cli2 4.2.10__tar.gz → 4.3.0__tar.gz

{cli2-4.2.10/cli2.egg-info → cli2-4.3.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.2
 Name: cli2
-Version: 4.2.10
+Version: 4.3.0
 Summary: image:: https://yourlabs.io/oss/cli2/badges/master/pipeline.svg
 Home-page: https://yourlabs.io/oss/cli2
 Author: James Pic

{cli2-4.2.10 → cli2-4.3.0}/cli2/__init__.py

@@ -41,6 +41,7 @@ except ImportError:
 from .display import diff, diff_data, render, print, highlight, yaml_highlight
 from .lock import Lock
 from .log import configure, log
+from .mask import Mask
 from .table import Table
 
 

{cli2-4.2.10 → cli2-4.3.0}/cli2/ansible/action.py

@@ -130,37 +130,22 @@ class ActionBase(ActionBase):
         The client object generated by :py:meth:`client_factory` if you
         implement it.
 
-    .. py:attribute:: mask
-
-        List of result keys to mask, if set, this module will print the result
-        with masked values, so you can set no_log: True for the task and still
-        see most of the result.
+    .. py:attribute:: mask_keys
 
-    .. py:attribute:: masked_keys
+        Declare a list of keys to mask:
 
-        Property which returns the list of keys in :py:attr:`mask` + those in
-        the `mask` fact + those in the client if any.
+        .. code-block:: python
 
-    .. py:attribute:: masked_values
+            class AnsibleModule(ansible.ActionBase):
+                mask_keys = ['secret', 'password']
 
-        First, the plugin will iterate over args and facts to learn all values
-        which are in :py:attr:`masked_keys`.
+    .. py:attribute:: mask
 
-        This is then both used and provisioned by :py:meth:`mask_data()`.
+        :py:class:`~cli2.mask.Mask` object
     """
-    mask = None
-    masked = Option(fact='mask', default=[])
-    masked_values = None
-
-    @property
-    def masked_keys(self):
-        result = []
-        if self.mask:
-            result += self.mask
-        result += self.masked
-        if self.client and self.client.mask:
-            result += self.client.mask
-        return result
+    masked_keys = Option(fact='mask_keys', default=[])
+    masked_values = Option(fact='mask_values', default=[])
+    mask_keys = None
 
     def get(self, arg_name=None, fact_name=None, default=UNSET_DEFAULT):
         if arg_name and arg_name in self._task.args:
@@ -181,18 +166,26 @@ class ActionBase(ActionBase):
         asyncio.run(self.run_wrapped_async())
         return self.result
 
-    def collect_masked_values(self):
-        # collect all values that have to be masked
-        self.masked_values = []
-        for key in self.masked_keys:
-            if self.task_vars.get(key, None):
-                self.masked_values.append(
-                    self._templar.template(self.task_vars[key])
-                )
-            if self._task.args.get(key, None):
-                self.masked_values.append(
-                    self._templar.template(self._task.args[key])
-                )
+    def mask_init(self):
+        # use ansible template value renderer
+        self.mask.renderer = lambda value: self._templar.template(value)
+
+        keys = self.masked_keys + (self.mask_keys or [])
+        for key in keys:
+            self.mask.keys.add(key)
+
+            # discover values from facts
+            if value := self.task_vars.get(key, None):
+                self.mask.values.add(value)
+
+            # discover value from args
+            if value := self._task.args.get(key, None):
+                self.mask.values.add(value)
+
+        # discover values to mask
+        for value in self.masked_values:
+            if value:
+                self.mask.values.add(value)
 
