Fix: Security tokens are logged verbatim (DataBiosphere/azul-private#377)

[hannes-ucsc]

Linked issues: DataBiosphere/azul-private#377

Checklist

Author

• PR is assigned to the author
• Status of PR is In progress
• PR is a draft
• Target branch is develop
• Name of PR branch matches issues/<GitHub handle of author>/<issue#>-<slug>
• PR is linked to all issues it (partially) resolves
• Status of linked issues is In progress
• PR description links to linked issues
• PR title matches¹ that of a linked issue _{or comment in PR explains why they're different}
• PR title references all linked issues
• For each linked issue, there is at least one commit whose title references that issue

¹ when the issue title describes a problem, the corresponding PR
title is Fix: followed by the issue title

Author (partiality)

• Added p tag to titles of partial commits
• This PR is labeled partial _{or completely resolves all linked issues}
• This PR partially resolves each of the linked issues _{or does not have the partial label}

Author (reindex)

• Added r tag to commit title _{or the changes introduced by this PR will not require reindexing of any deployment}
• This PR is labeled reindex:dev _{or the changes introduced by it will not require reindexing of dev}
• This PR is labeled reindex:anvildev _{or the changes introduced by it will not require reindexing of anvildev}
• This PR is labeled reindex:anvilprod _{or the changes introduced by it will not require reindexing of anvilprod}
• This PR is labeled reindex:prod _{or the changes introduced by it will not require reindexing of prod}
• This PR is labeled reindex:partial and its description documents the specific reindexing procedure for dev, anvildev, anvilprod and prod _{or requires a full reindex or carries none of the labels reindex:dev, reindex:anvildev, reindex:anvilprod and reindex:prod}

Author (mirror)

• This PR is labeled mirror:dev _{or the changes introduced by it will not require mirroring of dev}
• This PR is labeled mirror:anvildev _{or the changes introduced by it will not require mirroring of anvildev}
• This PR is labeled mirror:anvilprod _{or the changes introduced by it will not require mirroring of anvilprod}
• This PR is labeled mirror:prod _{or the changes introduced by it will not require mirroring of prod}
• This PR is labeled mirror:partial and its description documents the specific mirroring procedure for dev, anvildev, anvilprod and prod _{or requires a full mirroring or carries none of the labels mirror:dev, mirror:anvildev, mirror:anvilprod and mirror:prod}

Author (API changes)

• This PR and its linked issues are labeled API _{or this PR does not modify a REST API}
• Added a (A) tag to commit title for backwards (in)compatible changes _{or this PR does not modify a REST API}
• Updated REST API version number in app.py _{or this PR does not modify a REST API}

Author (upgrading deployments)

• Ran make docker_images.json and committed the resulting changes _{or this PR does not modify azul_docker_images, or any other variables referenced in the definition of that variable}
• Documented upgrading of deployments in UPGRADING.rst _{or this PR does not require upgrading deployments}
• Added u tag to commit title _{or this PR does not require upgrading deployments}
• This PR is labeled upgrade _{or does not require upgrading deployments}
• This PR is labeled deploy:shared _{or does not modify docker_images.json, and does not require deploying the shared component for any other reason}
• This PR is labeled deploy:gitlab _{or does not require deploying the gitlab component}
• This PR is labeled deploy:runner _{or does not require deploying the runner image}

Author (hotfixes)

• Added F tag to main commit title _{or this PR does not include permanent fix for a temporary hotfix}
• Reverted the temporary hotfixes for any linked issues _{or the none of the stable branches (anvilprod and prod) have temporary hotfixes for any of the issues linked to this PR}

Author (before every review)

• Rebased PR branch on develop, squashed fixups from prior reviews
• Ran make requirements_update _{or this PR does not modify Dockerfile, environment, requirements*.txt, common.mk, Makefile or environment.boot}
• Added R tag to commit title _{or this PR does not modify requirements*.txt}
• This PR is labeled reqs _{or does not modify requirements*.txt}
• make integration_test passes in personal deployment _{or this PR does not modify functionality that could affect the IT outcome}
• PR is awaiting requested review from a peer
• Status of PR is Review requested
• PR is assigned to only the peer and the author

Peer reviewer (after approval)

Note that after requesting changes, the PR must be assigned to only the author.

