mirror of
https://github.com/GAM-team/GAM.git
synced 2026-06-03 22:01:39 +00:00
config debug_redaction removes credentials in debug output
This commit is contained in:
Jay Lee
@@ -49,7 +49,7 @@ from email.policy import SMTP as policySMTP
|
||||
import hashlib
|
||||
from html.entities import name2codepoint
|
||||
from html.parser import HTMLParser
|
||||
import http.client as http_client
|
||||
import http.client
|
||||
import importlib
|
||||
from importlib.metadata import version as lib_version
|
||||
import io
|
||||
@@ -375,6 +375,31 @@ YUBIKEY_VALUE_ERROR_RC = 85
|
||||
YUBIKEY_MULTIPLE_CONNECTED_RC = 86
|
||||
YUBIKEY_NOT_FOUND_RC = 87
|
||||
|
||||
def redact_sensitive_google_text(text):
|
||||
patterns = [
|
||||
r'ya29.[0-9A-Za-z-_]+', # Access token
|
||||
r'1/[0-9A-Za-z-]{43}|1/[0-9A-Za-z-]{64}', # Refresh token
|
||||
r'4/[0-9A-Za-z-_]+', # Auth code
|
||||
r'GOCSPX-[0-9a-zA-Z-_]{28}', # Client secret
|
||||
r'AIza[0-9A-Za-z-_]{35}', # API key
|
||||
]
|
||||
for pattern in patterns:
|
||||
text = re.sub(pattern, '****', text)
|
||||
return text
|
||||
|
||||
def redactable_debug_print(*args):
|
||||
processed_args = []
|
||||
for arg in args:
|
||||
if arg.startswith('b\''):
|
||||
sbytes = arg[2:-1]
|
||||
sbytes = bytes(sbytes, 'utf-8')
|
||||
arg = sbytes.decode()
|
||||
arg = arg.replace('\\r\\n', "\n ")
|
||||
if GC.Values[GC.DEBUG_REDACTION]:
|
||||
arg = redact_sensitive_google_text(arg)
|
||||
processed_args.append(arg)
|
||||
print(*processed_args)
|
||||
|
||||
# Multiprocessing lock
|
||||
mplock = None
|
||||
|
||||
@@ -4124,6 +4149,8 @@ def SetGlobalVariables():
|
||||
GM.Globals[GM.OAUTH2_TXT_LOCK] = f'{GC.Values[GC.OAUTH2_TXT]}.lock'
|
||||
# Override httplib2 settings
|
||||
httplib2.debuglevel = GC.Values[GC.DEBUG_LEVEL]
|
||||
# Use our own print function for http.client so we can redact and cleanup
|
||||
http.client.print = redactable_debug_print
|
||||
# Reset global variables if required
|
||||
if prevExtraArgsTxt != GC.Values[GC.EXTRA_ARGS]:
|
||||
GM.Globals[GM.EXTRA_ARGS_LIST] = [('prettyPrint', GC.Values[GC.DEBUG_LEVEL] > 0)]
|
||||
@@ -4775,7 +4802,7 @@ def getService(api, httpObj):
|
||||
waitOnFailure(n, triesLimit, INVALID_JSON_RC, str(e))
|
||||
continue
|
||||
systemErrorExit(INVALID_JSON_RC, str(e))
|
||||
except (http_client.ResponseNotReady, OSError, googleapiclient.errors.HttpError) as e:
|
||||
except (http.client.ResponseNotReady, OSError, googleapiclient.errors.HttpError) as e:
|
||||
errMsg = f'Connection error: {str(e) or repr(e)}'
|
||||
if n != triesLimit:
|
||||
waitOnFailure(n, triesLimit, SOCKET_ERROR_RC, errMsg)
|
||||
@@ -5088,7 +5115,7 @@ def callGData(service, function,
|
||||
e = e.args[0]
|
||||
handleOAuthTokenError(e, GDATA.SERVICE_NOT_APPLICABLE in throwErrors)
|
||||
raise GDATA.ERROR_CODE_EXCEPTION_MAP[GDATA.SERVICE_NOT_APPLICABLE](str(e))
|
||||
except (http_client.ResponseNotReady, OSError) as e:
|
||||
except (http.client.ResponseNotReady, OSError) as e:
|
||||
errMsg = f'Connection error: {str(e) or repr(e)}'
|
||||
if n != triesLimit:
|
||||
waitOnFailure(n, triesLimit, SOCKET_ERROR_RC, errMsg)
|
||||
@@ -5398,7 +5425,7 @@ def callGAPI(service, function,
|
||||
e = e.args[0]
|
||||
handleOAuthTokenError(e, GAPI.SERVICE_NOT_AVAILABLE in throwReasons)
|
||||
raise GAPI.REASON_EXCEPTION_MAP[GAPI.SERVICE_NOT_AVAILABLE](str(e))
|
||||
except (http_client.ResponseNotReady, OSError) as e:
|
||||
except (http.client.ResponseNotReady, OSError) as e:
|
||||
errMsg = f'Connection error: {str(e) or repr(e)}'
|
||||
if n != triesLimit:
|
||||
waitOnFailure(n, triesLimit, SOCKET_ERROR_RC, errMsg)
|
||||
|
||||
@@ -149,6 +149,8 @@ CSV_OUTPUT_USERS_AUDIT = 'csv_output_users_audit'
|
||||
CUSTOMER_ID = 'customer_id'
|
||||
# If debug_level > 0: extra_args['prettyPrint'] = True, httplib2.debuglevel = gam_debug_level, appsObj.debug = True
|
||||
DEBUG_LEVEL = 'debug_level'
|
||||
# redact sensitive credentials from debug output
|
||||
DEBUG_REDACTION = 'debug_redaction'
|
||||
# Developer Preview API Key
|
||||
DEVELOPER_PREVIEW_API_KEY = 'developer_preview_api_key'
|
||||
# When retrieving lists of ChromeOS devices from API, how many should be retrieved in each chunk
|
||||
@@ -378,6 +380,7 @@ Defaults = {
|
||||
CSV_OUTPUT_USERS_AUDIT: FALSE,
|
||||
CUSTOMER_ID: MY_CUSTOMER,
|
||||
DEBUG_LEVEL: '0',
|
||||
DEBUG_REDACTION: True,
|
||||
DEVELOPER_PREVIEW_API_KEY: '',
|
||||
DEVICE_MAX_RESULTS: '200',
|
||||
DOMAIN: '',
|
||||
@@ -547,6 +550,7 @@ VAR_INFO = {
|
||||
CSV_OUTPUT_USERS_AUDIT: {VAR_TYPE: TYPE_BOOLEAN},
|
||||
CUSTOMER_ID: {VAR_TYPE: TYPE_STRING, VAR_ENVVAR: 'CUSTOMER_ID', VAR_LIMITS: (0, None)},
|
||||
DEBUG_LEVEL: {VAR_TYPE: TYPE_INTEGER, VAR_SIGFILE: 'debug.gam', VAR_LIMITS: (0, None), VAR_SFFT: ('0', '4')},
|
||||
DEBUG_REDACTION: {VAR_TYPE: TYPE_BOOLEAN},
|
||||
DEVELOPER_PREVIEW_API_KEY: {VAR_TYPE: TYPE_STRING, VAR_LIMITS: (0, None)},
|
||||
DEVICE_MAX_RESULTS: {VAR_TYPE: TYPE_INTEGER, VAR_LIMITS: (1, 200)},
|
||||
DOMAIN: {VAR_TYPE: TYPE_STRING, VAR_ENVVAR: 'GA_DOMAIN', VAR_LIMITS: (0, None)},
|
||||
|
||||
@@ -107,6 +107,8 @@ CURRENT_SVCACCT_USER = 'csa'
|
||||
DATETIME_NOW = 'dtno'
|
||||
# If debug_level > 0: extra_args['prettyPrint'] = True, httplib2.debuglevel = gam_debug_level, appsObj.debug = True
|
||||
DEBUG_LEVEL = 'dbgl'
|
||||
# Whether debug output should redact sensitive credentials
|
||||
DEBUG_REDACTION = 'dbrd'
|
||||
# Decoded ID token
|
||||
DECODED_ID_TOKEN = 'didt'
|
||||
# Index of start of <UserTypeEntity> in command line
|
||||
@@ -263,6 +265,7 @@ Globals = {
|
||||
CURRENT_SVCACCT_USER: None,
|
||||
DATETIME_NOW: None,
|
||||
DEBUG_LEVEL: 0,
|
||||
DEBUG_REDACTION: True,
|
||||
DECODED_ID_TOKEN: None,
|
||||
ENTITY_CL_DELAY_START: 1,
|
||||
ENTITY_CL_START: 1,
|
||||
|
||||
Reference in New Issue
Block a user