Filter private key of Lasso Dumps before logging.

The private key in the XML dumps of Lasso is filtered before logging.
2012-04-27 11:20:07 +02:00 · 2012-04-27 11:20:07 +02:00 · 35b524db38
parent 8a8776475a
commit 35b524db38
3 changed files with 33 additions and 1 deletions
--- a/authentic2/saml/saml2utils.py
+++ b/authentic2/saml/saml2utils.py
@ -3,6 +3,16 @@ import lasso
 import x509utils
 import base64
 import binascii
+import re
+
+def filter_attribute_private_key(message):
+    return re.sub(r' (\w+:)?(PrivateKey=")([&#;\w/ +-=])+(")', '', message)
+
+def filter_element_private_key(message):
+    return re.sub(r'(<saml)(p)?(:PrivateKeyFile>-----BEGIN RSA PRIVATE KEY-----)'
+        '([&#;\w/+=\s])+'
+        '(-----END RSA PRIVATE KEY-----</saml)(p)?(:PrivateKeyFile>)',
+        '', message)

 def bool2xs(boolean):
    '''Convert a boolean value to XSchema boolean representation'''
--- a/authentic2/settings.py
+++ b/authentic2/settings.py
@ -247,9 +247,15 @@ IDP_CAS = False
 # CAS_TICKET_EXPIRATION = 240

 # Logging settings
+
 LOGGING = {
    'version': 1,
    'disable_existing_loggers': True,
+    'filters': {
+        'cleaning': {
+            '()':  'authentic2.utils.CleanLogMessage',
+        },
+    },
    'formatters': {
        'verbose': {
            'format': '[%(asctime)s] %(levelname)-8s %(name)s.%(message)s',
@ -264,22 +270,26 @@ LOGGING = {
        'console': {
            'level':'DEBUG',
            'class':'logging.StreamHandler',
-            'formatter': 'verbose'
+            'formatter': 'verbose',
+            'filters': ['cleaning'],
        },
        'local_file': {
            'level':'DEBUG',
            'class':'logging.FileHandler',
            'formatter': 'verbose',
            'filename': os.path.join(_PROJECT_PATH, 'log.log'),
+            'filters': ['cleaning'],
        },
        'syslog': {
            'level':'INFO',
            'class':'logging.handlers.SysLogHandler',
+            'filters': ['cleaning'],
        },
        'mail_admins': {
            'level': 'ERROR',
            'class': 'django.utils.log.AdminEmailHandler',
            'include_html': True,
+            'filters': ['cleaning'],
        }
    },
    'loggers': {
--- a/authentic2/utils.py
+++ b/authentic2/utils.py
@ -1,11 +1,23 @@
 import time
 import hashlib
 import datetime as dt
+import logging

 from django.views.decorators.http import condition
 from django.conf import settings
 from django.http import HttpResponse

+from authentic2.saml.saml2utils import filter_attribute_private_key, \
+    filter_element_private_key
+
+
+class CleanLogMessage(logging.Filter):
+    def filter(self, record):
+        record.msg = filter_attribute_private_key(record.msg)
+        record.msg = filter_element_private_key(record.msg)
+        return True
+
+
 class MWT(object):
    """Memoize With Timeout"""
    _caches = {}