lhc 14.0.0 → 15.1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7379ccaa5a569acd2eca8b6ea938996477391648efe913b45ff07e478f81e471
-  data.tar.gz: a277d00a29c59e3da5c9fa4fa5b130a201d253ad65ac26a75e1bc348eacf479f
+  metadata.gz: 301499c3239741a748386c3e33d552611f2817f2880579b3df9e320b336db894
+  data.tar.gz: 27c61057ca12aa70076e0fbe71da8cf8f0eac225420dcdd11ba297336aea85e8
 SHA512:
-  metadata.gz: 76713bd28a5e9ce252bfef62f77d5b04cf3820a290089d7331f2d1445a4e04ff4ebcfa6180b50d75f0ce4b0b62454f3a4bbece2f7a41f37fa2ea8158e755a196
-  data.tar.gz: e33b20e2c2d8f12b68e5ef76842bc94c61cd761be66d4d61b22b0c2501fd6dfc4041c7a9e32bff1d964e34c154d40ed6acf865cfeadb01c7318729597c96b25c
+  metadata.gz: 890dd068ed2902de6990b1b90ef5082f4f6d0c26e65022db14157615dd858f7302a8419b8457f6da403f3423aabdfa13f0838a748846f7f93e13339c0415eca6
+  data.tar.gz: e66683421af741d105294a5eb5fb33f26dbab024653b51647f3597e3256cd2bb114202d1599e4f0019f6157b08123afea794c68ddddd6f286518a99476c9dc9d

data/README.md

@@ -51,6 +51,7 @@ use it like:
   * [Configuration](#configuration)
      * [Configuring endpoints](#configuring-endpoints)
      * [Configuring placeholders](#configuring-placeholders)
+     * [Configuring scrubs](#configuring-scrubs)
   * [Interceptors](#interceptors)
      * [Quick start: Configure/Enable Interceptors](#quick-start-configureenable-interceptors)
      * [Interceptors on local request level](#interceptors-on-local-request-level)
@@ -491,6 +492,50 @@ You can configure global placeholders, that are used when generating urls from u
   LHC.get(:feedbacks) # http://datastore/v2/feedbacks
 ```
 
+### Configuring scrubs
+
+You can filter out sensitive request data from your log files and rollbar by appending them to `LHS.config.scrubs`. These values will be marked `[FILTERED]` in the log and on rollbar. Also nested parameters are being filtered.
+The scrubbing configuration affects all request done by LHC independent of the endpoint. You can scrub any attribute within `:params`, `:headers` or `:body`. For `:auth` you either can choose `:bearer` or `:basic` (default is both).
+
+LHS scrubs per default:
+- Bearer Token within the Request Header
+- Basic Auth `username` and `password` within the Request Header
+- `password` and `password_confirmation` within the Request Body
+
+Enhance the default scrubbing by pushing the name of the parameter, which should be scrubbed, as string to the existing configuration.
+You can also add multiple parameters at once by pushing multiple strings.
+
+Example:
+```ruby
+  LHC.configure do |c|
+    c.scrubs[:params] << 'api_key'
+    c.scrubs[:body].push('user_token', 'secret_key')
+  end
+```
+
+For disabling scrubbing, add following configuration:
+```ruby
+  LHC.configure do |c|
+    c.scrubs = {}
+  end
+```
+
+If you want to turn off `:bearer` or `:basic` scrubbing, then just overwrite the `:auth` configuration.
+
+Example:
+```ruby
+  LHC.configure do |c|
+    c.scrubs[:auth] = [:bearer]
+  end
+```
+
+If your app has a different authentication strategy than Bearer Authentication or Basic Authentication then you can filter the data by scrubbing the whole header:
+```ruby
+  LHC.configure do |c|
+    c.scrubs[:headers] << 'Authorization'
+  end
+```
+
 ## Interceptors
 
 To monitor and manipulate the HTTP communication done with LHC, you can define interceptors that follow the (Inteceptor Pattern)[https://en.wikipedia.org/wiki/Interceptor_pattern].
@@ -573,12 +618,18 @@ Adds the following to body of all requests:
 
 ##### Reauthenticate
 
-The current implementation can only offer reauthenticate for _client access tokens_. For this to work the following has to be given:
-
-* You have configured and implemented `LHC::Auth.refresh_client_token = -> { TokenRefreshUtil.client_access_token(true) }` which when called will force a refresh of the token and return the new value. It is also expected that this implementation will handle invalidating caches if necessary.
-* Your interceptors contain `LHC::Auth` and `LHC::Retry`, whereas `LHC::Retry` comes _after_ `LHC::Auth` in the chain.
+The current implementation offers only reauthentication for _client access tokens_.
+Make sure that your interceptors contain `LHC::Auth` and `LHC::Retry`, whereas `LHC::Retry` comes _after_ `LHC::Auth` in the chain.
+Provide the refresh token as following:
+```ruby
+LHC.get('http://local.ch', auth: { bearer: -> { access_token }, refresh_client_token: -> { TokenRefreshUtil.client_access_token(true) })
+```
+Where `TokenRefreshUtil.client_access_token(true)` forces a refresh of the token and returns the new token. It is also expected that this implementation will handle invalidating caches if necessary.
 
-##### Bearer Authentication with client access token
+You can also set a global `refresh_client_token`. This is not recommended for apps with multiple endpoint and different access tokens.
