Merge "Change the default token logged length to 16"

2014-05-21 12:08:38 +00:00 · 2014-05-21 12:08:38 +00:00 · dab96bec6d
commit dab96bec6d
parent 4acce68e33 5f0160bdde
3 changed files with 16 additions and 5 deletions
--- a/etc/proxy-server.conf-sample
+++ b/etc/proxy-server.conf-sample
@ -484,7 +484,7 @@ use = egg:swift#proxy_logging
 # by '...' in the log).
 # Note: reveal_sensitive_prefix will not affect the value
 # logged with access_log_headers=True.
-# reveal_sensitive_prefix = 8192
+# reveal_sensitive_prefix = 16
 #
 # What HTTP methods are allowed for StatsD logging (comma-sep); request methods
 # not in this list will have "BAD_METHOD" for the <verb> portion of the metric.
--- a/swift/common/middleware/proxy_logging.py
+++ b/swift/common/middleware/proxy_logging.py
@ -78,7 +78,6 @@ from swift.common.swob import Request
 from swift.common.utils import (get_logger, get_remote_client,
                                get_valid_utf8_str, config_true_value,
                                InputProxy, list_from_csv)
-from swift.common import constraints

 QUOTE_SAFE = '/:'

@ -119,7 +118,7 @@ class ProxyLoggingMiddleware(object):
                                                  log_route='proxy-access')
        self.access_logger.set_statsd_prefix('proxy-server')
        self.reveal_sensitive_prefix = int(
-            conf.get('reveal_sensitive_prefix', constraints.MAX_HEADER_SIZE))
+            conf.get('reveal_sensitive_prefix', 16))

    def method_from_req(self, req):
        return req.environ.get('swift.orig_req_method', req.method)
--- a/test/unit/common/middleware/test_proxy_logging.py
+++ b/test/unit/common/middleware/test_proxy_logging.py
@ -23,6 +23,7 @@ from test.unit import FakeLogger
 from swift.common.utils import get_logger
 from swift.common.middleware import proxy_logging
 from swift.common.swob import Request, Response
+from swift.common import constraints


 class FakeApp(object):
@ -658,7 +659,7 @@ class TestProxyLogging(unittest.TestCase):
    def test_log_auth_token(self):
        auth_token = 'b05bf940-0464-4c0e-8c70-87717d2d73e8'

-        # Default - no reveal_sensitive_prefix in config
+        # Default - reveal_sensitive_prefix is 16
        # No x-auth-token header
        app = proxy_logging.ProxyLoggingMiddleware(FakeApp(), {})
        app.access_logger = FakeLogger()
@ -675,7 +676,7 @@ class TestProxyLogging(unittest.TestCase):
        resp = app(req.environ, start_response)
        resp_body = ''.join(resp)
        log_parts = self._log_parts(app)
-        self.assertEquals(log_parts[9], auth_token)
+        self.assertEquals(log_parts[9], 'b05bf940-0464-4c...')

        # Truncate to first 8 characters
        app = proxy_logging.ProxyLoggingMiddleware(FakeApp(), {
@ -707,6 +708,17 @@ class TestProxyLogging(unittest.TestCase):
        log_parts = self._log_parts(app)
        self.assertEquals(log_parts[9], auth_token)

+        # No effective limit on auth token
+        app = proxy_logging.ProxyLoggingMiddleware(FakeApp(), {
+            'reveal_sensitive_prefix': constraints.MAX_HEADER_SIZE})
+        app.access_logger = FakeLogger()
+        req = Request.blank('/', environ={'REQUEST_METHOD': 'GET',
+                                          'HTTP_X_AUTH_TOKEN': auth_token})
+        resp = app(req.environ, start_response)
+        resp_body = ''.join(resp)
+        log_parts = self._log_parts(app)
+        self.assertEquals(log_parts[9], auth_token)
+
        # Don't log x-auth-token
        app = proxy_logging.ProxyLoggingMiddleware(FakeApp(), {
            'reveal_sensitive_prefix': '0'})