     async def run_wrapped_async(self):
         self.verbosity = self.task_vars.get('ansible_verbosity', 0)
@@ -209,7 +202,10 @@ class ActionBase(ActionBase):
                 self.client = await self.client_factory()
             except NotImplementedError:
                 self.client = None
-            self.collect_masked_values()
+                self.mask = cli2.Mask()
+            else:
+                self.mask = copy.deepcopy(self.client.mask)
+            self.mask_init()
             await self.run_async()
         except Exception as exc:
             self.result['failed'] = True
@@ -244,10 +240,10 @@ class ActionBase(ActionBase):
             ):
                 diff = difflib.unified_diff(
                     to_nice_yaml(
-                        self.mask_data(self._before_data)
+                        self.mask(self._before_data)
                     ).splitlines(),
                     to_nice_yaml(
-                        self.mask_data(self._after_data)
+                        self.mask(self._after_data)
                     ).splitlines(),
                     self._before_label,
                     self._after_label,
@@ -258,7 +254,7 @@ class ActionBase(ActionBase):
         """
         Render data as masked yaml.
         """
-        data = self.mask_data(data)
+        data = self.mask(data)
         yaml = to_nice_yaml(data)
         rendered = cli2.yaml_highlight(yaml)
         self.print(rendered)
@@ -267,42 +263,6 @@ class ActionBase(ActionBase):
         # this serves for mocking
         print(data)
 
-    def mask_data(self, data):
-        """"
-        Do our best to mask sensitive values in the data param recursively.
-
-        - when data is a dict: it is recursively iterated on, any value that in
-          is :py:attr:`masked_keys` will have it's value replaced with
-          ``***MASKED***``, also, the value is added to
-          :py:attr:`masked_values`.
-        - when data is a string, each :py:attr:`masked_values` will be replaced
-          with ``***MASKED***``, so we're actually able to mask sensitive
-          information from stdout outputs and the likes.
-        - when data is a list, each item is passed to :py:meth:`mask_data()`.
-
-        Note that the :envvar:`DEBUG` environment variable will prevent any
-        masking at all.
-        """
-        if os.getenv('DEBUG'):
-            return data
-
-        return self._mask(copy.deepcopy(data))
-
-    def _mask(self, data):
-        if isinstance(data, dict):
-            for key, value in data.items():
-                if key in self.masked_keys:
-                    self.masked_values.append(self._templar.template(value))
-                    data[key] = '***MASKED***'
-                else:
-                    data[key] = self.mask_data(value)
-        elif isinstance(data, list):
-            return [self.mask_data(item) for item in data]
-        elif isinstance(data, str):
-            for value in self.masked_values:
-                data = data.replace(str(value), '***MASKED***')
-        return data
-
     async def run_async(self):
         """
         The method you are supposed to implement.
@@ -406,7 +366,7 @@ class ActionBase(ActionBase):
         if self.verbosity:
             display.display(
                 f'<{self.task_vars["inventory_hostname"]}> + '
-                + self.mask_data(cmd),
+                + self.mask(cmd),
                 color='blue',
             )
         shell_action = self._shared_loader_obj.action_loader.get(
@@ -422,9 +382,9 @@ class ActionBase(ActionBase):
 
         if self.verbosity:
             if 'stderr_lines' in result:
-                print(self.mask_data(result['stderr']))
+                self.print(self.mask(result['stderr']))
             if 'stdout_lines' in result:
-                print(self.mask_data(result['stdout']))
+                self.print(self.mask(result['stdout']))
 
         result.pop('invocation')
         return result

{cli2-4.2.10 → cli2-4.3.0}/cli2/client.py

@@ -26,6 +26,7 @@ from .asyncio import async_resolve
 from .cli import Argument, Command, Group, cmd, hide
 from .colors import colors
 from .log import log
+from .mask import Mask
 
 
 class Paginator:
@@ -850,7 +851,7 @@ class Model(metaclass=ModelMetaclass):
 
     @property
     def data_masked(self):
-        return self.client.mask_data(self.data)
+        return self.client.mask(self.data)
 
     @classmethod
     @hide('expressions')
@@ -1098,7 +1099,7 @@ class Handler:
         self.tries = self.tries_default if tries is None else tries
         self.backoff = self.backoff_default if backoff is None else backoff
 
