Enhance URL secrets removal

- redact password which might be present in URL netloc
- rename the function to remove_url_secrets since it does not remove
  only S3 secret
- handle properly the reconstruction of URL query
- prefer urlsplit and urlunsplit - instead of urlparse - since this is
  the future / we do not need to separate parameters from parts

Author: benoit74

dispatcher/backend/src/routes/utils.py

@@ -1,6 +1,6 @@
 import logging
 from typing import Any, Dict, List
-from urllib.parse import parse_qs, urlparse
+from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit
 
 from common.constants import SECRET_REPLACEMENT
 from common.schemas.models import ScheduleConfigSchema
@@ -26,7 +26,7 @@ def has_dict_sub_key(data: Dict[str, Any], keys: List[str]):
 def remove_secrets_from_response(response: dict):
     """replaces or removes (in-place) all occurences of secrets"""
     remove_secret_flags(response)
-    remove_s3_secrets(response)
+    remove_url_secrets(response)
 
 
 def remove_secret_flags(response: dict):
@@ -87,26 +87,45 @@ def remove_secret_flag_from_command(
     ] = f'--{field_name}="{SECRET_REPLACEMENT}"'
 
 
-def remove_s3_secrets(response: dict):
-    """remove keyId and secretAccessKey query params from any URL we might find"""
+def remove_url_secrets(response: dict):
+    """remove secrets from any URL we might find
+
+    For now we remove:
+    - password if passed in the network location
+    - keyId and secretAccessKey query params (probably used for S3)
+    """
     for key in response.keys():
         if not response[key]:
             continue
         if isinstance(response[key], dict):
-            remove_s3_secrets(response[key])
+            remove_url_secrets(response[key])
         else:
             if not isinstance(response[key], str) or "://" not in response[key]:
                 continue
-            for part in [part for part in response[key].split() if "://" in part]:
-                url = urlparse(part)
-                url = url._replace(
-                    query="&".join(
-                        [
-                            f"{key}={value}"
-                            for key, values in parse_qs(url.query).items()
+            for url in [word for word in response[key].split() if "://" in word]:
+                urlparts = urlsplit(url)
+                newquery = urlencode(
+                    {
+                        key: (
+                            value
                             if str(key).lower() not in ["keyid", "secretaccesskey"]
-                            for value in values
-                        ]
+                            else SECRET_REPLACEMENT
+                        )
+                        for key, values in parse_qs(urlparts.query).items()
+                        for value in values
+                    },
+                    doseq=True,
+                )
+                newnetloc: str | None = urlparts.netloc
+                if newnetloc and urlparts.password:
+                    newnetloc = newnetloc.replace(urlparts.password, SECRET_REPLACEMENT)
+                secured_url = urlunsplit(
+                    (
+                        urlparts.scheme,
+                        newnetloc,
+                        urlparts.path,
+                        newquery,
+                        urlparts.fragment,
                     )
-                ).geturl()
-                response[key] = response[key].replace(part, url)
+                )
+                response[key] = response[key].replace(url, secured_url)

