SNOW-1657037: Remove secrets from debug logs. (#2058)
sfc-gh-jrose authored Oct 22, 2024
1 parent 7ddbf31 commit dbc9284
Showing 3 changed files with 48 additions and 4 deletions.
18 changes: 16 additions & 2 deletions src/snowflake/connector/auth/_auth.py
@@ -112,6 +112,18 @@
ID_TOKEN = "ID_TOKEN"
MFA_TOKEN = "MFATOKEN"

AUTHENTICATION_REQUEST_KEY_WHITELIST = {
"ACCOUNT_NAME",
"AUTHENTICATOR",
"CLIENT_APP_ID",
"CLIENT_APP_VERSION",
"CLIENT_ENVIRONMENT",
"EXT_AUTHN_DUO_METHOD",
"LOGIN_NAME",
"SESSION_PARAMETERS",
"SVN_REVISION",
}


class Auth:
"""Snowflake Authenticator."""
@@ -205,7 +217,6 @@ def authenticate(

body = copy.deepcopy(body_template)
# updating request body
logger.debug("assertion content: %s", auth_instance.assertion_content)
auth_instance.update_body(body)

logger.debug(
@@ -243,7 +254,10 @@ def authenticate(

logger.debug(
"body['data']: %s",
{k: v for (k, v) in body["data"].items() if k != "PASSWORD"},
{
k: v if k in AUTHENTICATION_REQUEST_KEY_WHITELIST else "******"
for (k, v) in body["data"].items()
},
)

try:
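Review bot: AUTHENTICATION_REQUEST_KEY_WHITELIST at the top of the first hunk carries no comment stating its contract, and the masking in the last hunk only inspects top-level keys, so whitelisted entries such as SESSION_PARAMETERS and CLIENT_ENVIRONMENT are logged with their full nested contents — worth confirming that nothing credential-like can ever be nested under them. I would add above the set: `# Keys of the login request body that are safe to log verbatim; every other key is masked in the debug output, so new fields are hidden by default.` The placeholder `"******"` also differs from the `****` marker that SecretDetector emits, which makes masked debug lines harder to grep for consistently; reusing a single marker would help. `authenticate` starts and ends outside these hunks.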
4 changes: 2 additions & 2 deletions src/snowflake/connector/secret_detector.py
@@ -33,14 +33,14 @@ class SecretDetector(logging.Formatter):
flags=re.IGNORECASE,
)
PRIVATE_KEY_PATTERN = re.compile(
r"-----BEGIN PRIVATE KEY-----\\n([a-z0-9/+=\\n]{32,})\\n-----END PRIVATE KEY-----",
r"-{3,}BEGIN [A-Z ]*PRIVATE KEY-{3,}\n([\s\S]*?)\n-{3,}END [A-Z ]*PRIVATE KEY-{3,}",
flags=re.MULTILINE | re.IGNORECASE,
)
PRIVATE_KEY_DATA_PATTERN = re.compile(
r'"privateKeyData": "([a-z0-9/+=\\n]{10,})"', flags=re.MULTILINE | re.IGNORECASE
)
CONNECTION_TOKEN_PATTERN = re.compile(
r"(token|assertion content)" r"([\'\"\s:=]+)" r"([a-z0-9=/_\-\+]{8,})",
r"(token|assertion content)" r"([\'\"\s:=]+)" r"([a-z0-9=/_\-\+\.]{8,})",
flags=re.IGNORECASE,
)

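Review bot: The new PRIVATE_KEY_PATTERN anchors the header and footer on a real newline (`\n`), whereas the line it replaces matched the escaped two-character form (`\\n`), so a key that reaches the formatter after repr()-style escaping — as presumably happens when a dict holding the key is logged with %s — would no longer be masked, and a PEM with CRLF line endings would not satisfy the `-{3,}\n` after the BEGIN header either. Consider `r"-{3,}BEGIN [A-Z ]*PRIVATE KEY-{3,}(?:\r?\n|\\n)([\s\S]*?)(?:\r?\n|\\n)-{3,}END [A-Z ]*PRIVATE KEY-{3,}"` so both forms keep being caught, with a short comment above the pattern such as `# Matches PEM-style private keys (RSA/EC/ENCRYPTED headers included) whether newlines are real or escaped.` The addition of `\.` to the CONNECTION_TOKEN_PATTERN character class looks right for dotted JWT values. The SecretDetector class body continues outside this hunk.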
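--- a/test/unit/test_log_secret_detector.py
+++ b/test/unit/test_log_secret_detector.py
@@ -92,6 +92,31 @@ def test_mask_token():
 "XdJYuI8vhg=f0bKSq7AhQ2Bh"
 )
 
+rsa_key = (
+"-----BEGIN RSA PRIVATE KEY-----\n"
+"MIIBVAIBADANBgkqhkiG9w0BAQEFAASCAT4wggE6AgEAAkEA0pCa0rw1n4GBjylx\n"
+"sBJPVCrsKO7SowkgJ52Lc8K3hMHNKXvYiqwgizbXFBQA27kvpEVSeRQVC3FAPRU5\n"
+"gjtLRwIDAQABAkBHZbz5o9PS6AjUUEs6VpsLgRpersxBeACtLiBw+h9cJfUerR//\n"
+"tTmNsQ9LlamMu2lOlfbO3R2J45ybF7z94A+hAiEA8piucvAlo9YJ4VViQGRTVvr+\n"
+"xZKekSEYRJBn2czeP+kCIQDeMt1PVk/p0NEcNvQMbO0vJ3+U+lITJRwmtJ9Fs1Lj\n"
+"rwIgJeTdkwyaBI6BepY4w7AoKHUKaNgvNqJBxSv9XNMYgEkCIG2rl1YgWOMkAQI3\n"
+"EW/Ml6jtiugiQT5X07Q69F33q5LbAiEArZM7htafpt0RVia+nC9aY+73wpW0Be9e\n"
+"pDz0yVv8s/Q=\n"
+"-----END RSA PRIVATE KEY-----\n"
+)
+
+json_token = (
+"{'TOKEN': 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFt"
+"ZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c'}"
+)
+
+masked, masked_str, err_str = SecretDetector.mask_secrets(rsa_key)
+assert masked
+assert err_str is None
+assert (
+masked_str == "-----BEGIN PRIVATE KEY-----\\nXXXX\\n-----END PRIVATE KEY-----\n"
+)
+
 token_str_w_prefix = "Token =" + long_token
 masked, masked_str, err_str = SecretDetector.mask_secrets(token_str_w_prefix)
 assert masked
@@ -122,6 +147,11 @@ def test_mask_token():
 assert err_str is None
 assert masked_str == "assertion content:****"
 
+masked, masked_str, err_str = SecretDetector.mask_secrets(json_token)
+assert masked
+assert err_str is None
+assert masked_str == "{'TOKEN': '****'}"
+
 
 def test_token_false_positives():
 false_positive_token_str = (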
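Review bot: The new rsa_key and json_token fixtures carry no comment saying which pattern variant each one exercises, and the private-key case only covers a PEM with real newlines and an RSA header; there is no assertion for the escaped-newline form (`\\n`) that the previous PRIVATE_KEY_PATTERN was written for, so a regression there would pass this test unnoticed. I would add above rsa_key `# RSA header variant with real newlines; exercises the widened BEGIN/END match in PRIVATE_KEY_PATTERN` and above json_token `# dotted JWT inside a repr'd dict; exercises the '.' added to CONNECTION_TOKEN_PATTERN`, plus one extra assertion that `rsa_key.replace("\n", "\\n")` is also reported as masked. Both hunks sit inside test_mask_token, which starts before the first hunk.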
