From 10949b13804fd83591aaecb9eeaa57302e1d69f6 Mon Sep 17 00:00:00 2001
From: Craig Perkins
Date: Mon, 13 Oct 2025 09:12:13 -0400
Subject: [PATCH] Check all paths for sensitive keys and change sensitive keys to a set
Signed-off-by: Craig Perkins
---
 .../security/auditlog/impl/AuditMessage.java | 17 ++++++-----------
 1 file changed, 6 insertions(+), 11 deletions(-)
diff --git a/src/main/java/org/opensearch/security/auditlog/impl/AuditMessage.java b/src/main/java/org/opensearch/security/auditlog/impl/AuditMessage.java
index 81b701bd7f..04de3d680e 100644
--- a/src/main/java/org/opensearch/security/auditlog/impl/AuditMessage.java
+++ b/src/main/java/org/opensearch/security/auditlog/impl/AuditMessage.java
@@ -22,6 +22,7 @@
 import java.util.Map;
 import java.util.Map.Entry;
 import java.util.Objects;
+import java.util.Set;
 import java.util.regex.Pattern;
 import com.google.common.annotations.VisibleForTesting;
@@ -56,21 +57,18 @@
 import org.joda.time.format.DateTimeFormat;
 import org.joda.time.format.DateTimeFormatter;
-import static org.opensearch.security.OpenSearchSecurityPlugin.LEGACY_OPENDISTRO_PREFIX;
-import static org.opensearch.security.OpenSearchSecurityPlugin.PLUGINS_PREFIX;
-
 public final class AuditMessage {
 private static final Logger log = LogManager.getLogger(AuditMessage.class);
 // clustername and cluster uuid
 private static final WildcardMatcher AUTHORIZATION_HEADER = WildcardMatcher.from("Authorization").ignoreCase();
- private static final String SENSITIVE_KEY = "password";
+ private static final Set SENSITIVE_KEYS = Set.of("password", "openai_key");
 private static final String SENSITIVE_REPLACEMENT_VALUE = "__SENSITIVE__";
- private static final Pattern SENSITIVE_PATHS = Pattern.compile(
- "/(" + LEGACY_OPENDISTRO_PREFIX + "|" + PLUGINS_PREFIX + ")/api/(account.*|internalusers.*|user.*)"
- );
+ private static boolean containsSensitiveKey(String requestBody) {
+ return SENSITIVE_KEYS.stream().anyMatch(requestBody::contains);
+ }
 @VisibleForTesting
 public static final String BCRYPT_REGEX = "\\$2[ayb]\\$.{56}";
@@ -417,10 +415,7 @@ void addRestRequestInfo(final SecurityRequest request, final AuditConfig.Filter
 try {
 final Tuple xContentTuple = restRequest.contentOrSourceParam();
 final String requestBody = XContentHelper.convertToJson(xContentTuple.v2(), false, xContentTuple.v1());
- if (path != null
- && requestBody != null
- && SENSITIVE_PATHS.matcher(path).matches()
- && requestBody.contains(SENSITIVE_KEY)) {
+ if (requestBody != null && containsSensitiveKey(requestBody)) {
 auditInfo.put(REQUEST_BODY, SENSITIVE_REPLACEMENT_VALUE);
 } else {
 auditInfo.put(REQUEST_BODY, requestBody);
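Review bot: `containsSensitiveKey` checks whether any `SENSITIVE_KEYS` entry occurs as a case-sensitive substring anywhere in the serialized body, so it fires on field values and on longer names that merely contain a key, and it does not fire on spellings such as `Password`. The name promises a key check, so either compare against the body's parsed field names or document the real behaviour on the helper, e.g. `// Substring match over the whole JSON body: also matches values and names that contain a key; case-sensitive.` The helper is also declared between the constants; placing it below the field block would keep the declarations together. Its only caller visible in this patch is the condition changed in `addRestRequestInfo`, and the class body continues outside the hunk.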
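Review bot: With the `SENSITIVE_PATHS` test removed, `if (requestBody != null && containsSensitiveKey(requestBody))` replaces the whole `REQUEST_BODY` with `__SENSITIVE__` on every REST path whenever the body mentions one of the key strings, so the audit record loses the body of unrelated requests (a query that searches for the word "password", for instance) and the sender's choice of content decides whether the body is recorded. If that trade-off is intended, state it at the condition, e.g. `// Any path: drop the entire body from the audit record if a SENSITIVE_KEYS entry appears anywhere in it.`; masking only the matching fields' values would keep the rest of the body for investigation. The diffstat lists a single file, so no test for the all-paths behaviour or for `openai_key` comes with this patch. `addRestRequestInfo` starts and ends outside the hunk.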