-    async def __call__(self, client, response, tries, mask, log):
+    async def __call__(self, client, response, tries, log):
         seconds = tries * self.backoff
 
         if isinstance(response, Exception):
@@ -1126,24 +1127,24 @@ class Handler:
             return response
 
         if response.status_code in self.refuses:
-            raise RefusedResponseError(client, response, tries, mask)
+            raise RefusedResponseError(client, response, tries)
 
         if tries >= self.tries:
-            raise RetriesExceededError(client, response, tries, mask)
+            raise RetriesExceededError(client, response, tries)
 
         kwargs = dict(
             status_code=response.status_code,
             tries=tries,
             sleep=seconds,
         )
-        key, value = client.response_log_data(response, mask)
+        key, value = client.response_log_data(response)
         if value:
             kwargs[key] = value
 
         if response.status_code in self.retokens:
             if tries:
                 # our authentication is just not working, no need to retry
-                raise TokenGetError(client, response, tries, mask)
+                raise TokenGetError(client, response, tries)
             log.warn('retoken', **kwargs)
             await client.token_reset()
 
@@ -1179,11 +1180,10 @@ class ResponseError(ClientError):
 
         Request method
     """
-    def __init__(self, client, response, tries, mask, msg=None):
+    def __init__(self, client, response, tries, msg=None):
         self.client = client
         self.response = response
         self.tries = tries
-        self.mask = mask
         self.msg = msg or getattr(self, 'msg', '').format(self=self)
         super().__init__(self.enhance(self.msg))
 
@@ -1212,10 +1212,7 @@ class ResponseError(ClientError):
         :param exc: httpx.HTTPStatusError
         """
         output = [msg]
-        key, value = self.client.request_log_data(
-            self.response.request,
-            self.mask,
-        )
+        key, value = self.client.request_log_data(self.response.request)
         request_msg = ' '.join([
             str(self.response.request.method),
             str(self.response.request.url),
@@ -1227,7 +1224,7 @@ class ResponseError(ClientError):
         if value:
             output.append(display.render(value))
 
-        key, value = self.client.response_log_data(self.response, self.mask)
+        key, value = self.client.response_log_data(self.response)
         output.append(
             ''.join([
                 colors.bold,
@@ -1318,9 +1315,14 @@ class Client(metaclass=ClientMetaclass):
         retry the request, or raise an exception, or return the request.
         Default is a :py:class:`Handler`
 
-    .. py:attribute:: mask
+    .. py:attribute:: mask_keys
+
+        Use this class attribute to declare keys to mask:
 
-        List of keys to mask in logging, ie.: ``['password', 'secret']``
+        .. code-block:: python
+
+            class YourClient(cli2.Client):
+                mask_keys = ['password', 'secret']
 
     .. py:attribute:: cli
 
@@ -1350,6 +1352,10 @@ class Client(metaclass=ClientMetaclass):
         Enforce full logging: quiet requests are logged, masking does not
         apply. This is also enabled with environment variable ``DEBUG``.
 
+    .. py:attribute:: mask
+
+        :py:class:`~cli2.mask.Mask` object
+
     .. py:attribute:: models
 
         Declared models for this Client.
@@ -1357,9 +1363,9 @@ class Client(metaclass=ClientMetaclass):
     paginator = Paginator
     models = []
     semaphore = None
-    mask = []
     debug = False
     cmdclass = ClientCommand
+    mask_keys = None
 
     def __init__(self, *args, handler=None, semaphore=None, mask=None,
                  debug=False, **kwargs):
@@ -1373,8 +1379,12 @@ class Client(metaclass=ClientMetaclass):
 
         self.handler = handler or Handler()
         self.semaphore = semaphore if semaphore else self.semaphore
-        self.mask = mask if mask else self.mask
+        self.mask = mask or Mask()
+        if self.mask_keys:
+            for key in self.mask_keys:
+                self.mask.keys.add(key)
         self.debug = debug or os.getenv('DEBUG', self.debug)
+        self.mask.debug = self.debug
 
         if truststore:
             self._client_kwargs.setdefault(
@@ -1444,7 +1454,7 @@ class Client(metaclass=ClientMetaclass):
     def client(self):
         self._client = None
 