• Actually approved the PR
• PR is not a draft
• PR is awaiting requested review from system administrator
• Status of PR is Review requested
• PR is assigned to only the system administrator and the author

System administrator (after approval)

• Actually approved the PR
• Labeled linked issues as demo or no demo
• Commented on linked issues about demo expectations _{or all linked issues are labeled no demo}
• Decided if PR can be labeled no sandbox
• A comment to this PR details the completed security design review
• PR title is appropriate as title of merge commit
• N reviews label is accurate
• Status of PR is Approved
• PR is assigned to only the operator and the author

Operator

• Checked reindex:… labels and r commit title tag
• Checked mirror:… labels
• Checked that demo expectations are clear _{or all linked issues are labeled no demo}
• Squashed PR branch and rebased onto develop
• Sanity-checked history
• Pushed PR branch to GitHub

Operator (deploy .shared and .gitlab components)

• Ran _select dev.shared && CI_COMMIT_REF_NAME=develop make -C terraform/shared apply_keep_unused _{or this PR is not labeled deploy:shared}
• Ran _select dev.gitlab && CI_COMMIT_REF_NAME=develop make -C terraform/gitlab apply _{or this PR is not labeled deploy:gitlab}
• Ran _select anvildev.shared && CI_COMMIT_REF_NAME=develop make -C terraform/shared apply_keep_unused _{or this PR is not labeled deploy:shared}
• Ran _select anvildev.gitlab && CI_COMMIT_REF_NAME=develop make -C terraform/gitlab apply _{or this PR is not labeled deploy:gitlab}
• Checked the items in the next section _{or this PR is labeled deploy:gitlab}
• PR is assigned to only the system administrator and the author _{or this PR is not labeled deploy:gitlab}

System administrator (post-deploy of .gitlab component)

• Background migrations for dev.gitlab are complete _{or this PR is not labeled deploy:gitlab}
• Background migrations for anvildev.gitlab are complete _{or this PR is not labeled deploy:gitlab}
• PR is assigned to only the operator and the author

Operator (deploy runner image)

• Ran _select dev.gitlab && make -C terraform/gitlab/runner _{or this PR is not labeled deploy:runner}
• Ran _select anvildev.gitlab && make -C terraform/gitlab/runner _{or this PR is not labeled deploy:runner}

Operator (sandbox build)

• Added sandbox label _{or PR is labeled no sandbox}
• Pushed PR branch to GitLab dev _{or PR is labeled no sandbox}
• Pushed PR branch to GitLab anvildev _{or PR is labeled no sandbox}
• Build passes in sandbox deployment _{or PR is labeled no sandbox}
• Build passes in anvilbox deployment _{or PR is labeled no sandbox}
• Reviewed build logs for anomalies in sandbox deployment _{or PR is labeled no sandbox}
• Reviewed build logs for anomalies in anvilbox deployment _{or PR is labeled no sandbox}
• Applied upgrade instructions from UPGRADING.rst to sandbox _{or this PR is not labeled upgrade, or upgrade instructions do not apply to sandbox}
• Applied upgrade instructions from UPGRADING.rst to anvilbox _{or this PR is not labeled upgrade, or upgrade instructions do not apply to anvilbox}
• Deleted unreferenced indices in sandbox _{or this PR does not remove catalogs or otherwise causes unreferenced indices in sandbox}
• Deleted unreferenced indices in anvilbox _{or this PR does not remove catalogs or otherwise causes unreferenced indices in anvilbox}
• Started reindex in sandbox _{or this PR is not labeled reindex:dev}
• Started reindex in anvilbox _{or this PR is not labeled reindex:anvildev}
• Checked for failures in sandbox _{or this PR is not labeled reindex:dev}
• Checked for failures in anvilbox _{or this PR is not labeled reindex:anvildev}
• Started mirroring in sandbox _{or this PR is not labeled mirror:dev}
• Started mirroring in anvilbox _{or this PR is not labeled mirror:anvildev}
• Checked for failures in sandbox _{or this PR is not labeled mirror:dev}
• Checked for failures in anvilbox _{or this PR is not labeled mirror:anvildev}

