "fxcv"},
+		{false, "fxcv", "fxcv"},
+		{true, "‹fxcv›ggg‹fxcv›eee", "?ggg?eee"},
+		{false, "‹fxcv›ggg‹fxcv›eee", "fxcvgggfxcveee"},
+		{true, "‹›", "?"},
+		{false, "‹›", ""},
+		{true, "gg‹ee", "gg‹ee"},
+		{false, "gg‹ee", "gg‹ee"},
+		{true, "gg›ee", "gg›ee"},
+		{false, "gg›ee", "gg›ee"},
+		{true, "gg‹ee‹ee", "gg‹ee‹ee"},
+		{false, "gg‹ee‹gg", "gg‹ee‹gg"},
+		{true, "gg›ee›gg", "gg›ee›gg"},
+		{false, "gg›ee›ee", "gg›ee›ee"},
+	} {
+		w := bytes.NewBuffer(nil)
+		require.NoError(t, DeRedact(c.remove, strings.NewReader(c.input), w, ""))
+		require.Equal(t, c.output, w.String())
+	}
+}

Original file line number	Diff line number	Diff line change
`@@ -5,6 +5,7 @@ go_library(`
`5`	`5`	`srcs = ["redact.go"],`
`6`	`6`	`importpath = "github.com/pingcap/tidb/pkg/util/redact",`
`7`	`7`	`visibility = ["//visibility:public"],`
	`8`	`+ deps = ["@com_github_pingcap_errors//:errors"],`
`8`	`9`	`)`
`9`	`10`
`10`	`11`	`go_test(`