feat: hash sensitive info in logs (#1700)

* feat: hash sensitive info in logs

* make helper private

* add code coverage

* address PR feedback

* fix mypy type issue

Author: ohmayr

google/auth/_helpers.py

@@ -22,7 +22,7 @@
 import json
 import logging
 import sys
-from typing import Any, Mapping, Optional
+from typing import Any, Dict, Mapping, Optional, Union
 import urllib
 
 from google.auth import exceptions
@@ -298,7 +298,7 @@ def is_python_3():
     return sys.version_info > (3, 0)
 
 
-def hash_sensitive_info(data: dict) -> dict:
+def _hash_sensitive_info(data: Union[dict, list]) -> Union[dict, list, str]:
     """
     Hashes sensitive information within a dictionary.
 
@@ -307,14 +307,30 @@ def hash_sensitive_info(data: dict) -> dict:
 
     Returns:
         A new dictionary with sensitive values replaced by their SHA512 hashes.
+        If the input is a list, returns a list with each element recursively processed.
+        If the input is neither a dict nor a list, returns the type of the input as a string.
+
     """
-    hashed_data = {}
-    for key, value in data.items():
-        if key in _SENSITIVE_FIELDS:
-            hashed_data[key] = _hash_value(value, key)
-        else:
-            hashed_data[key] = value
-    return hashed_data
+    if isinstance(data, dict):
+        hashed_data : Dict[Any, Union[Optional[str], dict, list]] = {}
+        for key, value in data.items():
+            if key in _SENSITIVE_FIELDS and not isinstance(value, (dict, list)):
+                hashed_data[key] = _hash_value(value, key)
+            elif isinstance(value, (dict, list)):
+                hashed_data[key] = _hash_sensitive_info(value)
+            else:
+                hashed_data[key] = value
+        return hashed_data
+    elif isinstance(data, list):
+        hashed_list = []
+        for val in data:
+            hashed_list.append(_hash_sensitive_info(val))
+        return hashed_list
+    else:
+        # TODO(https://github.com/googleapis/google-auth-library-python/issues/1701):
+        # Investigate and hash sensitive info before logging when the data type is
+        # not a dict or a list.
+        return str(type(data))
 
 
 def _hash_value(value, field_name: str) -> Optional[str]:
@@ -358,19 +374,19 @@ def request_log(
         body: The request body (can be None).
         headers: The request headers (can be None).
     """
-    # TODO(https://github.com/googleapis/google-auth-library-python/issues/1681): Hash sensitive information.
     if is_logging_enabled(logger):
         content_type = (
             headers["Content-Type"] if headers and "Content-Type" in headers else ""
         )
         json_body = _parse_request_body(body, content_type=content_type)
+        logged_body = _hash_sensitive_info(json_body)
         logger.debug(
             "Making request...",
             extra={
                 "httpRequest": {
                     "method": method,
                     "url": url,
-                    "body": json_body,
+                    "body": logged_body,
                     "headers": headers,
                 }
             },
@@ -446,7 +462,7 @@ def response_log(logger: logging.Logger, response: Any) -> None:
         logger: The logging.Logger instance to use.
         response: The HTTP response object to log.
     """
-    # TODO(https://github.com/googleapis/google-auth-library-python/issues/1681): Hash sensitive information.
     if is_logging_enabled(logger):
         json_response = _parse_response(response)
-        logger.debug("Response received...", extra={"httpResponse": json_response})
+        logged_response = _hash_sensitive_info(json_response)
+        logger.debug("Response received...", extra={"httpResponse": logged_response})

tests/test__helpers.py

@@ -212,7 +212,7 @@ def test_hash_sensitive_info_basic():
         "scope": "https://www.googleapis.com/auth/test-api",
         "token_type": "Bearer",
     }
-    hashed_data = _helpers.hash_sensitive_info(test_data)
+    hashed_data = _helpers._hash_sensitive_info(test_data)
     assert hashed_data["expires_in"] == 3599
     assert hashed_data["scope"] == "https://www.googleapis.com/auth/test-api"
     assert hashed_data["access_token"].startswith("hashed_access_token-")
@@ -226,7 +226,7 @@ def test_hash_sensitive_info_multiple_sensitive():
         "expires_in": 3599,
         "token_type": "Bearer",
     }
-    hashed_data = _helpers.hash_sensitive_info(test_data)
+    hashed_data = _helpers._hash_sensitive_info(test_data)
     assert hashed_data["expires_in"] == 3599
     assert hashed_data["token_type"] == "Bearer"
     assert hashed_data["access_token"].startswith("hashed_access_token-")
@@ -235,21 +235,57 @@ def test_hash_sensitive_info_multiple_sensitive():
 
