From bfa9efdd50389f26b63739bd996eba813c71e64d Mon Sep 17 00:00:00 2001
From: Jamison
Date: Thu, 19 Sep 2024 11:52:35 -0700
Subject: [PATCH] SNOW-1657037: Filter debug logs.
---
 src/snowflake/connector/auth/_auth.py | 18 +++++++++++--
 src/snowflake/connector/secret_detector.py | 4 +--
 test/unit/test_log_secret_detector.py | 30 ++++++++++++++++++++++
 3 files changed, 48 insertions(+), 4 deletions(-)
diff --git a/src/snowflake/connector/auth/_auth.py b/src/snowflake/connector/auth/_auth.py
index b8aa8f485..e0cc71499 100644
--- a/src/snowflake/connector/auth/_auth.py
+++ b/src/snowflake/connector/auth/_auth.py
@@ -112,6 +112,18 @@ ID_TOKEN = "ID_TOKEN" MFA_TOKEN = "MFATOKEN"
+AUTHENTICATION_REQUEST_KEY_WHITELIST = {
+ "ACCOUNT_NAME",
+ "AUTHENTICATOR",
+ "CLIENT_APP_ID",
+ "CLIENT_APP_VERSION",
+ "CLIENT_ENVIRONMENT",
+ "EXT_AUTHN_DUO_METHOD",
+ "LOGIN_NAME",
+ "SESSION_PARAMETERS",
+ "SVN_REVISION",
+}
+
 class Auth: """Snowflake Authenticator."""
@@ -205,7 +217,6 @@ def authenticate( body = copy.deepcopy(body_template) # updating request body
- logger.debug("assertion content: %s", auth_instance.assertion_content)
 auth_instance.update_body(body) logger.debug(
@@ -243,7 +254,10 @@ def authenticate( logger.debug( "body['data']: %s",
- {k: v for (k, v) in body["data"].items() if k != "PASSWORD"},
+ {
+ k: v if k in AUTHENTICATION_REQUEST_KEY_WHITELIST else "******"
+ for (k, v) in body["data"].items()
+ },
 ) try:
diff --git a/src/snowflake/connector/secret_detector.py b/src/snowflake/connector/secret_detector.py
index 6633cda65..a9e3d8123 100644
--- a/src/snowflake/connector/secret_detector.py
+++ b/src/snowflake/connector/secret_detector.py
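Review bot: `AUTHENTICATION_REQUEST_KEY_WHITELIST` is added without a comment saying what it controls, and the set is security-relevant: in the third hunk of this file it decides which `body["data"]` values reach the debug log unmasked. I would put a comment above it such as `# Keys of body["data"] whose values may be written to debug logs; every other key is masked. Confirm a value (including nested entries) carries no secret before adding its key.` `LOGIN_NAME` is on the list, so usernames still appear in debug output; that may be intended but is worth stating in the same comment. The name could also be `AUTHENTICATION_REQUEST_KEY_ALLOWLIST`.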
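Review bot: The new filter in the `logger.debug("body['data']: %s", ...)` call checks top-level keys only, so the values of `SESSION_PARAMETERS` and `CLIENT_ENVIRONMENT` are logged whole, whatever they contain. This hunk does not show what those nested values hold, so it is worth confirming that no caller-supplied entry in them is sensitive, or masking them key by key as well. Separately, the comprehension is evaluated on every `authenticate` call even when debug logging is disabled; guarding the call with `if logger.isEnabledFor(logging.DEBUG):` would skip that work (assuming `logging` is imported in this module, which the hunk does not show). `authenticate` starts and ends outside the hunk.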
@@ -33,14 +33,14 @@ class SecretDetector(logging.Formatter): flags=re.IGNORECASE, ) PRIVATE_KEY_PATTERN = re.compile(
- r"-----BEGIN PRIVATE KEY-----\\n([a-z0-9/+=\\n]{32,})\\n-----END PRIVATE KEY-----",
+ r"-{3,}BEGIN [A-Z ]*PRIVATE KEY-{3,}\n([\s\S]*?)\n-{3,}END [A-Z ]*PRIVATE KEY-{3,}",
 flags=re.MULTILINE | re.IGNORECASE, ) PRIVATE_KEY_DATA_PATTERN = re.compile( r'"privateKeyData": "([a-z0-9/+=\\n]{10,})"', flags=re.MULTILINE | re.IGNORECASE ) CONNECTION_TOKEN_PATTERN = re.compile(
- r"(token|assertion content)" r"([\'\"\s:=]+)" r"([a-z0-9=/_\-\+]{8,})",
+ r"(token|assertion content)" r"([\'\"\s:=]+)" r"([a-z0-9=/_\-\+\.]{8,})",
 flags=re.IGNORECASE, )
diff --git a/test/unit/test_log_secret_detector.py b/test/unit/test_log_secret_detector.py
index 58de63095..a6e62cb18 100644
--- a/test/unit/test_log_secret_detector.py
+++ b/test/unit/test_log_secret_detector.py
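Review bot: The new `PRIVATE_KEY_PATTERN` matches a real newline (`\n`) around the key body where the old one matched the two-character escape (`\\n`), so a key logged in escaped form (for example inside a JSON or `repr()` string) that was masked before is no longer matched. Accepting both forms keeps the old coverage: `r"-{3,}BEGIN [A-Z ]*PRIVATE KEY-{3,}(?:\\n|\n)([\s\S]*?)(?:\\n|\n)-{3,}END [A-Z ]*PRIVATE KEY-{3,}",`. The pattern also still requires the END line, so a key that is truncated in the log stays unmasked; that was already the case before this change. The class body continues outside the hunk.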
@@ -92,6 +92,31 @@ def test_mask_token(): "XdJYuI8vhg=f0bKSq7AhQ2Bh" )
+ rsa_key = (
+ "-----BEGIN RSA PRIVATE KEY-----\n"
+ "MIIBVAIBADANBgkqhkiG9w0BAQEFAASCAT4wggE6AgEAAkEA0pCa0rw1n4GBjylx\n"
+ "sBJPVCrsKO7SowkgJ52Lc8K3hMHNKXvYiqwgizbXFBQA27kvpEVSeRQVC3FAPRU5\n"
+ "gjtLRwIDAQABAkBHZbz5o9PS6AjUUEs6VpsLgRpersxBeACtLiBw+h9cJfUerR//\n"
+ "tTmNsQ9LlamMu2lOlfbO3R2J45ybF7z94A+hAiEA8piucvAlo9YJ4VViQGRTVvr+\n"
+ "xZKekSEYRJBn2czeP+kCIQDeMt1PVk/p0NEcNvQMbO0vJ3+U+lITJRwmtJ9Fs1Lj\n"
+ "rwIgJeTdkwyaBI6BepY4w7AoKHUKaNgvNqJBxSv9XNMYgEkCIG2rl1YgWOMkAQI3\n"
+ "EW/Ml6jtiugiQT5X07Q69F33q5LbAiEArZM7htafpt0RVia+nC9aY+73wpW0Be9e\n"
+ "pDz0yVv8s/Q=\n"
+ "-----END RSA PRIVATE KEY-----\n"
+ )
+
+ json_token = (
+ "{'TOKEN': 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFt"
+ "ZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c'}"
+ )
+
+ masked, masked_str, err_str = SecretDetector.mask_secrets(rsa_key)
+ assert masked
+ assert err_str is None
+ assert (
+ masked_str == "-----BEGIN PRIVATE KEY-----\\nXXXX\\n-----END PRIVATE KEY-----\n"
+ )
+
 token_str_w_prefix = "Token =" + long_token masked, masked_str, err_str = SecretDetector.mask_secrets(token_str_w_prefix) assert masked
@@ -122,6 +147,11 @@ def test_mask_token(): assert err_str is None assert masked_str == "assertion content:****"
+ masked, masked_str, err_str = SecretDetector.mask_secrets(json_token)
+ assert masked
+ assert err_str is None
+ assert masked_str == "{'TOKEN': '****'}"
+
 def test_token_false_positives(): false_positive_token_str = (
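Review bot: The only private-key case added to `test_mask_token` uses real newlines and the `RSA` label, so the other shapes the widened `PRIVATE_KEY_PATTERN` is meant to cover are untested: a key with escaped `\\n` separators, and labels such as `ENCRYPTED PRIVATE KEY` or plain `PRIVATE KEY`. Adding those inputs would pin the masking behaviour for each of them. The PEM block will also trip repository secret scanners; if it is a throwaway key, a comment above `rsa_key` saying so (`# Throwaway key generated for this test; not a real credential.`) helps the next reader. `json_token` is defined here but first used in the next hunk, and would read better next to its assertion. `test_mask_token` starts outside the hunk.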