lhc 14.0.0 → 15.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7379ccaa5a569acd2eca8b6ea938996477391648efe913b45ff07e478f81e471
-  data.tar.gz: a277d00a29c59e3da5c9fa4fa5b130a201d253ad65ac26a75e1bc348eacf479f
+  metadata.gz: 3a34aeee4fa910b8099acfdd73813103beb630400b92b449dbfbf4d87de4e041
+  data.tar.gz: 846b8cc9e24b9b0b9189b24d38c3e7b485096b4afd970cfc6fe48c8ee3a76d7e
 SHA512:
-  metadata.gz: 76713bd28a5e9ce252bfef62f77d5b04cf3820a290089d7331f2d1445a4e04ff4ebcfa6180b50d75f0ce4b0b62454f3a4bbece2f7a41f37fa2ea8158e755a196
-  data.tar.gz: e33b20e2c2d8f12b68e5ef76842bc94c61cd761be66d4d61b22b0c2501fd6dfc4041c7a9e32bff1d964e34c154d40ed6acf865cfeadb01c7318729597c96b25c
+  metadata.gz: 067d2e56385e931f00caa829411888881705ec19a702979332ad5074bf1a6515f0893e09111314b825fa7dd6d559518c997ac309f17e06eee245faffe93fcebd
+  data.tar.gz: 5284f04c83ca525e774775c41bd88d9f2dc8feeaf8f1fb47d3b9bde5677eeaad9bec6be6213597c4d1f34a2a22f8703b9f8e7fef0a4a09a58f24a6f72b2bf66b

data/README.md

@@ -51,6 +51,7 @@ use it like:
   * [Configuration](#configuration)
      * [Configuring endpoints](#configuring-endpoints)
      * [Configuring placeholders](#configuring-placeholders)
+     * [Configuring scrubs](#configuring-scrubs)
   * [Interceptors](#interceptors)
      * [Quick start: Configure/Enable Interceptors](#quick-start-configureenable-interceptors)
      * [Interceptors on local request level](#interceptors-on-local-request-level)
@@ -491,6 +492,50 @@ You can configure global placeholders, that are used when generating urls from u
   LHC.get(:feedbacks) # http://datastore/v2/feedbacks
 ```
 
+### Configuring scrubs
+
+You can filter out sensitive request data from your log files and rollbar by appending them to `LHS.config.scrubs`. These values will be marked `[FILTERED]` in the log and on rollbar. Also nested parameters are being filtered.
+The scrubbing configuration affects all request done by LHC independent of the endpoint. You can scrub any attribute within `:params`, `:headers` or `:body`. For `:auth` you either can choose `:bearer` or `:basic` (default is both).
+
+LHS scrubs per default:
+- Bearer Token within the Request Header
+- Basic Auth `username` and `password` within the Request Header
+- `password` and `password_confirmation` within the Request Body
+
+Enhance the default scrubbing by pushing the name of the parameter, which should be scrubbed, as string to the existing configuration.
+You can also add multiple parameters at once by pushing multiple strings.
+
+Example:
+```ruby
+  LHC.configure do |c|
+    c.scrubs[:params] << 'api_key'
+    c.scrubs[:body].push('user_token', 'secret_key')
+  end
+```
+
+For disabling scrubbing, add following configuration:
+```ruby
+  LHC.configure do |c|
+    c.scrubs = {}
+  end
+```
+
+If you want to turn off `:bearer` or `:basic` scrubbing, then just overwrite the `:auth` configuration.
+
+Example:
+```ruby
+  LHC.configure do |c|
+    c.scrubs[:auth] = [:bearer]
+  end
+```
+
+If your app has a different authentication strategy than Bearer Authentication or Basic Authentication then you can filter the data by scrubbing the whole header:
+```ruby
+  LHC.configure do |c|
+    c.scrubs[:headers] << 'Authorization'
+  end
+```
+
 ## Interceptors
 
 To monitor and manipulate the HTTP communication done with LHC, you can define interceptors that follow the (Inteceptor Pattern)[https://en.wikipedia.org/wiki/Interceptor_pattern].

