MAGECLOUD-3525: Password masking in logs doesn't work in case of exception (#452)

Author: oshmyheliuk

src/App/Logger/Processor/SanitizeProcessor.php

@@ -5,20 +5,25 @@
  */
 namespace Magento\MagentoCloud\App\Logger\Processor;
 
+use Magento\MagentoCloud\App\Logger\Sanitizer;
+
 /**
- * Uses for sanitize sensitive data.
+ * Logger processor for sanitizing sensitive data.
  */
 class SanitizeProcessor
 {
     /**
-     * Array of replacements that will be applied to log messages.
-     *
-     * @var array
+     * @var Sanitizer
      */
-    private $replacements = [
-        '/-password=\'.*?\'(\s|$)/i' => '-password=\'******\'$1',
-        '/mysqldump (.* )-p\'[^\']+\'/i'  => 'mysqldump $1-p\'******\'',
-    ];
+    private $sanitizer;
+
+    /**
+     * @param Sanitizer $sanitizer
+     */
+    public function __construct(Sanitizer $sanitizer)
+    {
+        $this->sanitizer = $sanitizer;
+    }
 
     /**
      * Finds and replace sensitive data in record message.
@@ -28,9 +33,7 @@ class SanitizeProcessor
      */
     public function __invoke(array $record)
     {
-        foreach ($this->replacements as $pattern => $replacement) {
-            $record['message'] = preg_replace($pattern, $replacement, $record['message']);
-        }
+        $record['message'] = $this->sanitizer->sanitize($record['message']);
 
         return $record;
     }

src/App/Logger/Sanitizer.php

@@ -0,0 +1,39 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\MagentoCloud\App\Logger;
+
+/**
+ * Uses for sanitize sensitive data.
+ */
+class Sanitizer
+{
+    /**
+     * Array of replacements that will be applied to log messages.
+     *
+     * @var array
+     */
+    private $replacements = [
+        '/-password=\'.*?\'(\s|$)/i' => '-password=\'******\'$1',
+        '/mysqldump (.* )-p\'[^\']+\'/i'  => 'mysqldump $1-p\'******\'',
+    ];
+
+    /**
+     * Finds and replace sensitive data in record message.
+     *
+     * @param string $message
+     * @return string
+     */
+    public function sanitize(string $message): string
+    {
+        foreach ($this->replacements as $pattern => $replacement) {
+            $message = preg_replace($pattern, $replacement, $message);
+        }
+
+        return $message;
+    }
+}

src/Shell/Shell.php

@@ -7,6 +7,7 @@
 
 namespace Magento\MagentoCloud\Shell;
 
+use Magento\MagentoCloud\App\Logger\Sanitizer;
 use Magento\MagentoCloud\Filesystem\SystemList;
 use Psr\Log\LoggerInterface;
 use Monolog\Logger;
@@ -26,14 +27,21 @@ class Shell implements ShellInterface
      */
     private $systemList;
 
+    /**
+     * @var Sanitizer
+     */
+    private $sanitizer;
+
     /**
      * @param LoggerInterface $logger
      * @param SystemList $systemList
+     * @param Sanitizer $sanitizer
      */
-    public function __construct(LoggerInterface $logger, SystemList $systemList)
+    public function __construct(LoggerInterface $logger, SystemList $systemList, Sanitizer $sanitizer)
     {
         $this->logger = $logger;
         $this->systemList = $systemList;
+        $this->sanitizer = $sanitizer;
     }
 
     /**
@@ -99,7 +107,14 @@ function ($message, $line) {
         }
 
         if ($status !== 0) {
-            throw new ShellException("Command $command returned code $status", $status);
+            throw new ShellException(
+                sprintf(
+                    "Command %s returned code %d",
+                    $this->sanitizer->sanitize($command),
+                    $status
+                ),
+                $status
+            );
         }
 
         return $output;

src/Test/Unit/App/Logger/Processor/SanitizeProcessorTest.php

@@ -6,74 +6,25 @@
 namespace Magento\MagentoCloud\Test\Unit\App\Logger\Processor;
 
 use Magento\MagentoCloud\App\Logger\Processor\SanitizeProcessor;
+use Magento\MagentoCloud\App\Logger\Sanitizer;
+use PHPUnit\Framework\MockObject\MockObject;
 use PHPUnit\Framework\TestCase;
 
