From 3a416edcfa8a3a332c5ee28e85788778ecc2c19e Mon Sep 17 00:00:00 2001
From: Jonathan
Date: Tue, 12 Oct 2021 17:37:22 +0200
Subject: [PATCH 1/3] 273 implement mask for base64 basic auth
---
 http/transport/dump_round_tripper.go | 3 +++
 http/transport/dump_round_tripper_test.go | 24 +++++++++++++++++++++++
 pkg/redact/pattern.go | 4 ++++
 3 files changed, 31 insertions(+)
diff --git a/http/transport/dump_round_tripper.go b/http/transport/dump_round_tripper.go
index 4465d10f2..f026d8c07 100644
--- a/http/transport/dump_round_tripper.go
+++ b/http/transport/dump_round_tripper.go
@@ -5,6 +5,7 @@ package transport
 import (
 "encoding/hex"
+ "fmt"
 "net/http"
 "net/http/httputil"
@@ -110,6 +111,7 @@ func (l *DumpRoundTripper) RoundTrip(req *http.Request) (*http.Response, error)
 // request logging
 if l.DumpRequest || l.DumpRequestHEX {
+ fmt.Println("je suisn la ", req)
 reqDump, err := httputil.DumpRequest(req, l.DumpBody)
 if err != nil {
 reqDump = []byte(err.Error())
@@ -117,6 +119,7 @@ func (l *DumpRoundTripper) RoundTrip(req *http.Request) (*http.Response, error)
 // in case a redactor is present, redact the content before logging
 if redactor != nil {
+ fmt.Println("je suisn oci ")
 reqDump = []byte(redactor.Mask(string(reqDump)))
 }
diff --git a/http/transport/dump_round_tripper_test.go b/http/transport/dump_round_tripper_test.go
index d3d16151c..eba09a7e3 100644
--- a/http/transport/dump_round_tripper_test.go
+++ b/http/transport/dump_round_tripper_test.go
@@ -82,6 +82,30 @@ func TestNewDumpRoundTripperRedacted(t *testing.T) {
 assert.Contains(t, out.String(), `"message":"HTTP Transport Dump"`)
 }
+func TestNewDumpRoundTripperRedactedBasicAuth(t *testing.T) {
+ out := &bytes.Buffer{}
+ ctx := log.Output(out).WithContext(context.Background())
+
+ rt := NewDumpRoundTripper(
+ DumpRoundTripperOptionRequest,
+ DumpRoundTripperOptionResponse,
+ DumpRoundTripperOptionBody,
+ )
+
+ req := httptest.NewRequest("GET", "/foo", bytes.NewBufferString("Authorization: Basic ZGVtbzpwQDU1dzByZA=="))
+ ctx = redact.Default.WithContext(ctx)
+ req = req.WithContext(ctx)
+ rt.SetTransport(&transportWithResponse{})
+
+ _, err := rt.RoundTrip(req)
+ assert.NoError(t, err)
+
+ assert.Contains(t, out.String(), `"level":"debug"`)
+ assert.Contains(t, out.String(), `"request":"GET /foo HTTP/1.1\r\nHost: example.com\r\n\r\nAuthorization: **********************ZA=="`)
+ assert.Contains(t, out.String(), `"response":"HTTP/0.0 000 status code 0\r\nContent-Length: 0\r\n\r\n"`)
+ assert.Contains(t, out.String(), `"message":"HTTP Transport Dump"`)
+}
+
 func TestNewDumpRoundTripperSimple(t *testing.T) {
 out := &bytes.Buffer{}
 ctx := log.Output(out).WithContext(context.Background())
diff --git a/pkg/redact/pattern.go b/pkg/redact/pattern.go
index dab5aa598..447e95635 100644
--- a/pkg/redact/pattern.go
+++ b/pkg/redact/pattern.go
@@ -18,6 +18,7 @@ var AllPatterns = []*regexp.Regexp{
 PatternCCDinersClub,
 PatternCCDiscover,
 PatternCCJCB,
+ PatternBasicAuthBase64,
 }
 var (
@@ -49,4 +50,7 @@ var (
 // PatternJWT JsonWebToken
 PatternJWT = regexp.MustCompile(`(?:ey[a-zA-Z0-9=_-]+\.){2}[a-zA-Z0-9=_-]+`)
+
+ //PatternBasicAuthBase match any: Basic YW55IGNhcm5hbCBwbGVhcw== does not validate base64 string
+ PatternBasicAuthBase64 = regexp.MustCompile(`Basic ([a-zA-Z0-9=]*)`)
 )
From 8c81251e2ded16c757f08464f975271077301dbb Mon Sep 17 00:00:00 2001
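Review bot: The new test puts the credential in the request body (`bytes.NewBufferString("Authorization: Basic …")`) rather than in a header, so it exercises body masking, not the header line that httputil.DumpRequest would actually emit; setting it with `req.SetBasicAuth(user, pass)` or `req.Header.Set("Authorization", "Basic …")` would test the realistic path. The assertions also only check that the masked text is present; adding `assert.NotContains(t, out.String(), "ZGVtbzpwQDU1dzByZA==")` pins the property that matters, namely that the token never reaches the log. The expected string shows the last four base64 characters `ZA==` surviving the mask; if that tail retention is the redactor's general behaviour it reveals the final byte of the decoded user:password pair, so it is worth confirming that is intended for credentials. The third patch's test hunk updates the same expectation.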
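Review bot: The character class `[a-zA-Z0-9=]` in `PatternBasicAuthBase64` omits `+` and `/`, which belong to the standard base64 alphabet, so a token containing either is matched only up to that character and the rest of the credential stays in clear in the dump; `[A-Za-z0-9+/=]` covers the standard alphabet (add `_-` if URL-safe encodings are expected). The `*` quantifier also accepts an empty token, which `+` would not. The capture group appears unused, since the test expectation shows the whole match including `Basic ` being replaced. The third patch's pattern.go hunk carries the same character class forward unchanged.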
From: Jonathan
Date: Wed, 13 Oct 2021 10:01:52 +0200
Subject: [PATCH 2/3] remove debug logs
---
 http/transport/dump_round_tripper.go | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/http/transport/dump_round_tripper.go b/http/transport/dump_round_tripper.go
index f026d8c07..4465d10f2 100644
--- a/http/transport/dump_round_tripper.go
+++ b/http/transport/dump_round_tripper.go
@@ -5,7 +5,6 @@ package transport
 import (
 "encoding/hex"
- "fmt"
 "net/http"
 "net/http/httputil"
@@ -111,7 +110,6 @@ func (l *DumpRoundTripper) RoundTrip(req *http.Request) (*http.Response, error)
 // request logging
 if l.DumpRequest || l.DumpRequestHEX {
- fmt.Println("je suisn la ", req)
 reqDump, err := httputil.DumpRequest(req, l.DumpBody)
 if err != nil {
 reqDump = []byte(err.Error())
@@ -119,7 +117,6 @@ func (l *DumpRoundTripper) RoundTrip(req *http.Request) (*http.Response, error)
 // in case a redactor is present, redact the content before logging
 if redactor != nil {
- fmt.Println("je suisn oci ")
 reqDump = []byte(redactor.Mask(string(reqDump)))
 }
From 76f7aa6a9c88eb0ceb699beaeb172d7b7d50d7bd Mon Sep 17 00:00:00 2001
From: Jonathan
Date: Wed, 13 Oct 2021 10:10:18 +0200
Subject: [PATCH 3/3] add authorization to regex pattern
---
 http/transport/dump_round_tripper_test.go | 2 +-
 pkg/redact/pattern.go | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/http/transport/dump_round_tripper_test.go b/http/transport/dump_round_tripper_test.go
index eba09a7e3..65d180215 100644
--- a/http/transport/dump_round_tripper_test.go
+++ b/http/transport/dump_round_tripper_test.go
@@ -101,7 +101,7 @@ func TestNewDumpRoundTripperRedactedBasicAuth(t *testing.T) {
 assert.NoError(t, err)
 assert.Contains(t, out.String(), `"level":"debug"`)
- assert.Contains(t, out.String(), `"request":"GET /foo HTTP/1.1\r\nHost: example.com\r\n\r\nAuthorization: **********************ZA=="`)
+ assert.Contains(t, out.String(), `"request":"GET /foo HTTP/1.1\r\nHost: example.com\r\n\r\n*************************************ZA=="`)
 assert.Contains(t, out.String(), `"response":"HTTP/0.0 000 status code 0\r\nContent-Length: 0\r\n\r\n"`)
 assert.Contains(t, out.String(), `"message":"HTTP Transport Dump"`)
 }
diff --git a/pkg/redact/pattern.go b/pkg/redact/pattern.go
index 447e95635..e64e79036 100644
--- a/pkg/redact/pattern.go
+++ b/pkg/redact/pattern.go
@@ -52,5 +52,5 @@ var (
 PatternJWT = regexp.MustCompile(`(?:ey[a-zA-Z0-9=_-]+\.){2}[a-zA-Z0-9=_-]+`)
 //PatternBasicAuthBase match any: Basic YW55IGNhcm5hbCBwbGVhcw== does not validate base64 string
- PatternBasicAuthBase64 = regexp.MustCompile(`Basic ([a-zA-Z0-9=]*)`)
+ PatternBasicAuthBase64 = regexp.MustCompile(`Authorization: Basic ([a-zA-Z0-9=]*)`)
 )
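Review bot: `Authorization: Basic` is matched case-sensitively, but the auth-scheme token is case-insensitive per RFC 7235, so a client sending `basic` or `BASIC` slips past the mask; prefixing the pattern with `(?i)` closes that and also covers header-name casing when the redactor runs on text that did not pass through httputil's header canonicalisation. Adding the header-name prefix means a bare `Basic <token>` elsewhere in a dumped body, which the first patch matched, now passes through unmasked; if that narrowing is intended it belongs in the comment. The doc comment names the wrong identifier and lacks the conventional space after `//`; `// PatternBasicAuthBase64 matches an Authorization header carrying a Basic token; it does not validate the base64 payload.`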