diff --git a/lib/OpenQA/Log.pm b/lib/OpenQA/Log.pm
index af95a98deacd..376ba45370a6 100644
--- a/lib/OpenQA/Log.pm
+++ b/lib/OpenQA/Log.pm
@@ -208,8 +208,11 @@ sub setup_log ($app, $logfile = undef, $logdir = undef, $level = undef) {
 OpenQA::App->set_singleton($app);
 }
+# same approach as in os-autoinst bmwqemu.pm
 sub redact_settings ($vars) {
- return {map { $_ !~ qr/(^_SECRET_|_PASSWORD)/ ? ($_ => $vars->{$_}) : ($_ => '[redacted]') } keys %$vars};
+ my $hide_re = '^_SECRET_|_PASSWORD';
+ $hide_re .= "|$vars->{_HIDE_MATCH_RE}" if $vars->{_HIDE_MATCH_RE};
+ return {map { $_ !~ qr/($hide_re)/ ? ($_ => $vars->{$_}) : ($_ => '[redacted]') } keys %$vars};
 }
 sub redact_settings_in_file ($file) {
diff --git a/t/24-worker-jobs.t b/t/24-worker-jobs.t
index 779fd69e7520..bfb47bac8ae1 100755
--- a/t/24-worker-jobs.t
+++ b/t/24-worker-jobs.t
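Review bot: In `redact_settings` the value of `_HIDE_MATCH_RE` is interpolated into `qr/($hide_re)/` unchecked, so a setting that is not a valid pattern makes the regex compile die inside the `map`. The hunk does not show whether every caller then withholds the data rather than publishing it unredacted. Compiling once before the `map` makes that failure explicit: `my $re = eval { qr/($hide_re)/ } or die "invalid _HIDE_MATCH_RE: $@";` and then `$_ !~ $re` in the block. The new comment would also be more useful if it said that the pattern is matched against setting names rather than values, and that `_HIDE_MATCH_RE` itself is left readable in the output, so the pattern should not contain anything sensitive.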
@@ -1503,11 +1503,27 @@ subtest 'redacting logfile' => sub {
 ok OpenQA::Worker::Job::_redact_file($test_file, 'bar'), 'no error as file skipped anyways';
 combined_like { ok !OpenQA::Worker::Job::_redact_file($test_file, 'vars.json'), 'returns falsy value on error' }
 qr/Skipping upload of vars.json because.*No such file or directory/, 'error logged';
- $test_file->spew(encode_json({FOO => 'bar', SOME_PASSWORD => '123', _SECRET_VARIABLE => '456'}));
+ $test_file->spew(
+ encode_json(
+ {
+ FOO => 'bar',
+ SOME_PASSWORD => '123',
+ _SECRET_VARIABLE => '456',
+ SNEAKY_TEXT => 'secret',
+ _HIDE_MATCH_RE => 'SNEAK'
+ }));
 ok OpenQA::Worker::Job::_redact_file($test_file, 'vars.json'), 'file changed with no error';
 my $vars_data = $test_file->slurp;
 my $vars = decode_json($vars_data);
- is_deeply $vars, {FOO => 'bar', SOME_PASSWORD => '[redacted]', _SECRET_VARIABLE => '[redacted]'}, 'secrets hidden'
+ is_deeply $vars,
+ {
+ FOO => 'bar',
+ SOME_PASSWORD => '[redacted]',
+ _SECRET_VARIABLE => '[redacted]',
+ SNEAKY_TEXT => '[redacted]',
+ _HIDE_MATCH_RE => 'SNEAK'
+ },
+ 'secrets hidden'
 or diag explain $vars;
 like $vars_data, qr/\n/, 'JSON still formatted (with breaks at least)';
 };
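Review bot: The new fixture exercises only a well-formed `_HIDE_MATCH_RE`, so nothing in this subtest pins what `_redact_file` does when the pattern cannot be compiled. The earlier assertion shows `_redact_file` returning a falsy value and logging "Skipping upload" for a missing file. A parallel case with a constructed bad value such as `_HIDE_MATCH_RE => '('`, expecting the same falsy result, would document that the file is withheld rather than uploaded with secrets intact. The subtest begins above the hunk, so any setup it relies on is not visible here.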