Operator (merge the branch)

• All status checks passed and the PR is mergeable
• The title of the merge commit starts with the title of this PR
• Added PR # reference to merge commit title
• Collected commit title tags in merge commit title _{but only included p if the PR is also labeled partial}
• Pushed merge commit to GitHub
• Status of PR is Merged lower
• Status of blocked issues is Triage _{or no issues are blocked on the linked issues}

Operator (main build)

• Pushed merge commit to GitLab dev
• Pushed merge commit to GitLab anvildev
• Build passes on GitLab dev
• Reviewed build logs for anomalies on GitLab dev
• Build passes on GitLab anvildev
• Reviewed build logs for anomalies on GitLab anvildev
• Applied upgrade instructions from UPGRADING.rst to dev _{or this PR is not labeled upgrade, or upgrade instructions do not apply to dev}
• Applied upgrade instructions from UPGRADING.rst to anvildev _{or this PR is not labeled upgrade, or upgrade instructions do not apply to anvildev}
• Notified developers to apply upgrade instructions from UPGRADING.rst to their personal deployments _{or this PR is not labeled upgrade, or upgrade instructions do not apply to personal deployments}
• Ran _select dev.shared && make -C terraform/shared apply _{or this PR is not labeled deploy:shared}
• Ran _select anvildev.shared && make -C terraform/shared apply _{or this PR is not labeled deploy:shared}
• Deleted PR branch from GitHub
• PR is assigned to only the operator
• Deleted PR branch from GitLab dev
• Deleted PR branch from GitLab anvildev
• Status of linked issues is Lower, or Triage, if PR is partial

Operator (reindex)

• Deindexed all unreferenced catalogs in dev _{or this PR is neither labeled reindex:partial nor reindex:dev}
• Deindexed all unreferenced catalogs in anvildev _{or this PR is neither labeled reindex:partial nor reindex:anvildev}
• Deindexed specific sources in dev _{or this PR is neither labeled reindex:partial nor reindex:dev}
• Deindexed specific sources in anvildev _{or this PR is neither labeled reindex:partial nor reindex:anvildev}
• Indexed specific sources in dev _{or this PR is neither labeled reindex:partial nor reindex:dev}
• Indexed specific sources in anvildev _{or this PR is neither labeled reindex:partial nor reindex:anvildev}
• Started reindex in dev _{or this PR does not require reindexing dev}
• Started reindex in anvildev _{or this PR does not require reindexing anvildev}
• Checked for, triaged and possibly requeued messages in both fail queues in dev _{or this PR does not require reindexing dev}
• Checked for, triaged and possibly requeued messages in both fail queues in anvildev _{or this PR does not require reindexing anvildev}
• Emptied fail queues in dev _{or this PR does not require reindexing dev}
• Emptied fail queues in anvildev _{or this PR does not require reindexing anvildev}
• Restarted the Data Browser pipeline for the ucsc/hca/dev branch on GitLab in dev _{or this PR does not require reindexing dev}
• Restarted the Data Browser pipeline for the ucsc/lungmap/dev branch on GitLab in dev _{or this PR does not require reindexing dev}
• Restarted deploy_browser job in the GitLab pipeline for this PR in dev _{or this PR does not require reindexing dev}
• Restarted the Data Browser pipeline for the ucsc/anvil/anvildev branch on GitLab in anvildev _{or this PR does not require reindexing anvildev}
• Restarted deploy_browser job in the GitLab pipeline for this PR in anvildev _{or this PR does not require reindexing anvildev}

Operator (mirroring)