+```ruby
+LHC::Auth.refresh_client_token = -> { TokenRefreshUtil.client_access_token(true) }
+```
 
 Reauthentication will be initiated if:
 

data/lhc.gemspec

@@ -24,6 +24,7 @@ Gem::Specification.new do |s|
 
   s.add_dependency 'activesupport', '>= 5.2'
   s.add_dependency 'addressable'
+  s.add_dependency 'local_uri'
   s.add_dependency 'typhoeus', '>= 0.11'
 
   s.add_development_dependency 'geminabox'

data/lib/lhc/config.rb

@@ -5,9 +5,12 @@ require 'singleton'
 class LHC::Config
   include Singleton
 
+  attr_accessor :scrubs
+
   def initialize
     @endpoints = {}
     @placeholders = {}
+    @scrubs = default_scrubs
   end
 
   def endpoint(name, url, options = {})
@@ -42,9 +45,19 @@ class LHC::Config
     @interceptors = interceptors
   end
 
+  def default_scrubs
+    {
+      auth: [:bearer, :basic],
+      params: [],
+      headers: [],
+      body: ['password', 'password_confirmation']
+    }
+  end
+
   def reset
     @endpoints = {}
     @placeholders = {}
     @interceptors = nil
+    @scrubs = default_scrubs
   end
 end

data/lib/lhc/error.rb

@@ -72,13 +72,12 @@ class LHC::Error < StandardError
 
     debug = []
     debug << [request.method, request.url].map { |str| self.class.fix_invalid_encoding(str) }.join(' ')
-    debug << "Options: #{request.options}"
-    debug << "Headers: #{request.headers}"
+    debug << "Options: #{request.scrubbed_options}"
+    debug << "Headers: #{request.scrubbed_headers}"
     debug << "Response Code: #{response.code} (#{response.options[:return_code]})"
-    debug << "Response Options: #{response.options}"
+    debug << "Response Options: #{response.scrubbed_options}"
     debug << response.body
     debug << _message
-
     debug.map { |str| self.class.fix_invalid_encoding(str) }.join("\n")
   end
 end

data/lib/lhc/interceptors/auth.rb

@@ -30,7 +30,7 @@ class LHC::Auth < LHC::Interceptor
   def basic_authentication!
     auth = auth_options[:basic]
     credentials = "#{auth[:username]}:#{auth[:password]}"
-    set_authorization_header("Basic #{Base64.strict_encode64(credentials).chomp}")
+    set_basic_authorization_header(Base64.strict_encode64(credentials).chomp)
   end
 
   def bearer_authentication!
@@ -44,7 +44,13 @@ class LHC::Auth < LHC::Interceptor
     request.headers['Authorization'] = value
   end
 
+  def set_basic_authorization_header(base_64_encoded_credentials)
+    request.options[:auth][:basic].merge!(base_64_encoded_credentials: base_64_encoded_credentials)
+    set_authorization_header("Basic #{base_64_encoded_credentials}")
+  end
+
   def set_bearer_authorization_header(token)
+    request.options[:auth].merge!(bearer_token: token)
     set_authorization_header("Bearer #{token}")
   end
   # rubocop:enable Style/AccessorMethodName

data/lib/lhc/interceptors/logging.rb

@@ -14,8 +14,8 @@ class LHC::Logging < LHC::Interceptor
         "<#{request.object_id}>",
         request.method.upcase,
         "#{request.url} at #{Time.now.iso8601}",
-        "Params=#{request.params}",
-        "Headers=#{request.headers}",
+        "Params=#{request.scrubbed_params}",
+        "Headers=#{request.scrubbed_headers}",
         request.source ? "\nCalled from #{request.source}" : nil
       ].compact.join(' ')
     )

data/lib/lhc/interceptors/rollbar.rb

@@ -23,8 +23,8 @@ class LHC::Rollbar < LHC::Interceptor
       request: {
         url: request.url,
         method: request.method,
-        headers: request.headers,
-        params: request.params
+        headers: request.scrubbed_headers,
+        params: request.scrubbed_params
       }
     }.merge additional_params
     begin

data/lib/lhc/request.rb

@@ -12,7 +12,13 @@ class LHC::Request
 
   TYPHOEUS_OPTIONS ||= [:params, :method, :body, :headers, :follow_location, :params_encoding]
 
-  attr_accessor :response, :options, :raw, :format, :error_handler, :errors_ignored, :source
+  attr_accessor :response,
+                :options,
+                :raw,
+                :format,
+                :error_handler,
+                :errors_ignored,
+                :source
 
   def initialize(options, self_executing = true)
     self.errors_ignored = (options.fetch(:ignore, []) || []).to_a.compact
@@ -56,6 +62,24 @@ class LHC::Request
     raw.run
   end
 
+  def scrubbed_params
+    LHC::ParamsScrubber.new(params.deep_dup).scrubbed
+  end
+
+  def scrubbed_headers
+    LHC::HeadersScrubber.new(headers.deep_dup, options[:auth]).scrubbed
+  end
+
+  def scrubbed_options
+    scrubbed_options = options.deep_dup
+    scrubbed_options[:cache] = LHC::CacheScrubber.new(scrubbed_options[:cache]).scrubbed
+    scrubbed_options[:params] = LHC::ParamsScrubber.new(scrubbed_options[:params]).scrubbed
+    scrubbed_options[:headers] = LHC::HeadersScrubber.new(scrubbed_options[:headers], scrubbed_options[:auth]).scrubbed
+    scrubbed_options[:auth] = LHC::AuthScrubber.new(scrubbed_options[:auth]).scrubbed
+    scrubbed_options[:body] = LHC::BodyScrubber.new(scrubbed_options[:body]).scrubbed
+    scrubbed_options
+  end
+
   private
 
   attr_accessor :interceptors

data/lib/lhc/response.rb

@@ -54,6 +54,12 @@ class LHC::Response
     request.format
   end
 
+  def scrubbed_options
+    scrubbed_options = options.deep_dup
+    scrubbed_options[:effective_url] = LHC::EffectiveUrlScrubber.new(scrubbed_options[:effective_url]).scrubbed
+    scrubbed_options
+  end
+
   private
 
   attr_accessor :raw

data/lib/lhc/scrubber.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+class LHC::Scrubber
+  attr_accessor :scrubbed
+
+  SCRUB_DISPLAY = '[FILTERED]'
+
+  def initialize(data)
+    @scrubbed = data
+  end
+
+  private
+
+  def scrub_auth_elements
+    LHC.config.scrubs.dig(:auth)
+  end
+
+  def scrub!
+    return if scrub_elements.blank?
+    return if scrubbed.blank?
+
+    LHC::Scrubber.scrub_hash!(scrub_elements, scrubbed) if scrubbed.is_a?(Hash)
+    LHC::Scrubber.scrub_array!(scrub_elements, scrubbed) if scrubbed.is_a?(Array)
+  end
+
+  def self.scrub_array!(scrub_elements, scrubbed)
+    scrubbed.each do |scrubbed_hash|
+      LHC::Scrubber.scrub_hash!(scrub_elements, scrubbed_hash)
+    end
+  end
+
+  def self.scrub_hash!(scrub_elements, scrubbed)
+    scrub_elements.each do |scrub_element|
+      if scrubbed.key?(scrub_element.to_s)
+        key = scrub_element.to_s
+      elsif scrubbed.key?(scrub_element.to_sym)
+        key = scrub_element.to_sym
+      end
+      next if key.blank? || scrubbed[key].blank?
+
+      scrubbed[key] = SCRUB_DISPLAY
+    end
+    scrubbed.values.each { |v| LHC::Scrubber.scrub_hash!(scrub_elements, v) if v.instance_of?(Hash) }
+  end
+end

data/lib/lhc/scrubbers/auth_scrubber.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+class LHC::AuthScrubber < LHC::Scrubber
+  def initialize(data)
+    super(data)
+    scrub_auth_options!
+  end
+
+  private
+
+  def scrub_auth_options!
+    return if scrubbed.blank?
+    return if scrub_auth_elements.blank?
+
+    scrub_basic_auth_options! if scrub_auth_elements.include?(:basic)
+    scrub_bearer_auth_options! if scrub_auth_elements.include?(:bearer)
+  end
+
+  def scrub_basic_auth_options!
+    return if scrubbed[:basic].blank?
+
+    scrubbed[:basic][:username] = SCRUB_DISPLAY
+    scrubbed[:basic][:password] = SCRUB_DISPLAY
+    scrubbed[:basic][:base_64_encoded_credentials] = SCRUB_DISPLAY
+  end
+
+  def scrub_bearer_auth_options!
+    return if scrubbed[:bearer].blank?
+
+    scrubbed[:bearer] = SCRUB_DISPLAY if scrubbed[:bearer].is_a?(String)
+    scrubbed[:bearer_token] = SCRUB_DISPLAY
+  end
+end

data/lib/lhc/scrubbers/body_scrubber.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+class LHC::BodyScrubber < LHC::Scrubber
+  def initialize(data)
+    super(data)
+    parse!
+    scrub!
+  end
+
+  private
+
+  def scrub_elements
+    LHC.config.scrubs[:body]
+  end
+
+  def parse!
+    return if scrubbed.nil? || scrubbed.is_a?(Hash) || scrubbed.is_a?(Array)
+
+    if scrubbed.is_a?(String)
+      json = scrubbed
+    else
+      json = scrubbed.to_json
+    end
+
+    parsed = JSON.parse(json)
+    self.scrubbed = parsed if parsed.is_a?(Hash) || parsed.is_a?(Array)
+  end
+end

data/lib/lhc/scrubbers/cache_scrubber.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+class LHC::CacheScrubber < LHC::Scrubber
+  def initialize(data)
+    super(data)
+    scrub_cache_options!
+  end
+
+  private
+
+  def scrub_cache_options!
+    return if scrubbed.blank?
+    return if scrub_elements.blank?
+
+    scrub_cache_key!
+  end
+
+  def scrub_cache_key!
+    return if scrubbed[:key].blank?
+
+    scrub_elements.each do |scrub_element|
+      matches = scrubbed[:key].match(/:#{scrub_element}=>"(.*?)"/)
+      next if matches.nil?
+
+      value = matches[-1]
+      scrubbed[:key].gsub!(value, SCRUB_DISPLAY)
+    end
+  end
+
+  def scrub_elements
+    # The cache key includes the whole request url inklusive params.
+    # We need to scrub those params from the cache key.
+    LHC.config.scrubs[:params]
+  end
+end

data/lib/lhc/scrubbers/effective_url_scrubber.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+class LHC::EffectiveUrlScrubber < LHC::Scrubber
+  def initialize(data)
+    super(data)
+    scrub_effective_url_options!
+  end
+
+  private
+
+  def scrub_effective_url_options!
+    return if scrubbed.blank?
+    return if scrub_elements.blank?
+
+    scrub_effective_url!
+  end
+
+  def scrub_effective_url!
+    return if scrubbed.blank?
+
+    scrub_elements.each do |scrub_element|
+      uri = LocalUri::URI.new(scrubbed)
+      self.scrubbed = CGI.unescape(uri.query.merge(scrub_element => SCRUB_DISPLAY).to_s)
+    end
+  end
+
+  def scrub_elements
+    # The effective url includes the params of the request
+    # so we need to scrub those params from the effective url.
+    LHC.config.scrubs[:params]
+  end
+end

data/lib/lhc/scrubbers/headers_scrubber.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+class LHC::HeadersScrubber < LHC::Scrubber
+  def initialize(data, auth_options)
+    super(data)
+    @auth_options = auth_options
+    scrub!
+    scrub_auth_headers!
+  end
+
+  private
+
+  attr_reader :auth_options
+
+  def scrub_elements
+    LHC.config.scrubs[:headers]
+  end
+
+  def scrub_auth_headers!
+    return if scrub_auth_elements.blank?
+    return if auth_options.blank?
+
+    scrub_basic_authentication_headers! if scrub_auth_elements.include?(:basic)
+    scrub_bearer_authentication_headers! if scrub_auth_elements.include?(:bearer)
+  end
+
+  def scrub_basic_authentication_headers!
+    return if !scrub_basic_authentication_headers?
+
+    scrubbed['Authorization'].gsub!(auth_options[:basic][:base_64_encoded_credentials], SCRUB_DISPLAY)
+  end
+
+  def scrub_bearer_authentication_headers!
+    return if !scrub_bearer_authentication_headers?
+
+    scrubbed['Authorization'].gsub!(auth_options[:bearer_token], SCRUB_DISPLAY)
+  end
+
+  def scrub_basic_authentication_headers?
