Merge branch 'master' into 8.x

docs/Changelog.rst

@@ -3,6 +3,20 @@
 Changelog
 =========
 
+8.6.0.post6 (26 January 2023)
+-----------------------------
+
+**Announcement**
+
+I'm just cranking these out today! The truth is, I'm catching more things with the increased
+scrutiny of heavy Curator testing. This is good, right?
+
+**Changes**
+
+  * Discovered that passwords were being logged. Added a function to replace any value
+    from a key (from ``KEYS_TO_REDACT`` in ``defaults.py``) with ``REDACTED``. Keys are
+    ``['password', 'basic_auth', 'bearer_auth', 'api_key', 'id', 'opaque_id']``
+
 8.6.0.post5 (26 January 2023)
 -----------------------------
 

es_client/builder.py

@@ -115,6 +115,7 @@ def validate(self):
                 try:
                     verify_url_schema(host)
                 except ConfigurationError as exc:
+                    self.logger.critical('Invalid host schema detected: %s -- %s', host, exc)
                     raise ConfigurationError(f'Invalid host schema detected: {host}') from exc
         self._check_basic_auth()
         self._check_api_key()

es_client/defaults.py

@@ -2,8 +2,10 @@
 from six import string_types
 from voluptuous import All, Any, Boolean, Coerce, Optional, Range, Schema
 
-VERSION_MIN=(8,0,0)
-VERSION_MAX=(8,99,99)
+VERSION_MIN = (8, 0, 0)
+VERSION_MAX = (8, 99, 99)
+
+KEYS_TO_REDACT = ['password', 'basic_auth', 'bearer_auth', 'api_key', 'id', 'opaque_id']
 
 CLIENT_SETTINGS = [
     'hosts', 'cloud_id', 'api_key', 'basic_auth', 'bearer_auth', 'opaque_id', 'headers',

es_client/helpers/schemacheck.py

@@ -2,6 +2,7 @@
 # pylint: disable=protected-access, broad-except
 import logging
 from re import sub
+from es_client.helpers.utils import password_filter
 from es_client.exceptions import ConfigurationError
 
 class SchemaCheck(object):
@@ -26,7 +27,7 @@ def __init__(self, config, schema, test_what, location):
         self.logger = logging.getLogger(__name__)
         # Set the Schema for validation...
         self.logger.debug('Schema: %s', schema)
-        self.logger.debug('"%s" config: %s', test_what, config)
+        self.logger.debug('"%s" config: %s', test_what, password_filter(config))
         self.config = config
         self.schema = schema
         self.test_what = test_what
@@ -47,7 +48,7 @@ def get_badvalue(data_string, data):
                     key = int(k)
                 except ValueError:
                     key = k
-                if value == None:
+                if value is None:
                     value = data[key]
                     # if this fails, it's caught below
             return value

es_client/helpers/utils.py

@@ -2,8 +2,9 @@
 import logging
 import os
 import re
+from copy import deepcopy
 import yaml
-from es_client.defaults import config_schema
+from es_client.defaults import config_schema, KEYS_TO_REDACT
 from es_client.exceptions import ConfigurationError
 from es_client.helpers.schemacheck import SchemaCheck
 
@@ -151,3 +152,16 @@ def get_version(client):
     else:
         version = version.split('.')
     return tuple(map(int, version))
+
+def password_filter(data):
+    """
+    Return a deepcopy of the dictionary with any password fields hidden
+    """
+    def iterdict(mydict):
+        for key, value in mydict.items():
+            if isinstance(value, dict):
+                iterdict(value)
+            elif key in KEYS_TO_REDACT:
+                mydict.update({key: "REDACTED"})
+        return mydict
+    return iterdict(deepcopy(data))

es_client/version.py

@@ -1 +1 @@
-__version__ = '8.6.0.post5'
+__version__ = '8.6.0.post6'

pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "flit_core.buildapi"
 
 [project]
 name = "es_client"
-version = "8.6.0.post5"
+version = "8.6.0.post6"
 description = "Elasticsearch Client builder, complete with schema validation"
 authors = [{name = "Aaron Mildenstein", email = "aaron@mildensteins.com"}]
 readme = "README.rst"