• Started mirroring in dev _{or this PR is not labelled mirror:dev}
• Started mirroring in anvildev _{or this PR is not labelled mirror:anvildev}
• Checked for, triaged and possibly requeued messages in mirror fail queue in dev _{or this PR is not labelled mirror:dev}
• Checked for, triaged and possibly requeued messages in mirror fail queue in anvildev _{or this PR is not labelled mirror:anvildev}
• Emptied mirror fail queue in dev _{or this PR is not labelled mirror:dev}
• Emptied mirror fail queue in anvildev _{or this PR is not labelled mirror:anvildev}

Operator

• Propagated the upgrade and API labels to the next promotion PRs _{or this PR carries neither of these labels}
• Propagated the deploy:shared, deploy:gitlab, deploy:runner, reindex:partial, reindex:anvilprod, reindex:prod, mirror:partial, mirror:anvilprod and mirror:prod labels to the next promotion PRs _{or this PR carries none of these labels}
• Propagated any specific instructions related to the deploy:shared, deploy:gitlab, deploy:runner, reindex:partial, reindex:anvilprod, reindex:prod, mirror:partial, mirror:anvilprod and mirror:prod labels, from the description of this PR to that of the next promotion PRs _{or this PR carries none of these labels}
• PR is assigned to no one

Shorthand for review comments

• L line is too long
• W line wrapping is wrong
• Q bad quotes
• F other formatting problem

[coveralls]

coverage: 84.791% (-0.008%) from 84.799% — issues/hannes-ucsc/377-redact into develop

[codecov]

Codecov Report

❌ Patch coverage is 90.00000% with 9 lines in your changes missing coverage. Please review.
✅ Project coverage is 84.71%. Comparing base (7c48a44) to head (a5572b9).

Files with missing lines	Patch %	Lines
src/azul/oauth2.py	16.66%	5 Missing ⚠️
src/azul/auth.py	83.33%	2 Missing ⚠️
test/integration_test.py	0.00%	2 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff             @@
##           develop    #8085      +/-   ##
===========================================
- Coverage    84.72%   84.71%   -0.01%     
===========================================
  Files          165      165              
  Lines        24254    24294      +40     
===========================================
+ Hits         20548    20580      +32     
- Misses        3706     3714       +8     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[hannes-ucsc]

(Posted by Claude Code)

Security Design Review: Secret Redaction in Logs (#377)

Objective

Prevent APATs (JWTs), OAuth 2.0 access tokens, refresh tokens, and authorization codes from appearing unredacted in CloudWatch and GitLab CI logs.

Threat Model

Secrets logged verbatim can be exfiltrated by anyone with read access to CloudWatch log groups or GitLab CI job logs, enabling token replay attacks.

Changes Reviewed

13 files changed across the branch (14 commits, excluding CI-only changes).

Findings

1. Redaction coverage — ADEQUATE

All identified log emission sites are now covered:

• Request headers (chalice.py — _LogJSONEncoder)
• Request/response headers (http.py — _redact_headers / _redact_header)
• Request/response bodies (logging.py — http_body_log_message)
• HTTP client URLs (http.py — LoggingHttpClient.urlopen)
• Authentication objects (auth.py — __str__ vs __repr__ convention)
• User service log statements (user_service.py — 8 call sites switched from %r/.redacted() to %s)
• Integration test curl command (integration_test.py)
• Boto3/DynamoDB request/response bodies (deployment.py — via http_body_log_message)

2. Regex pattern specificity — ACCEPTABLE with caveats

• JWTs (ey[IJ]...): Strong prefix, low false-positive risk.
• Access tokens (ya29.): Strong prefix, low false-positive risk.
• Refresh tokens (1// + 2 digits + exactly 98 base64url chars): Tight constraint, low false-positive risk.
• Authorization codes (4/ + 1 digit + exactly 70 base64url chars): Tight constraint. The initial unbounded 4/ pattern caused a false positive (4/site-packages), correctly caught and fixed.
• Risk: These patterns are based on observed token formats, not documented specifications. The assert_redactable assertions at validation sites mitigate this — if Google changes token formats, assertions will fire before unredacted tokens reach logs.