+    auth_options[:basic].present? &&
+      scrubbed['Authorization'].present? &&
+      scrubbed['Authorization'].include?(auth_options[:basic][:base_64_encoded_credentials])
+  end
+
+  def scrub_bearer_authentication_headers?
+    auth_options[:bearer].present? &&
+      scrubbed['Authorization'].present? &&
+      scrubbed['Authorization'].include?(auth_options[:bearer_token])
+  end
+end

data/lib/lhc/scrubbers/params_scrubber.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+class LHC::ParamsScrubber < LHC::Scrubber
+  def initialize(data)
+    super(data)
+    scrub!
+  end
+
+  private
+
+  def scrub_elements
+    LHC.config.scrubs[:params]
+  end
+end

data/lib/lhc/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module LHC
-  VERSION ||= '14.0.0'
+  VERSION ||= '15.1.1'
 end

data/lib/lhc.rb

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
 
+require 'local_uri'
 require 'typhoeus'
 require 'active_support/core_ext/object/blank'
 require 'active_support/core_ext/hash/keys'
@@ -113,6 +114,21 @@ module LHC
   autoload :UnknownError,
            'lhc/errors/unknown_error'
 
+  autoload :Scrubber,
+           'lhc/scrubber'
+  autoload :AuthScrubber,
+           'lhc/scrubbers/auth_scrubber'
+  autoload :BodyScrubber,
+           'lhc/scrubbers/body_scrubber'
+  autoload :CacheScrubber,
+           'lhc/scrubbers/cache_scrubber'
+  autoload :EffectiveUrlScrubber,
+           'lhc/scrubbers/effective_url_scrubber'
+  autoload :HeadersScrubber,
+           'lhc/scrubbers/headers_scrubber'
+  autoload :ParamsScrubber,
+           'lhc/scrubbers/params_scrubber'
+
   autoload :Interceptor,
            'lhc/interceptor'
   autoload :Interceptors,

data/spec/config/scrubs_spec.rb

@@ -0,0 +1,108 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+describe LHC do
+  it 'has a default value for scrubs' do
+    expect(LHC.config.scrubs[:auth]).to eq [:bearer, :basic]
+    expect(LHC.config.scrubs[:params]).to eq []
+    expect(LHC.config.scrubs[:headers]).to eq []
+    expect(LHC.config.scrubs[:body]).to eq ['password', 'password_confirmation']
+  end
+
+  describe 'auth' do
+    context 'when only bearer auth should get scrubbed' do
+      before(:each) do
+        LHC.configure do |c|
+          c.scrubs[:auth] = [:bearer]
+        end
+      end
+
+      it 'has only bearer auth in scrubs' do
+        expect(LHC.config.scrubs[:auth]).to eq([:bearer])
+        expect(LHC.config.scrubs[:params]).to eq []
+        expect(LHC.config.scrubs[:headers]).to eq []
+        expect(LHC.config.scrubs[:body]).to eq ['password', 'password_confirmation']
+      end
+    end
+  end
+
+  context 'params' do
+    context 'when additional param "api_key" should be scrubbed' do
+      before(:each) do
+        LHC.configure do |c|
+          c.scrubs[:params] << 'api_key'
+        end
+      end
+
+      it 'has "api_key" in scrubs' do
+        expect(LHC.config.scrubs[:auth]).to eq [:bearer, :basic]
+        expect(LHC.config.scrubs[:params]).to eq ['api_key']
+        expect(LHC.config.scrubs[:headers]).to eq []
+        expect(LHC.config.scrubs[:body]).to eq ['password', 'password_confirmation']
+      end
+    end
+  end
+
+  context 'headers' do
+    context 'when additional header "private_key" should be scrubbed' do
+      before(:each) do
+        LHC.configure do |c|
+          c.scrubs[:headers] << 'private_key'
+        end
+      end
+
+      it 'has "private_key" in scrubs' do
+        expect(LHC.config.scrubs[:auth]).to eq [:bearer, :basic]
+        expect(LHC.config.scrubs[:params]).to eq []
+        expect(LHC.config.scrubs[:headers]).to eq ['private_key']
+        expect(LHC.config.scrubs[:body]).to eq ['password', 'password_confirmation']
+      end
+    end
+  end
+
+  context 'body' do
+    context 'when only password should get scrubbed' do
+      before(:each) do
+        LHC.configure do |c|
+          c.scrubs[:body] = ['password']
+        end
+      end
+
+      it 'has password in scrubs' do
+        expect(LHC.config.scrubs[:auth]).to eq [:bearer, :basic]
+        expect(LHC.config.scrubs[:params]).to eq []
+        expect(LHC.config.scrubs[:headers]).to eq []
+        expect(LHC.config.scrubs[:body]).to eq(['password'])
+      end
+    end
+
+    context 'when "user_token" should be scrubbed' do
+      before(:each) do
+        LHC.configure do |c|
+          c.scrubs[:body] << 'user_token'
+        end
+      end
+
+      it 'has user_token in scrubs' do
+        expect(LHC.config.scrubs[:auth]).to eq [:bearer, :basic]
+        expect(LHC.config.scrubs[:params]).to eq []
+        expect(LHC.config.scrubs[:headers]).to eq []
+        expect(LHC.config.scrubs[:body]).to eq(['password', 'password_confirmation', 'user_token'])
+      end
+    end
+  end
+
+  context 'when nothing should be scrubbed' do
+    before(:each) do
+      LHC.configure do |c|
+        c.scrubs = {}
+      end
+    end
+
+    it 'does not have scrubs' do
+      expect(LHC.config.scrubs.blank?).to be true
+      expect(LHC.config.scrubs[:auth]).to be nil
+    end
+  end
+end

data/spec/error/to_s_spec.rb

@@ -48,17 +48,19 @@ describe LHC::Error do
         double('LHC::Request',
                method: 'GET',
                url: 'http://example.com/sessions',
-               headers: { 'Bearer Token' => "aaaaaaaa-bbbb-cccc-dddd-eeee" },
-               options: { followlocation: true,