data/lib/lhc.rb

@@ -113,6 +113,17 @@ module LHC
   autoload :UnknownError,
            'lhc/errors/unknown_error'
 
+  autoload :Scrubber,
+           'lhc/scrubber'
+  autoload :AuthScrubber,
+           'lhc/scrubbers/auth_scrubber'
+  autoload :BodyScrubber,
+           'lhc/scrubbers/body_scrubber'
+  autoload :HeadersScrubber,
+           'lhc/scrubbers/headers_scrubber'
+  autoload :ParamsScrubber,
+           'lhc/scrubbers/params_scrubber'
+
   autoload :Interceptor,
            'lhc/interceptor'
   autoload :Interceptors,

data/lib/lhc/config.rb

@@ -5,9 +5,12 @@ require 'singleton'
 class LHC::Config
   include Singleton
 
+  attr_accessor :scrubs
+
   def initialize
     @endpoints = {}
     @placeholders = {}
+    @scrubs = default_scrubs
   end
 
   def endpoint(name, url, options = {})
@@ -42,9 +45,19 @@ class LHC::Config
     @interceptors = interceptors
   end
 
+  def default_scrubs
+    {
+      auth: [:bearer, :basic],
+      params: [],
+      headers: [],
+      body: ['password', 'password_confirmation']
+    }
+  end
+
   def reset
     @endpoints = {}
     @placeholders = {}
     @interceptors = nil
+    @scrubs = default_scrubs
   end
 end

data/lib/lhc/error.rb

@@ -72,13 +72,12 @@ class LHC::Error < StandardError
 
     debug = []
     debug << [request.method, request.url].map { |str| self.class.fix_invalid_encoding(str) }.join(' ')
-    debug << "Options: #{request.options}"
-    debug << "Headers: #{request.headers}"
+    debug << "Options: #{request.scrubbed_options}"
+    debug << "Headers: #{request.scrubbed_headers}"
     debug << "Response Code: #{response.code} (#{response.options[:return_code]})"
     debug << "Response Options: #{response.options}"
     debug << response.body
     debug << _message
-
     debug.map { |str| self.class.fix_invalid_encoding(str) }.join("\n")
   end
 end

data/lib/lhc/interceptors/auth.rb

@@ -30,7 +30,7 @@ class LHC::Auth < LHC::Interceptor
   def basic_authentication!
     auth = auth_options[:basic]
     credentials = "#{auth[:username]}:#{auth[:password]}"
-    set_authorization_header("Basic #{Base64.strict_encode64(credentials).chomp}")
+    set_basic_authorization_header(Base64.strict_encode64(credentials).chomp)
   end
 
   def bearer_authentication!
@@ -44,7 +44,13 @@ class LHC::Auth < LHC::Interceptor
     request.headers['Authorization'] = value
   end
 
+  def set_basic_authorization_header(base_64_encoded_credentials)
+    request.options[:auth][:basic].merge!(base_64_encoded_credentials: base_64_encoded_credentials)
+    set_authorization_header("Basic #{base_64_encoded_credentials}")
+  end
+
   def set_bearer_authorization_header(token)
+    request.options[:auth].merge!(bearer_token: token)
     set_authorization_header("Bearer #{token}")
   end
   # rubocop:enable Style/AccessorMethodName

data/lib/lhc/interceptors/logging.rb

@@ -14,8 +14,8 @@ class LHC::Logging < LHC::Interceptor
         "<#{request.object_id}>",
         request.method.upcase,
         "#{request.url} at #{Time.now.iso8601}",
-        "Params=#{request.params}",
-        "Headers=#{request.headers}",
+        "Params=#{request.scrubbed_params}",
+        "Headers=#{request.scrubbed_headers}",
         request.source ? "\nCalled from #{request.source}" : nil
       ].compact.join(' ')
     )

data/lib/lhc/interceptors/rollbar.rb

@@ -23,8 +23,8 @@ class LHC::Rollbar < LHC::Interceptor
       request: {
         url: request.url,
         method: request.method,
-        headers: request.headers,
-        params: request.params
+        headers: request.scrubbed_headers,
+        params: request.scrubbed_params
       }
     }.merge additional_params
     begin

data/lib/lhc/request.rb

@@ -12,7 +12,13 @@ class LHC::Request
 
   TYPHOEUS_OPTIONS ||= [:params, :method, :body, :headers, :follow_location, :params_encoding]
 
-  attr_accessor :response, :options, :raw, :format, :error_handler, :errors_ignored, :source
+  attr_accessor :response,
+                :options,
+                :raw,
+                :format,
+                :error_handler,
+                :errors_ignored,
+                :source
 
   def initialize(options, self_executing = true)
     self.errors_ignored = (options.fetch(:ignore, []) || []).to_a.compact
@@ -56,6 +62,23 @@ class LHC::Request
     raw.run
   end
 
+  def scrubbed_params
+    LHC::ParamsScrubber.new(params.deep_dup).scrubbed
+  end
+
+  def scrubbed_headers
+    LHC::HeadersScrubber.new(headers.deep_dup, options[:auth]).scrubbed
+  end
+
+  def scrubbed_options
+    scrubbed_options = options.deep_dup
+    scrubbed_options[:params] = LHC::ParamsScrubber.new(scrubbed_options[:params]).scrubbed
+    scrubbed_options[:headers] = LHC::HeadersScrubber.new(scrubbed_options[:headers], scrubbed_options[:auth]).scrubbed
+    scrubbed_options[:auth] = LHC::AuthScrubber.new(scrubbed_options[:auth]).scrubbed
+    scrubbed_options[:body] = LHC::BodyScrubber.new(scrubbed_options[:body]).scrubbed
+    scrubbed_options
+  end
+
   private
 
   attr_accessor :interceptors

data/lib/lhc/scrubber.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+class LHC::Scrubber
+  attr_accessor :scrubbed
+
+  SCRUB_DISPLAY = '[FILTERED]'
+
+  def initialize(data)
+    @scrubbed = data
+  end
+
+  private
+
+  def scrub_auth_elements
+    LHC.config.scrubs.dig(:auth)
+  end
+
+  def scrub!
