feat: add functionality to hash data (#1677)

* feat: add functionality to hash data

* change sensitive fields to private

* update to sha512

* update docstring

Author: ohmayr

google/auth/_helpers.py

@@ -18,6 +18,7 @@
 import calendar
 import datetime
 from email.message import Message
+import hashlib
 import sys
 import urllib
 
@@ -27,6 +28,7 @@
 # expiry.
 REFRESH_THRESHOLD = datetime.timedelta(minutes=3, seconds=45)
 
+_SENSITIVE_FIELDS = {"accessToken", "access_token", "id_token", "client_id", "refresh_token", "client_secret"}
 
 def copy_docstring(source_class):
     """Decorator that copies a method's docstring from another class.
@@ -271,3 +273,33 @@ def is_python_3():
         bool: True if the Python interpreter is Python 3 and False otherwise.
     """
     return sys.version_info > (3, 0)
+
+
+def hash_sensitive_info(data: dict) -> dict:
+    """
+    Hashes sensitive information within a dictionary.
+
+    Args:
+        data: The dictionary containing data to be processed.
+
+    Returns:
+        A new dictionary with sensitive values replaced by their SHA512 hashes.
+    """
+    hashed_data = {}
+    for key, value in data.items():
+        if key in _SENSITIVE_FIELDS:
+            hashed_data[key] = _hash_value(value, key)
+        else:
+            hashed_data[key] = value
+    return hashed_data
+
+
+def _hash_value(value, field_name: str) -> str:
+    """Hashes a value and returns a formatted hash string."""
+    if value is None:
+        return None
+    encoded_value = str(value).encode("utf-8")
+    hash_object = hashlib.sha512()
+    hash_object.update(encoded_value)
+    hex_digest = hash_object.hexdigest()
+    return f"hashed_{field_name}-{hex_digest}"

tests/test__helpers.py

@@ -194,3 +194,66 @@ def test_unpadded_urlsafe_b64encode():
 
     for case, expected in cases:
         assert _helpers.unpadded_urlsafe_b64encode(case) == expected
+
+def test_hash_sensitive_info_basic():
+    test_data = {
+        "expires_in": 3599,
+        "access_token": "access-123",
+        "scope": "https://www.googleapis.com/auth/test-api",
+        "token_type": "Bearer",
+    }
+    hashed_data = _helpers.hash_sensitive_info(test_data)
+    assert hashed_data["expires_in"] == 3599
+    assert hashed_data["scope"] == "https://www.googleapis.com/auth/test-api"
+    assert hashed_data["access_token"].startswith("hashed_access_token-")
+    assert hashed_data["token_type"] == "Bearer"
+
+def test_hash_sensitive_info_multiple_sensitive():
+    test_data = {
+        "access_token": "some_long_token",
+        "id_token": "1234-5678-9012-3456",
+        "expires_in": 3599,
+        "token_type": "Bearer",
+    }
+    hashed_data = _helpers.hash_sensitive_info(test_data)
+    assert hashed_data["expires_in"] == 3599
+    assert hashed_data["token_type"] == "Bearer"
+    assert hashed_data["access_token"].startswith("hashed_access_token-")
+    assert hashed_data["id_token"].startswith("hashed_id_token-")
+
+
+def test_hash_sensitive_info_none_value():
+    test_data = {"username": "user3", "secret": None, "normal_data": "abc"}
+    hashed_data = _helpers.hash_sensitive_info(test_data)
+    assert hashed_data["secret"] is None
+    assert hashed_data["normal_data"] == "abc"
+
+
+def test_hash_sensitive_info_non_string_value():
+    test_data = {"username": "user4", "access_token": 12345, "normal_data": "def"}
+    hashed_data = _helpers.hash_sensitive_info(test_data)
+    assert hashed_data["access_token"].startswith("hashed_access_token-")
+    assert hashed_data["normal_data"] == "def"
+
+def test_hash_sensitive_info_empty_dict():
+    test_data = {}
+    hashed_data = _helpers.hash_sensitive_info(test_data)
+    assert hashed_data == {}
+
+def test_hash_value_consistent_hashing():
+    value = "test_value"
+    field_name = "test_field"
+    hash1 = _helpers._hash_value(value, field_name)
+    hash2 = _helpers._hash_value(value, field_name)
+    assert hash1 == hash2
+
+def test_hash_value_different_hashing():
+    value1 = "test_value1"
+    value2 = "test_value2"
+    field_name = "test_field"
+    hash1 = _helpers._hash_value(value1, field_name)
+    hash2 = _helpers._hash_value(value2, field_name)
+    assert hash1 != hash2
+
+def test_hash_value_none():
+    assert _helpers._hash_value(None, "test") is None