test: redact sensitive data in test logs

input-output-hk · Feb 25, 2025 · e0c59be · e0c59be
1 parent 74bad6d
commit e0c59be
Show file tree

Hide file tree

Showing 4 changed files with 23 additions and 37 deletions.
diff --git a/e2e-tests/src/log_filter.py b/e2e-tests/src/log_filter.py
@@ -0,0 +1,22 @@
+import logging
+import re
+
+
+class SensitiveDataFilter(logging.Filter):
+    def __init__(self, patterns):
+        super().__init__()
+        self.patterns = patterns
+
+    def filter(self, record):
+        message = record.getMessage()
+        for pattern, replacement in self.patterns:
+            message = re.sub(pattern, replacement, message)
+        record.msg = message
+        return True
+
+
+mc_vkey_pattern = (r"mc_vkey='([^']*)'", "mc_vkey='[REDACTED]'")
+signing_key_arg_pattern = (re.compile(r"(--signing-key\s+|--mainchain-signing-key\s+|--sidechain-signing-key\s+)[^\s]+", re.IGNORECASE), r"\1[REDACTED]") 
+signing_key_file_pattern = (re.compile(r"(SigningKey.*?cborHex.: .)([0-9a-fA-F]+)(.)", re.IGNORECASE | re.DOTALL), r"\1[REDACTED]\3")
+
+sensitive_filter = SensitiveDataFilter([mc_vkey_pattern, signing_key_arg_pattern, signing_key_file_pattern])
diff --git a/e2e-tests/src/password_filter.py b/e2e-tests/src/password_filter.py
diff --git a/e2e-tests/tests/conftest.py b/e2e-tests/tests/conftest.py
@@ -1,14 +1,12 @@
 import os
 import json
 import logging
-import re
 import subprocess
 from omegaconf import OmegaConf
 from pytest import fixture, skip, Config, Metafunc, UsageError
-from .log_filter import sensitive_filter
+from src.log_filter import sensitive_filter
 from src.blockchain_api import BlockchainApi, Wallet
 from src.blockchain_types import BlockchainTypes
-from src.password_filter import PasswordFilter
 from src.pc_epoch_calculator import PartnerChainEpochCalculator
 from src.partner_chain_rpc import PartnerChainRpc
 from config.api_config import ApiConfig
@@ -78,11 +76,9 @@ def pytest_configure(config: Config):
         raise UsageError("Options --latest-mc-epoch, --mc-epoch, and --pc-epoch are mutually exclusive.")
 
     # Mask sensitive data in logs
-    password_pattern = re.compile(r"((pass|skey|signing-key|private-key|secret).*?[=: ]\s*)\s*\S+\b", re.IGNORECASE)
     paramiko_logger = logging.getLogger("paramiko")
     paramiko_logger.setLevel(logging.ERROR)
     logger = logging.getLogger()
-    logger.addFilter(PasswordFilter(password_pattern))
     logger.addFilter(sensitive_filter)
 
     # create objects needed for collection phase

diff --git a/e2e-tests/tests/log_filter.py b/e2e-tests/tests/log_filter.py