+    return if scrub_elements.blank?
+    return if scrubbed.blank?
+
+    LHC::Scrubber.scrub_hash!(scrub_elements, scrubbed) if scrubbed.is_a?(Hash)
+    LHC::Scrubber.scrub_array!(scrub_elements, scrubbed) if scrubbed.is_a?(Array)
+  end
+
+  def self.scrub_array!(scrub_elements, scrubbed)
+    scrubbed.each do |scrubbed_hash|
+      LHC::Scrubber.scrub_hash!(scrub_elements, scrubbed_hash)
+    end
+  end
+
+  def self.scrub_hash!(scrub_elements, scrubbed)
+    scrub_elements.each do |scrub_element|
+      if scrubbed.key?(scrub_element.to_s)
+        key = scrub_element.to_s
+      elsif scrubbed.key?(scrub_element.to_sym)
+        key = scrub_element.to_sym
+      end
+      next if key.blank? || scrubbed[key].blank?
+
+      scrubbed[key] = SCRUB_DISPLAY
+    end
+    scrubbed.values.each { |v| LHC::Scrubber.scrub_hash!(scrub_elements, v) if v.instance_of?(Hash) }
+  end
+end

data/lib/lhc/scrubbers/auth_scrubber.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+class LHC::AuthScrubber < LHC::Scrubber
+  def initialize(data)
+    super(data)
+    scrub_auth_options!
+  end
+
+  private
+
+  def scrub_auth_options!
+    return if scrubbed.blank?
+    return if scrub_auth_elements.blank?
+
+    scrub_basic_auth_options! if scrub_auth_elements.include?(:basic)
+    scrub_bearer_auth_options! if scrub_auth_elements.include?(:bearer)
+  end
+
+  def scrub_basic_auth_options!
+    return if scrubbed[:basic].blank?
+
+    scrubbed[:basic][:username] = SCRUB_DISPLAY
+    scrubbed[:basic][:password] = SCRUB_DISPLAY
+    scrubbed[:basic][:base_64_encoded_credentials] = SCRUB_DISPLAY
+  end
+
+  def scrub_bearer_auth_options!
+    return if scrubbed[:bearer].blank?
+
+    scrubbed[:bearer] = SCRUB_DISPLAY if scrubbed[:bearer].is_a?(String)
+    scrubbed[:bearer_token] = SCRUB_DISPLAY
+  end
+end

data/lib/lhc/scrubbers/body_scrubber.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+class LHC::BodyScrubber < LHC::Scrubber
+  def initialize(data)
+    super(data)
+    parse!
+    scrub!
+  end
+
+  private
+
+  def scrub_elements
+    LHC.config.scrubs[:body]
+  end
+
+  def parse!
+    return if scrubbed.nil? || scrubbed.is_a?(Hash) || scrubbed.is_a?(Array)
+
+    if scrubbed.is_a?(String)
+      json = scrubbed
+    else
+      json = scrubbed.to_json
+    end
+
+    parsed = JSON.parse(json)
+    self.scrubbed = parsed if parsed.is_a?(Hash) || parsed.is_a?(Array)
+  end
+end

data/lib/lhc/scrubbers/headers_scrubber.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+class LHC::HeadersScrubber < LHC::Scrubber
+  def initialize(data, auth_options)
+    super(data)
+    @auth_options = auth_options
+    scrub!
+    scrub_auth_headers!
+  end
+
+  private
+
+  attr_reader :auth_options
+
+  def scrub_elements
+    LHC.config.scrubs[:headers]
+  end
+
+  def scrub_auth_headers!
+    return if scrub_auth_elements.blank?
+    return if auth_options.blank?
+
+    scrub_basic_authentication_headers! if scrub_auth_elements.include?(:basic)
+    scrub_bearer_authentication_headers! if scrub_auth_elements.include?(:bearer)
+  end
+
+  def scrub_basic_authentication_headers!
+    return if auth_options[:basic].blank? || scrubbed['Authorization'].blank?
+
+    scrubbed['Authorization'].gsub!(auth_options[:basic][:base_64_encoded_credentials], SCRUB_DISPLAY)
+  end
+
+  def scrub_bearer_authentication_headers!
+    return if auth_options[:bearer].blank? || scrubbed['Authorization'].blank?
+
+    scrubbed['Authorization'].gsub!(auth_options[:bearer_token], SCRUB_DISPLAY)
+  end
+end

data/lib/lhc/scrubbers/params_scrubber.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+class LHC::ParamsScrubber < LHC::Scrubber
+  def initialize(data)
+    super(data)
+    scrub!
