Module: Mongo::Monitoring::Event::Secure
- Included in:
- CommandFailed, CommandStarted, CommandSucceeded, Protocol::Msg, Protocol::Query
- Defined in:
- build/ruby-driver-v2.19/lib/mongo/monitoring/event/secure.rb
Overview
Provides behavior to redact sensitive information from commands and replies.
Constant Summary collapse
- REDACTED_COMMANDS =
The list of commands that has the data redacted for security.
[ 'authenticate', 'saslStart', 'saslContinue', 'getnonce', 'createUser', 'updateUser', 'copydbgetnonce', 'copydbsaslstart', 'copydb' ].freeze
Instance Method Summary collapse
-
#compression_allowed?(command_name) ⇒ true, false
Is compression allowed for a given command message.
-
#redacted(command_name, document) ⇒ BSON::Document
Redact secure information from the document if: - its command is in the sensitive commands; - its command is a hello/legacy hello command, and speculative authentication is enabled; - corresponding started event is sensitive.
-
#sensitive?(command_name:, document:) ⇒ true | false
Check whether the command is sensitive in terms of command monitoring spec.
Instance Method Details
#compression_allowed?(command_name) ⇒ true, false
Is compression allowed for a given command message.
106 107 108 |
# File 'build/ruby-driver-v2.19/lib/mongo/monitoring/event/secure.rb', line 106 def compression_allowed?(command_name) @compression_allowed ||= !REDACTED_COMMANDS.include?(command_name.to_s) end |
#redacted(command_name, document) ⇒ BSON::Document
Redact secure information from the document if:
- its command is in the sensitive commands;
- its command is a hello/legacy hello command, and
speculative authentication is enabled;
- corresponding started event is sensitive.
83 84 85 86 87 88 89 90 91 92 93 |
# File 'build/ruby-driver-v2.19/lib/mongo/monitoring/event/secure.rb', line 83 def redacted(command_name, document) if %w(1 true yes).include?(ENV['MONGO_RUBY_DRIVER_UNREDACT_EVENTS']&.downcase) document elsif respond_to?(:started_event) && started_event.sensitive return BSON::Document.new elsif sensitive?(command_name: command_name, document: document) BSON::Document.new else document end end |
#sensitive?(command_name:, document:) ⇒ true | false
Check whether the command is sensitive in terms of command monitoring spec. A command is detected as sensitive if it is in the list or if it is a hello/legacy hello command, and speculative authentication is enabled.
52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 |
# File 'build/ruby-driver-v2.19/lib/mongo/monitoring/event/secure.rb', line 52 def sensitive?(command_name:, document:) if REDACTED_COMMANDS.include?(command_name.to_s) true elsif %w(hello ismaster isMaster).include?(command_name.to_s) && document['speculativeAuthenticate'] then # According to Command Monitoring spec,for hello/legacy hello commands # when speculativeAuthenticate is present, their commands AND replies # MUST be redacted from the events. # See https://github.com/mongodb/specifications/blob/master/source/command-monitoring/command-monitoring.rst#security true else false end end |