package logger
import (
"bytes"
"encoding/json"
"log/slog"
"strings"
"testing"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
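// TestAuditLogEntry_RedactsSensitiveFields verifies that AuditLogEntry.Log
// never writes credential material to the log record: raw secret keys are
// dropped, presence flags (has_*) replace them, and secret-bearing entries in
// the query and header maps are masked. In addition to the key-based checks,
// the raw serialized line is scanned for every secret value so that a leak
// under a renamed, nested or newly added key is still detected.
func TestAuditLogEntry_RedactsSensitiveFields(t *testing.T) {
	// Route the default slog output into a buffer as JSON so the emitted
	// record can be inspected both as raw text and as parsed keys.
	buf := &bytes.Buffer{}
	previous := slog.Default()
	slog.SetDefault(slog.New(slog.NewJSONHandler(buf, nil)))
	defer slog.SetDefault(previous)

	// Each secret carries a distinct marker value; none of these strings may
	// appear anywhere in the serialized record.
	secretValues := []string{
		"tok-secret",
		"refresh-secret",
		"session-secret",
		"access-secret",
		"cookie-secret",
		"dsrf-secret",
		"query-token",
		"Bearer secret",
		"session=secret",
	}

	ale := &AuditLogEntry{
		RequestID:        "req-1",
		Stage:            "login",
		Token:            "tok-secret",
		RefreshToken:     "refresh-secret",
		SessionJwt:       "session-secret",
		AccessJwt:        "access-secret",
		SetCookieName:    "sid",
		SetCookieValue:   "cookie-secret",
		ParsedCookieDSRF: "dsrf-secret",
		LoginIDs: map[string]string{
			"loginId": "user@example.com",
		},
		Query: map[string]string{
			"token":  "query-token",
			"locale": "ko",
		},
		Headers: map[string]string{
			"Authorization": "Bearer secret",
			"Cookie":        "session=secret",
		},
	}

	ale.Log(slog.LevelInfo, "test")

	line := strings.TrimSpace(buf.String())
	require.NotEmpty(t, line)

	// Strongest check first: a secret value must not survive in the output
	// regardless of which key it would sit under.
	for _, secret := range secretValues {
		assert.NotContains(t, line, secret, "secret value %q leaked into the log line", secret)
	}

	var payload map[string]any
	require.NoError(t, json.Unmarshal([]byte(line), &payload))

	// Keys that carry raw credential material must be absent from the record.
	redactedKeys := []string{
		"token",
		"refresh_token",
		"session_jwt",
		"access_jwt",
		"set_cookie_value",
		"parsed_cookie_DSRF",
		"request_body",
		"new_password",
	}
	for _, key := range redactedKeys {
		assert.NotContains(t, payload, key, "redacted key %q present in payload", key)
	}

	// Presence flags replace the secret values so an operator can still tell
	// which credentials were involved in the request.
	presenceFlags := []string{
		"has_token",
		"has_refresh_token",
		"has_session_jwt",
		"has_access_jwt",
		"has_set_cookie_value",
		"has_parsed_cookie_DSRF",
	}
	for _, key := range presenceFlags {
		assert.Equal(t, true, payload[key], "presence flag %q", key)
	}

	// Non-secret identifiers are passed through unchanged.
	loginIDs, ok := payload["login_ids"].(map[string]any)
	require.True(t, ok)
	assert.Equal(t, "user@example.com", loginIDs["loginId"])

	// Only the secret-bearing query parameter is masked; others are kept.
	query, ok := payload["query"].(map[string]any)
	require.True(t, ok)
	assert.Equal(t, "*****", query["token"])
	assert.Equal(t, "ko", query["locale"])

	// Credential-bearing headers are masked.
	headers, ok := payload["headers"].(map[string]any)
	require.True(t, ok)
	assert.Equal(t, "*****", headers["Authorization"])
	assert.Equal(t, "*****", headers["Cookie"])
}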