-                          auth: { bearer: "aaaaaaaa-bbbb-cccc-dddd-eeee" },
-                          params: { limit: 20 }, url: "http://example.com/sessions" })
+               scrubbed_headers: { 'Bearer Token' => LHC::Scrubber::SCRUB_DISPLAY },
+               scrubbed_options: { followlocation: true,
+                                   auth: { bearer: LHC::Scrubber::SCRUB_DISPLAY },
+                                   params: { limit: 20 }, url: "http://example.com/sessions" })
       end
 
       let(:response) do
+        options = { return_code: :internal_error, response_headers: "" }
         double('LHC::Response',
                request: request,
                code: 500,
-               options: { return_code: :internal_error, response_headers: "" },
+               options: options,
+               scrubbed_options: options,
                body: '{"status":500,"message":"undefined"}')
       end
 
@@ -72,8 +74,8 @@ describe LHC::Error do
       it 'produces correct debug output' do
         expect(subject.to_s.split("\n")).to eq(<<-MSG.strip_heredoc.split("\n"))
           GET http://example.com/sessions
-          Options: {:followlocation=>true, :auth=>{:bearer=>"aaaaaaaa-bbbb-cccc-dddd-eeee"}, :params=>{:limit=>20}, :url=>"http://example.com/sessions"}
-          Headers: {"Bearer Token"=>"aaaaaaaa-bbbb-cccc-dddd-eeee"}
+          Options: {:followlocation=>true, :auth=>{:bearer=>"#{LHC::Scrubber::SCRUB_DISPLAY}"}, :params=>{:limit=>20}, :url=>"http://example.com/sessions"}
+          Headers: {"Bearer Token"=>"#{LHC::Scrubber::SCRUB_DISPLAY}"}
           Response Code: 500 (internal_error)
           Response Options: {:return_code=>:internal_error, :response_headers=>""}
           {"status":500,"message":"undefined"}

data/spec/interceptors/logging/main_spec.rb

@@ -8,7 +8,7 @@ describe LHC::Logging do
   before(:each) do
     LHC.config.interceptors = [LHC::Logging]
     LHC::Logging.logger = logger
-    stub_request(:get, 'http://local.ch').to_return(status: 200)
+    stub_request(:get, /http:\/\/local.ch.*/).to_return(status: 200)
   end
 
   it 'does log information before and after every request made with LHC' do
@@ -34,4 +34,24 @@ describe LHC::Logging do
       )
     end
   end
+
+  context 'sensitive data' do
+    before :each do
+      LHC.config.scrubs[:params] << 'api_key'
+      LHC.config.scrubs[:headers] << 'private_key'
+      LHC.get('http://local.ch', params: { api_key: '123-abc' }, headers: { private_key: 'abc-123' })
+    end
+
+    it 'does not log sensitive params information' do
+      expect(logger).to have_received(:info).once.with(
+        a_string_including("Params={:api_key=>\"#{LHC::Scrubber::SCRUB_DISPLAY}\"}")
+      )
+    end
+
+    it 'does not log sensitive header information' do
+      expect(logger).to have_received(:info).once.with(
+        a_string_including(":private_key=>\"#{LHC::Scrubber::SCRUB_DISPLAY}\"")
+      )
+    end
+  end
 end

data/spec/interceptors/rollbar/main_spec.rb

@@ -36,22 +36,34 @@ describe LHC::Rollbar do
         )
     end
 
-    context 'additional params' do
-      it 'does report errors to rollbar with additional data' do
-        stub_request(:get, 'http://local.ch')
-          .to_return(status: 400)
-        expect(-> { LHC.get('http://local.ch', rollbar: { additional: 'data' }) })
-          .to raise_error LHC::BadRequest
-        expect(::Rollbar).to have_received(:warning)
-          .with(
-            'Status: 400 URL: http://local.ch',
-            hash_including(
-              response: anything,
-              request: anything,
-              additional: 'data'
-            )
+    it 'does report errors to rollbar with additional data' do
+      stub_request(:get, 'http://local.ch')
+        .to_return(status: 400)
+      expect(-> { LHC.get('http://local.ch', rollbar: { additional: 'data' }) })
+        .to raise_error LHC::BadRequest
+      expect(::Rollbar).to have_received(:warning)
+        .with(
+          'Status: 400 URL: http://local.ch',
+          hash_including(
+            response: anything,
+            request: anything,
+            additional: 'data'
           )
-      end
+        )
+    end
+
+    it 'scrubs sensitive data' do
+      LHC.config.scrubs[:params] << 'api_key'
+      LHC.config.scrubs[:headers] << 'private_key'
+      stub_request(:get, 'http://local.ch?api_key=123-abc').to_return(status: 400)
+      expect(-> { LHC.get('http://local.ch', params: { api_key: '123-abc' }, headers: { private_key: 'abc-123' }) })
+        .to raise_error LHC::BadRequest
+      expect(::Rollbar).to have_received(:warning)
+        .with(
+          'Status: 400 URL: http://local.ch',
+          response: hash_including(body: anything, code: anything, headers: anything, time: anything, timeout?: anything),
+          request: hash_including(url: anything, method: anything, headers: hash_including(private_key: LHC::Scrubber::SCRUB_DISPLAY), params: { api_key: LHC::Scrubber::SCRUB_DISPLAY })
+        )
     end
   end
 end

data/spec/request/scrubbed_headers_spec.rb

@@ -0,0 +1,103 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+describe LHC::Request do
+  let(:headers) { { private_key: 'xyz-123' } }
+  let(:response) { LHC.get(:local, headers: headers) }
+  let(:auth) { {} }
+
+  before :each do
+    LHC.config.endpoint(:local, 'http://local.ch', auth: auth)
+    stub_request(:get, 'http://local.ch').with(headers: headers)
