Change the default token logged length to 16
Based on comments from deployers at the Juno OpenStack summit, limiting the default logged token length is a good idea, so that by default tokens are not written to the access log in full. Change-Id: I58980e85329d99de41f1c08f75e85973452317b1
This commit is contained in:
parent
e294538c20
commit
5f0160bdde
@ -484,7 +484,7 @@ use = egg:swift#proxy_logging
|
|||||||
# by '...' in the log).
|
# by '...' in the log).
|
||||||
# Note: reveal_sensitive_prefix will not affect the value
|
# Note: reveal_sensitive_prefix will not affect the value
|
||||||
# logged with access_log_headers=True.
|
# logged with access_log_headers=True.
|
||||||
# reveal_sensitive_prefix = 8192
|
# reveal_sensitive_prefix = 16
|
||||||
#
|
#
|
||||||
# What HTTP methods are allowed for StatsD logging (comma-sep); request methods
|
# What HTTP methods are allowed for StatsD logging (comma-sep); request methods
|
||||||
# not in this list will have "BAD_METHOD" for the <verb> portion of the metric.
|
# not in this list will have "BAD_METHOD" for the <verb> portion of the metric.
|
||||||
|
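Review bot: The sample now advertises `reveal_sensitive_prefix = 16`, but the sentence that describes the option is cut off above this hunk, so it is not visible whether it tells the operator that the value is a character count and that `0` suppresses the token altogether, a setting the unit tests exercise with `'reveal_sensitive_prefix': '0'`. If it does not, add `# Set to 0 to never log any part of the token.` next to the new default, since deployers reading this change will be deciding between 16 and 0. The existing note that the option does not cover `access_log_headers=True` is the right caveat and should stay adjacent to the value.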
@ -78,7 +78,6 @@ from swift.common.swob import Request
|
|||||||
from swift.common.utils import (get_logger, get_remote_client,
|
from swift.common.utils import (get_logger, get_remote_client,
|
||||||
get_valid_utf8_str, config_true_value,
|
get_valid_utf8_str, config_true_value,
|
||||||
InputProxy, list_from_csv)
|
InputProxy, list_from_csv)
|
||||||
from swift.common import constraints
|
|
||||||
|
|
||||||
QUOTE_SAFE = '/:'
|
QUOTE_SAFE = '/:'
|
||||||
|
|
||||||
@ -119,7 +118,7 @@ class ProxyLoggingMiddleware(object):
|
|||||||
log_route='proxy-access')
|
log_route='proxy-access')
|
||||||
self.access_logger.set_statsd_prefix('proxy-server')
|
self.access_logger.set_statsd_prefix('proxy-server')
|
||||||
self.reveal_sensitive_prefix = int(
|
self.reveal_sensitive_prefix = int(
|
||||||
conf.get('reveal_sensitive_prefix', constraints.MAX_HEADER_SIZE))
|
conf.get('reveal_sensitive_prefix', 16))
|
||||||
|
|
||||||
def method_from_req(self, req):
|
def method_from_req(self, req):
|
||||||
return req.environ.get('swift.orig_req_method', req.method)
|
return req.environ.get('swift.orig_req_method', req.method)
|
||||||
|
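Review bot: The new default at `conf.get('reveal_sensitive_prefix', 16)` is passed straight to `int()`, so a negative value from the config is accepted; the truncation code that consumes `self.reveal_sensitive_prefix` is outside this hunk, but if it slices the token with this value, a setting such as `-1` would log all but the last character, which is the opposite of what an operator tuning this option intends, so clamp it with `max(0, int(conf.get('reveal_sensitive_prefix', 16)))` or reject negative values at construction (the `__init__` body starts before this hunk). The literal 16 now lives here and in the sample config with nothing tying them together; a module-level `DEFAULT_REVEAL_SENSITIVE_PREFIX = 16` referenced from both the code and the sample comment would keep them from drifting. A malformed value makes `int()` raise at middleware construction, which fails closed rather than logging full tokens; a one-line comment saying so, `# int() raises on a bad value so a misconfiguration fails at startup rather than logging full tokens`, would make that intent explicit.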
@ -23,6 +23,7 @@ from test.unit import FakeLogger
|
|||||||
from swift.common.utils import get_logger
|
from swift.common.utils import get_logger
|
||||||
from swift.common.middleware import proxy_logging
|
from swift.common.middleware import proxy_logging
|
||||||
from swift.common.swob import Request, Response
|
from swift.common.swob import Request, Response
|
||||||
|
from swift.common import constraints
|
||||||
|
|
||||||
|
|
||||||
class FakeApp(object):
|
class FakeApp(object):
|
||||||
@ -658,7 +659,7 @@ class TestProxyLogging(unittest.TestCase):
|
|||||||
def test_log_auth_token(self):
|
def test_log_auth_token(self):
|
||||||
auth_token = 'b05bf940-0464-4c0e-8c70-87717d2d73e8'
|
auth_token = 'b05bf940-0464-4c0e-8c70-87717d2d73e8'
|
||||||
|
|
||||||
# Default - no reveal_sensitive_prefix in config
|
# Default - reveal_sensitive_prefix is 16
|
||||||
# No x-auth-token header
|
# No x-auth-token header
|
||||||
app = proxy_logging.ProxyLoggingMiddleware(FakeApp(), {})
|
app = proxy_logging.ProxyLoggingMiddleware(FakeApp(), {})
|
||||||
app.access_logger = FakeLogger()
|
app.access_logger = FakeLogger()
|
||||||
@ -675,7 +676,7 @@ class TestProxyLogging(unittest.TestCase):
|
|||||||
resp = app(req.environ, start_response)
|
resp = app(req.environ, start_response)
|
||||||
resp_body = ''.join(resp)
|
resp_body = ''.join(resp)
|
||||||
log_parts = self._log_parts(app)
|
log_parts = self._log_parts(app)
|
||||||
self.assertEquals(log_parts[9], auth_token)
|
self.assertEquals(log_parts[9], 'b05bf940-0464-4c...')
|
||||||
|
|
||||||
# Truncate to first 8 characters
|
# Truncate to first 8 characters
|
||||||
app = proxy_logging.ProxyLoggingMiddleware(FakeApp(), {
|
app = proxy_logging.ProxyLoggingMiddleware(FakeApp(), {
|
||||||
@ -707,6 +708,17 @@ class TestProxyLogging(unittest.TestCase):
|
|||||||
log_parts = self._log_parts(app)
|
log_parts = self._log_parts(app)
|
||||||
self.assertEquals(log_parts[9], auth_token)
|
self.assertEquals(log_parts[9], auth_token)
|
||||||
|
|
||||||
|
# No effective limit on auth token
|
||||||
|
app = proxy_logging.ProxyLoggingMiddleware(FakeApp(), {
|
||||||
|
'reveal_sensitive_prefix': constraints.MAX_HEADER_SIZE})
|
||||||
|
app.access_logger = FakeLogger()
|
||||||
|
req = Request.blank('/', environ={'REQUEST_METHOD': 'GET',
|
||||||
|
'HTTP_X_AUTH_TOKEN': auth_token})
|
||||||
|
resp = app(req.environ, start_response)
|
||||||
|
resp_body = ''.join(resp)
|
||||||
|
log_parts = self._log_parts(app)
|
||||||
|
self.assertEquals(log_parts[9], auth_token)
|
||||||
|
|
||||||
# Don't log x-auth-token
|
# Don't log x-auth-token
|
||||||
app = proxy_logging.ProxyLoggingMiddleware(FakeApp(), {
|
app = proxy_logging.ProxyLoggingMiddleware(FakeApp(), {
|
||||||
'reveal_sensitive_prefix': '0'})
|
'reveal_sensitive_prefix': '0'})
|
||||||
|
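Review bot: The new assertions pin the default (`'b05bf940-0464-4c...'`), the `0` case and the `MAX_HEADER_SIZE` case, but there is no case for an invalid or negative `reveal_sensitive_prefix`, which is the misconfiguration most likely once deployers start tuning the new default; add a case built with `{'reveal_sensitive_prefix': '-1'}` and assert the intended outcome, either a `ValueError` at construction or a logged value of `'...'`, because the truncation code is not in this diff and the expected behaviour cannot be read from it. The comment on the default case, `# Default - reveal_sensitive_prefix is 16`, no longer says that the config omits the option, which is what that case actually tests; `# Default - option absent from config, middleware falls back to 16` keeps that distinction from an explicit '16'. `test_log_auth_token` continues past the end of the last hunk.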