fix: Recursively redact unsafe payloads from logs (#13189)

dazuma · web-flow · commit 041c8997a8f3 · 2023-01-06T23:23:17.000-08:00
diff --git a/google-apis-core/lib/google/apis/core/http_command.rb b/google-apis-core/lib/google/apis/core/http_command.rb
@@ -264,7 +264,7 @@ def decode_response_body(_content_type, body)
         # @return [Object] result if no block given
         # @yield [result, nil] if block given
         def success(result, &block)
-          logger.debug { sprintf('Success - %s', safe_object_representation(result)) }
+          logger.debug { sprintf('Success - %s', safe_pretty_representation(result)) }
           block.call(result, nil) if block_given?
           result
         end
@@ -317,7 +317,7 @@ def execute_once(client)
                                        header: request_header,
                                        follow_redirect: true)
             logger.debug { @http_res.status }
-            logger.debug { safe_response_representation @http_res }
+            logger.debug { safe_single_line_representation @http_res }
             response = process_response(@http_res.status.to_i, @http_res.header, @http_res.body)
             success(response)
           rescue => e
@@ -351,21 +351,37 @@ def allow_form_encoding?
           "Google::Apis::SecretmanagerV1beta1::SecretPayload"
         ]
 
-        def safe_object_representation obj
-          name = obj.class.name
-          if UNSAFE_CLASS_NAMES.include? name
-            "#<#{name} (fields redacted)>"
-          else
-            PP.pp(obj, "")
+        module RedactingPPMethods
+          def pp_object obj
+            return super unless UNSAFE_CLASS_NAMES.include? obj.class.name
+            object_address_group obj do
+              text "(fields redacted)"
+            end
           end
         end
 
-        def safe_response_representation http_res
-          if respond_to?(:response_class) && response_class.is_a?(Class) &&
-             UNSAFE_CLASS_NAMES.include?(response_class.name)
-            return "#<#{http_res.class.name} (fields redacted)>"
-          end
-          http_res.inspect
+        class RedactingPP < PP
+          include RedactingPPMethods
+        end
+
+        class RedactingSingleLine < PP::SingleLine
+          include RedactingPPMethods
+        end
+
+        def safe_pretty_representation obj
+          out = ""
+          printer = RedactingPP.new out, 79
+          printer.guard_inspect_key { printer.pp obj }
+          printer.flush
+          out << "\n"
+        end
+
+        def safe_single_line_representation obj
+          out = ""
+          printer = RedactingSingleLine.new out
+          printer.guard_inspect_key { printer.pp obj }
+          printer.flush
+          out
         end
 
         def opencensus_begin_span
diff --git a/google-apis-core/spec/google/apis/core/http_command_spec.rb b/google-apis-core/spec/google/apis/core/http_command_spec.rb
@@ -17,8 +17,10 @@
 
 module Google
   module Apis
-    module CloudkmsV1
-      class DecryptResponse
+    module SecretmanagerV1
+      class AccessSecretVersionResponse
+      end
+      class SecretPayload
       end
     end
   end
@@ -526,23 +528,75 @@ class DecryptResponse
     command.execute(client)
   end
 
-  describe "#safe_object_representation" do
+  describe "#safe_pretty_representation" do
+    let(:command) do
+      Google::Apis::Core::HttpCommand.new(:get, 'https://www.googleapis.com/zoo/animals')
+    end
+
+    it "should show fields in a normal object" do
+      obj = Google::Apis::SecretmanagerV1::AccessSecretVersionResponse.new
+      obj.instance_variable_set(:@payload, "hello")
+      str = command.send(:safe_pretty_representation, obj)
+      expect(str).to include("@payload")
+      expect(str).not_to include("(fields redacted)")
+      expect(str).to include("\n")
+    end
+
+    it "should not show fields in a restricted object" do
+      obj = Google::Apis::SecretmanagerV1::SecretPayload.new
+      obj.instance_variable_set(:@payload, "hello")
+      str = command.send(:safe_pretty_representation, obj)
+      expect(str).not_to include("@payload")
+      expect(str).to include("(fields redacted)")
+      expect(str).to include("\n")
+    end
+
+    it "should not show fields in a nested restricted object" do
+      obj = Google::Apis::SecretmanagerV1::AccessSecretVersionResponse.new
+      payload = Google::Apis::SecretmanagerV1::SecretPayload.new
+      payload.instance_variable_set(:@data, "whoops")
+      obj.instance_variable_set(:@payload, payload)
+      str = command.send(:safe_pretty_representation, obj)
+      expect(str).to include("@payload")
+      expect(str).not_to include("@data")
+      expect(str).to include("(fields redacted)")
+      expect(str).to include("\n")
+    end
+  end
+
+  describe "#safe_single_line_representation" do
     let(:command) do
       Google::Apis::Core::HttpCommand.new(:get, 'https://www.googleapis.com/zoo/animals')
     end
 
     it "should show fields in a normal object" do
-      obj = Object.new
-      obj.instance_variable_set(:@foobar, "hi")
-      str = command.send(:safe_object_representation, obj)
-      expect(str).to match /@foobar/
+      obj = Google::Apis::SecretmanagerV1::AccessSecretVersionResponse.new
+      obj.instance_variable_set(:@payload, "hello")
+      str = command.send(:safe_single_line_representation, obj)
+      expect(str).to include("@payload")
+      expect(str).not_to include("(fields redacted)")
+      expect(str).not_to include("\n")
     end
 
     it "should not show fields in a restricted object" do
-      obj = Google::Apis::CloudkmsV1::DecryptResponse.new
-      obj.instance_variable_set(:@foobar, "hi")
-      str = command.send(:safe_object_representation, obj)
-      expect(str).not_to match /@foobar/
+      obj = Google::Apis::SecretmanagerV1::SecretPayload.new
+      obj.instance_variable_set(:@payload, "hello")
+      str = command.send(:safe_single_line_representation, obj)
+      expect(str).not_to include("@payload")
+      expect(str).to include("(fields redacted)")
+      expect(str).not_to include("\n")
+    end
+
+    it "should not show fields in a nested restricted object" do
+      obj = Google::Apis::SecretmanagerV1::AccessSecretVersionResponse.new
+      payload = Google::Apis::SecretmanagerV1::SecretPayload.new
+      payload.instance_variable_set(:@data, "whoops")
+      obj.instance_variable_set(:@payload, payload)
+      str = command.send(:safe_single_line_representation, obj)
+      expect(str).to include("@payload")
+      expect(str).not_to include("@data")
+      expect(str).to include("(fields redacted)")
+      expect(str).not_to include("\n")
     end
   end
 end