-    async def send(self, request, handler, mask, retries=True, semaphore=None,
+    async def send(self, request, handler, retries=True, semaphore=None,
                    log=None, auth=None, follow_redirects=None):
         """
         Internal request method
@@ -1469,9 +1479,9 @@ class Client(metaclass=ClientMetaclass):
             try:
                 response = await _request()
             except Exception as exc:
-                await handler(self, exc, tries, mask, log)
+                await handler(self, exc, tries, log)
             else:
-                if response := await handler(self, response, tries, mask, log):
+                if response := await handler(self, response, tries, log):
                     return response
 
             tries += 1
@@ -1605,7 +1615,6 @@ class Client(metaclass=ClientMetaclass):
         :param tries: Override for :py:attr:`Handler.tries`
         :param backoff: Override for :py:attr:`Handler.backoff`
         :param semaphore: Override for :py:attr:`Client.semaphore`
-        :param mask: Override for :py:attr:`Client.mask`
         """
         if not self.token and not self.token_getting:
             await self.token_refresh()
@@ -1644,7 +1653,7 @@ class Client(metaclass=ClientMetaclass):
 
         _log = log.bind(method=method, url=str(request.url))
         if not quiet or self.debug:
-            key, value = self.request_log_data(request, mask, quiet)
+            key, value = self.request_log_data(request, quiet)
             kwargs = dict()
             if value:
                 kwargs[key] = value
@@ -1658,7 +1667,6 @@ class Client(metaclass=ClientMetaclass):
             handler=handler,
             retries=retries,
             semaphore=semaphore,
-            mask=mask,
             log=log,
             auth=auth,
             follow_redirects=follow_redirects,
@@ -1666,7 +1674,7 @@ class Client(metaclass=ClientMetaclass):
 
         kwargs = dict(status_code=response.status_code)
         if not quiet or self.debug:
-            key, value = self.response_log_data(response, mask)
+            key, value = self.response_log_data(response)
             if value:
                 kwargs[key] = value
 
@@ -1674,20 +1682,18 @@ class Client(metaclass=ClientMetaclass):
 
         return response
 
-    def response_log_data(self, response, mask=None):
-        mask = mask if mask is not None else self.mask
+    def response_log_data(self, response):
         try:
             data = response.json()
         except json.JSONDecodeError:
             if response.content:
-                return 'content', self.mask_content(response.content, mask)
+                return 'content', self.mask(response.content)
         else:
             if data:
-                return 'json', self.mask_data(data, mask)
+                return 'json', self.mask(data)
         return None, None
 
-    def request_log_data(self, request, mask=None, quiet=False):
-        mask = mask if mask is not None else self.mask
+    def request_log_data(self, request, quiet=False):
         content = request.content.decode()
         if not content:
             return None, None
@@ -1697,7 +1703,7 @@ class Client(metaclass=ClientMetaclass):
         except json.JSONDecodeError:
             pass
         else:
-            return 'json', self.mask_data(data, mask)
+            return 'json', self.mask(data)
 
         parsed = parse_qs(content)
         if parsed:
@@ -1705,37 +1711,9 @@ class Client(metaclass=ClientMetaclass):
                 key: value[0] if len(value) == 1 else value
                 for key, value in parsed.items()
             }
-            return 'data', self.mask_data(data, mask)
+            return 'data', self.mask(data)
 
-        return 'content', self.mask_content(content, mask)
-
-    def mask_content(self, content, mask=None):
-        """
-        Implement content masking for non JSON content here.
-        """
-        return content
-
-    def mask_data(self, data, mask=None):
-        """
-        Apply mask for all :py:attr:`mask` in data.
-        """
-        if self.debug:
-            return data
-
-        mask = mask if mask is not None else self.mask
-
-        if isinstance(data, list):
-            return [self.mask_data(item, mask) for item in data]
-
-        if isinstance(data, dict):
-            for key, value in data.items():
-                if key in mask:
-                    data[key] = '***MASKED***'
-                if isinstance(value, dict):
-                    data[key] = self.mask_data(value, mask)
-                if isinstance(value, list):
-                    data[key] = [self.mask_data(item, mask) for item in value]
-            return data
+        return 'content', self.mask(content)
 
         return data
 

{cli2-4.2.10 → cli2-4.3.0}/cli2/examples/client.py

@@ -13,7 +13,7 @@ class APIClient(cli2.Client):
         ./manage.py migrate
         ./manage.py runserver
     """
-    mask = ["Capacity"]
+    mask_keys = ['Capacity']
 
     def __init__(self, *args, **kwargs):
         kwargs.setdefault('base_url', 'http://localhost:8000')

