Pact-js: Add logLevel to options of pact.verifyPacts()

Created on 15 Nov 2018  路  6Comments  路  Source: pact-foundation/pact-js

Problem:
When customProviderHeaders is used, pact always logs the its content in plain text in logs as warn. Sometimes these headers contain sensitive information like authorisation, which would be best if not logged at all.
Solution:
Add capability to control logging level of pact.verifyPacts(opts), then we could decide if sensitive information should be logged or not.

enhancement

Most helpful comment

We should be able to help you with this - but in the meantime, perhaps you could pipe the output through a grep -v to remove the sensitive logs?

All 6 comments

Can you help us understand the risk better?

Sure, in my case we need to send the AWS API Key of our REST APIs, which are logged, not a big problem for dev and test environments, but holds us from doing test in production because we can't have sensitive information logged.
In other cases besides mine, it could user and password from Basic Auth, or a long lived token that could exploited for hacking.

Understand, my initial reaction was similar to Beth. In _most_ use cases, these tests should occur on a development machine/environment where security shouldn't be an issue. There are some edge cases where I think this could be useful, in particular, when verifying against third party APIs or APIs you have less control over than you'd like, but still want to do contract testing (very much an advanced use case).

We should be able to help you with this - but in the meantime, perhaps you could pipe the output through a grep -v to remove the sensitive logs?

We noted the same in our CI builds, when calling pact.verifyPacts(opts), it would output the credentials to the command line, in the output.

In order to supress this, we call the *.js file containing the verification code, with a shell script

#!/bin/bash

set -o pipefail
node server/providerTests/<fileName>.js | grep -v Created 
````

Setting pipefail, means that any errors from the left hand side of the pipe are carried through, rather than just getting the exit code from the grep command.

This means our circleci builds output the verification results in CI, but without leaking the basic auth creds for the broker.

This was important for me in my own projects as mine are public, for my work, less of an issue as everyone needs credentials to read the build logs, but I am always risk adverse so the less I can leak, the better 馃憤 

See here for a circleci job implementing the above bash script

https://circleci.com/gh/YOU54F/pact-consumer-example-typescript/517?utm_campaign=vcs-integration-link&utm_medium=referral&utm_source=github-build-link


output

!/bin/bash

yarn run pact-verify-provider
yarn run v1.12.3
$ ./src/pact/tasks/verify-provider_pact.sh
[2019-03-24T22:27:04.336Z] INFO: [email protected]/80 on b66534db4b98: Verifying provider
[2019-03-24T22:27:04.343Z] INFO: [email protected]/80 on b66534db4b98: Verifying Pacts.
[2019-03-24T22:27:04.344Z] INFO: [email protected]/80 on b66534db4b98: Verifying Pact Files
[2019-03-24T22:27:06.457Z] WARN: [email protected]/80 on b66534db4b98: No state handler found for "A pet 1845563262948980200 exists", ignorning
[2019-03-24T22:27:06.989Z] INFO: [email protected]/80 on b66534db4b98: Pact Verification succeeded.
success
Done in 3.23s.
```

Thanks for the example @YOU54F

Was this page helpful?
0 / 5 - 0 ratings

Related issues

blackbaud-joshlandi picture blackbaud-joshlandi  路  8Comments

alexeits picture alexeits  路  8Comments

asadzaheer picture asadzaheer  路  3Comments

christopher-francisco picture christopher-francisco  路  6Comments

eauc picture eauc  路  6Comments