Merge "Change the default token logged length to 16"

etc/proxy-server.conf-sample

@@ -484,7 +484,7 @@ use = egg:swift#proxy_logging
 # by '...' in the log).
 # Note: reveal_sensitive_prefix will not affect the value
 # logged with access_log_headers=True.
-# reveal_sensitive_prefix = 8192
+# reveal_sensitive_prefix = 16
 #
 # What HTTP methods are allowed for StatsD logging (comma-sep); request methods
 # not in this list will have "BAD_METHOD" for the <verb> portion of the metric.

swift/common/middleware/proxy_logging.py

@@ -78,7 +78,6 @@ from swift.common.swob import Request
 from swift.common.utils import (get_logger, get_remote_client,
                                 get_valid_utf8_str, config_true_value,
                                 InputProxy, list_from_csv)
-from swift.common import constraints
 
 QUOTE_SAFE = '/:'
 
@@ -119,7 +118,7 @@ class ProxyLoggingMiddleware(object):
                                                   log_route='proxy-access')
         self.access_logger.set_statsd_prefix('proxy-server')
         self.reveal_sensitive_prefix = int(
-            conf.get('reveal_sensitive_prefix', constraints.MAX_HEADER_SIZE))
+            conf.get('reveal_sensitive_prefix', 16))
 
     def method_from_req(self, req):
         return req.environ.get('swift.orig_req_method', req.method)

test/unit/common/middleware/test_proxy_logging.py

@@ -23,6 +23,7 @@ from test.unit import FakeLogger
 from swift.common.utils import get_logger
 from swift.common.middleware import proxy_logging
 from swift.common.swob import Request, Response
+from swift.common import constraints
 
 
 class FakeApp(object):
@@ -658,7 +659,7 @@ class TestProxyLogging(unittest.TestCase):
     def test_log_auth_token(self):
         auth_token = 'b05bf940-0464-4c0e-8c70-87717d2d73e8'
 
-        # Default - no reveal_sensitive_prefix in config
+        # Default - reveal_sensitive_prefix is 16
         # No x-auth-token header
         app = proxy_logging.ProxyLoggingMiddleware(FakeApp(), {})
         app.access_logger = FakeLogger()
@@ -675,7 +676,7 @@ class TestProxyLogging(unittest.TestCase):
         resp = app(req.environ, start_response)
         resp_body = ''.join(resp)
         log_parts = self._log_parts(app)
-        self.assertEquals(log_parts[9], auth_token)
+        self.assertEquals(log_parts[9], 'b05bf940-0464-4c...')
 
         # Truncate to first 8 characters
         app = proxy_logging.ProxyLoggingMiddleware(FakeApp(), {
@@ -707,6 +708,17 @@ class TestProxyLogging(unittest.TestCase):
         log_parts = self._log_parts(app)
         self.assertEquals(log_parts[9], auth_token)
 
+        # No effective limit on auth token
+        app = proxy_logging.ProxyLoggingMiddleware(FakeApp(), {
+            'reveal_sensitive_prefix': constraints.MAX_HEADER_SIZE})
+        app.access_logger = FakeLogger()
+        req = Request.blank('/', environ={'REQUEST_METHOD': 'GET',
+                                          'HTTP_X_AUTH_TOKEN': auth_token})
+        resp = app(req.environ, start_response)
+        resp_body = ''.join(resp)
+        log_parts = self._log_parts(app)
+        self.assertEquals(log_parts[9], auth_token)
+
         # Don't log x-auth-token
         app = proxy_logging.ProxyLoggingMiddleware(FakeApp(), {
             'reveal_sensitive_prefix': '0'})