+  end
+
+  private
+
+  def scrub_elements
+    LHC.config.scrubs[:params]
+  end
+end

data/lib/lhc/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module LHC
-  VERSION ||= '14.0.0'
+  VERSION ||= '15.0.0'
 end

data/spec/config/scrubs_spec.rb

@@ -0,0 +1,108 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+describe LHC do
+  it 'has a default value for scrubs' do
+    expect(LHC.config.scrubs[:auth]).to eq [:bearer, :basic]
+    expect(LHC.config.scrubs[:params]).to eq []
+    expect(LHC.config.scrubs[:headers]).to eq []
+    expect(LHC.config.scrubs[:body]).to eq ['password', 'password_confirmation']
+  end
+
+  describe 'auth' do
+    context 'when only bearer auth should get scrubbed' do
+      before(:each) do
+        LHC.configure do |c|
+          c.scrubs[:auth] = [:bearer]
+        end
+      end
+
+      it 'has only bearer auth in scrubs' do
+        expect(LHC.config.scrubs[:auth]).to eq([:bearer])
+        expect(LHC.config.scrubs[:params]).to eq []
+        expect(LHC.config.scrubs[:headers]).to eq []
+        expect(LHC.config.scrubs[:body]).to eq ['password', 'password_confirmation']
+      end
+    end
+  end
+
+  context 'params' do
+    context 'when additional param "api_key" should be scrubbed' do
+      before(:each) do
+        LHC.configure do |c|
+          c.scrubs[:params] << 'api_key'
+        end
+      end
+
+      it 'has "api_key" in scrubs' do
+        expect(LHC.config.scrubs[:auth]).to eq [:bearer, :basic]
+        expect(LHC.config.scrubs[:params]).to eq ['api_key']
+        expect(LHC.config.scrubs[:headers]).to eq []
+        expect(LHC.config.scrubs[:body]).to eq ['password', 'password_confirmation']
+      end
+    end
+  end
+
+  context 'headers' do
+    context 'when additional header "private_key" should be scrubbed' do
+      before(:each) do
+        LHC.configure do |c|
+          c.scrubs[:headers] << 'private_key'
+        end
+      end
+
+      it 'has "private_key" in scrubs' do
+        expect(LHC.config.scrubs[:auth]).to eq [:bearer, :basic]
+        expect(LHC.config.scrubs[:params]).to eq []
+        expect(LHC.config.scrubs[:headers]).to eq ['private_key']
+        expect(LHC.config.scrubs[:body]).to eq ['password', 'password_confirmation']
+      end
+    end
+  end
+
+  context 'body' do
+    context 'when only password should get scrubbed' do
+      before(:each) do
+        LHC.configure do |c|
+          c.scrubs[:body] = ['password']
+        end
+      end
+
+      it 'has password in scrubs' do
+        expect(LHC.config.scrubs[:auth]).to eq [:bearer, :basic]
+        expect(LHC.config.scrubs[:params]).to eq []
+        expect(LHC.config.scrubs[:headers]).to eq []
+        expect(LHC.config.scrubs[:body]).to eq(['password'])
+      end
+    end
+
+    context 'when "user_token" should be scrubbed' do
+      before(:each) do
+        LHC.configure do |c|
+          c.scrubs[:body] << 'user_token'
+        end
+      end
+
+      it 'has user_token in scrubs' do
+        expect(LHC.config.scrubs[:auth]).to eq [:bearer, :basic]
+        expect(LHC.config.scrubs[:params]).to eq []
+        expect(LHC.config.scrubs[:headers]).to eq []
+        expect(LHC.config.scrubs[:body]).to eq(['password', 'password_confirmation', 'user_token'])
+      end
+    end
+  end
+
+  context 'when nothing should be scrubbed' do
+    before(:each) do
+      LHC.configure do |c|
+        c.scrubs = {}
+      end
+    end
+
+    it 'does not have scrubs' do
+      expect(LHC.config.scrubs.blank?).to be true
+      expect(LHC.config.scrubs[:auth]).to be nil
+    end
+  end
+end

data/spec/error/to_s_spec.rb

@@ -48,10 +48,10 @@ describe LHC::Error do
         double('LHC::Request',
                method: 'GET',
                url: 'http://example.com/sessions',
-               headers: { 'Bearer Token' => "aaaaaaaa-bbbb-cccc-dddd-eeee" },
-               options: { followlocation: true,
-                          auth: { bearer: "aaaaaaaa-bbbb-cccc-dddd-eeee" },
-                          params: { limit: 20 }, url: "http://example.com/sessions" })
+               scrubbed_headers: { 'Bearer Token' => LHC::Scrubber::SCRUB_DISPLAY },
+               scrubbed_options: { followlocation: true,
+                                   auth: { bearer: LHC::Scrubber::SCRUB_DISPLAY },
+                                   params: { limit: 20 }, url: "http://example.com/sessions" })
       end
 
       let(:response) do
@@ -72,8 +72,8 @@ describe LHC::Error do
       it 'produces correct debug output' do