dispatcher/backend/src/tests/unit/routes/test_utils.py

@@ -443,14 +443,18 @@
                         "expiration": 60,
                         "upload_uri": (
                             "s3://s3.us-west-1.wasabisys.com/"
-                            "?bucketName=org-kiwix-zimfarm-logs"
+                            "?keyId=********"
+                            "&secretAccessKey=********"
+                            "&bucketName=org-kiwix-zimfarm-logs"
                         ),
                     },
                     "artifacts": {
                         "expiration": 20,
                         "upload_uri": (
                             "s3://s3.us-west-1.wasabisys.com/"
-                            "?bucketName=org-kiwix-zimfarm-artifacts"
+                            "?keyId=********"
+                            "&secretAccessKey=********"
+                            "&bucketName=org-kiwix-zimfarm-artifacts"
                         ),
                     },
                 },
@@ -470,7 +474,7 @@
                         "please_clean_me": (
                             "something\nwhat s3://s3.us-west-1.wasabisys.com/"
                             "?keyId=this_is_super_secret"
-                            "&secretAccessKey=this_is_super_secret"
+                            "&secretAccessKey=this_is_a_super_secret"
                             "&bucketName=org-kiwix-zimfarm-logs what\n"
                             "something\n"
                         ),
@@ -489,7 +493,9 @@
                     "response_but": {
                         "please_clean_me": (
                             "something\nwhat s3://s3.us-west-1.wasabisys.com/"
-                            "?bucketName=org-kiwix-zimfarm-logs what\n"
+                            "?keyId=********"
+                            "&secretAccessKey=********"
+                            "&bucketName=org-kiwix-zimfarm-logs what\n"
                             "something\n"
                         ),
                     },
@@ -566,46 +572,71 @@ def test_remove_secrets(response, expected_response):
                     "&keyId=this_is_super_secret \n"
                     "something"
                 ),
+                "please_clean_me8": (
+                    " ftp://username:password@hostname:123/path not encoded?"
+                    "param=val%26ue#anchor "
+                ),
             },
             {
                 "please_clean_me1": (
                     "s3://s3.us-west-1.wasabisys.com/"
-                    "?bucketName=org-kiwix-zimfarm-logs"
+                    "?keyId=********"
+                    "&secretAccessKey=********"
+                    "&bucketName=org-kiwix-zimfarm-logs"
                 ),
                 "please_clean_me2": (
                     "s3://s3.us-west-1.wasabisys.com/"
                     "?bucketName=org-kiwix-zimfarm-logs"
+                    "&keyId=********"
+                    "&secretAccessKey=********"
                 ),
                 "please_clean_me3": (
                     "s3://s3.us-west-1.wasabisys.com/"
                     "?bucketName=org-kiwix-zimfarm-logs"
+                    "&keyId=********"
+                    "&secretAccessKey=********"
                     "&something=somevalue"
                 ),
                 "please_clean_me4": (
                     "s3://s3.us-west-1.wasabisys.com/"
                     "?bucketName=org-kiwix-zimfarm-logs"
+                    "&secretAccessKey=********"
                     "&something=somevalue"
+                    "&keyId=********"
                     "&something2=somevalue2"
                 ),
                 "please_clean_me5": (
                     " s3://s3.us-west-1.wasabisys.com/"
-                    "?bucketName=org-kiwix-zimfarm-logs"
+                    "?keyId=********"
+                    "&secretAccessKey=********"
+                    "&bucketName=org-kiwix-zimfarm-logs"
                 ),
                 "please_clean_me6": (
                     "s3://s3.us-west-1.wasabisys.com/"
-                    "?bucketName=org-kiwix-zimfarm-logs "
+                    "?keyId=********"
+                    "&secretAccessKey=********"
+                    "&bucketName=org-kiwix-zimfarm-logs "
                 ),
                 "please_clean_me7": (
                     "something s3://s3.us-west-1.wasabisys.com/"
-                    "?bucketName=org-kiwix-zimfarm-logs \n"
+                    "?keyId=********"
+                    "&secretAccessKey=********"
+                    "&bucketName=org-kiwix-zimfarm-logs \n"
                     "something s3://s3.us-west-1.wasabisys.com/"
-                    "?bucketName=org-kiwix-zimfarm-logs \n"
+                    "?secretAccessKey=********"
+                    "&bucketName=org-kiwix-zimfarm-logs \n"
                     "something s3://s3.us-west-1.wasabisys.com/"
-                    "?bucketName=org-kiwix-zimfarm-logs \n"
+                    "?keyId=********"
+                    "&bucketName=org-kiwix-zimfarm-logs \n"
                     "something s3://s3.us-west-1.wasabisys.com/"
-                    "?bucketName=org-kiwix-zimfarm-logs \n"
+                    "?bucketName=org-kiwix-zimfarm-logs"
+                    "&keyId=******** \n"
                     "something"
                 ),
+                "please_clean_me8": (
+                    " ftp://username:--------@hostname:123/path not encoded?param="
+                    "val%26ue#anchor "
+                ),
             },
         ),
     ],