cli2-4.3.0/cli2/mask.py

@@ -0,0 +1,121 @@
+"""
+Secret data masking module.
+"""
+
+import copy
+import os
+
+
+class LearnedError(Exception):
+    """
+    Raised when a new value is learned, to run masking again.
+    """
+    pass
+
+
+class Mask:
+    """
+    Masking object that can learn values.
+
+    .. code-block:: python
+
+        mask = cli2.Mask(keys=['password'], values=['1337p4ssw0rD'])
+        result = mask(dict(password='xx', text='some 1337p4ssw0rD noise xx'))
+
+    Will cause result to be:
+
+    .. code-block:: yaml
+
+        password: ***MASKED***
+        text: some ***MASKED*** noise ***MASKED***
+
+    Because:
+
+    - ``1337p4ssw0rD`` was given as a value to mask
+    - ``xx`` was the value of a key named ``password`` which was given as a key
+      to mask
+
+    .. py:attribute:: keys
+
+        Set of keys that contain values to mask
+
+    .. py:attribute:: values
+
+        Set of values to mask
+
+    .. py:attribute:: renderer
+
+        Optionnal callback to render discovered values to mask
+
+    .. py:attribute:: debug
+
+        Enabled by the :envvar:`DEBUG` environment variable, makes this a no-op
+        (don't mask anything).
+    """
+
+    def __init__(self, keys=None, values=None, renderer=None, debug=False):
+        self.keys = set(keys) if keys else set()
+        self.values = set(values) if values else set()
+        self.renderer = renderer
+        if os.getenv('DEBUG'):
+            self.debug = True
+        else:
+            self.debug = debug
+
+    def __call__(self, data):
+        """"
+        Do our best to mask sensitive values in the data param recursively,
+        returning a masked copy of the passed data.
+
+        - when data is a dict: it is recursively iterated on, any value that in
+          is :py:attr:`keys` will have it's value replaced with
+          ``***MASKED***``, also, the value is added to
+          :py:attr:`values`.
+        - when data is a string, each :py:attr:`values` will be replaced
+          with ``***MASKED***``, so we're actually able to mask sensitive
+          information from stdout outputs and the likes.
+        - when data is a list, each item is passed to :py:meth:`_mask()`.
+
+        Note that the :envvar:`DEBUG` environment variable will prevent any
+        masking at all.
+
+        :param data: Any kind of data to mask, will return a deepcopy of that.
+        """
+        if self.debug:
+            return data
+
+        while True:
+            try:
+                return self._mask(copy.deepcopy(data))
+            except LearnedError:
+                continue
+            else:
+                break
+
+    def _mask(self, data):
+        """
+        Actual, in-place masking method.
+        """
+        if isinstance(data, dict):
+            for key, value in data.items():
+                if key in self.keys:
+                    if self.renderer:
+                        value = self.renderer(value)
+                    if value not in self.values:
+                        self.values.add(value)
+                        raise LearnedError()
+                    data[key] = '***MASKED***'
+                else:
+                    data[key] = self._mask(value)
+        elif isinstance(data, list):
+            return [self._mask(item) for item in data]
+        elif isinstance(data, str):
+            for value in self.values:
+                data = data.replace(str(value), '***MASKED***')
+        return data
+
+    def __repr__(self):
+        result = 'Mask(keys=[' + ', '.join(self.keys) + ']'
+        if self.values:
+            result += f', number_of_values={len(self.values)}'
+        return result + ')'

{cli2-4.2.10 → cli2-4.3.0/cli2.egg-info}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.2
 Name: cli2
-Version: 4.2.10
+Version: 4.3.0
 Summary: image:: https://yourlabs.io/oss/cli2/badges/master/pipeline.svg
 Home-page: https://yourlabs.io/oss/cli2
 Author: James Pic

{cli2-4.2.10 → cli2-4.3.0}/cli2.egg-info/SOURCES.txt

@@ -13,6 +13,7 @@ cli2/decorators.py
 cli2/display.py
 cli2/lock.py
 cli2/log.py
+cli2/mask.py
 cli2/node.py
 cli2/sphinx.py
 cli2/table.py
@@ -49,6 +50,7 @@ tests/test_entry_point.py
 tests/test_group.py
 tests/test_inject.py
 tests/test_lock.py
+tests/test_mask.py
 tests/test_node.py
 tests/test_restful.py
 tests/test_table.py