         expect(subject.to_s.split("\n")).to eq(<<-MSG.strip_heredoc.split("\n"))
           GET http://example.com/sessions
-          Options: {:followlocation=>true, :auth=>{:bearer=>"aaaaaaaa-bbbb-cccc-dddd-eeee"}, :params=>{:limit=>20}, :url=>"http://example.com/sessions"}
-          Headers: {"Bearer Token"=>"aaaaaaaa-bbbb-cccc-dddd-eeee"}
+          Options: {:followlocation=>true, :auth=>{:bearer=>"#{LHC::Scrubber::SCRUB_DISPLAY}"}, :params=>{:limit=>20}, :url=>"http://example.com/sessions"}
+          Headers: {"Bearer Token"=>"#{LHC::Scrubber::SCRUB_DISPLAY}"}
           Response Code: 500 (internal_error)
           Response Options: {:return_code=>:internal_error, :response_headers=>""}
           {"status":500,"message":"undefined"}

data/spec/interceptors/logging/main_spec.rb

@@ -8,7 +8,7 @@ describe LHC::Logging do
   before(:each) do
     LHC.config.interceptors = [LHC::Logging]
     LHC::Logging.logger = logger
-    stub_request(:get, 'http://local.ch').to_return(status: 200)
+    stub_request(:get, /http:\/\/local.ch.*/).to_return(status: 200)
   end
 
   it 'does log information before and after every request made with LHC' do
@@ -34,4 +34,24 @@ describe LHC::Logging do
       )
     end
   end
+
+  context 'sensitive data' do
+    before :each do
+      LHC.config.scrubs[:params] << 'api_key'
+      LHC.config.scrubs[:headers] << 'private_key'
+      LHC.get('http://local.ch', params: { api_key: '123-abc' }, headers: { private_key: 'abc-123' })
+    end
+
+    it 'does not log sensitive params information' do
+      expect(logger).to have_received(:info).once.with(
+        a_string_including("Params={:api_key=>\"#{LHC::Scrubber::SCRUB_DISPLAY}\"}")
+      )
+    end
+
+    it 'does not log sensitive header information' do
+      expect(logger).to have_received(:info).once.with(
+        a_string_including(":private_key=>\"#{LHC::Scrubber::SCRUB_DISPLAY}\"")
+      )
+    end
+  end
 end

data/spec/interceptors/rollbar/main_spec.rb

@@ -36,22 +36,34 @@ describe LHC::Rollbar do
         )
     end
 
-    context 'additional params' do
-      it 'does report errors to rollbar with additional data' do
-        stub_request(:get, 'http://local.ch')
-          .to_return(status: 400)
-        expect(-> { LHC.get('http://local.ch', rollbar: { additional: 'data' }) })
-          .to raise_error LHC::BadRequest
-        expect(::Rollbar).to have_received(:warning)
-          .with(
-            'Status: 400 URL: http://local.ch',
-            hash_including(
-              response: anything,
-              request: anything,
-              additional: 'data'
-            )
+    it 'does report errors to rollbar with additional data' do
+      stub_request(:get, 'http://local.ch')
+        .to_return(status: 400)
+      expect(-> { LHC.get('http://local.ch', rollbar: { additional: 'data' }) })
+        .to raise_error LHC::BadRequest
+      expect(::Rollbar).to have_received(:warning)
+        .with(
+          'Status: 400 URL: http://local.ch',
+          hash_including(
+            response: anything,
+            request: anything,
+            additional: 'data'
           )
-      end
+        )
+    end
+
+    it 'scrubs sensitive data' do
+      LHC.config.scrubs[:params] << 'api_key'
+      LHC.config.scrubs[:headers] << 'private_key'
+      stub_request(:get, 'http://local.ch?api_key=123-abc').to_return(status: 400)
+      expect(-> { LHC.get('http://local.ch', params: { api_key: '123-abc' }, headers: { private_key: 'abc-123' }) })
+        .to raise_error LHC::BadRequest
+      expect(::Rollbar).to have_received(:warning)
+        .with(
+          'Status: 400 URL: http://local.ch',
+          response: hash_including(body: anything, code: anything, headers: anything, time: anything, timeout?: anything),
+          request: hash_including(url: anything, method: anything, headers: hash_including(private_key: LHC::Scrubber::SCRUB_DISPLAY), params: { api_key: LHC::Scrubber::SCRUB_DISPLAY })
+        )
     end
   end
 end

data/spec/request/scrubbed_headers_spec.rb

@@ -0,0 +1,101 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+describe LHC::Request do
+  let(:headers) { { private_key: 'xyz-123' } }
+  let(:response) { LHC.get(:local, headers: headers) }
+  let(:auth) { {} }
+
+  before :each do
+    LHC.config.endpoint(:local, 'http://local.ch', auth: auth)
+    stub_request(:get, 'http://local.ch').with(headers: headers)
+  end
+
+  it 'scrubs "private_key"' do
+    LHC.config.scrubs[:headers] << 'private_key'
