prepare 8.1.4 release (#211)

## [8.1.4] - 2023-05-31
### Fixed:
- Password will be redacted from redis URL prior to logging.

---------

Co-authored-by: Elliot <[email protected]>
Co-authored-by: Eli Bishop <[email protected]>
Co-authored-by: LaunchDarklyCI <[email protected]>
Co-authored-by: Ben Woskow <[email protected]>
Co-authored-by: LaunchDarklyCI <[email protected]>
Co-authored-by: hroederld <[email protected]>
Co-authored-by: Robert J. Neal <[email protected]>
Co-authored-by: Robert J. Neal <[email protected]>
Co-authored-by: Ember Stevens <[email protected]>
Co-authored-by: ember-stevens <[email protected]>
Co-authored-by: Matthew M. Keeler <[email protected]>
Co-authored-by: charukiewicz <[email protected]>
Co-authored-by: LaunchDarklyReleaseBot <[email protected]>
Co-authored-by: Christian Charukiewicz <[email protected]>
Co-authored-by: Matthew M. Keeler <[email protected]>
Co-authored-by: Ben Woskow <[email protected]>
Co-authored-by: Gavin Whelan <[email protected]>
Co-authored-by: Gabor Angeli <[email protected]>
Co-authored-by: Elliot <[email protected]>
Co-authored-by: Louis Chan <[email protected]>
Co-authored-by: prpnmac <[email protected]>

Author: 15 people

ldclient/impl/integrations/redis/redis_big_segment_store.py

@@ -1,5 +1,6 @@
 from ldclient import log
 from ldclient.interfaces import BigSegmentStore, BigSegmentStoreMetadata
+from ldclient.impl.util import redact_password
 
 from typing import Any, Optional, Dict, Set, cast
 
@@ -21,7 +22,7 @@ def __init__(self, url: str, prefix: Optional[str], redis_opts: Dict[str, Any]):
             raise NotImplementedError("Cannot use Redis Big Segment store because redis package is not installed")
         self._prefix = prefix or 'launchdarkly'
         self._pool = redis.ConnectionPool.from_url(url=url, **redis_opts)
-        log.info("Started RedisBigSegmentStore connected to URL: " + url + " using prefix: " + self._prefix)
+        log.info("Started RedisBigSegmentStore connected to URL: " + redact_password(url) + " using prefix: " + self._prefix)
 
     def get_metadata(self) -> BigSegmentStoreMetadata:
         r = redis.Redis(connection_pool=self._pool)

ldclient/impl/integrations/redis/redis_feature_store.py

@@ -10,6 +10,7 @@
 from ldclient import log
 from ldclient.interfaces import DiagnosticDescription, FeatureStoreCore
 from ldclient.versioned_data_kind import FEATURES
+from ldclient.impl.util import redact_password
 
 from typing import Any, Dict
 
@@ -21,7 +22,7 @@ def __init__(self, url, prefix, redis_opts: Dict[str, Any]):
         self._prefix = prefix or 'launchdarkly'
         self._pool = redis.ConnectionPool.from_url(url=url, **redis_opts)
         self.test_update_hook = None  # exposed for testing
-        log.info("Started RedisFeatureStore connected to URL: " + url + " using prefix: " + self._prefix)
+        log.info("Started RedisFeatureStore connected to URL: " + redact_password(url) + " using prefix: " + self._prefix)
 
     def _items_key(self, kind):
         return "{0}:{1}".format(self._prefix, kind.namespace)

ldclient/impl/util.py

@@ -5,6 +5,7 @@
 
 from typing import Any
 from ldclient.impl.http import _base_headers
+from urllib.parse import urlparse, urlunparse
 
 
 def current_time_millis() -> int:
@@ -132,3 +133,17 @@ def stringify_attrs(attrdict, attrs):
                 newdict = attrdict.copy()
             newdict[attr] = str(val)
     return attrdict if newdict is None else newdict
+
+def redact_password(url: str) -> str:
+    """
+    Replace any embedded password in the provided URL with 'xxxx'. This is
+    useful for ensuring sensitive information included in a URL isn't logged.
+    """
+    parts = urlparse(url)
+    if parts.password is None:
+        return url
+
+    updated = parts.netloc.replace(parts.password, "xxxx")
+    parts = parts._replace(netloc=updated)
+
+    return urlunparse(parts)

testing/test_config.py

@@ -63,7 +63,10 @@ def application_will_ignore_invalid_keys():
     ":",
     "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-a"
 ])
-def application_will_drop_invalid_values(value):
-    application = {"id": value, "version": value}
+def invalid_application_tags(request):
+    return request.param
+
+def test_application_will_drop_invalid_values(invalid_application_tags):
+    application = {"id": invalid_application_tags, "version": invalid_application_tags}
     config = Config(sdk_key = "SDK_KEY", application = application)
     assert config.application == {"id": "", "version": ""}

testing/test_util.py

@@ -0,0 +1,16 @@
+from ldclient.impl.util import redact_password
+import pytest
+
+@pytest.fixture(params = [
+    ("rediss://user:password=@redis-server-url:6380/0?ssl_cert_reqs=CERT_REQUIRED", "rediss://user:xxxx@redis-server-url:6380/0?ssl_cert_reqs=CERT_REQUIRED"),
+    ("rediss://user-matches-password:user-matches-password@redis-server-url:6380/0?ssl_cert_reqs=CERT_REQUIRED", "rediss://xxxx:xxxx@redis-server-url:6380/0?ssl_cert_reqs=CERT_REQUIRED"),
+    ("rediss://redis-server-url", "rediss://redis-server-url"),
+    ("invalid urls are left alone", "invalid urls are left alone"),
+])
+def password_redaction_tests(request):
+    return request.param
+
+def test_can_redact_password(password_redaction_tests):
+    input, expected = password_redaction_tests
+
+    assert redact_password(input) == expected