{cli2-4.2.10 → cli2-4.3.0}/setup.py

@@ -44,7 +44,7 @@ from setuptools import setup
 
 setup(
     name='cli2',
-    version='4.2.10',
+    version='4.3.0',
     setup_requires='setupmeta',
     packages=['cli2'],
     install_requires=[

{cli2-4.2.10 → cli2-4.3.0}/tests/test_ansible.py

@@ -9,7 +9,7 @@ from cli2 import ansible
 
 
 class ActionModule(ansible.ActionBase):
-    mask = ['a']
+    mask_keys = ['a']
 
     async def run_async(self):
         self.result['x'] = dict(a='a', b='b', c='c', d='foo a rrr')
@@ -19,7 +19,7 @@ class ActionModule(ansible.ActionBase):
 async def test_mask(monkeypatch):
     printer = mock.Mock()
     monkeypatch.setattr(ActionModule, 'print', printer)
-    module = await ActionModule.run_test_async(facts=dict(mask=['b']))
+    module = await ActionModule.run_test_async(facts=dict(mask_keys=['b']))
     # result is untouched
     assert module.result == {'x':
         {'a': 'a', 'b': 'b', 'c': 'c', 'd': 'foo a rrr'}
@@ -32,7 +32,7 @@ async def test_mask(monkeypatch):
 @pytest.mark.asyncio
 async def test_response_error(httpx_mock):
     class Client(cli2.Client):
-        mask = ['secret']
+        mask_keys = ['secret']
 
     class Action(ansible.ActionBase):
         async def client_factory(self):

{cli2-4.2.10 → cli2-4.3.0}/tests/test_client.py

@@ -16,9 +16,9 @@ class HandlerSentinel(cli2.Handler):
         super().__init__(*args, **kwargs)
         self.calls = []
 
-    async def __call__(self, client, response, tries, mask, log):
+    async def __call__(self, client, response, tries, log):
         self.calls.append((client, response.status_code, tries))
-        return await super().__call__(client, response, tries, mask, log)
+        return await super().__call__(client, response, tries, log)
 
 
 @pytest.fixture
@@ -256,11 +256,11 @@ async def test_handler(client_class):
     handler = cli2.Handler(accepts=[201], refuses=[218], retokens=[418])
 
     response = httpx.Response(status_code=201)
-    result = await handler(client, response, 0, [], log)
+    result = await handler(client, response, 0, log)
     assert result == response
 
     response = httpx.Response(status_code=200)
-    result = await handler(client, response, 0, [], log)
+    result = await handler(client, response, 0, log)
     log.info.assert_called_once_with(
         'retry', status_code=200, tries=0, sleep=.0
     )
@@ -269,7 +269,7 @@ async def test_handler(client_class):
     response = httpx.Response(status_code=200, content='[2]')
     response.request = httpx.Request('POST', '/', json=[1])
     with pytest.raises(cli2.RetriesExceededError) as exc:
-        await handler(client, response, handler.tries + 1, [], log)
+        await handler(client, response, handler.tries + 1, log)
     log.info.assert_called_once_with(
         'retry', status_code=200, tries=0, sleep=.0
     )
@@ -280,7 +280,7 @@ async def test_handler(client_class):
     response = httpx.Response(status_code=200)
     response.request = httpx.Request('GET', '/')
     with pytest.raises(cli2.RetriesExceededError) as exc:
-        await handler(client, response, handler.tries + 1, [], log)
+        await handler(client, response, handler.tries + 1, log)
 
     msg = 'Unacceptable response <Response [200 OK]> after 31 tries\n\x1b[0m\x1b[1mGET /\x1b[0m\n\x1b[1mHTTP 200\x1b[0m'  # noqa
     assert str(exc.value) == msg
@@ -288,7 +288,7 @@ async def test_handler(client_class):
     response = httpx.Response(status_code=218)
     response.request = httpx.Request('POST', '/')
     with pytest.raises(cli2.RefusedResponseError) as exc:
-        await handler(client, response, 1, [], log)
+        await handler(client, response, 1, log)
 