3. Fallback in _redact_header — SECURE

When redact(value, fullmatch=True) doesn't match on an authorization header (unrecognized auth scheme), the entire value is replaced with 'REDACTED'. This is the correct fail-closed behavior. Non-authorization headers that don't match are passed through unchanged.

4. fullmatch=True optimization — CORRECT

Used at sites where the string is known to be an isolated token (header values, redact_json values, BearerTokenAuthentication.__str__). This avoids unnecessary scanning and cannot miss secrets since the entire string is the token.

5. OpenSearch redact=False — ACCEPTABLE

OpenSearch request/response bodies don't contain user secrets (they contain index data). Skipping redaction avoids a performance penalty on potentially large bodies. This is a conscious, documented trade-off.

6. repr() vs str() convention on Authentication — SECURE

str() produces redacted output (safe for logs), repr() produces unredacted output (for debugging). The __str__ method is abstract on Authentication, forcing all subclasses to implement it. All log statements use %s (which calls str()).

7. No secret leakage in assertion messages — VERIFIED

assert_redactable does not include the secret value in its error message.

Residual Risks

• URL signatures: The FIXME comments mentioned "URL signatures" alongside access tokens in HTTP client URLs. The redact() regex won't match URL signatures (e.g., SAS tokens or signed URLs) unless they happen to contain a recognized token pattern. This is a known gap.
• boto3.resources.action logger: The LambdaLogFilter.truncate path (for large S3 upload parts at debug level 2) does not apply redaction. This is acceptable since S3 upload bodies are binary data, not tokens.

Verdict

The changes are sound. The defense-in-depth approach (regex-based scanning at log sites + assert_redactable at validation sites + fail-closed fallback for unknown auth schemes) provides strong protection against the identified threat. The residual risks are minor and clearly scoped.

[hannes-ucsc]

Residual Risks

• URL signatures: The FIXME comments mentioned "URL signatures" alongside access tokens in HTTP client URLs. The redact() regex won't match URL signatures (e.g., SAS tokens or signed URLs) unless they happen to contain a recognized token pattern. This is a known gap.

I decided to not redact signed URLs for now.

Post-poned to https://github.com/DataBiosphere/azul-private/issues/390

[hannes-ucsc]

Security design review

• Security design review completed; this PR does not …
  • … affect authentication; for example:
    • OAuth 2.0 with the application (API or Swagger UI)
    • Authentication of developers with Google Cloud APIs
    • Authentication of developers with AWS APIs
    • Authentication with a GitLab instance in the system
    • Password and 2FA authentication with GitHub
    • API access token authentication with GitHub
    • Authentication with Terra
  • … affect the permissions of internal users like access to
    • Cloud resources on AWS and GCP
    • GitLab repositories, projects and groups, administration
    • an EC2 instance via SSH
    • GitHub issues, pull requests, commits, commit statuses, wikis, repositories, organizations
  • … affect the permissions of external users like access to
    • TDR snapshots
  • … affect permissions of service or bot accounts
    • Cloud resources on AWS and GCP
  • … affect audit logging in the system, like Fix: Security tokens are logged verbatim (DataBiosphere/azul-private#377) #8085 (comment)
    • adding, removing or changing a log message that represents an auditable event
    • changing the routing of log messages through the system
  • … affect monitoring of the system
  • … introduce a new software dependency like
    • Python packages on PYPI
    • Command-line utilities
    • Docker images
    • Terraform providers
  • … add an interface that exposes sensitive or confidential data at the security boundary
  • … affect the encryption of data at rest
  • … require persistence of sensitive or confidential data that might require encryption at rest
  • … require unencrypted transmission of data within the security boundary
  • … affect the network security layer; for example by
    • modifying, adding or removing firewall rules
    • modifying, adding or removing security groups
    • changing or adding a port a service, proxy or load balancer listens on
• Documentation on any unchecked boxes is provided in comments below

[hannes-ucsc]

Clearing the approved queue in preparation for the higher-priority #7794.

[dsotirho-ucsc]

Pro forma approval