 def test_hash_sensitive_info_none_value():
     test_data = {"username": "user3", "secret": None, "normal_data": "abc"}
-    hashed_data = _helpers.hash_sensitive_info(test_data)
+    hashed_data = _helpers._hash_sensitive_info(test_data)
     assert hashed_data["secret"] is None
     assert hashed_data["normal_data"] == "abc"
 
 
 def test_hash_sensitive_info_non_string_value():
     test_data = {"username": "user4", "access_token": 12345, "normal_data": "def"}
-    hashed_data = _helpers.hash_sensitive_info(test_data)
+    hashed_data = _helpers._hash_sensitive_info(test_data)
     assert hashed_data["access_token"].startswith("hashed_access_token-")
     assert hashed_data["normal_data"] == "def"
 
 
+def test_hash_sensitive_info_list_value():
+    test_data = [
+        {"name": "Alice", "access_token": "12345"},
+        {"name": "Bob", "client_id": "1141"},
+    ]
+    hashed_data = _helpers._hash_sensitive_info(test_data)
+    assert hashed_data[0]["access_token"].startswith("hashed_access_token-")
+    assert hashed_data[1]["client_id"].startswith("hashed_client_id-")
+
+
+def test_hash_sensitive_info_nested_list_value():
+    test_data = [{"names": ["Alice", "Bob"], "tokens": [{"access_token": "1234"}]}]
+    hashed_data = _helpers._hash_sensitive_info(test_data)
+    assert hashed_data[0]["tokens"][0]["access_token"].startswith(
+        "hashed_access_token-"
+    )
+
+
+def test_hash_sensitive_info_int_value():
+    test_data = 123
+    hashed_data = _helpers._hash_sensitive_info(test_data)
+    assert hashed_data == "<class 'int'>"
+
+
+def test_hash_sensitive_info_bool_value():
+    test_data = True
+    hashed_data = _helpers._hash_sensitive_info(test_data)
+    assert hashed_data == "<class 'bool'>"
+
+
+def test_hash_sensitive_info_byte_value():
+    test_data = b"1243"
+    hashed_data = _helpers._hash_sensitive_info(test_data)
+    assert hashed_data == "<class 'bytes'>"
+
+
 def test_hash_sensitive_info_empty_dict():
     test_data = {}
-    hashed_data = _helpers.hash_sensitive_info(test_data)
+    hashed_data = _helpers._hash_sensitive_info(test_data)
     assert hashed_data == {}
 
 
@@ -321,6 +357,27 @@ def test_request_log_debug_enabled(logger, caplog):
     }
 
 
+def test_request_log_plain_text_debug_enabled(logger, caplog):
+    logger.setLevel(logging.DEBUG)
+    with mock.patch("google.auth._helpers.CLIENT_LOGGING_SUPPORTED", True):
+        _helpers.request_log(
+            logger,
+            "GET",
+            "http://example.com",
+            b"This is plain text.",
+            {"Authorization": "Bearer token", "Content-Type": "text/plain"},
+        )
+    assert len(caplog.records) == 1
+    record = caplog.records[0]
+    assert record.message == "Making request..."
+    assert record.httpRequest == {
+        "method": "GET",
+        "url": "http://example.com",
+        "body": "<class 'str'>",
+        "headers": {"Authorization": "Bearer token", "Content-Type": "text/plain"},
+    }
+
+
 def test_request_log_debug_disabled(logger, caplog):
     logger.setLevel(logging.INFO)
     with mock.patch("google.auth._helpers.CLIENT_LOGGING_SUPPORTED", True):
@@ -365,7 +422,7 @@ def json(self):
     assert len(caplog.records) == 1
     record = caplog.records[0]
     assert record.message == "Response received..."
-    assert record.httpResponse == ["item1", "item2", "item3"]
+    assert record.httpResponse == ["<class 'str'>", "<class 'str'>", "<class 'str'>"]
 
 
 def test_parse_request_body_bytes_valid():