From c3f06417049e17a8d45ee5926c5043cb6c8aa9ef Mon Sep 17 00:00:00 2001
From: Tim Burke <tim.burke@gmail.com>
Date: Wed, 24 Feb 2016 16:56:55 -0800
Subject: [PATCH] Follow-up to patch 282363
* Improve some formatting
* Be more explicit about how much will be revealed when
* Rename redact_sensitive_tokens to redact_sensitive_headers, as it
affects more than tokens.
Change-Id: I02b375d914e9f0a210d038ecb31188d09a8ffce3
---
swiftclient/client.py | 19 ++++++++++++-------
swiftclient/shell.py | 2 +-
tests/unit/test_swiftclient.py | 2 +-
3 files changed, 14 insertions(+), 9 deletions(-)
diff --git a/swiftclient/client.py b/swiftclient/client.py
index 9ebdef9c..8375fede 100644
--- a/swiftclient/client.py
+++ b/swiftclient/client.py
@@ -72,13 +72,18 @@ if StrictVersion(requests.__version__) < StrictVersion('2.0.0'):
logger = logging.getLogger("swiftclient")
logger.addHandler(NullHandler())
-#: Default behaviour is to redact tokens, showing only the initial 16 chars.
-#: To disable, set the value of 'redact_sensitive_tokens' to False.
-#: When token redaction is enabled 'reveal_sensitive_prefix' configures the
-#: maximum length of any sensitive token data sent to the logs (if the token
-#: is less than 32 chars long then int(len(token)/2) chars will be logged,
+#: Default behaviour is to redact header values known to contain secrets,
+#: such as ``X-Auth-Key`` and ``X-Auth-Token``. Up to the first 16 chars
+#: may be revealed.
+#:
+#: To disable, set the value of ``redact_sensitive_headers`` to ``False``.
+#:
+#: When header redaction is enabled, ``reveal_sensitive_prefix`` configures the
+#: maximum length of any sensitive header data sent to the logs. If the header
+#: is less than twice this length, only ``int(len(value)/2)`` chars will be
+#: logged; if it is less than 15 chars long, even less will be logged.
logger_settings = {
- 'redact_sensitive_tokens': True,
+ 'redact_sensitive_headers': True,
'reveal_sensitive_prefix': 16
}
#: A list of sensitive headers to redact in logs. Note that when extending this
@@ -124,7 +129,7 @@ def scrub_headers(headers):
(parse_header_string(key), parse_header_string(val))
for (key, val) in headers
]
- if not logger_settings.get('redact_sensitive_tokens', True):
+ if not logger_settings.get('redact_sensitive_headers', True):
return dict(headers)
if logger_settings.get('reveal_sensitive_prefix', 16) < 0:
logger_settings['reveal_sensitive_prefix'] = 16
diff --git a/swiftclient/shell.py b/swiftclient/shell.py
index 02f49dde..15be20ae 100755
--- a/swiftclient/shell.py
+++ b/swiftclient/shell.py
@@ -1108,7 +1108,7 @@ def parse_args(parser, args, enforce_requires=True):
if options.debug:
logging.basicConfig(level=logging.DEBUG)
logging.getLogger('iso8601').setLevel(logging.WARNING)
- client_logger_settings['redact_sensitive_tokens'] = False
+ client_logger_settings['redact_sensitive_headers'] = False
elif options.info:
logging.basicConfig(level=logging.INFO)
diff --git a/tests/unit/test_swiftclient.py b/tests/unit/test_swiftclient.py
index 77cf6076..ae144e24 100644
--- a/tests/unit/test_swiftclient.py
+++ b/tests/unit/test_swiftclient.py
@@ -2233,7 +2233,7 @@ class TestLogging(MockHttpTest):
unicode_token_value = (u'\u5929\u7a7a\u4e2d\u7684\u4e4c\u4e91'
u'\u5929\u7a7a\u4e2d\u7684\u4e4c\u4e91'
u'\u5929\u7a7a\u4e2d\u7684\u4e4c')
- c.logger_settings['redact_sensitive_tokens'] = False
+ c.logger_settings['redact_sensitive_headers'] = False
c.http_log(
['GET'],
{'headers': {