+    expect(response.request.scrubbed_headers).to include(private_key: LHC::Scrubber::SCRUB_DISPLAY)
+  end
+
+  it 'does not add a new attribute when a non existing header should be scrubbed' do
+    LHC.config.scrubs[:headers] << 'anything'
+    expect(response.request.scrubbed_headers).not_to include('anything' => LHC::Scrubber::SCRUB_DISPLAY)
+  end
+
+  context 'when strings instead of symbols are provided' do
+    let(:headers) { { 'private_key' => 'xyz-123' } }
+
+    it 'scrubs "private_key"' do
+      LHC.config.scrubs[:headers] << 'private_key'
+      expect(response.request.scrubbed_headers).to include('private_key' => LHC::Scrubber::SCRUB_DISPLAY)
+    end
+  end
+
+  context 'other authentication strategy' do
+    let(:api_key) { '123456' }
+    let(:authorization_header) { { 'Authorization' => "Apikey #{api_key}" } }
+    let(:headers) { authorization_header }
+
+    it 'provides srubbed Authorization header' do
+      LHC.config.scrubs[:headers] << 'Authorization'
+      expect(response.request.scrubbed_headers).to include('Authorization' => LHC::Scrubber::SCRUB_DISPLAY)
+      expect(response.request.headers).to include(authorization_header)
+    end
+  end
+
+  describe 'auth' do
+    before :each do
+      LHC.config.interceptors = [LHC::Auth]
+      stub_request(:get, 'http://local.ch').with(headers: authorization_header)
+    end
+
+    let(:request) do
+      response = LHC.get(:local)
+      response.request
+    end
+
+    context 'bearer authentication' do
+      let(:bearer_token) { '123456' }
+      let(:authorization_header) { { 'Authorization' => "Bearer #{bearer_token}" } }
+      let(:auth) { { bearer: -> { bearer_token } } }
+
+      it 'provides srubbed request headers' do
+        expect(request.scrubbed_headers).to include('Authorization' => "Bearer #{LHC::Scrubber::SCRUB_DISPLAY}")
+        expect(request.headers).to include(authorization_header)
+      end
+
+      context 'when nothing should get scrubbed' do
+        before :each do
+          LHC.config.scrubs = {}
+        end
+
+        it 'does not filter beaerer auth' do
+          expect(request.scrubbed_headers).to include(authorization_header)
+        end
+      end
+    end
+
+    context 'basic authentication' do
+      let(:username) { 'steve' }
+      let(:password) { 'abcdefg' }
+      let(:credentials_base_64_codiert) { Base64.strict_encode64("#{username}:#{password}").chomp }
+      let(:authorization_header) { { 'Authorization' => "Basic #{credentials_base_64_codiert}" } }
+      let(:auth) { { basic: { username: username, password: password } } }
+
+      it 'provides srubbed request headers' do
+        expect(request.scrubbed_headers).to include('Authorization' => "Basic #{LHC::Scrubber::SCRUB_DISPLAY}")
+        expect(request.headers).to include(authorization_header)
+      end
+
+      context 'when nothing should get scrubbed' do
+        before :each do
+          LHC.config.scrubs = {}
+        end
+
+        it 'does not filter basic auth' do
+          expect(request.scrubbed_headers).to include(authorization_header)
+        end
+      end
+    end
+  end
+end

data/spec/request/scrubbed_options_spec.rb

@@ -0,0 +1,194 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+describe LHC::Request do
+  before :each do
+    LHC.config.interceptors = [LHC::Auth]
+    LHC.config.endpoint(:local, 'http://local.ch', auth: auth)
+    LHC.config.scrubs[:params] << 'api_key'
+    LHC.config.scrubs[:headers] << 'private_key'
+    LHC.config.scrubs[:body] << 'user_token'
+    stub_request(:post, "http://local.ch?#{params.to_query}").with(headers: authorization_header.merge(headers), body: body.to_json)
+  end
+
+  let(:bearer_token) { '123456' }
+  let(:authorization_header) { { 'Authorization' => "Bearer #{bearer_token}" } }
+  let(:auth) { { bearer: -> { bearer_token } } }
+  let(:params) { { api_key: 'api-key-params' } }
+  let(:headers) { { private_key: 'private-key-header' } }
+  let(:body) { { user_token: 'user-token-body' } }
+
+  let(:request) do
+    response = LHC.post(:local, params: params, headers: headers, body: body)
+    response.request
+  end
+
+  it 'provides srubbed request options' do
+    expect(request.scrubbed_options[:params]).to include(api_key: LHC::Scrubber::SCRUB_DISPLAY)
+    expect(request.scrubbed_options[:headers]).to include(private_key: LHC::Scrubber::SCRUB_DISPLAY)
+    expect(request.scrubbed_options[:body]).to include(user_token: LHC::Scrubber::SCRUB_DISPLAY)
