A Python decorator to generate redacted and nicely formatted log entries. Works on all callables: class, class methods, Python module functions. Recursively redacts Python dictionary key values based on a customizable list of case-insensitive keys. Prevents your sensitive application data like cloud provider key-pairs from leaking into your application logs.
pip install secure-loggerfrom secure_logger.decorators import secure_logger
import logging
logging.getLogger(__name__)
logging.basicConfig(level=logging.INFO)
class Foo(object):
@secure_logger(log_level='INFO')
def bar(self, dict_data, list_data):
pass
# call your method, passing some sensitive data
dict_data = {
"not_a_sensitive_key": "you-can-see-me",
"aws-access-key-id": "i-am-hidden",
"aws-secret-access-key": "so-am-i",
}
list_data = ["foo", "bar"]
foo = Foo()
foo.bar(dict_data=dict_data, list_data=list_data)Log output:
INFO:secure_logger: __main__.bar() ['<__main__.Foo object at 0x103474ac0>'] keyword args: {
"dict_data": {
"not_a_sensitive_key": "you-can-see-me",
"aws-access-key-id": "*** -- secure_logger() -- ***",
"aws-secret-access-key": "*** -- secure_logger() -- ***"
},
"list_data": [
"foo",
"bar"
]from secure_logger.masked_dict import masked_dict, masked_dict2str
dict_data = {
'not_a_sensitive_key': 'you-can-see-me',
'aws-access-key_id': conf.AWS_ACCESS_KEY_ID,
'aws-secret-access-key': conf.AWS_SECRET_ACCESS_KEY
}
print(masked_dict2str(dict_data))Output:
{
"not_a_sensitive_key": "you-can-see-me",
"aws-access-key-id": "*** -- secure_logger() -- ***",
"aws-secret-access-key": "*** -- secure_logger() -- ***"
}secure_logger accepts optional parameters which you can configure as either bash environment variables or with a .env file placed in the root of your project
- SECURE_LOGGER_SENSITIVE_KEYS: a Python list of dictionary keys. Not case sensitive.
- SECURE_LOGGER_REDACTION_MESSAGE: a string value that will replace the sensitive key values
- SECURE_LOGGER_INDENTATION: number of characters to indent JSON string output when logging output
- SECURE_LOGGER_LOG_LEVEL: the level at which secure_logger generates log entries. One of: 'CRITICAL', 'FATAL', 'ERROR', 'WARN', 'WARNING', 'INFO', 'DEBUG'
Additionally, you can override individual invocations of the decorator with custom parameters:
class MyClass():
@secure_logger(log_level='DEBUG', sensitive_keys=["password", "apikey", "crown_jewels"], message="*** -- TOP SECRET -- ***", indent=4)
def another_function(self, password: str, apikey: str, crown_jewels: List(dict)):
passSECURE_LOGGER_REDACTION_MESSAGE = "*** -- secure_logger() -- ***"
SECURE_LOGGER_INDENTATION = 4
SECURE_LOGGER_SENSITIVE_KEYS = [
"password",
"token",
"client_id",
"client_secret",
"Authorization",
"secret",
"access_key_id",
"secret_access_key",
"access-key-id",
"secret-access-key",
"aws_access_key_id",
"aws_secret_access_key",
"aws-access-key-id",
"aws-secret-access-key",
]
SECURE_LOGGER_LOG_LEVEL = 'DEBUG'Pull requests are welcomed and encouraged!
- This project uses an automated Pull Request CI/CD process.
- This project conforms to 12-Factor Methodology.
- This project uses Semantic Versioning which requires that git commit messages follow strict (but easy to learn) formatting rules.
Contact: Lawrence McDaniel.