+  end
+
+  it 'scrubs "private_key"' do
+    LHC.config.scrubs[:headers] << 'private_key'
+    expect(response.request.scrubbed_headers).to include(private_key: LHC::Scrubber::SCRUB_DISPLAY)
+  end
+
+  it 'does not add a new attribute when a non existing header should be scrubbed' do
+    LHC.config.scrubs[:headers] << 'anything'
+    expect(response.request.scrubbed_headers).not_to include('anything' => LHC::Scrubber::SCRUB_DISPLAY)
+  end
+
+  context 'when strings instead of symbols are provided' do
+    let(:headers) { { 'private_key' => 'xyz-123' } }
+
+    it 'scrubs "private_key"' do
+      LHC.config.scrubs[:headers] << 'private_key'
+      expect(response.request.scrubbed_headers).to include('private_key' => LHC::Scrubber::SCRUB_DISPLAY)
+    end
+  end
+
+  context 'other authentication strategy' do
+    let(:api_key) { '123456' }
+    let(:authorization_header) { { 'Authorization' => "Apikey #{api_key}" } }
+    let(:headers) { authorization_header }
+
+    it 'provides srubbed Authorization header' do
+      LHC.config.scrubs[:headers] << 'Authorization'
+      expect(response.request.scrubbed_headers).to include('Authorization' => LHC::Scrubber::SCRUB_DISPLAY)
+      expect(response.request.headers).to include(authorization_header)
+    end
+  end
+
+  describe 'auth' do
+    before :each do
+      LHC.config.interceptors = [LHC::Auth]
+      stub_request(:get, 'http://local.ch').with(headers: authorization_header)
+    end
+
+    let(:request) do
+      response = LHC.get(:local)
+      response.request
+    end
+
+    context 'bearer authentication' do
+      let(:bearer_token) { '123456' }
+      let(:authorization_header) { { 'Authorization' => "Bearer #{bearer_token}" } }
+      let(:auth) { { bearer: -> { bearer_token } } }
+
+      it 'scrubs only the bearer token' do
+        expect(request.scrubbed_headers).to include('Authorization' => "Bearer #{LHC::Scrubber::SCRUB_DISPLAY}")
+        expect(request.headers).to include(authorization_header)
+      end
+
+      it 'scrubs whole "Authorization" header' do
+        LHC.config.scrubs[:headers] << 'Authorization'
+        expect(request.scrubbed_headers).to include('Authorization' => LHC::Scrubber::SCRUB_DISPLAY)
+        expect(request.headers).to include(authorization_header)
+      end
+
+      it 'scrubs nothing' do
+        LHC.config.scrubs = {}
+        expect(request.scrubbed_headers).to include(authorization_header)
+      end
+    end
+
+    context 'basic authentication' do
+      let(:username) { 'steve' }
+      let(:password) { 'abcdefg' }
+      let(:credentials_base_64_codiert) { Base64.strict_encode64("#{username}:#{password}").chomp }
+      let(:authorization_header) { { 'Authorization' => "Basic #{credentials_base_64_codiert}" } }
+      let(:auth) { { basic: { username: username, password: password } } }
+
+      it 'scrubs only credentials' do
+        expect(request.scrubbed_headers).to include('Authorization' => "Basic #{LHC::Scrubber::SCRUB_DISPLAY}")
+        expect(request.headers).to include(authorization_header)
+      end
+
+      it 'scrubs whole "Authorization" header' do
+        LHC.config.scrubs[:headers] << 'Authorization'
+        expect(request.scrubbed_headers).to include('Authorization' => LHC::Scrubber::SCRUB_DISPLAY)
+        expect(request.headers).to include(authorization_header)
+      end
+
+      it 'scrubs nothing' do
+        LHC.config.scrubs = {}
+        expect(request.scrubbed_headers).to include(authorization_header)
+      end
+    end
+  end
+end

data/spec/request/scrubbed_options_spec.rb

@@ -0,0 +1,214 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+describe LHC::Request do
+  before :each do
+    LHC.config.interceptors = [LHC::Auth]
+    LHC.config.endpoint(:local, 'http://local.ch', auth: auth)
+    LHC.config.scrubs[:params] << 'api_key'
+    LHC.config.scrubs[:headers] << 'private_key'
+    LHC.config.scrubs[:body] << 'user_token'
+    stub_request(:post, "http://local.ch?#{params.to_query}").with(headers: authorization_header.merge(headers), body: body.to_json)
+  end
+
+  let(:bearer_token) { '123456' }
+  let(:authorization_header) { { 'Authorization' => "Bearer #{bearer_token}" } }
+  let(:auth) { { bearer: -> { bearer_token } } }
+  let(:params) { { api_key: 'api-key-params' } }
+  let(:headers) { { private_key: 'private-key-header' } }
+  let(:body) { { user_token: 'user-token-body' } }
+  let(:cache) do
+    { key: "LHS_REQUEST_CYCLE_CACHE(v1) POST http://local.ch?#{params}" }
+  end
+
+  let(:request) do
+    response = LHC.post(:local, params: params, headers: headers, body: body, cache: cache)
+    response.request
+  end
+
+  it 'provides srubbed request options' do
+    expect(request.scrubbed_options[:params]).to include(api_key: LHC::Scrubber::SCRUB_DISPLAY)
+    expect(request.scrubbed_options[:headers]).to include(private_key: LHC::Scrubber::SCRUB_DISPLAY)
+    expect(request.scrubbed_options[:body]).to include(user_token: LHC::Scrubber::SCRUB_DISPLAY)
+    expect(request.scrubbed_options[:auth][:bearer_token]).to eq(LHC::Scrubber::SCRUB_DISPLAY)
+    expect(request.scrubbed_options[:auth][:basic]).to be nil
+    expect(request.scrubbed_options[:cache])
+      .to include(key: "LHS_REQUEST_CYCLE_CACHE(v1) POST http://local.ch?{:api_key=>\"[FILTERED]\"}")
+  end
+
+  context 'when bearer auth is not a proc' do
