Skip to content

A logging filter that hides your secrets. Integrates with Python's logging module.

License

Notifications You must be signed in to change notification settings

bernardcooke53/misprint

Repository files navigation

misprint

PyPI - Version PyPI - Python Version

An integration with the Python standard library's logging module that masks secrets in log messages before they are emitted. This project was heavily inspired by an excellent blog post which has been updated/adapted for modern Python versions.

Misprint is fully type-annotated for easier integration with mypy.


Table of Contents

Installation

pip install misprint

License

misprint is distributed under the terms of the MIT license.

Usage

misprint.Misprinter

You can use the Misprinter class to redact exact string matches or regular expressions within a string:

misprinter = Misprinter(token=["my_secret_token", re.compile(r"^ghp_\w+")])

assert misprinter.mask("this is my_secret_token") == "this is ****"
assert (
    misprinter.mask("github tokens: ghp_abc123 ghp_def456")
    == "github tokens: **** ****"
)

If you need to add a mask for new data to an existing instance then you can use the add_mask_for method:

misprinter = Misprinter()
assert misprinter.mask("a secret1234") == "a secret1234"

misprinter.add_mask_for("secret1234")
assert misprinter.mask("a secret1234") == "a ****"

You can also initialise your Misprinter instance with use_named_masks=True if you would like to be able to identify what data has been masked more easily:

misprinter = Misprinter(use_named_masks=True)
misprinter.add_mask_for("another_secret", name="database password")

assert (
    misprinter.mask("printing another_secret")
    == "printing <'database password' (value removed)>"
)

misprint.MisprintFilter

misprint also provides a logging.Filter subclass, which integrates with the Python standard library's logging module to enable redaction of log messages.

MisprintFilter is a subclass of Misprinter, so inherits all of the methods detailed above. This is useful, as the filter can be connected to the loggers that are configured for a program at startup, and new secrets can be conveniently added to the filter to be redacted in the logs:

import logging
import sys

import misprint

logging.basicConfig(
    datefmt="[%X]",
    handlers=[logging.StreamHandler(sys.stderr)],  # plus others
)

misprinter = misprint.MisprintFilter()

for handler in logging.getLogger().handlers:
    handler.addFilter(misprinter)

A_TOKEN = "asdf1234"

misprinter.add_mask_for(A_TOKEN)

log.error("Bad token: %s", A_TOKEN)

About

A logging filter that hides your secrets. Integrates with Python's logging module.

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages