Merge pull request #53 from cloudblue/LITE-25143_improve_logging

LITE-21143 obfuscate api_key in cookies

Author: ffaraone

connect/client/logger.py

@@ -6,11 +6,18 @@ class RequestLogger:
     def __init__(self, file=sys.stdout):
         self._file = file
 
-    def obfuscate(self, value):
-        if value.startswith('ApiKey SU-'):
-            return value.split(':')[0] + '*' * 10
-        else:
-            return '*' * 20
+    def obfuscate(self, key, value):
+        if key in ('authorization', 'authentication'):
+            if value.startswith('ApiKey '):
+                return value.split(':')[0] + '*' * 10
+            else:
+                return '*' * 20
+        if key in ('cookie', 'set-cookie'):
+            if 'api_key="' in value:
+                start_idx = value.index('api_key="') + len('api_key="')
+                end_idx = value.index('"', start_idx)
+                return f'{value[0:start_idx + 2]}******{value[end_idx - 2:]}'
+        return value
 
     def log_request(self, method, url, kwargs):
         other_args = {k: v for k, v in kwargs.items() if k not in ('headers', 'json', 'params')}
@@ -26,8 +33,8 @@ def log_request(self, method, url, kwargs):
 
         if 'headers' in kwargs:
             for k, v in kwargs['headers'].items():
-                if k == 'Authorization':
-                    v = self.obfuscate(v)
+                if k.lower() in ('authorization', 'authentication', 'cookie'):
+                    v = self.obfuscate(k.lower(), v)
                 lines.append(f'{k}: {v}')
 
         if 'json' in kwargs:
@@ -45,6 +52,8 @@ def log_response(self, response):
         ]
 
         for k, v in response.headers.items():
+            if k.lower() == 'set-cookie':
+                v = self.obfuscate(k.lower(), v)
             lines.append(f'{k}: {v}')
 
         if response.headers.get('Content-Type', None) == 'application/json':

tests/client/test_logger.py

@@ -36,10 +36,14 @@ def test_log_request():
     rl.log_request(
         'get',
         PATH1,
-        {'headers': {'Auth': 'None', 'Cookie': 'XXX', 'Authorization': 'SecretToken'}},
+        {'headers': {
+            'Auth': 'None',
+            'Cookie': '_ga=wathever; api_key="test@example.com:abcdefg"; _gid=whatever',
+            'Authorization': 'SecretToken',
+        }},
     )
     assert ios.getvalue() == LOG_REQUEST_HEADER + 'GET ' + PATH1 + ' \n' + """Auth: None
-Cookie: XXX
+Cookie: _ga=wathever; api_key="te******fg"; _gid=whatever
 Authorization: ********************
 
 """
@@ -100,12 +104,19 @@ def test_log_response(mocker):
     mocker.patch('requests.models.Response.json', return_value=json)
     rsp = Response()
     rsp.raw = HTTPResponse()
-    rsp.headers = {'Content-Type': 'application/json'}
+    rsp.headers = {
+        'Content-Type': 'application/json',
+        'Set-Cookie': (
+            'api_key="test@example.com:abcdefg"; '
+            'expires=Wed, 19 Oct 2022 06:56:08 GMT; HttpOnly;'
+        ),
+    }
     rsp.status_code = 200
     rsp.raw.reason = 'OK'
     rl.log_response(rsp)
     assert ios.getvalue() == LOG_RESPONSE_HEADER + """200 OK
 Content-Type: application/json
+Set-Cookie: api_key="te******fg"; expires=Wed, 19 Oct 2022 06:56:08 GMT; HttpOnly;
 {
     "id": "XX-1234",
     "name": "XXX"