+    expect(request.scrubbed_options[:auth][:bearer_token]).to eq(LHC::Scrubber::SCRUB_DISPLAY)
+    expect(request.scrubbed_options[:auth][:basic]).to be nil
+  end
+
+  context 'when bearer auth is not a proc' do
+    let(:auth) { { bearer: bearer_token } }
+
+    it 'also scrubbes the bearer' do
+      expect(request.scrubbed_options[:auth][:bearer]).to eq(LHC::Scrubber::SCRUB_DISPLAY)
+      expect(request.scrubbed_options[:auth][:bearer_token]).to eq(LHC::Scrubber::SCRUB_DISPLAY)
+    end
+  end
+
+  context 'when options do not have auth' do
+    let(:authorization_header) { {} }
+    let(:auth) { nil }
+
+    it 'provides srubbed request options' do
+      expect(request.scrubbed_options[:params]).to include(api_key: LHC::Scrubber::SCRUB_DISPLAY)
+      expect(request.scrubbed_options[:headers]).to include(private_key: LHC::Scrubber::SCRUB_DISPLAY)
+      expect(request.scrubbed_options[:body]).to include(user_token: LHC::Scrubber::SCRUB_DISPLAY)
+      expect(request.scrubbed_options[:auth]).to be nil
+    end
+  end
+
+  context 'when body data is nested' do
+    let(:body) do
+      {
+        data: {
+          attributes: {
+            employee: {
+              name: 'Muster',
+              surname: 'Hans',
+              password: 'test-1234',
+              password_confirmation: 'test-1234'
+            }
+          }
+        }
+      }
+    end
+
+    it 'srubbes nested attributes' do
+      expect(request.scrubbed_options[:params]).to include(api_key: LHC::Scrubber::SCRUB_DISPLAY)
+      expect(request.scrubbed_options[:headers]).to include(private_key: LHC::Scrubber::SCRUB_DISPLAY)
+      expect(request.scrubbed_options[:body][:data][:attributes][:employee]).to include(password: LHC::Scrubber::SCRUB_DISPLAY)
+      expect(request.scrubbed_options[:body][:data][:attributes][:employee]).to include(password_confirmation: LHC::Scrubber::SCRUB_DISPLAY)
+      expect(request.scrubbed_options[:auth][:bearer_token]).to eq(LHC::Scrubber::SCRUB_DISPLAY)
+      expect(request.scrubbed_options[:auth][:basic]).to be nil
+    end
+  end
+
+  context 'basic authentication' do
+    let(:username) { 'steve' }
+    let(:password) { 'abcdefg' }
+    let(:credentials_base_64_codiert) { Base64.strict_encode64("#{username}:#{password}").chomp }
+    let(:authorization_header) { { 'Authorization' => "Basic #{credentials_base_64_codiert}" } }
+    let(:auth) { { basic: { username: username, password: password } } }
+
+    it 'provides srubbed request headers' do
+      expect(request.scrubbed_options[:auth][:basic][:username]).to eq(LHC::Scrubber::SCRUB_DISPLAY)
+      expect(request.scrubbed_options[:auth][:basic][:password]).to eq(LHC::Scrubber::SCRUB_DISPLAY)
+      expect(request.scrubbed_options[:auth][:basic][:base_64_encoded_credentials]).to eq(LHC::Scrubber::SCRUB_DISPLAY)
+      expect(request.scrubbed_options[:auth][:bearer]).to be nil
+    end
+  end
+
+  context 'when nothing should get scrubbed' do
+    before :each do
+      LHC.config.scrubs = {}
+    end
+
+    it 'does not filter anything' do
+      expect(request.scrubbed_options[:params]).not_to include(api_key: LHC::Scrubber::SCRUB_DISPLAY)
+      expect(request.scrubbed_options[:headers]).not_to include(private_key: LHC::Scrubber::SCRUB_DISPLAY)
+      expect(request.scrubbed_options[:body]).not_to include(user_token: LHC::Scrubber::SCRUB_DISPLAY)
+      expect(request.scrubbed_options[:auth][:bearer_token]).not_to eq(LHC::Scrubber::SCRUB_DISPLAY)
+    end
+  end
+
+  context 'custom data structures that respond to as_json (like LHS data or record)' do
+    before do
+      class CustomStructure
+
+        def initialize(data)
+          @data = data
+        end
+
+        def as_json
+          @data.as_json
+        end
+
+        def to_json
+          as_json.to_json
+        end
+      end
+
+      stub_request(:post, 'http://local.ch').with(body: custom_structure.to_json)
+    end
+
+    let(:custom_structure) do
+      CustomStructure.new(user_token: '12345')
+    end
+
+    let(:request) do
+      response = LHC.post(:local, body: custom_structure)
+      response.request
+    end
+
+    it 'provides srubbed request options' do
+      expect(request.scrubbed_options[:body]).to include('user_token' => LHC::Scrubber::SCRUB_DISPLAY)
+    end
+  end
+
+  context 'encoded data hash' do
+    let(:body) { { user_token: 'user-token-body' } }
+
+    let(:request) do
+      response = LHC.post(:local, body: body.to_json)
+      response.request
+    end
+
+    before :each do
+      stub_request(:post, 'http://local.ch').with(body: body.to_json)
