From d643058a6c12f3825082df1a3c16be77d606f67a Mon Sep 17 00:00:00 2001 From: Ivan Bodrov Date: Thu, 19 Dec 2024 08:57:23 -0500 Subject: [PATCH] runtime-v2: mask workDir value in logs by default Add workDirMasking option to concord-agent.conf to enable masking of workDir values in logs. The actual path is replaced with a `$WORK_DIR` literal. --- .../concord/agent/cfg/AgentConfiguration.java | 6 ++ .../agent/executors/JobExecutorFactory.java | 1 + .../agent/executors/runner/RunnerJob.java | 1 + .../executors/runner/RunnerJobExecutor.java | 2 + agent/src/main/resources/concord-agent.conf | 3 + .../v2/processMetadataSend/debug_logback.xml | 2 +- .../common/cfg/LoggingConfiguration.java | 9 +++ .../runtime/v2/runner/InjectorFactory.java | 5 ++ .../v2/runner/logging/CustomLayout.java | 61 +++++++++++++++++++ .../logging/MaskingSensitiveDataLayout.java | 40 ------------ .../v2/runner/src/main/resources/logback.xml | 4 +- 11 files changed, 91 insertions(+), 43 deletions(-) create mode 100644 runtime/v2/runner/src/main/java/com/walmartlabs/concord/runtime/v2/runner/logging/CustomLayout.java delete mode 100644 runtime/v2/runner/src/main/java/com/walmartlabs/concord/runtime/v2/runner/logging/MaskingSensitiveDataLayout.java diff --git a/agent/src/main/java/com/walmartlabs/concord/agent/cfg/AgentConfiguration.java b/agent/src/main/java/com/walmartlabs/concord/agent/cfg/AgentConfiguration.java index 9a06ff13df..f92339fd44 100644 --- a/agent/src/main/java/com/walmartlabs/concord/agent/cfg/AgentConfiguration.java +++ b/agent/src/main/java/com/walmartlabs/concord/agent/cfg/AgentConfiguration.java @@ -53,6 +53,7 @@ public class AgentConfiguration { private final Path logDir; private final long logMaxDelay; + private final boolean workDirMasking; private final int workersCount; private final long pollInterval; 
@@ -81,6 +82,7 @@ public AgentConfiguration(Config cfg) { this.logDir = getOrCreatePath(cfg, "logDir"); this.logMaxDelay = cfg.getDuration("logMaxDelay", TimeUnit.MILLISECONDS); + this.workDirMasking = cfg.getBoolean("workDirMasking"); this.workersCount = cfg.getInt("workersCount"); this.maintenanceModeListenerHost = cfg.getString("maintenanceModeListenerHost"); @@ -136,6 +138,10 @@ public long getLogMaxDelay() { return logMaxDelay; } + public boolean isWorkDirMaskings() { + return workDirMasking; + } + public int getWorkersCount() { return workersCount; } diff --git a/agent/src/main/java/com/walmartlabs/concord/agent/executors/JobExecutorFactory.java b/agent/src/main/java/com/walmartlabs/concord/agent/executors/JobExecutorFactory.java index c537ce81c7..9f8997ff6d 100644 --- a/agent/src/main/java/com/walmartlabs/concord/agent/executors/JobExecutorFactory.java +++ b/agent/src/main/java/com/walmartlabs/concord/agent/executors/JobExecutorFactory.java @@ -124,6 +124,7 @@ public JobExecutor create(JobRequest.Type jobType) { .exposeDockerDaemon(dockerCfg.exposeDockerDaemon()) .maxHeartbeatInterval(serverCfg.getMaxNoHeartbeatInterval()) .segmentedLogs(segmentedLogs) + .workDirMasking(agentCfg.isWorkDirMaskings()) .persistentWorkDir(runnerCfg.getPersistentWorkDir()) .preforkEnabled(preForkCfg.isEnabled()) .cleanRunnerDescendants(runnerCfg.getCleanRunnerDescendants()) diff --git a/agent/src/main/java/com/walmartlabs/concord/agent/executors/runner/RunnerJob.java b/agent/src/main/java/com/walmartlabs/concord/agent/executors/runner/RunnerJob.java index 4ff4515aad..8e429be3e0 100644 --- a/agent/src/main/java/com/walmartlabs/concord/agent/executors/runner/RunnerJob.java +++ b/agent/src/main/java/com/walmartlabs/concord/agent/executors/runner/RunnerJob.java 
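Review bot: The new getter is spelled `isWorkDirMaskings()` (trailing `s`) in the `@@ -136,6 +138,10 @@` hunk of AgentConfiguration.java, while the field, the config key and the builder methods in this patch are all `workDirMasking`. Because the name is introduced by this commit, renaming it now to `public boolean isWorkDirMasking() {` only touches the one visible call site in JobExecutorFactory.java, which becomes `.workDirMasking(agentCfg.isWorkDirMasking())`. The class body continues outside the hunk.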
@@ -184,6 +184,7 @@ private static RunnerConfiguration createRunnerConfiguration(RunnerJobExecutorCo .logging(LoggingConfiguration.builder() .sendSystemOutAndErrToSLF4J(true) .segmentedLogs(execCfg.segmentedLogs()) + .workDirMasking(execCfg.workDirMasking()) .build()) .build(); } diff --git a/agent/src/main/java/com/walmartlabs/concord/agent/executors/runner/RunnerJobExecutor.java b/agent/src/main/java/com/walmartlabs/concord/agent/executors/runner/RunnerJobExecutor.java index d0abb0155e..439584d869 100644 --- a/agent/src/main/java/com/walmartlabs/concord/agent/executors/runner/RunnerJobExecutor.java +++ b/agent/src/main/java/com/walmartlabs/concord/agent/executors/runner/RunnerJobExecutor.java @@ -759,6 +759,8 @@ public interface RunnerJobExecutorConfiguration { boolean segmentedLogs(); + boolean workDirMasking(); + @Value.Default default List extraDockerVolumes() { return Collections.emptyList(); diff --git a/agent/src/main/resources/concord-agent.conf b/agent/src/main/resources/concord-agent.conf index 63d453d1db..218d57348f 100644 --- a/agent/src/main/resources/concord-agent.conf +++ b/agent/src/main/resources/concord-agent.conf @@ -61,6 +61,9 @@ concord-agent { # determines how ofter the logs are send back to the server logMaxDelay = "2 seconds" + # replace the current process' workDir in logs with literal "$WORK_DIR" + workDirMasking = true + # maximum number of concurrent processes workersCount = 3 workersCount = ${?WORKERS_COUNT} diff --git a/it/runtime-v2/src/test/resources/com/walmartlabs/concord/it/runtime/v2/processMetadataSend/debug_logback.xml b/it/runtime-v2/src/test/resources/com/walmartlabs/concord/it/runtime/v2/processMetadataSend/debug_logback.xml index 01b7c54f8a..959dcca4df 100644 --- a/it/runtime-v2/src/test/resources/com/walmartlabs/concord/it/runtime/v2/processMetadataSend/debug_logback.xml +++ b/it/runtime-v2/src/test/resources/com/walmartlabs/concord/it/runtime/v2/processMetadataSend/debug_logback.xml 
@@ -3,7 +3,7 @@ - + %date{yyyy-MM-dd'T'HH:mm:ss.SSSZ, UTC} [%-5level] %msg%n%rEx{full, com.sun, sun} diff --git a/runtime/common/src/main/java/com/walmartlabs/concord/runtime/common/cfg/LoggingConfiguration.java b/runtime/common/src/main/java/com/walmartlabs/concord/runtime/common/cfg/LoggingConfiguration.java index 87fc6a6df6..d4a6b8c192 100644 --- a/runtime/common/src/main/java/com/walmartlabs/concord/runtime/common/cfg/LoggingConfiguration.java +++ b/runtime/common/src/main/java/com/walmartlabs/concord/runtime/common/cfg/LoggingConfiguration.java @@ -53,6 +53,15 @@ default boolean sendSystemOutAndErrToSLF4J() { return true; } + /** + * If {@code true}, any ${workDir} value will be replaced with literal + * "$WORK_DIR" string. Reduces noise in the logs. + */ + @Value.Default + default boolean workDirMasking() { + return true; + } + static ImmutableLoggingConfiguration.Builder builder() { return ImmutableLoggingConfiguration.builder(); } diff --git a/runtime/v2/runner/src/main/java/com/walmartlabs/concord/runtime/v2/runner/InjectorFactory.java b/runtime/v2/runner/src/main/java/com/walmartlabs/concord/runtime/v2/runner/InjectorFactory.java index a4e8e958a8..398b4c5fc0 100644 --- a/runtime/v2/runner/src/main/java/com/walmartlabs/concord/runtime/v2/runner/InjectorFactory.java +++ b/runtime/v2/runner/src/main/java/com/walmartlabs/concord/runtime/v2/runner/InjectorFactory.java @@ -32,6 +32,7 @@ import com.walmartlabs.concord.runtime.v2.runner.guice.CurrentClasspathModule; import com.walmartlabs.concord.runtime.v2.runner.guice.DefaultRunnerModule; import com.walmartlabs.concord.runtime.v2.runner.guice.ProcessDependenciesModule; +import com.walmartlabs.concord.runtime.v2.runner.logging.CustomLayout; import com.walmartlabs.concord.runtime.v2.runner.tasks.V2; import com.walmartlabs.concord.runtime.v2.sdk.ProcessConfiguration; import com.walmartlabs.concord.runtime.v2.sdk.Task; 
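Review bot: The Javadoc added for `workDirMasking()` in LoggingConfiguration.java reads as if every reference to the working directory is covered, but `CustomLayout.doLayout` later in this patch does a literal `String.replace` on `workDir.getValue().toString()`. A path logged in any other form (resolved through a symlink, or relative, for example) would not match, and a longer path that merely starts with the same characters would be partly rewritten. I would add one sentence to the Javadoc, `Only the exact string form of the path is replaced; this is a readability aid, not a confidentiality control.`, so nobody relies on the option to hide host paths. The interface body continues outside the hunk.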
@@ -123,6 +124,10 @@ private ConfigurationModule(WorkingDirectory workDir, @Override protected void configure() { bind(WorkingDirectory.class).toInstance(workDir); + if (runnerCfg.logging().workDirMasking()) { + CustomLayout.enableWorkingDirectoryMasking(workDir); + } + bind(RunnerConfiguration.class).toInstance(runnerCfg); bind(ProcessConfiguration.class).toProvider(processCfgProvider); bind(InstanceId.class).toProvider(InstanceIdProvider.class); diff --git a/runtime/v2/runner/src/main/java/com/walmartlabs/concord/runtime/v2/runner/logging/CustomLayout.java b/runtime/v2/runner/src/main/java/com/walmartlabs/concord/runtime/v2/runner/logging/CustomLayout.java new file mode 100644 index 0000000000..595bd89bba --- /dev/null +++ b/runtime/v2/runner/src/main/java/com/walmartlabs/concord/runtime/v2/runner/logging/CustomLayout.java 
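Review bot: `configure()` in the `@@ -123,6 +124,10 @@` hunk now writes process-wide state through the static `CustomLayout.enableWorkingDirectoryMasking(workDir)`, which is easy to miss inside a Guice module. Going by the CustomLayout code in this patch, the first value wins: a later injector with a different `workDir` only produces a line on stderr, and a configuration where `workDirMasking()` is false does not clear a value set earlier in the same JVM. If one process per runner JVM is the assumption, a comment above the call would make that explicit, e.g. `// static, JVM-wide: assumes a single process workDir per runner JVM`. The method body continues outside the hunk.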
@@ -0,0 +1,61 @@
+package com.walmartlabs.concord.runtime.v2.runner.logging;
+
+/*-
+ * *****
+ * Concord
+ * -----
+ * Copyright (C) 2017 - 2023 Walmart Inc.
+ * -----
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * =====
+ */
+
+import ch.qos.logback.classic.PatternLayout;
+import ch.qos.logback.classic.spi.ILoggingEvent;
+import com.walmartlabs.concord.runtime.v2.runner.SensitiveDataHolder;
+import com.walmartlabs.concord.runtime.v2.sdk.WorkingDirectory;
+
+import static java.util.Objects.requireNonNull;
+
+public class CustomLayout extends PatternLayout {
+
+ private static volatile String workDirToReplace;
+
+ /**
+ * Enables masking of ${workDir} values in logs. Such values often add noise to logs.
+ */
+ public static void enableWorkingDirectoryMasking(WorkingDirectory workDir) {
+ requireNonNull(workDir);
+
+ var workDirToReplace = workDir.getValue().toString();
+ if (CustomLayout.workDirToReplace != null && !CustomLayout.workDirToReplace.equals(workDirToReplace)) {
+ System.err.printf("CustomLayout: an attempt to override existing workDir value by thread %s%n", Thread.currentThread());
+ return;
+ }
+
+ CustomLayout.workDirToReplace = workDirToReplace;
+ }
+
+ @Override
+ public String doLayout(ILoggingEvent event) {
+ var sensitiveData = SensitiveDataHolder.getInstance().get();
+ var msg = super.doLayout(event);
+ for (var sensitiveString : sensitiveData) {
+ msg = msg.replace(sensitiveString, "******");
+ }
+ if (CustomLayout.workDirToReplace != null) {
+ msg = msg.replace(workDirToReplace, "$WORK_DIR");
+ }
+ return msg;
+ }
+}
diff --git a/runtime/v2/runner/src/main/java/com/walmartlabs/concord/runtime/v2/runner/logging/MaskingSensitiveDataLayout.java b/runtime/v2/runner/src/main/java/com/walmartlabs/concord/runtime/v2/runner/logging/MaskingSensitiveDataLayout.java
deleted file mode 100644
index 04fe12371d..0000000000
--- a/runtime/v2/runner/src/main/java/com/walmartlabs/concord/runtime/v2/runner/logging/MaskingSensitiveDataLayout.java
+++ /dev/null
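Review bot: In `CustomLayout.doLayout` the secret masking has to stay ahead of the `$WORK_DIR` substitution, and nothing in the new class says so. If the two steps were ever swapped, a sensitive value that contains the working directory path would be partly rewritten first, would no longer match its entry from `SensitiveDataHolder`, and the rest of it would reach the log unmasked; a comment above the loop such as `// mask secrets first: replacing workDir earlier would break matching of secrets that contain the path` would pin the order. The static field is also read twice (null check, then `replace`); reading it once, `var dir = workDirToReplace; if (dir != null) { msg = msg.replace(dir, "$WORK_DIR"); }`, keeps one volatile read per event. Since the old `MaskingSensitiveDataLayout` name is removed outright, any logback configuration outside this patch that still names it would presumably stop getting this layout, so a deprecated `public class MaskingSensitiveDataLayout extends CustomLayout {}` may be worth keeping for a release.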
@@ -1,40 +0,0 @@ -package com.walmartlabs.concord.runtime.v2.runner.logging; - -/*- - * ***** - * Concord - * ----- - * Copyright (C) 2017 - 2023 Walmart Inc. - * ----- - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * ===== - */ - -import ch.qos.logback.classic.PatternLayout; -import ch.qos.logback.classic.spi.ILoggingEvent; -import com.walmartlabs.concord.runtime.v2.runner.SensitiveDataHolder; - -import java.util.Collection; - -public class MaskingSensitiveDataLayout extends PatternLayout { - - @Override - public String doLayout(ILoggingEvent event) { - Collection sensitiveData = SensitiveDataHolder.getInstance().get(); - String msg = super.doLayout(event); - for (String d : sensitiveData) { - msg = msg.replace(d, "******"); - } - return msg; - } -} diff --git a/runtime/v2/runner/src/main/resources/logback.xml b/runtime/v2/runner/src/main/resources/logback.xml index 786e6f9436..86387525fb 100644 --- a/runtime/v2/runner/src/main/resources/logback.xml +++ b/runtime/v2/runner/src/main/resources/logback.xml @@ -3,7 +3,7 @@ - + %date{yyyy-MM-dd'T'HH:mm:ss.SSSZ, UTC} [%-5level] %msg%n%rEx{full, com.sun, sun} @@ -14,7 +14,7 @@ - + %date{yyyy-MM-dd'T'HH:mm:ss.SSSZ, UTC} %msg%n