     assert exc.value.response
     assert exc.value.request
@@ -299,12 +299,12 @@ async def test_handler(client_class):
     response = httpx.Response(status_code=418)
     response.request = httpx.Request('POST', '/')
     with pytest.raises(cli2.TokenGetError):
-        await handler(client, response, 1, [], log)
+        await handler(client, response, 1, log)
 
     assert not client.client_reset.await_count
     exc = httpx.TransportError('foo')
     exc.request = response.request
-    result = await handler(client, exc, 0, [], log)
+    result = await handler(client, exc, 0, log)
     log.warn.assert_called_once_with(
         'reconnect',
         error="TransportError('foo')",
@@ -316,13 +316,13 @@ async def test_handler(client_class):
 
     with pytest.raises(httpx.TransportError) as exc:
         await handler(
-            client, httpx.TransportError('x'), handler.tries + 1, [], log
+            client, httpx.TransportError('x'), handler.tries + 1, log
         )
 
     response = httpx.Response(status_code=418)
     assert not client.token_reset.await_count
     log.warn.reset_mock()
-    result = await handler(client, response, 0, [], log)
+    result = await handler(client, response, 0, log)
     log.warn.assert_called_once_with(
         'retoken', status_code=418, tries=0, sleep=.0
     )
@@ -332,7 +332,7 @@ async def test_handler(client_class):
     handler = cli2.Handler(accepts=[], refuses=[222])
 
     response = httpx.Response(status_code=123)
-    result = await handler(client, response, 0, [], log)
+    result = await handler(client, response, 0, log)
     assert result == response
 
 
@@ -867,7 +867,7 @@ def test_datetime_default_fmt(client_class):
 
 @pytest.mark.asyncio
 async def test_mask_recursive(client_class, monkeypatch):
-    client = client_class(mask=['scrt', 'password'])
+    client = client_class(mask=cli2.Mask(['scrt', 'password']))
     client.client.send = mock.AsyncMock()
 
     log = mock.Mock()
@@ -901,7 +901,7 @@ async def test_mask_recursive(client_class, monkeypatch):
     'key', ('json', 'data'),
 )
 async def test_mask_logs(client_class, key, monkeypatch):
-    client = client_class(mask=['scrt', 'password'])
+    client = client_class(mask=cli2.Mask(['scrt', 'password']))
     client.client.send = mock.AsyncMock()
 
     log = mock.Mock()
@@ -933,27 +933,30 @@ async def test_mask_logs(client_class, key, monkeypatch):
 @pytest.mark.asyncio
 async def test_mask_exceptions(client_class):
     class TestClient(client_class):
-        mask = ['foo']
+        mask_keys = ['foo']
 
     client = TestClient()
 
     response = httpx.Response(status_code=218, content='{"c": 3, "d": 4}')
     response.request = httpx.Request('POST', '/', json=dict(a=1, b=2))
-    error = cli2.ResponseError(client, response, 1, ['a', 'c'])
+    client.mask.keys.add('a')
+    client.mask.keys.add('c')
+    error = cli2.ResponseError(client, response, 1)
     expected = "\n\x1b[0m\x1b[1mPOST /\x1b[0m\n\x1b[94ma\x1b[39;49;00m:\x1b[37m \x1b[39;49;00m\x1b[33m'\x1b[39;49;00m\x1b[33m***MASKED***\x1b[39;49;00m\x1b[33m'\x1b[39;49;00m\x1b[37m\x1b[39;49;00m\n\x1b[94mb\x1b[39;49;00m:\x1b[37m \x1b[39;49;00m2\x1b[37m\x1b[39;49;00m\n\n\x1b[1mHTTP 218\x1b[0m\n\x1b[94mc\x1b[39;49;00m:\x1b[37m \x1b[39;49;00m\x1b[33m'\x1b[39;49;00m\x1b[33m***MASKED***\x1b[39;49;00m\x1b[33m'\x1b[39;49;00m\x1b[37m\x1b[39;49;00m\n\x1b[94md\x1b[39;49;00m:\x1b[37m \x1b[39;49;00m4\x1b[37m\x1b[39;49;00m\n"  # noqa
     assert str(error) == expected
 