+    end
+
+    it 'provides srubbed request options' do
+      expect(request.scrubbed_options[:body]).to include('user_token' => LHC::Scrubber::SCRUB_DISPLAY)
+    end
+  end
+
+  context 'array' do
+    let(:body) { [{ user_token: 'user-token-body' }] }
+
+    let(:request) do
+      response = LHC.post(:local, body: body)
+      response.request
+    end
+
+    before :each do
+      stub_request(:post, 'http://local.ch').with(body: body.to_json)
+    end
+
+    it 'provides srubbed request options' do
+      expect(request.scrubbed_options[:body]).to eq([user_token: LHC::Scrubber::SCRUB_DISPLAY])
+    end
+  end
+
+  context 'encoded array' do
+    let(:body) { [{ user_token: 'user-token-body' }] }
+
+    let(:request) do
+      response = LHC.post(:local, body: body.to_json)
+      response.request
+    end
+
+    before :each do
+      stub_request(:post, 'http://local.ch').with(body: body.to_json)
+    end
+
+    it 'provides srubbed request options' do
+      expect(request.scrubbed_options[:body]).to eq(['user_token' => LHC::Scrubber::SCRUB_DISPLAY])
+    end
+  end
+end

data/spec/request/scrubbed_params_spec.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+describe LHC::Request do
+  let(:params) { { api_key: 'xyz-123', secret_key: '123-xyz' } }
+  let(:response) { LHC.get(:local, params: params) }
+
+  before :each do
+    LHC.config.endpoint(:local, 'http://local.ch')
+    stub_request(:get, "http://local.ch?#{params.to_query}")
+  end
+
+  it 'scrubs "api_key"' do
+    LHC.config.scrubs[:params] << 'api_key'
+    expect(response.request.scrubbed_params).to include(api_key: LHC::Scrubber::SCRUB_DISPLAY)
+    expect(response.request.scrubbed_params).to include(secret_key: '123-xyz')
+  end
+
+  it 'scrubs "api_key" and "secret_key"' do
+    LHC.config.scrubs[:params].push('api_key', 'secret_key')
+    expect(response.request.scrubbed_params).to include(api_key: LHC::Scrubber::SCRUB_DISPLAY)
+    expect(response.request.scrubbed_params).to include(secret_key: LHC::Scrubber::SCRUB_DISPLAY)
+  end
+
+  context 'when value is empty' do
+    let(:params) { { api_key: nil, secret_key: '' } }
+
+    it 'does not filter the value' do
+      LHC.config.scrubs[:params].push('api_key', 'secret_key')
+      expect(response.request.scrubbed_params).to include(api_key: nil)
+      expect(response.request.scrubbed_params).to include(secret_key: '')
+    end
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: lhc
 version: !ruby/object:Gem::Version
-  version: 14.0.0
+  version: 15.0.0
 platform: ruby
 authors:
 - https://github.com/local-ch/lhc/contributors
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-05-11 00:00:00.000000000 Z
+date: 2021-05-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -270,6 +270,11 @@ files:
 - lib/lhc/response/data/collection.rb
 - lib/lhc/response/data/item.rb
 - lib/lhc/rspec.rb
+- lib/lhc/scrubber.rb
+- lib/lhc/scrubbers/auth_scrubber.rb
+- lib/lhc/scrubbers/body_scrubber.rb
+- lib/lhc/scrubbers/headers_scrubber.rb
+- lib/lhc/scrubbers/params_scrubber.rb
 - lib/lhc/test/cache_helper.rb
 - lib/lhc/version.rb
 - script/ci/build.sh
@@ -281,6 +286,7 @@ files:
 - spec/basic_methods/request_without_rails_spec.rb
 - spec/config/endpoints_spec.rb
 - spec/config/placeholders_spec.rb
+- spec/config/scrubs_spec.rb
 - spec/core_ext/hash/deep_transform_values_spec.rb
 - spec/dummy/README.rdoc
 - spec/dummy/Rakefile
@@ -382,6 +388,9 @@ files:
 - spec/request/parallel_requests_spec.rb
 - spec/request/params_encoding_spec.rb
 - spec/request/request_without_rails_spec.rb
+- spec/request/scrubbed_headers_spec.rb
+- spec/request/scrubbed_options_spec.rb
+- spec/request/scrubbed_params_spec.rb
 - spec/request/url_patterns_spec.rb
 - spec/request/user_agent_spec.rb
 - spec/request/user_agent_without_rails_spec.rb
@@ -436,6 +445,7 @@ test_files:
 - spec/basic_methods/request_without_rails_spec.rb
 - spec/config/endpoints_spec.rb
 - spec/config/placeholders_spec.rb
+- spec/config/scrubs_spec.rb
 - spec/core_ext/hash/deep_transform_values_spec.rb
 - spec/dummy/README.rdoc
 - spec/dummy/Rakefile
@@ -537,6 +547,9 @@ test_files:
 - spec/request/parallel_requests_spec.rb
 - spec/request/params_encoding_spec.rb
 - spec/request/request_without_rails_spec.rb
+- spec/request/scrubbed_headers_spec.rb
+- spec/request/scrubbed_options_spec.rb
+- spec/request/scrubbed_params_spec.rb
 - spec/request/url_patterns_spec.rb
 - spec/request/user_agent_spec.rb
 - spec/request/user_agent_without_rails_spec.rb