grainier opened a new pull request, #2931: URL: https://github.com/apache/iggy/pull/2931
## Which issue does this PR close?

Closes #2728

## Rationale

Passwords, tokens, and connection strings were stored as plain `String`, risking exposure via `Debug`, `Display`, logs, and error messages.

## What changed?

Sensitive credential fields (passwords, PATs, connection URIs, API keys) were plain `String` values that could leak through derived `Debug`, log interpolation, or error formatting.

All such fields now use `secrecy::SecretString`, which redacts in `Debug` and requires explicit `expose_secret()` to access the inner value. Custom `Debug` impls were added for types that hold sensitive `String` fields not converted to `SecretString` (e.g., `RawPersonalAccessToken`, `TokenInfo`). A `serde_secret` helper module was added for fields that must be serialized over the wire.

## Local Execution

- Passed except for https://github.com/apache/iggy/discussions/2930. It was failing on fresh master as well.
- Pre-commit hooks ran.

All quality checks mentioned in CONTRIBUTING.md pass locally:

- `cargo fmt --all`
- `cargo clippy --all-targets --all-features -- -D warnings`
- `cargo build`
- `cargo test`
- `cargo machete`
- `cargo sort --workspace`
- `typos`

## AI Usage

1. Claude Code (CLI)
2. Used to identify/verify all locations where `String` passwords/tokens needed conversion to `SecretString`, for documentation (i.e. core/common/src/utils/serde_secret.rs doc string), and commit review.
3. Verified by running all checks mentioned in CONTRIBUTING.md.
4. Yes.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
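
The leak and the two fixes described under "What changed?", as an added example that is not code from the PR or the iggy project. `Secret` is a hypothetical std-only stand-in for `secrecy::SecretString`; the struct names, `log_line` helper, and sample password are constructed for illustration.

```rust
use std::fmt;

// Hypothetical std-only stand-in for secrecy::SecretString: Debug is
// redacted and the inner value is reachable only through an explicit call.
pub struct Secret(String);

impl Secret {
    pub fn new(s: impl Into<String>) -> Self { Secret(s.into()) }
    pub fn expose_secret(&self) -> &str { &self.0 }
}

impl fmt::Debug for Secret {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str("Secret([REDACTED])")
    }
}

// Before: derived Debug prints every field, including the password.
#[allow(dead_code)]
#[derive(Debug)]
pub struct LoginBefore { pub username: String, pub password: String }

// After: the wrapper type makes the derived Debug safe to log.
#[allow(dead_code)]
#[derive(Debug)]
pub struct LoginAfter { pub username: String, pub password: Secret }

// A type that keeps a plain String token needs a hand-written Debug instead.
pub struct RawToken { pub name: String, pub token: String }

impl fmt::Debug for RawToken {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.debug_struct("RawToken")
            .field("name", &self.name)
            .field("token", &"[REDACTED]")
            .finish()
    }
}

// What a `{:?}` in a log line or error message would emit for a value.
pub fn log_line<T: fmt::Debug>(v: &T) -> String { format!("request={:?}", v) }

fn main() {
    let pw = "constructed-sample-pw"; // constructed sample value
    let after = LoginAfter { username: "alice".into(), password: Secret::new(pw) };
    println!("{}", log_line(&LoginBefore { username: "alice".into(), password: pw.into() }));
    println!("{}", log_line(&after));
    println!("{}", log_line(&RawToken { name: "ci".into(), token: pw.into() }));
    assert_eq!(after.password.expose_secret(), pw); // explicit access still works
}
```
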
