From e0c59beaf241c6f3b8b947c385433cdcf85e71c6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rados=C5=82aw=20Sporny?= Date: Tue, 25 Feb 2025 16:33:46 +0100 Subject: [PATCH] test: redact sensitive data in test logs --- e2e-tests/src/log_filter.py | 22 ++++++++++++++++++++++ e2e-tests/src/password_filter.py | 13 ------------- e2e-tests/tests/conftest.py | 6 +----- e2e-tests/tests/log_filter.py | 19 ------------------- 4 files changed, 23 insertions(+), 37 deletions(-) create mode 100644 e2e-tests/src/log_filter.py delete mode 100644 e2e-tests/src/password_filter.py delete mode 100644 e2e-tests/tests/log_filter.py diff --git a/e2e-tests/src/log_filter.py b/e2e-tests/src/log_filter.py new file mode 100644 index 000000000..3bf77378b --- /dev/null +++ b/e2e-tests/src/log_filter.py @@ -0,0 +1,22 @@ +import logging +import re + + +class SensitiveDataFilter(logging.Filter): + def __init__(self, patterns): + super().__init__() + self.patterns = patterns + + def filter(self, record): + message = record.getMessage() + for pattern, replacement in self.patterns: + message = re.sub(pattern, replacement, message) + record.msg = message + return True + + +mc_vkey_pattern = (r"mc_vkey='([^']*)'", "mc_vkey='[REDACTED]'") +signing_key_arg_pattern = (re.compile(r"(--signing-key\s+|--mainchain-signing-key\s+|--sidechain-signing-key\s+)[^\s]+", re.IGNORECASE), r"\1[REDACTED]") +signing_key_file_pattern = (re.compile(r"(SigningKey.*?cborHex.: .)([0-9a-fA-F]+)(.)", re.IGNORECASE | re.DOTALL), r"\1[REDACTED]\3") + +sensitive_filter = SensitiveDataFilter([mc_vkey_pattern, signing_key_arg_pattern, signing_key_file_pattern]) diff --git a/e2e-tests/src/password_filter.py b/e2e-tests/src/password_filter.py deleted file mode 100644 index da4298de0..000000000 --- a/e2e-tests/src/password_filter.py +++ /dev/null @@ -1,13 +0,0 @@ -import re -import logging - - -class PasswordFilter(logging.Filter): - """Filter class to obscure sensitive information from logging.""" - - def __init__(self, pattern): - self.pattern = pattern - - def filter(self, record): - record.msg = re.sub(self.pattern, r"\1********", str(record.msg)) - return True diff --git a/e2e-tests/tests/conftest.py b/e2e-tests/tests/conftest.py index 6292f19cc..e9cfba465 100644 --- a/e2e-tests/tests/conftest.py +++ b/e2e-tests/tests/conftest.py @@ -1,14 +1,12 @@ import os import json import logging -import re import subprocess from omegaconf import OmegaConf from pytest import fixture, skip, Config, Metafunc, UsageError -from .log_filter import sensitive_filter +from src.log_filter import sensitive_filter from src.blockchain_api import BlockchainApi, Wallet from src.blockchain_types import BlockchainTypes -from src.password_filter import PasswordFilter from src.pc_epoch_calculator import PartnerChainEpochCalculator from src.partner_chain_rpc import PartnerChainRpc from config.api_config import ApiConfig @@ -78,11 +76,9 @@ def pytest_configure(config: Config): raise UsageError("Options --latest-mc-epoch, --mc-epoch, and --pc-epoch are mutually exclusive.") # Mask sensitive data in logs - password_pattern = re.compile(r"((pass|skey|signing-key|private-key|secret).*?[=: ]\s*)\s*\S+\b", re.IGNORECASE) paramiko_logger = logging.getLogger("paramiko") paramiko_logger.setLevel(logging.ERROR) logger = logging.getLogger() - logger.addFilter(PasswordFilter(password_pattern)) logger.addFilter(sensitive_filter) # create objects needed for collection phase diff --git a/e2e-tests/tests/log_filter.py b/e2e-tests/tests/log_filter.py deleted file mode 100644 index 1ac42c1bb..000000000 --- a/e2e-tests/tests/log_filter.py +++ /dev/null @@ -1,19 +0,0 @@ -import logging -import re - - -class SensitiveDataFilter(logging.Filter): - def __init__(self, patterns): - super().__init__() - self.patterns = patterns - - def filter(self, record): - message = record.getMessage() - for pattern, replacement in self.patterns: - message = re.sub(pattern, replacement, message) - record.msg = message - return True - - -# Create the filter with a pattern to match mc_vkey -sensitive_filter = SensitiveDataFilter([(r"mc_vkey='([^']*)'", "mc_vkey='[REDACTED]'")])