diff --git a/etc/proxy-server.conf-sample b/etc/proxy-server.conf-sample
index 4600ef0437..7cb87ac68e 100644
--- a/etc/proxy-server.conf-sample
+++ b/etc/proxy-server.conf-sample
@@ -484,7 +484,7 @@ use = egg:swift#proxy_logging
 # by '...' in the log).
 # Note: reveal_sensitive_prefix will not affect the value
 # logged with access_log_headers=True.
-# reveal_sensitive_prefix = 8192
+# reveal_sensitive_prefix = 16
 #
 # What HTTP methods are allowed for StatsD logging (comma-sep); request methods
 # not in this list will have "BAD_METHOD" for the portion of the metric.
diff --git a/swift/common/middleware/proxy_logging.py b/swift/common/middleware/proxy_logging.py
index d8a8b8736d..b0509fe079 100644
--- a/swift/common/middleware/proxy_logging.py
+++ b/swift/common/middleware/proxy_logging.py
@@ -78,7 +78,6 @@ from swift.common.swob import Request
 from swift.common.utils import (get_logger, get_remote_client, get_valid_utf8_str, config_true_value, InputProxy, list_from_csv)
-from swift.common import constraints
 QUOTE_SAFE = '/:'
@@ -119,7 +118,7 @@ class ProxyLoggingMiddleware(object):
 log_route='proxy-access')
 self.access_logger.set_statsd_prefix('proxy-server')
 self.reveal_sensitive_prefix = int(
- conf.get('reveal_sensitive_prefix', constraints.MAX_HEADER_SIZE))
+ conf.get('reveal_sensitive_prefix', 16))
 def method_from_req(self, req):
 return req.environ.get('swift.orig_req_method', req.method)
diff --git a/test/unit/common/middleware/test_proxy_logging.py b/test/unit/common/middleware/test_proxy_logging.py
index 4fa5b2b8f7..8b2b16eab6 100644
--- a/test/unit/common/middleware/test_proxy_logging.py
+++ b/test/unit/common/middleware/test_proxy_logging.py
@@ -23,6 +23,7 @@ from test.unit import FakeLogger
 from swift.common.utils import get_logger
 from swift.common.middleware import proxy_logging
 from swift.common.swob import Request, Response
+from swift.common import constraints
 class FakeApp(object):
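Review bot: The new default in the `@@ -119` hunk is still parsed with a bare `int()` and no range check, so a negative `reveal_sensitive_prefix` is accepted silently and a non-numeric one fails at start-up with a bare ValueError. If the code that applies the limit (outside this hunk) slices with `value[:self.reveal_sensitive_prefix]`, a negative setting would log all but the last characters of the token instead of hiding it. Consider clamping, e.g. `self.reveal_sensitive_prefix = max(0, int(conf.get('reveal_sensitive_prefix', 16)))`, and giving the `16` a module-level name, since the same value is repeated in the sample config and the unit test. Per the sample config's own note, values logged with `access_log_headers=True` are not covered by this limit, so the safer default does not protect tokens on that path. `__init__` starts before this hunk.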
@@ -658,7 +659,7 @@ class TestProxyLogging(unittest.TestCase):
 def test_log_auth_token(self):
 auth_token = 'b05bf940-0464-4c0e-8c70-87717d2d73e8'
- # Default - no reveal_sensitive_prefix in config
+ # Default - reveal_sensitive_prefix is 16
 # No x-auth-token header
 app = proxy_logging.ProxyLoggingMiddleware(FakeApp(), {})
 app.access_logger = FakeLogger()
@@ -675,7 +676,7 @@ class TestProxyLogging(unittest.TestCase):
 resp = app(req.environ, start_response)
 resp_body = ''.join(resp)
 log_parts = self._log_parts(app)
- self.assertEquals(log_parts[9], auth_token)
+ self.assertEquals(log_parts[9], 'b05bf940-0464-4c...')
 # Truncate to first 8 characters
 app = proxy_logging.ProxyLoggingMiddleware(FakeApp(), {
@@ -707,6 +708,17 @@ class TestProxyLogging(unittest.TestCase):
 log_parts = self._log_parts(app)
 self.assertEquals(log_parts[9], auth_token)
+ # No effective limit on auth token
+ app = proxy_logging.ProxyLoggingMiddleware(FakeApp(), {
+ 'reveal_sensitive_prefix': constraints.MAX_HEADER_SIZE})
+ app.access_logger = FakeLogger()
+ req = Request.blank('/', environ={'REQUEST_METHOD': 'GET',
+ 'HTTP_X_AUTH_TOKEN': auth_token})
+ resp = app(req.environ, start_response)
+ resp_body = ''.join(resp)
+ log_parts = self._log_parts(app)
+ self.assertEquals(log_parts[9], auth_token)
+
 # Don't log x-auth-token
 app = proxy_logging.ProxyLoggingMiddleware(FakeApp(), {
 'reveal_sensitive_prefix': '0'})
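Review bot: The block added in the `@@ -707` hunk covers only the no-limit setting, so nothing in this test pins the boundary of the new default. A token of exactly 16 characters, and one shorter than 16, are not exercised, and those are the cases where the whole secret may still reach the log. Two short requests against the default config would make explicit whether a token no longer than the prefix is logged in full or elided. A case for a negative or non-numeric `reveal_sensitive_prefix` would likewise document what the middleware does with a bad setting. `test_log_auth_token` begins in an earlier hunk and continues past this one.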