
     1  package net_test
     2  
     3  import (
     4  	"bytes"
     5  	"net/http"
     6  	"strings"
     7  
     8  	. "code.cloudfoundry.org/cli/cf/net"
     9  	"code.cloudfoundry.org/cli/cf/trace"
    10  	. "github.com/onsi/ginkgo"
    11  	. "github.com/onsi/gomega"
    12  )
    13  
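// Specs for RequestDumper.DumpRequest: every secret the fixture plants in the
// URI, the headers and the body must be absent from the trace output, while
// the surrounding structure (header names, keys) must still be visible so the
// trace stays useful for debugging.
var _ = Describe("RequestDumper", func() {
	Describe("DumpRequest", func() {
		var (
			printer trace.Printer
			buffer  *bytes.Buffer
			dumper  RequestDumper
		)

		// A fresh buffer per spec, so each assertion sees only the output of
		// the request dumped in that spec.
		BeforeEach(func() {
			buffer = new(bytes.Buffer)
			printer = trace.NewWriterPrinter(buffer, false)
			dumper = NewRequestDumper(printer)
		})

		When("the request body is JSON", func() {
			var (
				request *http.Request
				reqErr  error
			)

			BeforeEach(func() {
				bodyString := `{"password":"verysecret","some-field":"some-value"}`
				request, reqErr = http.NewRequest("GET", "example.com?code=code-from-uri", strings.NewReader(bodyString))
				// Check the error before touching request: on failure request is
				// nil and Header.Set below would panic instead of failing cleanly.
				Expect(reqErr).ToNot(HaveOccurred())
				request.Header.Set("Content-Type", "application/json")
				request.Header.Set("Authorization", "bearer: some-secret-token")
				request.Header.Set("Set-Cookie", "some-secret-cookie")
				request.Header.Set("Location", "https://api.cli.fun?code=secret-ssh-code")
			})

			JustBeforeEach(func() {
				dumper.DumpRequest(request)
			})

			It("redacts code=* from all headers", func() {
				// Anchor on the header name: a bare "?code=" is also matched by
				// the request URI and would not prove the header was dumped.
				Expect(buffer.String()).To(ContainSubstring("Location: "))
				Expect(buffer.String()).ToNot(ContainSubstring("secret-ssh-code"))
			})

			It("redacts code=* from the uri", func() {
				Expect(buffer.String()).To(ContainSubstring("?code="))
				Expect(buffer.String()).ToNot(ContainSubstring("code-from-uri"))
			})

			It("redacts values from the key 'password'", func() {
				// The key must survive (quoted, as in the JSON body); only its
				// value is hidden.
				Expect(buffer.String()).To(ContainSubstring(`"password"`))
				Expect(buffer.String()).ToNot(ContainSubstring("verysecret"))
			})

			It("redacts the authorization header", func() {
				Expect(buffer.String()).To(ContainSubstring("Authorization"))
				Expect(buffer.String()).ToNot(ContainSubstring("some-secret-token"))
			})

			It("redacts Set-Cookie headers", func() {
				Expect(buffer.String()).To(ContainSubstring("Set-Cookie: "))
				Expect(buffer.String()).ToNot(ContainSubstring("some-secret-cookie"))
			})

			// NOTE(review): none of these specs guards against over-redaction
			// (e.g. asserting "some-field":"some-value" is still printed). Worth
			// adding once the dumper's behaviour for non-secret fields is confirmed.
		})

		When("the request body is x-www-form-urlencoded", func() {
			var (
				request *http.Request
				reqErr  error
			)

			BeforeEach(func() {
				bodyString := `grant_type=password&password=somesecret&scope=&username=admin&refresh_token=secret-refresh-token&access_token=secret-access-token`
				request, reqErr = http.NewRequest("GET", "example.com", strings.NewReader(bodyString))
				// Same ordering as the JSON spec: fail on the error, never on a
				// nil request.
				Expect(reqErr).ToNot(HaveOccurred())
				request.Header.Set("Content-Type", "application/x-www-form-urlencoded")
				request.Header.Set("Authorization", "bearer: some-secret-token")
			})

			JustBeforeEach(func() {
				dumper.DumpRequest(request)
			})

			It("redacts the value from keys called 'password'", func() {
				// "password=" rather than "password": the latter is trivially
				// satisfied by the grant_type=password field even if the
				// password key itself were dropped.
				Expect(buffer.String()).To(ContainSubstring("password="))
				Expect(buffer.String()).ToNot(ContainSubstring("somesecret"))
			})

			It("redacts the authorization header", func() {
				Expect(buffer.String()).To(ContainSubstring("Authorization: "))
				Expect(buffer.String()).ToNot(ContainSubstring("some-secret-token"))
			})

			It("redacts fields containing 'token'", func() {
				Expect(buffer.String()).To(ContainSubstring("refresh_token="))
				Expect(buffer.String()).ToNot(ContainSubstring("secret-refresh-token"))
				Expect(buffer.String()).To(ContainSubstring("access_token="))
				Expect(buffer.String()).ToNot(ContainSubstring("secret-access-token"))
			})

			// NOTE(review): as with the JSON specs, nothing asserts that
			// non-secret fields such as username=admin are preserved.
		})
	})
})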