 /**
  * @inheritdoc
  */
 class SanitizeProcessorTest extends TestCase
 {
-    /**
-     * @param array $record
-     * @param array $expected
-     * @dataProvider invokeDataProvider
-     */
-    public function testInvoke(array $record, array $expected)
+    public function testInvoke()
     {
-        $this->assertEquals($expected, (new SanitizeProcessor)($record));
-    }
-
-    /**
-     * @return array
-     */
-    public function invokeDataProvider()
-    {
-        return [
-            [
-                ['message' => 'some message'],
-                ['message' => 'some message']
-            ],
-            [
-                ['message' => 'some message with admin password --admin-password=\'Ks81bUSl13Osd\''],
-                ['message' => 'some message with admin password --admin-password=\'******\''],
-            ],
-            [
-                ['message' => 'some message with db password --db-password=\'Ks81bUSl13Osd\''],
-                ['message' => 'some message with db password --db-password=\'******\''],
-            ],
-            [
-                ['message' => 'some message with db password --db-password=\'--db-password\''],
-                ['message' => 'some message with db password --db-password=\'******\''],
-            ],
-            [
-                ['message' => 'some text --admin-password=\'Ks81bUSl13Osd\' some text'],
-                ['message' => 'some text --admin-password=\'******\' some text'],
-            ],
-            [
-                ['message' => 'some text --admin-password=\'Ks81bUSl13Osd\' --db-password=\'Ks81bUSl13Osd\' some text'],
-                ['message' => 'some text --admin-password=\'******\' --db-password=\'******\' some text'],
-            ],
-            [
-                ['message' => 'some text --admin-password=\'' . escapeshellarg("Ks81b'USl'13Osd") . '\''],
-                ['message' => 'some text --admin-password=\'******\''],
-            ],
-            [
-                ['message' => 'Command: bash -c "set -o pipefail; timeout 3600 mysqldump -h \'127.0.0.1\' -P \'3304\''
-                    . ' -u \'abcdefghijklm_stg\' -p\'OmgSuperSecretPasswordDoNotLeak\' \'abcdefghijklm_stg\''
-                    . ' --single-transaction --no-autocommit --quick | gzip > /tmp/dump-1525977618.sql.gz'],
-                ['message' => 'Command: bash -c "set -o pipefail; timeout 3600 mysqldump -h \'127.0.0.1\' -P \'3304\''
-                    . ' -u \'abcdefghijklm_stg\' -p\'******\' \'abcdefghijklm_stg\''
-                    . ' --single-transaction --no-autocommit --quick | gzip > /tmp/dump-1525977618.sql.gz'],
-            ],
-            [
-                ['message' => 'Command: bash -c "set -o pipefail; timeout 3600 mysqldump -h \'127.0.0.1\' -P \'3304\''
-                    . ' -u \'abcdefghijklm_stg\' \'abcdefghijklm_stg\' --single-transaction --no-autocommit'
-                    . ' --quick | gzip > /tmp/dump-1525977618.sql.gz'],
-                ['message' => 'Command: bash -c "set -o pipefail; timeout 3600 mysqldump -h \'127.0.0.1\' -P \'3304\''
-                    . ' -u \'abcdefghijklm_stg\' \'abcdefghijklm_stg\' --single-transaction --no-autocommit'
-                    . ' --quick | gzip > /tmp/dump-1525977618.sql.gz'],
-            ],
+        /** @var Sanitizer|MockObject $sanitizerMock */
+        $sanitizerMock = $this->createMock(Sanitizer::class);
+        $sanitizerMock->expects($this->once())
+            ->method('sanitize')
+            ->with('some message')
+            ->willReturn('sanitized message');
 
-        ];
+        $sanitizeProcessor = new SanitizeProcessor($sanitizerMock);
+        $this->assertEquals(['message' => 'sanitized message'], $sanitizeProcessor(['message' => 'some message']));
     }
 }

