logging: add secret masking

Allows strings to be registered that will be masked
in the log output.

diff --git a/suricata/update/loghandler.py b/suricata/update/loghandler.py
index cf460a382165463d94874b3814a8e217e72b38ce..d98577767478f94dde538ef28767b8da106a259a 100644 (file)
--- a/suricata/update/loghandler.py
+++ b/suricata/update/loghandler.py
@@ -18,6 +18,15 @@
 import logging
 import time
 
+# A list of secrets that will be replaced in the log output.
+secrets = {}
+
+def add_secret(secret, replacement):
+    """Register a secret to be masked. The secret will be replaced with:
+           <replacement>
+    """
+    secrets[str(secret)] = str(replacement)
+
 class SuriColourLogHandler(logging.StreamHandler):
     """An alternative stream log handler that logs with Suricata inspired
     log colours."""
@@ -61,5 +70,10 @@ class SuriColourLogHandler(logging.StreamHandler):
             record.levelname.title(),
             self.RESET,
             message_prefix,
-            record.getMessage(),
+            self.mask_secrets(record.getMessage()),
             self.RESET))
+
+    def mask_secrets(self, msg):
+        for secret in secrets:
+            msg = msg.replace(secret, "<%s>" % secrets[secret])
+        return msg