Do not reveal auth token in swiftclient log messages by default

Currently the swiftclient logs sensitive info in headers when logging HTTP requests. This patch hides sensitive info in headers such as 'X-Auth-Token' in a similar way to swift itself (we add a 'reveal_sensitive_prefix' configuration to the client). With this patch, tokens are truncated by removing the specified number of characters, after which '...' is appended to the logged token to indicate that it has been redacted. Co-Authored-By: Li Cheng <shcli@cn.ibm.com> Co-Authored-By: Zack M. Davis <zdavis@swiftstack.com> Change-Id: I43dd7254f7281d4db59b286aa2145643c64e1705 Closes-bug: #1516692
author: Joel Wright <joel.wright@sohonet.com> 2016-02-19 13:18:15 +0000
committer: Joel Wright <joel.wright@sohonet.com> 2016-02-22 17:55:51 +0000
commit: 4d44dcf36086add13d3353915c014f095ab99c6d (patch)
tree: e69ce7034e152e57c4f7c388d04364f486cc4f82 /tests/unit/test_swiftclient.py
parent: da0aa24f28da8508283da85b6a45e29912a927cf (diff)
download: python-swiftclient-4d44dcf36086add13d3353915c014f095ab99c6d.tar.gz
1 files changed, 74 insertions, 2 deletions
diff --git a/tests/unit/test_swiftclient.py b/tests/unit/test_swiftclient.py
index a272465..77cf607 100644
--- a/tests/unit/test_swiftclient.py
+++ b/tests/unit/test_swiftclient.py
@@ -987,7 +987,7 @@ class TestPutObject(MockHttpTest):
                 mock_file)
         text = u'\u5929\u7a7a\u4e2d\u7684\u4e4c\u4e91'
         headers = {'X-Header1': text,
-                   'X-2': 1, 'X-3': {'a': 'b'}, 'a-b': '.x:yz mn:fg:lp'}
+                   'X-2': '1', 'X-3': "{'a': 'b'}", 'a-b': '.x:yz mn:fg:lp'}
 
         resp = MockHttpResponse()
         conn[1].getresponse = resp.fake_response
@@ -1221,7 +1221,7 @@ class TestPostObject(MockHttpTest):
         text = u'\u5929\u7a7a\u4e2d\u7684\u4e4c\u4e91'
         headers = {'X-Header1': text,
                    b'X-Header2': 'value',
-                   'X-2': '1', 'X-3': {'a': 'b'}, 'a-b': '.x:yz mn:kl:qr',
+                   'X-2': '1', 'X-3': "{'a': 'b'}", 'a-b': '.x:yz mn:kl:qr',
                    'X-Object-Meta-Header-not-encoded': text,
                    b'X-Object-Meta-Header-encoded': 'value'}
 
@@ -2188,6 +2188,78 @@ class TestLogging(MockHttpTest):
                               'http://www.test.com', 'asdf', 'asdf', 'asdf')
         self.assertEqual(e.http_status, 404)
 
+    def test_redact_token(self):
+        with mock.patch('swiftclient.client.logger.debug') as mock_log:
+            token_value = 'tkee96b40a8ca44fc5ad72ec5a7c90d9b'
+            unicode_token_value = (u'\u5929\u7a7a\u4e2d\u7684\u4e4c\u4e91'
+                                   u'\u5929\u7a7a\u4e2d\u7684\u4e4c\u4e91'
+                                   u'\u5929\u7a7a\u4e2d\u7684\u4e4c')
+            set_cookie_value = 'X-Auth-Token=%s' % token_value
+            c.http_log(
+                ['GET'],
+                {'headers': {
+                    'X-Auth-Token': token_value,
+                    'X-Storage-Token': unicode_token_value
+                }},
+                MockHttpResponse(
+                    status=200,
+                    headers={
+                        'X-Auth-Token': token_value,
+                        'X-Storage-Token': unicode_token_value,
+                        'Etag': b'mock_etag',
+                        'Set-Cookie': set_cookie_value
+                    }
+                ),
+                ''
+            )
+            out = []
+            for _, args, kwargs in mock_log.mock_calls:
+                for arg in args:
+                    out.append(u'%s' % arg)
+            output = u''.join(out)
+            self.assertIn('X-Auth-Token', output)
+            self.assertIn(token_value[:16] + '...', output)
+            self.assertIn('X-Storage-Token', output)
+            self.assertIn(unicode_token_value[:8] + '...', output)
+            self.assertIn('Set-Cookie', output)
+            self.assertIn(set_cookie_value[:16] + '...', output)
+            self.assertNotIn(token_value, output)
+            self.assertNotIn(unicode_token_value, output)
+            self.assertNotIn(set_cookie_value, output)
+
+    def test_show_token(self):
+        with mock.patch('swiftclient.client.logger.debug') as mock_log:
+            token_value = 'tkee96b40a8ca44fc5ad72ec5a7c90d9b'
+            unicode_token_value = (u'\u5929\u7a7a\u4e2d\u7684\u4e4c\u4e91'
+                                   u'\u5929\u7a7a\u4e2d\u7684\u4e4c\u4e91'
+                                   u'\u5929\u7a7a\u4e2d\u7684\u4e4c')
+            c.logger_settings['redact_sensitive_tokens'] = False
+            c.http_log(
+                ['GET'],
+                {'headers': {
+                    'X-Auth-Token': token_value,
+                    'X-Storage-Token': unicode_token_value
+                }},
+                MockHttpResponse(
+                    status=200,
+                    headers=[
+                        ('X-Auth-Token', token_value),
+                        ('X-Storage-Token', unicode_token_value),
+                        ('Etag', b'mock_etag')
+                    ]
+                ),
+                ''
+            )
+            out = []
+            for _, args, kwargs in mock_log.mock_calls:
+                for arg in args:
+                    out.append(u'%s' % arg)
+            output = u''.join(out)
+            self.assertIn('X-Auth-Token', output)
+            self.assertIn(token_value, output)
+            self.assertIn('X-Storage-Token', output)
+            self.assertIn(unicode_token_value, output)
+
 
 class TestCloseConnection(MockHttpTest):
author	Joel Wright <joel.wright@sohonet.com>	2016-02-19 13:18:15 +0000
committer	Joel Wright <joel.wright@sohonet.com>	2016-02-22 17:55:51 +0000
commit	4d44dcf36086add13d3353915c014f095ab99c6d (patch)
tree	e69ce7034e152e57c4f7c388d04364f486cc4f82 /tests/unit/test_swiftclient.py
parent	da0aa24f28da8508283da85b6a45e29912a927cf (diff)
download	python-swiftclient-4d44dcf36086add13d3353915c014f095ab99c6d.tar.gz