+    let(:auth) { { bearer: bearer_token } }
+
+    it 'also scrubbes the bearer' do
+      expect(request.scrubbed_options[:auth][:bearer]).to eq(LHC::Scrubber::SCRUB_DISPLAY)
+      expect(request.scrubbed_options[:auth][:bearer_token]).to eq(LHC::Scrubber::SCRUB_DISPLAY)
+    end
+  end
+
+  context 'when options do not have auth' do
+    let(:authorization_header) { {} }
+    let(:auth) { nil }
+
+    it 'provides srubbed request options' do
+      expect(request.scrubbed_options[:params]).to include(api_key: LHC::Scrubber::SCRUB_DISPLAY)
+      expect(request.scrubbed_options[:headers]).to include(private_key: LHC::Scrubber::SCRUB_DISPLAY)
+      expect(request.scrubbed_options[:body]).to include(user_token: LHC::Scrubber::SCRUB_DISPLAY)
+      expect(request.scrubbed_options[:auth]).to be nil
+    end
+  end
+
+  context 'when parameter should not get scrubbed' do
+    let(:params) { { any_parameter: 'any-parameter' } }
+
+    let(:cache) do
+      { key: "LHS_REQUEST_CYCLE_CACHE(v1) POST http://local.ch?#{params}" }
+    end
+
+    it 'does not scrubb the parameter' do
+      expect(request.scrubbed_options[:cache])
+        .to include(key: "LHS_REQUEST_CYCLE_CACHE(v1) POST http://local.ch?#{params}")
+    end
+  end
+
+  context 'when body data is nested' do
+    let(:body) do
+      {
+        data: {
+          attributes: {
+            employee: {
+              name: 'Muster',
+              surname: 'Hans',
+              password: 'test-1234',
+              password_confirmation: 'test-1234'
+            }
+          }
+        }
+      }
+    end
+
+    it 'srubbes nested attributes' do
+      expect(request.scrubbed_options[:params]).to include(api_key: LHC::Scrubber::SCRUB_DISPLAY)
+      expect(request.scrubbed_options[:headers]).to include(private_key: LHC::Scrubber::SCRUB_DISPLAY)
+      expect(request.scrubbed_options[:body][:data][:attributes][:employee]).to include(password: LHC::Scrubber::SCRUB_DISPLAY)
+      expect(request.scrubbed_options[:body][:data][:attributes][:employee]).to include(password_confirmation: LHC::Scrubber::SCRUB_DISPLAY)
+      expect(request.scrubbed_options[:auth][:bearer_token]).to eq(LHC::Scrubber::SCRUB_DISPLAY)
+      expect(request.scrubbed_options[:auth][:basic]).to be nil
+    end
+  end
+
+  context 'basic authentication' do
+    let(:username) { 'steve' }
+    let(:password) { 'abcdefg' }
+    let(:credentials_base_64_codiert) { Base64.strict_encode64("#{username}:#{password}").chomp }
+    let(:authorization_header) { { 'Authorization' => "Basic #{credentials_base_64_codiert}" } }
+    let(:auth) { { basic: { username: username, password: password } } }
+
+    it 'provides srubbed request headers' do
+      expect(request.scrubbed_options[:auth][:basic][:username]).to eq(LHC::Scrubber::SCRUB_DISPLAY)
+      expect(request.scrubbed_options[:auth][:basic][:password]).to eq(LHC::Scrubber::SCRUB_DISPLAY)
+      expect(request.scrubbed_options[:auth][:basic][:base_64_encoded_credentials]).to eq(LHC::Scrubber::SCRUB_DISPLAY)
+      expect(request.scrubbed_options[:auth][:bearer]).to be nil
+    end
+  end
+
+  context 'when nothing should get scrubbed' do
+    before :each do
+      LHC.config.scrubs = {}
+    end
+
+    it 'does not filter anything' do
+      expect(request.scrubbed_options[:params]).not_to include(api_key: LHC::Scrubber::SCRUB_DISPLAY)
+      expect(request.scrubbed_options[:headers]).not_to include(private_key: LHC::Scrubber::SCRUB_DISPLAY)
+      expect(request.scrubbed_options[:body]).not_to include(user_token: LHC::Scrubber::SCRUB_DISPLAY)
+      expect(request.scrubbed_options[:auth][:bearer_token]).not_to eq(LHC::Scrubber::SCRUB_DISPLAY)
+      expect(request.scrubbed_options[:cache])
+        .not_to include(key: "LHS_REQUEST_CYCLE_CACHE(v1) POST http://local.ch?{:api_key=>\"[FILTERED]\"}")
+    end
+  end
+
+  context 'custom data structures that respond to as_json (like LHS data or record)' do
+    before do
+      class CustomStructure
+
+        def initialize(data)
+          @data = data
+        end
+
+        def as_json
+          @data.as_json
+        end
+
+        def to_json
+          as_json.to_json
+        end
+      end
+
+      stub_request(:post, 'http://local.ch').with(body: custom_structure.to_json)
+    end
+
+    let(:custom_structure) do
+      CustomStructure.new(user_token: '12345')
+    end
+
+    let(:request) do
+      response = LHC.post(:local, body: custom_structure)
+      response.request
+    end
+
+    it 'provides srubbed request options' do
+      expect(request.scrubbed_options[:body]).to include('user_token' => LHC::Scrubber::SCRUB_DISPLAY)
+    end
+  end
+
+  context 'encoded data hash' do
+    let(:body) { { user_token: 'user-token-body' } }
+
+    let(:request) do
+      response = LHC.post(:local, body: body.to_json)
+      response.request
+    end
+
+    before :each do
+      stub_request(:post, 'http://local.ch').with(body: body.to_json)
+    end
+
+    it 'provides srubbed request options' do
+      expect(request.scrubbed_options[:body]).to include('user_token' => LHC::Scrubber::SCRUB_DISPLAY)
+    end
+  end
+
+  context 'array' do
+    let(:body) { [{ user_token: 'user-token-body' }] }
+
+    let(:request) do
+      response = LHC.post(:local, body: body)
+      response.request
+    end
+
+    before :each do
+      stub_request(:post, 'http://local.ch').with(body: body.to_json)
