Redact sensitive information from configs when printing, etc.

2025-07-09 23:25:58 +00:00 · 2025-01-02 11:40:48 -08:00 · 2025-01-02 11:40:48 -08:00 · e3f187fb83
commit e3f187fb83
parent d9f75cc98f
13 changed files with 54 additions and 21 deletions
--- a/llama_stack/distribution/library_client.py
+++ b/llama_stack/distribution/library_client.py
@ -39,6 +39,7 @@ from llama_stack.distribution.server.endpoints import get_all_api_endpoints
 from llama_stack.distribution.stack import (
    construct_stack,
    get_stack_run_config_from_template,
+    redact_sensitive_fields,
    replace_env_vars,
 )

@ -273,7 +274,10 @@ class AsyncLlamaStackAsLibraryClient(AsyncLlamaStackClient):

        console = Console()
        console.print(f"Using config [blue]{self.config_path_or_template_name}[/blue]:")
-        console.print(yaml.dump(self.config.model_dump(), indent=2))
+
+        # Redact sensitive information before printing
+        safe_config = redact_sensitive_fields(self.config.model_dump())
+        console.print(yaml.dump(safe_config, indent=2))

        endpoints = get_all_api_endpoints()
        endpoint_impls = {}
--- a/llama_stack/distribution/server/server.py
+++ b/llama_stack/distribution/server/server.py
@ -35,6 +35,7 @@ from llama_stack.distribution.request_headers import set_request_provider_data
 from llama_stack.distribution.resolver import InvalidProviderError
 from llama_stack.distribution.stack import (
    construct_stack,
+    redact_sensitive_fields,
    replace_env_vars,
    validate_env_pair,
 )
@ -280,7 +281,8 @@ def main():
        config = StackRunConfig(**config)

    print("Run configuration:")
-    print(yaml.dump(config.model_dump(), indent=2))
+    safe_config = redact_sensitive_fields(config.model_dump())
+    print(yaml.dump(safe_config, indent=2))

    app = FastAPI(lifespan=lifespan)
    app.add_middleware(TracingMiddleware)
--- a/llama_stack/distribution/stack.py
+++ b/llama_stack/distribution/stack.py
@ -112,6 +112,26 @@ class EnvVarError(Exception):
        )


+def redact_sensitive_fields(data: Dict[str, Any]) -> Dict[str, Any]:
+    """Redact sensitive information from config before printing."""
+    sensitive_patterns = ["api_key", "api_token", "password", "secret"]
+
+    def _redact_dict(d: Dict[str, Any]) -> Dict[str, Any]:
+        result = {}
+        for k, v in d.items():
+            if isinstance(v, dict):
+                result[k] = _redact_dict(v)
+            elif isinstance(v, list):
+                result[k] = [_redact_dict(i) if isinstance(i, dict) else i for i in v]
+            elif any(pattern in k.lower() for pattern in sensitive_patterns):
+                result[k] = "********"
+            else:
+                result[k] = v
+        return result
+
+    return _redact_dict(data)
+
+
 def replace_env_vars(config: Any, path: str = "") -> Any:
    if isinstance(config, dict):
        result = {}