zhmcclient / python-zhmcclient / test-4447 / 6
77%
master: 77%

DEFAULT BRANCH: master
Ran
Files 62
Run time 4s
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 77.147% (-0.4%) from 77.555%
test-4447.6

push

github

web-flow 
Improved checking for sensitive properties in logs (#2118)

The following sensitive data is now blanked out that was not blanked out before:

In the HTTP operation logging:
  - "Create SSO Server Definition" operation:
    - `client-secret` request field - OIDC client secret for the SSO server

In the API call logging:
  - SSOServerDefinitionManager.create():
    - `client-secret` property - OIDC client secret for the SSO server

Note that the support for SSO server definitions is new and has not yet
been released. So this is not an externally documented fix.

Details:

* Changed the approach for blanking out sensitive properties in logs for
  API calls and return values: Instead of using the blanked_properties
  argument of the logged_api_call decorator to point to specific properties,
  the blanking out is now done when the string representation of the
  argument or return value has been created, by matching certain
  property names using a regexp in the repr() string of the arguments or
  return values.

  The blanked_properties argument in the logged_api_call decorator still
  exists in case it is needed in the future for additional properties, but
  it is not currently used.

* Changed the approach for blanking out sensitive properties in logs for
  HTTP requests and responses: Instead of checking for a set of specific
  sensitive property names in the dict representation of the request and
  response bodies, the sensitive properties are now detected by matching
  certain property names using a regexp in the JSON string of the body.

* In the test_logging.py unit test module, changed the use of .msg for
  accessing the expanded log message to using .getMessage(). It is not
  clear why that worked before, but getMessage() is the official way to
  get at the expanded log message.

* Improved performance in _log_http_request() and _log_http_response()
  by not executing the code when debug logging is disabled.

Signed-off-by: Andreas Maier <maiera@de.ibm.com>

1821 of 2810 branches covered (64.8%)

Branch coverage included in aggregate %.

9464 of 11818 relevant lines covered (80.08%)

0.8 hits per line

Source Files on job ubuntu-latest,3.9,minimum - test-4447.6