module Mongo::Monitoring::Event::Secure
Provides behavior to redact sensitive information from commands and replies.
@since 2.1.0
Constants
- REDACTED_COMMANDS
The list of commands that have their data redacted for security.
@since 2.1.0
Public Instance Methods
Whether compression is allowed for a given command message.
@example Determine if compression is allowed for a given command.
secure.compression_allowed?(selector)
@param [ String, Symbol ] command_name The command name.
@return [ true, false ] Whether compression can be used.
@since 2.5.0
# File lib/mongo/monitoring/event/secure.rb, line 106
def compression_allowed?(command_name)
  @compression_allowed ||= !REDACTED_COMMANDS.include?(command_name.to_s)
end
Redact secure information from the document if:
- its command is in the sensitive commands;
- its command is a hello/legacy hello command, and speculative authentication is enabled;
- corresponding started event is sensitive.
@example Get the redacted document.
secure.redacted(command_name, document)
@param [ String, Symbol ] command_name The command name.
@param [ BSON::Document ] document The document.
@return [ BSON::Document ] The redacted document.
@since 2.1.0
# File lib/mongo/monitoring/event/secure.rb, line 83
def redacted(command_name, document)
  if %w(1 true yes).include?(ENV['MONGO_RUBY_DRIVER_UNREDACT_EVENTS']&.downcase)
    document
  elsif respond_to?(:started_event) && started_event.sensitive
    return BSON::Document.new
  elsif sensitive?(command_name: command_name, document: document)
    BSON::Document.new
  else
    document
  end
end
Checks whether the command is sensitive according to the Command Monitoring spec. A command is considered sensitive if it is in the list of redacted commands, or if it is a hello/legacy hello command and speculative authentication is enabled.
@param [ String, Symbol ] command_name The command name.
@param [ BSON::Document ] document The document.
@return [ true | false ] Whether the command is sensitive.
# File lib/mongo/monitoring/event/secure.rb, line 52
def sensitive?(command_name:, document:)
  if REDACTED_COMMANDS.include?(command_name.to_s)
    true
  elsif %w(hello ismaster isMaster).include?(command_name.to_s) &&
    document['speculativeAuthenticate'] then
    # According to Command Monitoring spec, for hello/legacy hello commands
    # when speculativeAuthenticate is present, their commands AND replies
    # MUST be redacted from the events.
    # See https://github.com/mongodb/specifications/blob/master/source/command-monitoring/command-monitoring.rst#security
    true
  else
    false
  end
end
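The decision order of redacted and sensitive? can be exercised without the driver. The following is an added example, not the driver's own code: a stand-alone Ruby model that uses a plain Hash in place of BSON::Document and a constructed sample command list (not the contents of REDACTED_COMMANDS), and reports which sensitive events would reach a monitoring subscriber unredacted when MONGO_RUBY_DRIVER_UNREDACT_EVENTS is set. The helper names (unredact_override?, sensitive_command?, redact, leaked) are hypothetical.

```ruby
# Stand-alone model of the redaction decision (added example, not driver code).
# Assumptions: a plain Hash stands in for BSON::Document; SENSITIVE is a
# constructed sample list, not the driver's REDACTED_COMMANDS constant.
SENSITIVE = %w(authenticate saslStart saslContinue createUser updateUser).freeze
HELLO = %w(hello ismaster isMaster).freeze
UNREDACT_VAR = 'MONGO_RUBY_DRIVER_UNREDACT_EVENTS'

# True when the environment switches redaction off (same values the driver accepts).
def unredact_override?(env = ENV)
  %w(1 true yes).include?(env[UNREDACT_VAR]&.downcase)
end

# Mirrors sensitive?: a listed command, or a hello carrying speculativeAuthenticate.
def sensitive_command?(command_name, document)
  name = command_name.to_s
  SENSITIVE.include?(name) ||
    (HELLO.include?(name) && !!document['speculativeAuthenticate'])
end

# Mirrors redacted: override first, then the started event's flag, then the command.
def redact(command_name, document, started_sensitive: false, env: ENV)
  return document if unredact_override?(env)
  return {} if started_sensitive || sensitive_command?(command_name, document)
  document
end

# Deployment check: names of sensitive events whose payload survives redaction.
def leaked(events, env: ENV)
  events.select do |e|
    secret = e[:started_sensitive] || sensitive_command?(e[:name], e[:doc])
    secret && !redact(e[:name], e[:doc], started_sensitive: e[:started_sensitive], env: env).empty?
  end.map { |e| e[:name].to_s }
end

# Constructed sample events; the fourth is a reply whose started event was sensitive.
EVENTS = [
  { name: :saslStart, doc: { 'saslStart' => 1, 'payload' => 'constructed-secret' } },
  { name: 'hello', doc: { 'hello' => 1, 'speculativeAuthenticate' => { 'payload' => 'constructed' } } },
  { name: 'hello', doc: { 'hello' => 1 } },
  { name: 'hello', doc: { 'ok' => 1 }, started_sensitive: true },
  { name: 'find', doc: { 'find' => 'users' } }
].freeze

puts "leaked, default env:   #{leaked(EVENTS, env: {}).inspect}"
puts "leaked, override set:  #{leaked(EVENTS, env: { UNREDACT_VAR => 'yes' }).inspect}"
```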