Mask access token in logs

hosuaby · hosuaby · commit dee0fb8cc917 · 2025-02-25T17:37:42.000+01:00
diff --git a/oauth2/src/main/java/feign/ConfidentialLogger.java b/oauth2/src/main/java/feign/ConfidentialLogger.java
@@ -0,0 +1,71 @@
+/*
+ * Copyright © 2012 The Feign Authors (feign@commonhaus.dev)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package feign;
+
+import java.util.Collection;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.regex.Pattern;
+import java.util.stream.Collectors;
+
+public final class ConfidentialLogger extends Logger {
+  private static final String AUTHORIZATION_HEADER = "Authorization";
+  private static final Pattern ACCESS_TOKEN_PATTERN =
+      Pattern.compile("^Bearer [A-Za-z0-9-_]+\\.[A-Za-z0-9-_]+\\.[A-Za-z0-9-_]+$");
+
+  private final Logger delegate;
+
+  public ConfidentialLogger(final Logger delegate) {
+    this.delegate = delegate;
+  }
+
+  @Override
+  protected void logRequest(final String configKey, final Level logLevel, final Request request) {
+    final Map<String, Collection<String>> filteredHeaders = filterHeaders(request.headers());
+
+    final Request copyRequest =
+        Request.create(
+            request.httpMethod(),
+            request.url(),
+            filteredHeaders,
+            request.body(),
+            request.charset(),
+            request.requestTemplate());
+
+    super.logRequest(configKey, logLevel, copyRequest);
+  }
+
+  @Override
+  protected void log(final String configKey, final String format, final Object... args) {
+    delegate.log(configKey, format, args);
+  }
+
+  static Map<String, Collection<String>> filterHeaders(
+      final Map<String, Collection<String>> headers) {
+    final Map<String, Collection<String>> filteredHeaders = new HashMap<>(headers);
+    filteredHeaders.computeIfPresent(
+        AUTHORIZATION_HEADER,
+        (ignored, values) ->
+            values.stream()
+                .map(
+                    value ->
+                        ACCESS_TOKEN_PATTERN.matcher(value).matches()
+                            ? "Bearer <access token>"
+                            : value)
+                .collect(Collectors.toList()));
+    return filteredHeaders;
+  }
+}
diff --git a/oauth2/src/main/java/feign/auth/oauth2/OAuth2Authentication.java b/oauth2/src/main/java/feign/auth/oauth2/OAuth2Authentication.java
@@ -25,14 +25,19 @@
 import java.time.temporal.ChronoUnit;
 import java.util.concurrent.ExecutionException;
 import java.util.concurrent.TimeoutException;
+import java.util.logging.Level;
 
 public class OAuth2Authentication implements Capability {
+  private static final java.util.logging.Logger JAVA_LOGGER =
+      java.util.logging.Logger.getLogger(OAuth2Authentication.class.getName());
+
   protected ClientRegistration clientRegistration;
   protected OAuth2IDPClient idpClient;
 
   protected AsyncClient<Object> httpClient;
   protected Request.Options httpOptions;
   protected Decoder jsonDecoder;
+  protected Logger logger;
 
   private OAuth2TokenResponse oAuth2TokenResponse = null;
   private Instant expiresAt = null;
@@ -65,6 +70,12 @@ public Decoder enrich(final Decoder decoder) {
     return decoder;
   }
 
+  @Override
+  public Logger enrich(final Logger logger) {
+    this.logger = new ConfidentialLogger(logger);
+    return this.logger;
+  }
+
   @Override
   public <B extends BaseBuilder<B, T>, T> B beforeBuild(final B baseBuilder) {
     if (httpClient == null) {
@@ -84,12 +95,14 @@ public <B extends BaseBuilder<B, T>, T> B beforeBuild(final B baseBuilder) {
     return baseBuilder
         .requestInterceptor(new AuthenticationInterceptor())
         .retryer(new UnauthorizedRetryer())
-        .errorDecoder(UnauthorizedErrorDecoder.INSTANCE);
+        .errorDecoder(UnauthorizedErrorDecoder.INSTANCE)
+        .logger(this.logger);
   }
 
   private synchronized String getAccessToken() {
     if (expiresAt != null && expiresAt.minus(10, ChronoUnit.SECONDS).isBefore(Instant.now())) {
       // Access token is expired or about to expire
+      JAVA_LOGGER.log(Level.INFO, "Access token is about to be expired. Refreshing token.");
       expiresAt = null;
       oAuth2TokenResponse = null;
     }
@@ -102,6 +115,8 @@ private synchronized String getAccessToken() {
   }
 
   private synchronized String forceAuthentication() {
+    JAVA_LOGGER.log(Level.INFO, "Perform authentication against IDP.");
+
     try {
       oAuth2TokenResponse =
           idpClient
@@ -136,9 +151,14 @@ public void continueOrPropagate(final RetryableException unauthorizedException)
       }
 
       if (reauthenticated) {
+        JAVA_LOGGER.log(
+            Level.WARNING,
+            "Client still unauthorized event after access token was updated. Fail request.");
         throw unauthorizedException;
       }
 
