Merge pull request #4 from bkorty/obscure-password

Obscure password
sprockets · Sep 1, 2020 · 69b806f · 69b806f
2 parents ce6e2ec + 4bbcf51
commit 69b806f
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 4 deletions.
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-1.4.0
+1.4.1
diff --git a/sprockets_postgres.py b/sprockets_postgres.py
@@ -444,7 +444,9 @@ async def _postgres_connect(self) -> bool:
         if self._postgres_pool:
             self._postgres_pool.close()
 
-        LOGGER.debug('Connecting to %s', url)
+        safe_url = self._obscure_url_password(url)
+        LOGGER.debug('Connecting to %s', safe_url)
+
         try:
             self._postgres_pool = await pool.Pool.from_pool_fill(
                 url,
@@ -475,13 +477,25 @@ async def _postgres_connect(self) -> bool:
                         DEFAULT_POSTGRES_CONNECTION_TTL)))
         except (psycopg2.OperationalError,
                 psycopg2.Error) as error:  # pragma: nocover
-            LOGGER.warning('Error connecting to PostgreSQL on startup: %s',
-                           error)
+            LOGGER.warning(
+                'Error connecting to PostgreSQL on startup with %s: %s',
+                safe_url, error)
             return False
         self._postgres_connected.set()
         LOGGER.debug('Connected to Postgres')
         return True
 
+    @staticmethod
+    def _obscure_url_password(url):
+        """Generate log safe url with password obscured."""
+        parsed = parse.urlparse(url)
+        if parsed.password:
+            netloc = '{}:*****@{}:{}'.format(parsed.username,
+                                             parsed.hostname,
+                                             parsed.port)
+            url = parse.urlunparse(parsed._replace(netloc=netloc))
+        return url
+
     async def _postgres_on_start(self,
                                  _app: web.Application,
                                  loop: ioloop.IOLoop):

diff --git a/tests.py b/tests.py
@@ -579,6 +579,22 @@ def test_that_stop_is_invoked(self):
         obj.stop.assert_called_once()
 
 
+class ObscurePasswordUrlTestCase(unittest.TestCase):
+
+    def test_passwords_obscured(self):
+        for url, expected in {
+            'postgresql://server:5432/database':
+                'postgresql://server:5432/database',
+            'postgresql://username:password@server:5432/database':
+                'postgresql://username:*****@server:5432/database',
+            'postgresql://username@server/database':
+                'postgresql://username@server/database'
+        }.items():
+            result = \
+                sprockets_postgres.ApplicationMixin._obscure_url_password(url)
+            self.assertEqual(result, expected)
+
+
 SRV = collections.namedtuple(
     'SRV', ['host', 'port', 'priority', 'weight', 'ttl'])