PYTHON-5928 Redact AWS session token from client repr#2803
Conversation
There was a problem hiding this comment.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
This PR addresses two security/privacy concerns: redacting the AWS session token in MongoClient __repr__ output, and ensuring the OIDC ALLOWED_HOSTS check is performed before reusing a cached authenticator.
Changes:
- Redact
AWS_SESSION_TOKENinauthMechanismPropertieswhen generating client__repr__. - Move the OIDC
ALLOWED_HOSTSvalidation in_get_authenticatorto run before returning a cached authenticator. - Add corresponding tests in both sync and async test suites.
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| pymongo/synchronous/mongo_client.py | Adds redaction helper for AWS session token in _repr_helper. |
| pymongo/asynchronous/mongo_client.py | Mirrors the sync redaction logic for async client. |
| pymongo/synchronous/auth_oidc.py | Reorders allowed-hosts check to occur before cache reuse. |
| pymongo/asynchronous/auth_oidc.py | Mirrors the sync OIDC change for the async path. |
| test/test_client.py | Adds test for AWS session token redaction in repr. |
| test/asynchronous/test_client.py | Async counterpart for repr redaction test. |
| test/test_auth_oidc.py | Tests allowed-hosts check happens before cache reuse. |
| test/asynchronous/test_auth_oidc.py | Async counterpart for allowed-hosts cache test. |
| for key in redacted: | ||
| if key.upper() == "AWS_SESSION_TOKEN": |
| def redact_auth_mechanism_properties(value: Any) -> Any: | ||
| if isinstance(value, dict): | ||
| redacted = value.copy() | ||
| for key in redacted: | ||
| if key.upper() == "AWS_SESSION_TOKEN": | ||
| redacted[key] = "<redacted>" | ||
| return redacted | ||
| return value |
| if credentials.cache.data: | ||
| return credentials.cache.data |
| authenticator = _get_authenticator(credentials, ("good.example.com", 27017)) | ||
| self.assertIs(authenticator, credentials.cache.data) |
| "mongodb://AKIA:SECRET@localhost:27017/" | ||
| f"?authMechanism=MONGODB-AWS&authMechanismProperties=AWS_SESSION_TOKEN:{token}", |
fd2ade2 to
24f74fd
Compare
|
Assigned |
|
Hi, thanks for your contribution. Please update your pull request to be in line with out pull request template guidelines. |
|
Hi @Jibola, I've updated the PR description per the template. Ready for another look when you have a chance. |
|
@NguyenCong2k Thanks! I don't see this in the PR?
|
| def redact_auth_mechanism_properties_for_repr(value: Any) -> Any: | ||
| """Redact sensitive auth mechanism properties before including them in repr.""" | ||
| if not isinstance(value, dict): | ||
| return value | ||
|
|
||
| redacted = value.copy() | ||
| for key in redacted: | ||
| if str(key).upper() not in _SAFE_AUTH_MECHANISM_PROPS_FOR_REPR: | ||
| redacted[key] = "<redacted>" | ||
| return redacted |
58c7007 to
ef49b60
Compare
|
@aclark4life Thanks for catching this. That OIDC item was accidentally left in this PR description; the fix was implemented and merged separately in #2801 under PYTHON-5921. I've rebased this branch onto |
PYTHON-5928
AWS session tokens passed via
authMechanismProperties(for example,AWS_SESSION_TOKEN) were rendered in plain text insideMongoClient.__repr__, leaking short-lived AWS credentials into logs and error messages. The existing username/password redaction did not cover authentication mechanism properties.Changes in this PR
pymongo.common.redact_auth_mechanism_properties_for_repr, which redacts every authentication mechanism property whose upper-cased name is not in the safe allowlist (ALLOWED_HOSTS,CANONICALIZE_HOST_NAME,ENVIRONMENT,SERVICE_HOST,SERVICE_NAME,SERVICE_REALM,TOKEN_RESOURCE).pymongo/asynchronous/mongo_client.pyandpymongo/synchronous/mongo_client.py.AWS_SESSION_TOKENsupplied through the connection URI.aws_session_tokenand a customCUSTOM_API_KEYsupplied throughauthMechanismPropertieskwargs.TOKEN_RESOURCEvalues remaining visible.The allowlist approach, rather than a single-key denylist, also prevents other custom token-, password-, secret-, or key-bearing properties from leaking through the client repr.
Test Plan
Local result:
4 passed.Manual verification:
Checklist
Checklist for Author
Checklist for Reviewer