     # this needs to work with form data too
     response = httpx.Response(status_code=218, content='{"c": 3, "d": 4}')
     response.request = httpx.Request('POST', '/', data=dict(a=1, b=2))
-    error = cli2.ResponseError(client, response, 1, ['a', 'c'])
+    client.mask = cli2.Mask(['a', 'c'])
+    error = cli2.ResponseError(client, response, 1)
     expected = "\n\x1b[0m\x1b[1mPOST /\x1b[0m\n\x1b[94ma\x1b[39;49;00m:\x1b[37m \x1b[39;49;00m\x1b[33m'\x1b[39;49;00m\x1b[33m***MASKED***\x1b[39;49;00m\x1b[33m'\x1b[39;49;00m\x1b[37m\x1b[39;49;00m\n\x1b[94mb\x1b[39;49;00m:\x1b[37m \x1b[39;49;00m\x1b[33m'\x1b[39;49;00m\x1b[33m2\x1b[39;49;00m\x1b[33m'\x1b[39;49;00m\x1b[37m\x1b[39;49;00m\n\n\x1b[1mHTTP 218\x1b[0m\n\x1b[94mc\x1b[39;49;00m:\x1b[37m \x1b[39;49;00m\x1b[33m'\x1b[39;49;00m\x1b[33m***MASKED***\x1b[39;49;00m\x1b[33m'\x1b[39;49;00m\x1b[37m\x1b[39;49;00m\n\x1b[94md\x1b[39;49;00m:\x1b[37m \x1b[39;49;00m4\x1b[37m\x1b[39;49;00m\n"  # noqa
     assert str(error) == expected
 
 
 @pytest.mark.asyncio
 async def test_request_mask(client_class, monkeypatch):
-    client = client_class(mask=['password'])
+    client = client_class(mask=cli2.Mask(['password']))
     client.client.send = mock.AsyncMock()
 
     log = mock.Mock()
@@ -965,7 +968,8 @@ async def test_request_mask(client_class, monkeypatch):
     data = dict(foo='bar', password='secret')
     response.request = httpx.Request('POST', '/', json=data)
     client.client.send.return_value = response
-    await client.post('/', json=data, mask=['scrt'])
+    client.mask.keys.add('scrt')
+    await client.post('/', json=data)
     log.bind.assert_called_once_with(
         method='POST',
         url='http://lol/'
@@ -973,7 +977,7 @@ async def test_request_mask(client_class, monkeypatch):
     log = log.bind.return_value
     log.debug.assert_called_once_with(
         'request',
-        json=dict(foo='bar', password='secret'),
+        json=dict(foo='bar', password='***MASKED***'),
     )
     log.info.assert_called_once_with(
         'response',
@@ -1025,11 +1029,11 @@ async def test_log_quiet(client_class, monkeypatch):
 def test_class_override(client_class):
     class TestClient(client_class):
         semaphore = 'foo'
-        mask = 'bar'
+        mask_keys = ['bar']
         debug = True
 
     assert TestClient().semaphore == 'foo'
-    assert TestClient().mask == 'bar'
+    assert TestClient().mask.keys == {'bar'}
     assert TestClient().debug
 
 
@@ -1081,7 +1085,7 @@ def test_id_value(client_class):
 
 @pytest.mark.asyncio
 async def test_debug(client_class, monkeypatch):
-    client = client_class(mask=['scrt', 'password'], debug=True)
+    client = client_class(mask=cli2.Mask(['scrt', 'password']), debug=True)
     client.client.send = mock.AsyncMock()
 
     log = mock.Mock()

cli2-4.3.0/tests/test_mask.py

@@ -0,0 +1,22 @@
+import cli2
+import pytest
+
+
+def test_mask():
+    mask = cli2.Mask(['seckey'], ['secval'])
+    fixture = {
+        'a': {
+            'b': 'secval b secret',
+            'seckey': 'secret',
+        },
+        'b': ['secval foo secret'],
+    }
+
+    expected = {
+        'a': {
+            'b': '***MASKED*** b ***MASKED***',
+            'seckey': '***MASKED***',
+        },
+        'b': ['***MASKED*** foo ***MASKED***']
+    }
+    assert mask(fixture) == expected