Added Sha3 as alternative (#2480)

* Added Sha3 as alternative

* Added crypto x dependency to modules.txt

* CI not picking up explicit module def

* CI not picking up explicit module def

* CI not picking up explicit module def

* add x/crypto/sha3/ to vendor dir

* Implemented review feedback

* doc fix

* Update docs/sources/clients/promtail/stages/replace.md

Co-authored-by: Ed Welch <[email protected]>

* Update docs/sources/clients/promtail/stages/template.md

Co-authored-by: Ed Welch <[email protected]>

Co-authored-by: Ed Welch <[email protected]>

docs/sources/clients/promtail/stages/replace.md

@@ -128,25 +128,25 @@ The log line would become
 
 ### With `replace` value in `template` format with hashing for obfuscating data
 
-To obfuscate sensitive data, you can combine the `replace` stage with the `Sha256` template method
+To obfuscate sensitive data, you can combine the `replace` stage with the `Hash` template method.
 
 ```yaml
 - replace:
     # SSN
     expression: '([0-9]{3}-[0-9]{2}-[0-9]{4})'
-    replace: '*SSN*{{ .Value | Sha256 "salt" }}*'
+    replace: '*SSN*{{ .Value | Hash "salt" }}*'
 - replace:
     # IP4
     expression: '(\d{1,3}[.]\d{1,3}[.]\d{1,3}[.]\d{1,3})'
-    replace: '*IP4*{{ .Value | Sha256 "salt" }}*'    
+    replace: '*IP4*{{ .Value | Hash "salt" }}*'    
 - replace:
     # email
     expression: '([\w\.=-]+@[\w\.-]+\.[\w]{2,64})'
-    replace: '*email*{{ .Value | Sha256 "salt" }}*'  
+    replace: '*email*{{ .Value | Hash "salt" }}*'  
 - replace:
     # creditcard
     expression: '((?:\d[ -]*?){13,16})'
-    replace: '*creditcard*{{ .Value | Sha256 "salt" }}*'  
+    replace: '*creditcard*{{ .Value | Hash "salt" }}*'  
 ```
 
 ### `replace` with named captured group
@@ -243,4 +243,3 @@ The log line becomes
 ```
 11.11.11.11 - [25/Jan/2000:14:00:01 -0500] "GET /1986.js HTTP/1.1" 200 932 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7 GTB6"
 ```
-

docs/sources/clients/promtail/stages/template.md

@@ -179,12 +179,22 @@ and trailing white space removed, as defined by Unicode.
     template: '{{ regexReplaceAllLiteral "(ts=)" .Value "timestamp=" }}'
 ```
 
-### Sha256
+### Hash and Sha2Hash
 
-`Sha256` returns a Sha256 hash of the string, represented as a hexadecimal number of 64 digits. It can be used to obfuscate sensitive data / PII in the logs. It requires a (fixed) salt value, to add complexity to low input domains (e.g. all possible Social Security Numbers)
+`Hash` returns a Sha3_256 hash of the string, represented as a hexadecimal number of 64 digits. You can use it to obfuscate sensitive data / PII in the logs. It requires a (fixed) salt value, to add complexity to low input domains (e.g. all possible Social Security Numbers).
 
 ```yaml
 - template:
     source: output
-    template: '{{ Sha256 .Value "salt" }}'
+    template: '{{ Hash .Value "salt" }}'
+```
+
+Alternatively, you can use `Sha2Hash` for calculating the Sha2_256 of the string. Sha2_256 is faster and requires less CPU than Sha3_256, however it is less secure. 
+
+We recommend using `Hash` as it has a stronger hashing algorithm which we plan to keep strong over time without requiring client config changes.
+
+```yaml
+- template:
+    source: output
+    template: '{{ Sha2Hash .Value "salt" }}'
 ```

go.mod

@@ -56,6 +56,7 @@ require (
 	github.com/weaveworks/common v0.0.0-20200625145055-4b1847531bc9
 	go.etcd.io/bbolt v1.3.5-0.20200615073812-232d8fc87f50
 	go.uber.org/atomic v1.6.0
+	golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9
 	golang.org/x/net v0.0.0-20200707034311-ab3426394381
 	google.golang.org/grpc v1.30.0
 	gopkg.in/alecthomas/kingpin.v2 v2.2.6

pkg/logentry/stages/template.go

@@ -15,6 +15,8 @@ import (
 	"github.com/go-kit/kit/log/level"
 	"github.com/mitchellh/mapstructure"
 	"github.com/prometheus/common/model"
+
+	"golang.org/x/crypto/sha3"
 )
 
 // Config Errors
@@ -34,8 +36,12 @@ var (
 		"TrimPrefix": strings.TrimPrefix,
 		"TrimSuffix": strings.TrimSuffix,
 		"TrimSpace":  strings.TrimSpace,
-		"Sha256": func(salt string, s string) string {
-			hash := sha256.Sum256([]byte(salt + s))
+		"Hash": func(salt string, input string) string {
+			hash := sha3.Sum256([]byte(salt + input))
+			return hex.EncodeToString(hash[:])
+		},
+		"Sha2Hash": func(salt string, input string) string {
+			hash := sha256.Sum256([]byte(salt + input))
 			return hex.EncodeToString(hash[:])
 		},
 		"regexReplaceAll": func(regex string, s string, repl string) string {

pkg/logentry/stages/template_test.go

@@ -342,10 +342,10 @@ func TestTemplateStage_Process(t *testing.T) {
 			map[string]interface{}{},
 			map[string]interface{}{},
 		},
-		"Sha256": {
+		"Sha2Hash": {
 			TemplateConfig{
 				Source:   "testval",
-				Template: "{{ Sha256 .Value \"salt\" }}",
+				Template: "{{ Sha2Hash .Value \"salt\" }}",
 			},
 			map[string]interface{}{
 				"testval": "this is PII data",
@@ -354,6 +354,18 @@ func TestTemplateStage_Process(t *testing.T) {
 				"testval": "5526fd6f8ad457279cf8ff06453c6cb61bf479fa826e3b099caa6c846f9376f2",
 			},
 		},
+		"Hash": {
+			TemplateConfig{
+				Source:   "testval",
+				Template: "{{ Hash .Value \"salt\" }}",
+			},
+			map[string]interface{}{
+				"testval": "this is PII data",
+			},
+			map[string]interface{}{
+				"testval": "0807ea24e992127128b38e4930f7155013786a4999c73a25910318a793847658",
+			},
+		},
 	}
 	for name, test := range tests {
 		test := test