Proposed simple header filtering (#218)

* proposed header filtering * add change note
xmidt-org · Jun 10, 2021 · 23e1cb9 · 23e1cb9
1 parent b52294b
commit 23e1cb9
Show file tree

Hide file tree

Showing 5 changed files with 82 additions and 24 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,7 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
+- Prevent Authorization header from getting logged. [#218](https://github.com/xmidt-org/tr1d1um/pull/218) 
 
 
 ## [v0.5.9]

diff --git a/basculeLogging.go b/basculeLogging.go
@@ -0,0 +1,40 @@
+package main
+
+import (
+	"context"
+	"net/http"
+	"strings"
+
+	"github.com/go-kit/kit/log"
+	"github.com/xmidt-org/candlelight"
+	"github.com/xmidt-org/webpa-common/logging"
+)
+
+func sanitizeHeaders(headers http.Header) (filtered http.Header) {
+	filtered = headers.Clone()
+	if authHeader := filtered.Get("Authorization"); authHeader != "" {
+		filtered.Del("Authorization")
+		parts := strings.Split(authHeader, " ")
+		if len(parts) == 2 {
+			filtered.Set("Authorization-Type", parts[0])
+		}
+	}
+	return
+}
+
+func SetLogger(logger log.Logger) func(delegate http.Handler) http.Handler {
+	return func(delegate http.Handler) http.Handler {
+		return http.HandlerFunc(
+			func(w http.ResponseWriter, r *http.Request) {
+				kvs := []interface{}{"requestHeaders", sanitizeHeaders(r.Header), "requestURL", r.URL.EscapedPath(), "method", r.Method}
+				kvs, _ = candlelight.AppendTraceInfo(r.Context(), kvs)
+				ctx := r.WithContext(logging.WithLogger(r.Context(), log.With(logger, kvs...)))
+				delegate.ServeHTTP(w, ctx)
+			})
+	}
+}
+
+func GetLogger(ctx context.Context) log.Logger {
+	logger := log.With(logging.GetLogger(ctx), "ts", log.DefaultTimestampUTC, "caller", log.DefaultCaller)
+	return logger
+}
diff --git a/basculeLogging_test.go b/basculeLogging_test.go
@@ -0,0 +1,41 @@
+package main
+
+import (
+	"net/http"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestSanitizeHeaders(t *testing.T) {
+	testCases := []struct {
+		Description string
+		Input       http.Header
+		Expected    http.Header
+	}{
+		{
+			Description: "Filtered",
+			Input:       http.Header{"Authorization": []string{"Basic xyz"}, "HeaderA": []string{"x"}},
+			Expected:    http.Header{"HeaderA": []string{"x"}, "Authorization-Type": []string{"Basic"}},
+		},
+		{
+			Description: "Handled human error",
+			Input:       http.Header{"Authorization": []string{"BasicXYZ"}, "HeaderB": []string{"y"}},
+			Expected:    http.Header{"HeaderB": []string{"y"}},
+		},
+		{
+			Description: "Not a perfect system",
+			Input:       http.Header{"Authorization": []string{"MySecret IWantToLeakIt"}},
+			Expected:    http.Header{"Authorization-Type": []string{"MySecret"}},
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.Description, func(t *testing.T) {
+			assert := assert.New(t)
+			actual := sanitizeHeaders(tc.Input)
+			assert.Equal(tc.Expected, actual)
+		})
+
+	}
+}
diff --git a/go.sum b/go.sum
@@ -705,12 +705,6 @@ github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijb
 github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
 github.com/vmware/govmomi v0.18.0/go.mod h1:URlwyTFZX72RmxtxuaFL2Uj3fD1JTvZdx59bHWk6aFU=
 github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU=
-github.com/xmidt-org/ancla v0.1.5 h1:BNSobhozE/Dh5zpSsAUFNGbib5fcOt8bL1gzX+NZwKE=
-github.com/xmidt-org/ancla v0.1.5/go.mod h1:pvplJrrXakh68CZyL4VNkI/YaCvOlXl3BK8s66hvYes=
-github.com/xmidt-org/ancla v0.1.6-0.20210527025012-1d09163ebd6b h1:uW2mXmP06Nc9DsPm6q46yewVJR9OBkvDvzwBEupKB9I=
-github.com/xmidt-org/ancla v0.1.6-0.20210527025012-1d09163ebd6b/go.mod h1:u2olwo9FAZwoYJ/N5MrnKNbchzOpdU5mya+ZJ4Wnn1I=
-github.com/xmidt-org/ancla v0.1.6-0.20210527052900-0b0dffdd6241 h1:w41QRnYTN3X2aOLsVHnct2YDCjo1pBqzj9o/cZhlxes=
-github.com/xmidt-org/ancla v0.1.6-0.20210527052900-0b0dffdd6241/go.mod h1:u2olwo9FAZwoYJ/N5MrnKNbchzOpdU5mya+ZJ4Wnn1I=
 github.com/xmidt-org/ancla v0.1.6 h1:Y+tWbZQ/JIe8W/sXUMAE/VD2pzwS9Qp11TcWQZfA358=
 github.com/xmidt-org/ancla v0.1.6/go.mod h1:u2olwo9FAZwoYJ/N5MrnKNbchzOpdU5mya+ZJ4Wnn1I=
 github.com/xmidt-org/argus v0.3.9 h1:zmKDRq5e3Gy/hPxym3U4S1aba4ehNnTYGmmsJYIClKU=

diff --git a/main.go b/main.go
@@ -19,7 +19,6 @@ package main
 
 import (
 	"bytes"
-	"context"
 	"encoding/base64"
 	"errors"
 	"fmt"
@@ -402,23 +401,6 @@ func createAuthAcquirer(v *viper.Viper) (acquire.Acquirer, error) {
 	return nil, errors.New("auth acquirer not configured properly")
 }
 
-func SetLogger(logger log.Logger) func(delegate http.Handler) http.Handler {
-	return func(delegate http.Handler) http.Handler {
-		return http.HandlerFunc(
-			func(w http.ResponseWriter, r *http.Request) {
-				kvs := []interface{}{"requestHeaders", r.Header, "requestURL", r.URL.EscapedPath(), "method", r.Method}
-				kvs, _ = candlelight.AppendTraceInfo(r.Context(), kvs)
-				ctx := r.WithContext(logging.WithLogger(r.Context(), log.With(logger, kvs...)))
-				delegate.ServeHTTP(w, ctx)
-			})
-	}
-}
-
-func GetLogger(ctx context.Context) log.Logger {
-	logger := log.With(logging.GetLogger(ctx), "ts", log.DefaultTimestampUTC, "caller", log.DefaultCaller)
-	return logger
-}
-
 // JWTValidator provides a convenient way to define jwt validator through config files
 type JWTValidator struct {
 	// JWTKeys is used to create the key.Resolver for JWT verification keys