+      JAVA_LOGGER.log(
+          Level.INFO, "Request was unauthorized by Resource Server. Refresh access token.");
       final String accessToken = forceAuthentication();
 
       final RequestTemplate requestTemplate = unauthorizedException.request().requestTemplate();
diff --git a/oauth2/src/test/java/feign/ConfidentialLoggerTest.java b/oauth2/src/test/java/feign/ConfidentialLoggerTest.java
@@ -0,0 +1,48 @@
+/*
+ * Copyright © 2012 The Feign Authors (feign@commonhaus.dev)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package feign;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+import java.util.Collection;
+import java.util.Collections;
+import java.util.Map;
+import org.junit.jupiter.api.Test;
+
+public class ConfidentialLoggerTest {
+
+  @Test
+  void testFilterHeaders() {
+
+    /* Given */
+    Map<String, Collection<String>> headers =
+        Collections.singletonMap(
+            "Authorization",
+            Collections.singleton(
+                "Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJ0dlhpald3X0tWSnZHY1B5N25mUlg4SjBpRDcxSTZEUWVFR0VjczJwbWxRIn0.eyJleHAiOjE3NDA1MDA0MzgsImlhdCI6MTc0MDUwMDQyOCwianRpIjoiMzljOTVhNzAtNDk4Yi00MWFjLTlmMTctOTA3Yjk4MmIzNDNkIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDozMjc5MC9yZWFsbXMvbWFzdGVyIiwiYXVkIjoiYWNjb3VudCIsInN1YiI6ImMzZjU5ZjA3LWE4NTItNGY1Ny1hZjEwLTI0OGJjNjg4YWMxYSIsInR5cCI6IkJlYXJlciIsImF6cCI6ImZlaWduLWNsaWVudC1zZWNyZXQiLCJhY3IiOiIxIiwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbImRlZmF1bHQtcm9sZXMtbWFzdGVyIiwib2ZmbGluZV9hY2Nlc3MiLCJ1bWFfYXV0aG9yaXphdGlvbiJdfSwicmVzb3VyY2VfYWNjZXNzIjp7ImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sInNjb3BlIjoicHJvZmlsZSBlbWFpbCIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwiY2xpZW50SG9zdCI6IjE3Mi4xNy4wLjEiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJzZXJ2aWNlLWFjY291bnQtZmVpZ24tY2xpZW50LXNlY3JldCIsImNsaWVudEFkZHJlc3MiOiIxNzIuMTcuMC4xIiwiY2xpZW50X2lkIjoiZmVpZ24tY2xpZW50LXNlY3JldCJ9.mcRl0ex7p4bPd-Kk1KwJoFOWYfkxwtEmAO9X9kdgGq4iCY6UUWGINqYXwI_D0QObclJ9J2ka9qCxo225MfV-zmza60IC3w6tfgsm7mnEZgec47GSoQjUqTLna4pDGdLq4c9QIedzkrhLqI9_qJi1V6iGYd6CNb6Y1u0G0QBoLejzHGVf5avxrlrRHTkGMUvphe7N0WAq5N9JjFrB6pqFsL1a9gMBkyThM6SpOwe1O2rXA07J7IgcL50AHU-4MxXRroz779GYObhm7o9RY7iPgs0BlBjVKxj75R8R57YNJo0LEPqBuCn5tAD7VJRPgCrM91Jfdv4X7mrg39JIndsyAw"));
+
+    /* When */
+    Map<String, Collection<String>> filteredHeaders = ConfidentialLogger.filterHeaders(headers);
+
+    /* Then */
+    assertThat(filteredHeaders).isNotNull().isNotEmpty().hasSize(1).containsKey("Authorization");
+    assertThat(filteredHeaders.get("Authorization"))
+        .isNotNull()
+        .isNotEmpty()
+        .hasSize(1)
+        .contains("Bearer <access token>");
+  }
+}
