A decorator to generate redacted and nicely formatted log entries
Project description
Secure Logger
A Python decorator to generate redacted and nicely formatted log entries. Works on all callables: class, class methods, Python module functions. Recursively redacts Python dictionary key values based on a customizable list of case-insensitive keys. Prevents your sensitive application data like cloud provider key-pairs from leaking into your application logs.
Installation
pip install secure-logger
Usage
As a decorator
from secure_logger.decorators import secure_logger
import logging
logging.getLogger(__name__)
logging.basicConfig(level=logging.INFO)
class Foo(object):
@secure_logger(log_level='INFO')
def bar(self, dict_data, list_data):
pass
# call your method, passing some sensitive data
dict_data = {
"not_a_sensitive_key": "you-can-see-me",
"aws-access-key-id": "i-am-hidden",
"aws-secret-access-key": "so-am-i",
}
list_data = ["foo", "bar"]
foo = Foo()
foo.bar(dict_data=dict_data, list_data=list_data)
Log output:
INFO:secure_logger: __main__.bar() ['<__main__.Foo object at 0x103474ac0>'] keyword args: {
"dict_data": {
"not_a_sensitive_key": "you-can-see-me",
"aws-access-key-id": "*** -- secure_logger() -- ***",
"aws-secret-access-key": "*** -- secure_logger() -- ***"
},
"list_data": [
"foo",
"bar"
]
As library functions
from secure_logger.masked_dict import masked_dict, masked_dict2str
dict_data = {
'not_a_sensitive_key': 'you-can-see-me',
'aws-access-key_id': conf.AWS_ACCESS_KEY_ID,
'aws-secret-access-key': conf.AWS_SECRET_ACCESS_KEY
}
print(masked_dict2str(dict_data))
Output:
{
"not_a_sensitive_key": "you-can-see-me",
"aws-access-key-id": "*** -- secure_logger() -- ***",
"aws-secret-access-key": "*** -- secure_logger() -- ***"
}
Configuration
secure_logger accepts optional parameters which you can configure as either bash environment variables or with a .env file placed in the root of your project
- SECURE_LOGGER_SENSITIVE_KEYS: a Python list of dictionary keys. Not case sensitive.
- SECURE_LOGGER_REDACTION_MESSAGE: a string value that will replace the sensitive key values
- SECURE_LOGGER_INDENTATION: number of characters to indent JSON string output when logging output
- SECURE_LOGGER_LOG_LEVEL: the level at which secure_logger generates log entries. One of: 'CRITICAL', 'FATAL', 'ERROR', 'WARN', 'WARNING', 'INFO', 'DEBUG'
Additionally, you can override individual invocations of the decorator with custom parameters:
class MyClass():
@secure_logger(log_level='DEBUG', sensitive_keys=["password", "apikey", "crown_jewels"], message="*** -- TOP SECRET -- ***", indent=4)
def another_function(self, password: str, apikey: str, crown_jewels: List(dict)):
pass
Configuration Defaults
SECURE_LOGGER_REDACTION_MESSAGE = "*** -- secure_logger() -- ***"
SECURE_LOGGER_INDENTATION = 4
SECURE_LOGGER_SENSITIVE_KEYS = [
"password",
"token",
"client_id",
"client_secret",
"Authorization",
"secret",
"access_key_id",
"secret_access_key",
"access-key-id",
"secret-access-key",
"aws_access_key_id",
"aws_secret_access_key",
"aws-access-key-id",
"aws-secret-access-key",
]
SECURE_LOGGER_LOG_LEVEL = 'DEBUG'
Contributing
Pull requests are welcomed and encouraged!
- This project uses an automated Pull Request CI/CD process.
- This project conforms to 12-Factor Methodology.
- This project uses Semantic Versioning which requires that git commit messages follow strict (but easy to learn) formatting rules.
Contact: Lawrence McDaniel.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
File details
Details for the file secure-logger-0.2.0.tar.gz
.
File metadata
- Download URL: secure-logger-0.2.0.tar.gz
- Upload date:
- Size: 23.7 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/4.0.2 CPython/3.10.9
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | 7a166bf8db6e82b78b1ce1e279cf9e0f5f93abd5b197f8ebf0f156e7ced74614 |
|
MD5 | d8329c7a345494d72ac068ce256c234c |
|
BLAKE2b-256 | 460a37c7d4b1cd97f3773ab36c29f2688f638de828cf88ee66136a480e6daefa |
File details
Details for the file secure_logger-0.2.0-py3-none-any.whl
.
File metadata
- Download URL: secure_logger-0.2.0-py3-none-any.whl
- Upload date:
- Size: 24.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/4.0.2 CPython/3.10.9
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | a56e26b20d26c01e200ce20d7a08d23f6cbfca0deb2f8e84fafd6b00354c9d84 |
|
MD5 | 6bd2aad0c490558673f7d4944947632f |
|
BLAKE2b-256 | d79f53d2d3ad9e8b345c5fc47dac3e08c65183af1693c9e0a9e2ed243e83ecac |