SNOW-1657037: Remove secrets from debug logs. (#2058)

Author: sfc-gh-jrose

src/snowflake/connector/auth/_auth.py

@@ -112,6 +112,18 @@
 ID_TOKEN = "ID_TOKEN"
 MFA_TOKEN = "MFATOKEN"
 
+AUTHENTICATION_REQUEST_KEY_WHITELIST = {
+    "ACCOUNT_NAME",
+    "AUTHENTICATOR",
+    "CLIENT_APP_ID",
+    "CLIENT_APP_VERSION",
+    "CLIENT_ENVIRONMENT",
+    "EXT_AUTHN_DUO_METHOD",
+    "LOGIN_NAME",
+    "SESSION_PARAMETERS",
+    "SVN_REVISION",
+}
+
 
 class Auth:
     """Snowflake Authenticator."""
@@ -205,7 +217,6 @@ def authenticate(
 
         body = copy.deepcopy(body_template)
         # updating request body
-        logger.debug("assertion content: %s", auth_instance.assertion_content)
         auth_instance.update_body(body)
 
         logger.debug(
@@ -243,7 +254,10 @@ def authenticate(
 
         logger.debug(
             "body['data']: %s",
-            {k: v for (k, v) in body["data"].items() if k != "PASSWORD"},
+            {
+                k: v if k in AUTHENTICATION_REQUEST_KEY_WHITELIST else "******"
+                for (k, v) in body["data"].items()
+            },
         )
 
         try:

src/snowflake/connector/secret_detector.py

@@ -33,14 +33,14 @@ class SecretDetector(logging.Formatter):
         flags=re.IGNORECASE,
     )
     PRIVATE_KEY_PATTERN = re.compile(
-        r"-----BEGIN PRIVATE KEY-----\\n([a-z0-9/+=\\n]{32,})\\n-----END PRIVATE KEY-----",
+        r"-{3,}BEGIN [A-Z ]*PRIVATE KEY-{3,}\n([\s\S]*?)\n-{3,}END [A-Z ]*PRIVATE KEY-{3,}",
         flags=re.MULTILINE | re.IGNORECASE,
     )
     PRIVATE_KEY_DATA_PATTERN = re.compile(
         r'"privateKeyData": "([a-z0-9/+=\\n]{10,})"', flags=re.MULTILINE | re.IGNORECASE
     )
     CONNECTION_TOKEN_PATTERN = re.compile(
-        r"(token|assertion content)" r"([\'\"\s:=]+)" r"([a-z0-9=/_\-\+]{8,})",
+        r"(token|assertion content)" r"([\'\"\s:=]+)" r"([a-z0-9=/_\-\+\.]{8,})",
         flags=re.IGNORECASE,
     )
 

test/unit/test_log_secret_detector.py

@@ -92,6 +92,31 @@ def test_mask_token():
         "XdJYuI8vhg=f0bKSq7AhQ2Bh"
     )
 
+    rsa_key = (
+        "-----BEGIN RSA PRIVATE KEY-----\n"
+        "MIIBVAIBADANBgkqhkiG9w0BAQEFAASCAT4wggE6AgEAAkEA0pCa0rw1n4GBjylx\n"
+        "sBJPVCrsKO7SowkgJ52Lc8K3hMHNKXvYiqwgizbXFBQA27kvpEVSeRQVC3FAPRU5\n"
+        "gjtLRwIDAQABAkBHZbz5o9PS6AjUUEs6VpsLgRpersxBeACtLiBw+h9cJfUerR//\n"
+        "tTmNsQ9LlamMu2lOlfbO3R2J45ybF7z94A+hAiEA8piucvAlo9YJ4VViQGRTVvr+\n"
+        "xZKekSEYRJBn2czeP+kCIQDeMt1PVk/p0NEcNvQMbO0vJ3+U+lITJRwmtJ9Fs1Lj\n"
+        "rwIgJeTdkwyaBI6BepY4w7AoKHUKaNgvNqJBxSv9XNMYgEkCIG2rl1YgWOMkAQI3\n"
+        "EW/Ml6jtiugiQT5X07Q69F33q5LbAiEArZM7htafpt0RVia+nC9aY+73wpW0Be9e\n"
+        "pDz0yVv8s/Q=\n"
+        "-----END RSA PRIVATE KEY-----\n"
+    )
+
+    json_token = (
+        "{'TOKEN': 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFt"
+        "ZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c'}"
+    )
+
+    masked, masked_str, err_str = SecretDetector.mask_secrets(rsa_key)
+    assert masked
+    assert err_str is None
+    assert (
+        masked_str == "-----BEGIN PRIVATE KEY-----\\nXXXX\\n-----END PRIVATE KEY-----\n"
+    )
+
     token_str_w_prefix = "Token =" + long_token
     masked, masked_str, err_str = SecretDetector.mask_secrets(token_str_w_prefix)
     assert masked
@@ -122,6 +147,11 @@ def test_mask_token():
     assert err_str is None
     assert masked_str == "assertion content:****"
 
+    masked, masked_str, err_str = SecretDetector.mask_secrets(json_token)
+    assert masked
+    assert err_str is None
+    assert masked_str == "{'TOKEN': '****'}"
+
 
 def test_token_false_positives():
     false_positive_token_str = (