src/Test/Unit/App/Logger/SanitizerTest.php

@@ -0,0 +1,81 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\MagentoCloud\Test\Unit\App\Logger;
+
+use Magento\MagentoCloud\App\Logger\Sanitizer;
+use PHPUnit\Framework\TestCase;
+
+/**
+ * @inheritdoc
+ */
+class SanitizerTest extends TestCase
+{
+    /**
+     * @param string $message
+     * @param string $expectedMesssage
+     * @dataProvider invokeDataProvider
+     */
+    public function testInvoke(string $message, string $expectedMesssage)
+    {
+        $this->assertEquals($expectedMesssage, (new Sanitizer())->sanitize($message));
+    }
+
+    /**
+     * @return array
+     */
+    public function invokeDataProvider()
+    {
+        return [
+            [
+                'some message',
+                'some message',
+            ],
+            [
+                'some message with admin password --admin-password=\'Ks81bUSl13Osd\'',
+                'some message with admin password --admin-password=\'******\'',
+            ],
+            [
+                'some message with db password --db-password=\'Ks81bUSl13Osd\'',
+                'some message with db password --db-password=\'******\'',
+            ],
+            [
+                'some message with db password --db-password=\'--db-password\'',
+                'some message with db password --db-password=\'******\'',
+            ],
+            [
+                'some text --admin-password=\'Ks81bUSl13Osd\' some text',
+                'some text --admin-password=\'******\' some text',
+            ],
+            [
+                'some text --admin-password=\'Ks81bUSl13Osd\' --db-password=\'Ks81bUSl13Osd\' some text',
+                'some text --admin-password=\'******\' --db-password=\'******\' some text',
+            ],
+            [
+                'some text --admin-password=\'' . escapeshellarg("Ks81b'USl'13Osd") . '\'',
+                'some text --admin-password=\'******\'',
+            ],
+            [
+                'Command: bash -c "set -o pipefail; timeout 3600 mysqldump -h \'127.0.0.1\' -P \'3304\''
+                    . ' -u \'abcdefghijklm_stg\' -p\'OmgSuperSecretPasswordDoNotLeak\' \'abcdefghijklm_stg\''
+                    . ' --single-transaction --no-autocommit --quick | gzip > /tmp/dump-1525977618.sql.gz',
+                'Command: bash -c "set -o pipefail; timeout 3600 mysqldump -h \'127.0.0.1\' -P \'3304\''
+                    . ' -u \'abcdefghijklm_stg\' -p\'******\' \'abcdefghijklm_stg\''
+                    . ' --single-transaction --no-autocommit --quick | gzip > /tmp/dump-1525977618.sql.gz',
+            ],
+            [
+                'Command: bash -c "set -o pipefail; timeout 3600 mysqldump -h \'127.0.0.1\' -P \'3304\''
+                    . ' -u \'abcdefghijklm_stg\' \'abcdefghijklm_stg\' --single-transaction --no-autocommit'
+                    . ' --quick | gzip > /tmp/dump-1525977618.sql.gz',
+                'Command: bash -c "set -o pipefail; timeout 3600 mysqldump -h \'127.0.0.1\' -P \'3304\''
+                    . ' -u \'abcdefghijklm_stg\' \'abcdefghijklm_stg\' --single-transaction --no-autocommit'
+                    . ' --quick | gzip > /tmp/dump-1525977618.sql.gz',
+            ],
+
+        ];
+    }
+}

src/Test/Unit/Shell/ShellTest.php

@@ -5,6 +5,7 @@
  */
 namespace Magento\MagentoCloud\Test\Unit\Shell;
 
+use Magento\MagentoCloud\App\Logger\Sanitizer;
 use Magento\MagentoCloud\Filesystem\SystemList;
 use PHPUnit\Framework\MockObject\Matcher\InvokedCount;
 use PHPUnit\Framework\MockObject\MockObject;
@@ -35,15 +36,21 @@ class ShellTest extends TestCase
      */
     private $systemListMock;
 
+    /**
+     * @var Sanitizer|MockObject
+     */
+    private $sanitizerMock;
+
     /**
      * @inheritdoc
      */
     protected function setUp()
     {
         $this->loggerMock = $this->getMockForAbstractClass(LoggerInterface::class);
         $this->systemListMock = $this->createMock(SystemList::class);
+        $this->sanitizerMock = $this->createMock(Sanitizer::class);
 
-        $this->shell = new Shell($this->loggerMock, $this->systemListMock);
+        $this->shell = new Shell($this->loggerMock, $this->systemListMock, $this->sanitizerMock);
     }
 
     /**
@@ -71,6 +78,8 @@ public function testExecute($execOutput)
         $this->loggerMock->expects($this->once())
             ->method('info')
             ->with($command);
+        $this->sanitizerMock->expects($this->never())
+            ->method('sanitize');
         if ($execOutput) {
             $this->loggerMock->expects($this->once())
                 ->method('log')
@@ -95,13 +104,13 @@ public function executeDataProvider(): array
      * @param InvokedCount $logExpects
      * @param array $execOutput
      * @expectedException \RuntimeException
-     * @expectedExceptionMessage Command ls -al returned code 123
+     * @expectedExceptionMessage Command ls -al --password="***" returned code 123
      * @expectedExceptionCode 123
      * @dataProvider executeExceptionDataProvider
      */
     public function testExecuteException($logExpects, array $execOutput)
     {
-        $command = 'ls -al';
+        $command = 'ls -al --password="123"';
         $magentoRoot = '/magento';
         $execCommand = 'cd ' . $magentoRoot . ' && ' . $command . ' 2>&1';
 
@@ -116,6 +125,10 @@ public function testExecuteException($logExpects, array $execOutput)
         $this->systemListMock->expects($this->once())
             ->method('getMagentoRoot')
             ->willReturn($magentoRoot);
+        $this->sanitizerMock->expects($this->once())
+            ->method('sanitize')
+            ->with('ls -al --password="123"')
+            ->willReturn('ls -al --password="***"');
 
         $this->loggerMock->expects($this->once())
             ->method('info')