arti: add support for safe-logging configuration

Here we add a config option to disable safe logging, and ensure that safe logging is disabled when we are formatting an error message on exit (since we assume it's safe to write sensitive info to stderr.)

arti: add support for safe-logging configuration
7e34692a · Nick Mathewson · 4679023c · 7e34692a · 7e34692a
Commit 7e34692a authored 2 years ago by Nick Mathewson
--- a/crates/arti/src/lib.rs
+++ b/crates/arti/src/lib.rs
@@ -130,6 +130,7 @@ pub use logging::{LoggingConfig, LoggingConfigBuilder};

 use arti_client::{TorClient, TorClientConfig};
 use arti_config::default_config_file;
+use safelog::with_safe_logging_suppressed;
 use tor_rtcompat::{BlockOn, Runtime};

 use anyhow::{Context, Result};
@@ -364,5 +365,5 @@ pub fn main_main() -> Result<()> {

 /// Main program, callable directly from a binary crate's `main`
 pub fn main() {
-    main_main().unwrap_or_else(tor_error::report_and_exit);
+    main_main().unwrap_or_else(|e| with_safe_logging_suppressed(|| tor_error::report_and_exit(e)));
 }
--- a/crates/arti/src/logging.rs
+++ b/crates/arti/src/logging.rs
@@ -7,7 +7,7 @@ use std::path::Path;
 use std::str::FromStr;
 use tor_config::{define_list_builder_accessors, define_list_builder_helper};
 use tor_config::{CfgPath, ConfigBuildError};
-use tracing::Subscriber;
+use tracing::{warn, Subscriber};
 use tracing_appender::non_blocking::WorkerGuard;
 use tracing_subscriber::layer::SubscriberExt;
 use tracing_subscriber::prelude::*;
@@ -40,6 +40,16 @@ pub struct LoggingConfig {
    #[builder_field_attr(serde(default))]
    #[builder(sub_builder, setter(custom))]
    files: LogfileListConfig,
+
+    /// If set to true, we disable safe logging on _all logs_, and store
+    /// potentially sensitive information at level `info` or higher.
+    ///
+    /// This can be useful for debugging, but it increases the value of your
+    /// logs to an attacker.  Do not turn this on in production unless you have
+    /// a good log rotation mechanism.
+    #[builder_field_attr(serde(default))]
+    #[builder(default)]
+    log_sensitive_information: bool,
 }

 /// Return a default tracing filter value for `logging.console`.
@@ -234,6 +244,10 @@ pub struct LogGuards {
    /// The actual list of guards we're returning.
    #[allow(unused)]
    guards: Vec<WorkerGuard>,
+
+    /// A safelog guard, for use if we have decided to disable safe logging.
+    #[allow(unused)]
+    safelog_guard: Option<safelog::Guard>,
 }

 /// Set up logging.
@@ -259,5 +273,22 @@ pub fn setup_logging(config: &LoggingConfig, cli: Option<&str>) -> Result<LogGua

    registry.init();

-    Ok(LogGuards { guards })
+    let safelog_guard = if config.log_sensitive_information {
+        match safelog::disable_safe_logging() {
+            Ok(guard) => Some(guard),
+            Err(e) => {
+                // We don't need to propagate this error; it isn't the end of
+                // the world if we were unable to disable safe logging.
+                warn!("Unable to disable safe logging: {}", e);
+                None
+            }
+        }
+    } else {
+        None
+    };
+
+    Ok(LogGuards {
+        guards,
+        safelog_guard,
+    })
 }