+    end
+
+    it 'provides srubbed request options' do
+      expect(request.scrubbed_options[:body]).to eq([user_token: LHC::Scrubber::SCRUB_DISPLAY])
+    end
+  end
+
+  context 'encoded array' do
+    let(:body) { [{ user_token: 'user-token-body' }] }
+
+    let(:request) do
+      response = LHC.post(:local, body: body.to_json)
+      response.request
+    end
+
+    before :each do
+      stub_request(:post, 'http://local.ch').with(body: body.to_json)
+    end
+
+    it 'provides srubbed request options' do
+      expect(request.scrubbed_options[:body]).to eq(['user_token' => LHC::Scrubber::SCRUB_DISPLAY])
+    end
+  end
+end

data/spec/request/scrubbed_params_spec.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+describe LHC::Request do
+  let(:params) { { api_key: 'xyz-123', secret_key: '123-xyz' } }
+  let(:response) { LHC.get(:local, params: params) }
+
+  before :each do
+    LHC.config.endpoint(:local, 'http://local.ch')
+    stub_request(:get, "http://local.ch?#{params.to_query}")
+  end
+
+  it 'scrubs "api_key"' do
+    LHC.config.scrubs[:params] << 'api_key'
+    expect(response.request.scrubbed_params).to include(api_key: LHC::Scrubber::SCRUB_DISPLAY)
+    expect(response.request.scrubbed_params).to include(secret_key: '123-xyz')
+  end
+
+  it 'scrubs "api_key" and "secret_key"' do
+    LHC.config.scrubs[:params].push('api_key', 'secret_key')
+    expect(response.request.scrubbed_params).to include(api_key: LHC::Scrubber::SCRUB_DISPLAY)
+    expect(response.request.scrubbed_params).to include(secret_key: LHC::Scrubber::SCRUB_DISPLAY)
+  end
+
+  context 'when value is empty' do
+    let(:params) { { api_key: nil, secret_key: '' } }
+
+    it 'does not filter the value' do
+      LHC.config.scrubs[:params].push('api_key', 'secret_key')
+      expect(response.request.scrubbed_params).to include(api_key: nil)
+      expect(response.request.scrubbed_params).to include(secret_key: '')
+    end
+  end
+end

data/spec/response/scrubbed_options_spec.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+describe LHC::Response do
+  let(:options) do
+    { effective_url: 'http://local.ch?api_key=api-key' }
+  end
+
+  let(:raw_response) { OpenStruct.new(options: options) }
+
+  before do
+    LHC.config.scrubs[:params] << 'api_key'
+  end
+
+  it 'scrubbes effective url' do
+    response = LHC::Response.new(raw_response, nil)
+    expect(response.scrubbed_options[:effective_url]).to eq "http://local.ch?api_key=#{LHC::Scrubber::SCRUB_DISPLAY}"
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: lhc
 version: !ruby/object:Gem::Version
-  version: 14.0.0
+  version: 15.1.1
 platform: ruby
 authors:
 - https://github.com/local-ch/lhc/contributors
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-05-11 00:00:00.000000000 Z
+date: 2021-11-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -38,6 +38,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: local_uri
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: typhoeus
   requirement: !ruby/object:Gem::Requirement
@@ -270,6 +284,13 @@ files:
 - lib/lhc/response/data/collection.rb
 - lib/lhc/response/data/item.rb
 - lib/lhc/rspec.rb
+- lib/lhc/scrubber.rb
+- lib/lhc/scrubbers/auth_scrubber.rb
+- lib/lhc/scrubbers/body_scrubber.rb
+- lib/lhc/scrubbers/cache_scrubber.rb
+- lib/lhc/scrubbers/effective_url_scrubber.rb
+- lib/lhc/scrubbers/headers_scrubber.rb
+- lib/lhc/scrubbers/params_scrubber.rb
 - lib/lhc/test/cache_helper.rb
 - lib/lhc/version.rb
 - script/ci/build.sh
@@ -281,6 +302,7 @@ files:
 - spec/basic_methods/request_without_rails_spec.rb
 - spec/config/endpoints_spec.rb
 - spec/config/placeholders_spec.rb
+- spec/config/scrubs_spec.rb
 - spec/core_ext/hash/deep_transform_values_spec.rb
 - spec/dummy/README.rdoc
 - spec/dummy/Rakefile
@@ -382,6 +404,9 @@ files:
 - spec/request/parallel_requests_spec.rb
 - spec/request/params_encoding_spec.rb
 - spec/request/request_without_rails_spec.rb
+- spec/request/scrubbed_headers_spec.rb
+- spec/request/scrubbed_options_spec.rb
+- spec/request/scrubbed_params_spec.rb
 - spec/request/url_patterns_spec.rb
 - spec/request/user_agent_spec.rb
 - spec/request/user_agent_without_rails_spec.rb
@@ -392,6 +417,7 @@ files:
 - spec/response/effective_url_spec.rb
 - spec/response/headers_spec.rb
 - spec/response/options_spec.rb
+- spec/response/scrubbed_options_spec.rb
 - spec/response/success_spec.rb
 - spec/response/time_spec.rb
 - spec/spec_helper.rb
@@ -436,6 +462,7 @@ test_files:
 - spec/basic_methods/request_without_rails_spec.rb
 - spec/config/endpoints_spec.rb
 - spec/config/placeholders_spec.rb
+- spec/config/scrubs_spec.rb
 - spec/core_ext/hash/deep_transform_values_spec.rb
 - spec/dummy/README.rdoc
 - spec/dummy/Rakefile
@@ -537,6 +564,9 @@ test_files:
 - spec/request/parallel_requests_spec.rb
 - spec/request/params_encoding_spec.rb
 - spec/request/request_without_rails_spec.rb
+- spec/request/scrubbed_headers_spec.rb
+- spec/request/scrubbed_options_spec.rb
+- spec/request/scrubbed_params_spec.rb
 - spec/request/url_patterns_spec.rb
 - spec/request/user_agent_spec.rb
 - spec/request/user_agent_without_rails_spec.rb
@@ -547,6 +577,7 @@ test_files:
 - spec/response/effective_url_spec.rb
 - spec/response/headers_spec.rb
 - spec/response/options_spec.rb
+- spec/response/scrubbed_options_spec.rb
 - spec/response/success_spec.rb
 - spec/response/time_spec.rb
 - spec/spec_helper.rb