Skip to main content

A decorator to generate redacted and nicely formatted log entries

Project description

Secure Logger

FullStackWithLawrence Python
12-Factor Unit Tests GHA pushMain Status Auto AssignSource code Release Notes PyPI releases License: AGPL v3 hack.d Lawrence McDaniel

A Python decorator to generate redacted and nicely formatted log entries. Works on all callables: class, class methods, Python module functions. Recursively redacts Python dictionary key values based on a customizable list of case-insensitive keys. Prevents your sensitive application data like cloud provider key-pairs from leaking into your application logs.

Installation

pip install secure-logger

Usage

As a decorator

from secure_logger.decorators import secure_logger
import logging

logging.getLogger(__name__)
logging.basicConfig(level=logging.INFO)

class Foo(object):
    @secure_logger(log_level='INFO')
    def bar(self, dict_data, list_data):
        pass

# call your method, passing some sensitive data
dict_data = {
    "not_a_sensitive_key": "you-can-see-me",
    "aws-access-key-id": "i-am-hidden",
    "aws-secret-access-key": "so-am-i",
}
list_data = ["foo", "bar"]
foo = Foo()
foo.bar(dict_data=dict_data, list_data=list_data)

Log output:

INFO:secure_logger: __main__.bar() ['<__main__.Foo object at 0x103474ac0>'] keyword args: {
    "dict_data": {
        "not_a_sensitive_key": "you-can-see-me",
        "aws-access-key-id": "*** -- secure_logger() -- ***",
        "aws-secret-access-key": "*** -- secure_logger() -- ***"
    },
    "list_data": [
        "foo",
        "bar"
    ]

As library functions

from secure_logger.masked_dict import masked_dict, masked_dict2str

dict_data = {
    'not_a_sensitive_key': 'you-can-see-me',
    'aws-access-key_id': conf.AWS_ACCESS_KEY_ID,
    'aws-secret-access-key': conf.AWS_SECRET_ACCESS_KEY
}
print(masked_dict2str(dict_data))

Output:

{
    "not_a_sensitive_key": "you-can-see-me",
    "aws-access-key-id": "*** -- secure_logger() -- ***",
    "aws-secret-access-key": "*** -- secure_logger() -- ***"
}

Configuration

secure_logger accepts optional parameters which you can configure as either bash environment variables or with a .env file placed in the root of your project

  • SECURE_LOGGER_SENSITIVE_KEYS: a Python list of dictionary keys. Not case sensitive.
  • SECURE_LOGGER_REDACTION_MESSAGE: a string value that will replace the sensitive key values
  • SECURE_LOGGER_INDENTATION: number of characters to indent JSON string output when logging output
  • SECURE_LOGGER_LOG_LEVEL: the level at which secure_logger generates log entries. One of: 'CRITICAL', 'FATAL', 'ERROR', 'WARN', 'WARNING', 'INFO', 'DEBUG'

Additionally, you can override individual invocations of the decorator with custom parameters:

class MyClass():

    @secure_logger(log_level='DEBUG', sensitive_keys=["password", "apikey", "crown_jewels"], message="*** -- TOP SECRET -- ***", indent=4)
    def another_function(self, password: str, apikey: str, crown_jewels: List(dict)):
         pass

Configuration Defaults

SECURE_LOGGER_REDACTION_MESSAGE = "*** -- secure_logger() -- ***"
SECURE_LOGGER_INDENTATION = 4
SECURE_LOGGER_SENSITIVE_KEYS = [
    "password",
    "token",
    "client_id",
    "client_secret",
    "Authorization",
    "secret",
    "access_key_id",
    "secret_access_key",
    "access-key-id",
    "secret-access-key",
    "aws_access_key_id",
    "aws_secret_access_key",
    "aws-access-key-id",
    "aws-secret-access-key",
]
SECURE_LOGGER_LOG_LEVEL = 'DEBUG'

Contributing

Pull requests are welcomed and encouraged!

Contact: Lawrence McDaniel.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

secure-logger-0.2.0.tar.gz (23.7 kB view details)

Uploaded Source

Built Distribution

secure_logger-0.2.0-py3-none-any.whl (24.8 kB view details)

Uploaded Python 3

File details

Details for the file secure-logger-0.2.0.tar.gz.

File metadata

  • Download URL: secure-logger-0.2.0.tar.gz
  • Upload date:
  • Size: 23.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/4.0.2 CPython/3.10.9

File hashes

Hashes for secure-logger-0.2.0.tar.gz
Algorithm Hash digest
SHA256 7a166bf8db6e82b78b1ce1e279cf9e0f5f93abd5b197f8ebf0f156e7ced74614
MD5 d8329c7a345494d72ac068ce256c234c
BLAKE2b-256 460a37c7d4b1cd97f3773ab36c29f2688f638de828cf88ee66136a480e6daefa

See more details on using hashes here.

File details

Details for the file secure_logger-0.2.0-py3-none-any.whl.

File metadata

File hashes

Hashes for secure_logger-0.2.0-py3-none-any.whl
Algorithm Hash digest
SHA256 a56e26b20d26c01e200ce20d7a08d23f6cbfca0deb2f8e84fafd6b00354c9d84
MD5 6bd2aad0c490558673f7d4944947632f
BLAKE2b-256 d79f53d2d3ad9e8b345c5fc47dac3e08c65183af1693c9e0a9e2ed243e83ecac

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page