St2 auth logs leak sensitive information #5977

Closed
nzlosh opened this issue May 13, 2023 · 0 comments · Fixed by #6028

nzlosh commented May 13, 2023

SUMMARY

St2 writes http requests with unsanitised username/password pair to st2.auth.log when log level set to DEBUG.

STACKSTORM VERSION

st2 3.8.0, on Python 3.6.9

OS, environment, install method

lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 18.04.6 LTS
Release:        18.04
Codename:       bionic

Install method: manual (https://docs.stackstorm.com/install/u18.html)

Steps to reproduce the problem

  1. Configure st2.conf auth section using LDAP backend

     [auth]
     host = 127.0.0.1
     port = 9100
     use_ssl = False
     debug = True
     enable = True
     logging = /etc/st2/logging.auth.conf

     mode = standalone
     backend = ldap
     backend_kwargs = { "bind_dn": "cn=st2,dc=example,dc=net", "bind_password": "xxxx", "base_ou": "dc=example,dc=com", "group_dns": ["cn=stackstorm users", "cn=stackstorm admins"], "host": "localhost", "port": 389, "use_ssl": false }

  2. Login via st2 cli

     st2 auth st2admin -t

  3. Review log entries in st2.auth.log

Logged http request contains Authorization header with username/password.

2023-05-13 09:52:17,208 140432424245856 DEBUG router [-] Received call with WebOb: POST /tokens HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Authorization: Basic c3QyYWRtaW46TGVha2VkUGFzc3dvcmQK
Connection: keep-alive
Content-Length: 2
Content-Type: application/json
Host: 127.0.0.1:9100
User-Agent: python-requests/2.25.1
X-Request-Id: 52ad53f1-9942-4b31-95c6-cb12e442f77a

{}

Authorization is plain text base64 encoded:

    base64 -d <<<c3QyYWRtaW46TGVha2VkUGFzc3dvcmQK
    st2admin:LeakedPassword

Expected Results

In order of preference:

  1. remove/obfuscate the `Authorization` header
  2. don't log the request, just the call url.

Actual Results

Authentication secrets leaked in plain text through logs.
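As an added illustration of the first preferred fix (this is example code written for this page, not part of the issue, the linked PR or StackStorm's own code base), the helper below masks credential-bearing headers in a raw request dump before it is written to the log, and wraps that in a `logging.Filter` that can be attached to the auth logger's handlers. The header list, the function and class names and the `***REDACTED***` mask are assumptions chosen for the example.

```python
import logging
import re

# Headers whose values must never reach a log file (constructed list for this
# example; X-Auth-Token and St2-Api-Key are StackStorm's own API auth headers).
SENSITIVE_HEADERS = frozenset({
    "authorization", "proxy-authorization", "cookie", "set-cookie",
    "x-auth-token", "st2-api-key",
})

_HEADER_LINE = re.compile(r"^(?P<name>[A-Za-z0-9-]+):[ \t]*(?P<value>.*)$")
_AUTH_SCHEME = re.compile(r"^(Basic|Bearer|Digest)\s+\S+$", re.IGNORECASE)
MASK = "***REDACTED***"


def redact_value(name, value):
    """Mask a sensitive header value, keeping only the auth scheme (Basic/Bearer)."""
    if name.lower() not in SENSITIVE_HEADERS:
        return value
    m = _AUTH_SCHEME.match(value)
    return "%s %s" % (m.group(1), MASK) if m else MASK


def sanitize_request_dump(dump):
    """Mask sensitive header lines in a raw HTTP request dump (the WebOb text the
    router logs at DEBUG). Only the header block before the first blank line is
    rewritten; the request line and the body pass through unchanged."""
    head, sep, body = dump.replace("\r\n", "\n").partition("\n\n")
    out = []
    for line in head.split("\n"):
        m = _HEADER_LINE.match(line)
        if m:
            line = "%s: %s" % (m.group("name"), redact_value(m.group("name"), m.group("value")))
        out.append(line)
    return "\n".join(out) + sep + body


class RedactSecretsFilter(logging.Filter):
    """Attach to the auth logger's handlers so every formatted message is
    scrubbed before it is written, whatever the configured log level."""

    def filter(self, record):
        record.msg = sanitize_request_dump(record.getMessage())
        record.args = ()  # the message is now fully formatted
        return True
```

Masking at the handler is a safety net for the DEBUG dump shown above; the request logging itself still should not include the full header set.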
