feat(chalice): obfuscate Github token after insert/update

2023-01-27 17:08:39 +01:00 · 2023-01-27 17:08:39 +01:00 · 4315ac9f06
commit 4315ac9f06
parent e6d25e094f
2 changed files with 13 additions and 4 deletions
--- a/api/chalicelib/core/integration_github.py
+++ b/api/chalicelib/core/integration_github.py
@ -24,8 +24,7 @@ class GitHubIntegration(integration_base.BaseIntegration):
        integration = self.get()
        if integration is None:
            return None
-        token = "*" * (len(integration["token"]) - 4) + integration["token"][-4:]
-        return {"token": token, "provider": self.provider.lower()}
+        return {"token": helper.obfuscate(text=integration["token"]), "provider": self.provider.lower()}

    def update(self, changes, obfuscate=False):
        with pg_client.PostgresClient() as cur:
@ -40,12 +39,14 @@ class GitHubIntegration(integration_base.BaseIntegration):
                             **changes})
            )
            w = helper.dict_to_camel_case(cur.fetchone())
+            if w and w.get("token") and obfuscate:
+                w["token"] = helper.obfuscate(w["token"])
            return w

    def _add(self, data):
        pass

-    def add(self, token):
+    def add(self, token, obfuscate=False):
        with pg_client.PostgresClient() as cur:
            cur.execute(
                cur.mogrify("""\
@ -56,6 +57,8 @@ class GitHubIntegration(integration_base.BaseIntegration):
                             "token": token})
            )
            w = helper.dict_to_camel_case(cur.fetchone())
+            if w and w.get("token") and obfuscate:
+                w["token"] = helper.obfuscate(w["token"])
            return w

    # TODO: make a revoke token call
@ -81,4 +84,4 @@ class GitHubIntegration(integration_base.BaseIntegration):
                obfuscate=True
            )
        else:
-            return self.add(token=data["token"])
+            return self.add(token=data["token"], obfuscate=True)
--- a/api/chalicelib/utils/helper.py
+++ b/api/chalicelib/utils/helper.py
@ -312,3 +312,9 @@ def get_domain():
    if not _url.startswith("http"):
        _url = "http://" + _url
    return '.'.join(urlparse(_url).netloc.split(".")[-2:])
+
+
+def obfuscate(text, keep_last: int = 4):
+    if text is None or not isinstance(text, str):
+        return text
+    return "*" * (len(text) - keep_last) + text[-keep_last:]