authorbengr@chromium.org <bengr@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2014-07-03 00:00:07 +0000
committerbengr@chromium.org <bengr@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2014-07-03 00:00:07 +0000
commita35b272e567c06ca18a7b12f5c7d5e40e1d5ea82 (patch)
tree61007362bfccaaf7a091a60dcefbb8b7194c2b10 /net/http
parenta8d58b9e1843cb25482d2eb675cd840296b7f506 (diff)
Elide data reduction proxy credentials from NetLog
BUG=345907 Review URL: https://codereview.chromium.org/361053002 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@281117 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/http')
-rw-r--r--net/http/http_log_util.cc71
-rw-r--r--net/http/http_log_util_unittest.cc56
2 files changed, 72 insertions, 55 deletions
diff --git a/net/http/http_log_util.cc b/net/http/http_log_util.cc
index ab6ebda..570232f 100644
--- a/net/http/http_log_util.cc
+++ b/net/http/http_log_util.cc
@@ -7,6 +7,7 @@
#include "base/strings/string_util.h"
#include "base/strings/stringprintf.h"
#include "net/http/http_auth_challenge_tokenizer.h"
+#include "net/http/http_util.h"
namespace net {
@@ -33,39 +34,57 @@ bool ShouldRedactChallenge(HttpAuthChallengeTokenizer* challenge) {
} // namespace
+#if defined(SPDY_PROXY_AUTH_ORIGIN)
+void ElideChromeProxyDirective(const std::string& header_value,
+ const std::string& directive,
+ std::string::const_iterator* redact_begin,
+ std::string::const_iterator* redact_end) {
+ HttpUtil::ValuesIterator it(header_value.begin(), header_value.end(), ',');
+ while (it.GetNext()) {
+ if (LowerCaseEqualsASCII(it.value_begin(),
+ it.value_begin() + directive.size(),
+ directive.c_str())) {
+ *redact_begin = it.value_begin();
+ *redact_end = it.value_end();
+ return;
+ }
+ }
+}
+#endif
+
std::string ElideHeaderValueForNetLog(NetLog::LogLevel log_level,
const std::string& header,
const std::string& value) {
+ std::string::const_iterator redact_begin = value.begin();
+ std::string::const_iterator redact_end = value.begin();
#if defined(SPDY_PROXY_AUTH_ORIGIN)
- if (!base::strcasecmp(header.c_str(), "proxy-authorization") ||
- !base::strcasecmp(header.c_str(), "proxy-authenticate")) {
- return "[elided]";
+ if (!base::strcasecmp(header.c_str(), "chrome-proxy")) {
+ ElideChromeProxyDirective(value, "sid=", &redact_begin, &redact_end);
}
#endif
- if (log_level < NetLog::LOG_STRIP_PRIVATE_DATA)
- return value;
-
- // Note: this logic should be kept in sync with stripCookiesAndLoginInfo in
- // chrome/browser/resources/net_internals/log_view_painter.js.
-
- std::string::const_iterator redact_begin = value.begin();
- std::string::const_iterator redact_end = value.begin();
- if (!base::strcasecmp(header.c_str(), "set-cookie") ||
- !base::strcasecmp(header.c_str(), "set-cookie2") ||
- !base::strcasecmp(header.c_str(), "cookie") ||
- !base::strcasecmp(header.c_str(), "authorization") ||
- !base::strcasecmp(header.c_str(), "proxy-authorization")) {
- redact_begin = value.begin();
- redact_end = value.end();
- } else if (!base::strcasecmp(header.c_str(), "www-authenticate") ||
- !base::strcasecmp(header.c_str(), "proxy-authenticate")) {
- // Look for authentication information from data received from the server in
- // multi-round Negotiate authentication.
- HttpAuthChallengeTokenizer challenge(value.begin(), value.end());
- if (ShouldRedactChallenge(&challenge)) {
- redact_begin = challenge.params_begin();
- redact_end = challenge.params_end();
+ if (redact_begin == redact_end &&
+ log_level >= NetLog::LOG_STRIP_PRIVATE_DATA) {
+
+ // Note: this logic should be kept in sync with stripCookiesAndLoginInfo in
+ // chrome/browser/resources/net_internals/log_view_painter.js.
+
+ if (!base::strcasecmp(header.c_str(), "set-cookie") ||
+ !base::strcasecmp(header.c_str(), "set-cookie2") ||
+ !base::strcasecmp(header.c_str(), "cookie") ||
+ !base::strcasecmp(header.c_str(), "authorization") ||
+ !base::strcasecmp(header.c_str(), "proxy-authorization")) {
+ redact_begin = value.begin();
+ redact_end = value.end();
+ } else if (!base::strcasecmp(header.c_str(), "www-authenticate") ||
+ !base::strcasecmp(header.c_str(), "proxy-authenticate")) {
+ // Look for authentication information from data received from the server
+ // in multi-round Negotiate authentication.
+ HttpAuthChallengeTokenizer challenge(value.begin(), value.end());
+ if (ShouldRedactChallenge(&challenge)) {
+ redact_begin = challenge.params_begin();
+ redact_end = challenge.params_end();
+ }
}
}
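Review bot: In `ElideChromeProxyDirective` the comparison range `it.value_begin() + directive.size()` is formed without checking that the current value is at least `directive.size()` characters long, so a short trailing value (for example a header value of just `a`) moves the iterator past `it.value_end()` and potentially past the end of `header_value`. Whether `LowerCaseEqualsASCII` stops before reading out of range depends on its implementation, which is not visible in this hunk, and checked-iterator builds may fault on the addition itself. Put a length guard ahead of the comparison, e.g. `static_cast<size_t>(it.value_end() - it.value_begin()) >= directive.size() &&`. The loop also returns on the first match, so a second `sid=` directive in the same header would be logged unredacted; the rest of `ElideHeaderValueForNetLog` lies outside the hunk, but it appears to carry only one redaction range, so a comment such as `// Only the first matching directive is elided.` would at least record that limit.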
diff --git a/net/http/http_log_util_unittest.cc b/net/http/http_log_util_unittest.cc
index 1b0e9db..3c5c826 100644
--- a/net/http/http_log_util_unittest.cc
+++ b/net/http/http_log_util_unittest.cc
@@ -10,66 +10,64 @@ namespace net {
TEST(HttpLogUtilTest, ElideHeaderValueForNetLog) {
// Only elide for appropriate log level.
EXPECT_EQ("[10 bytes were stripped]", ElideHeaderValueForNetLog(
- net::NetLog::LOG_STRIP_PRIVATE_DATA, "Cookie", "name=value"));
+ NetLog::LOG_STRIP_PRIVATE_DATA, "Cookie", "name=value"));
EXPECT_EQ("name=value", ElideHeaderValueForNetLog(
- net::NetLog::LOG_ALL_BUT_BYTES, "Cookie", "name=value"));
+ NetLog::LOG_ALL_BUT_BYTES, "Cookie", "name=value"));
// Headers are compared case insensitively.
EXPECT_EQ("[10 bytes were stripped]", ElideHeaderValueForNetLog(
- net::NetLog::LOG_STRIP_PRIVATE_DATA, "cOoKiE", "name=value"));
+ NetLog::LOG_STRIP_PRIVATE_DATA, "cOoKiE", "name=value"));
// These headers should be completely elided.
EXPECT_EQ("[10 bytes were stripped]", ElideHeaderValueForNetLog(
- net::NetLog::LOG_STRIP_PRIVATE_DATA, "Set-Cookie", "name=value"));
+ NetLog::LOG_STRIP_PRIVATE_DATA, "Set-Cookie", "name=value"));
EXPECT_EQ("[10 bytes were stripped]", ElideHeaderValueForNetLog(
- net::NetLog::LOG_STRIP_PRIVATE_DATA, "Set-Cookie2", "name=value"));
+ NetLog::LOG_STRIP_PRIVATE_DATA, "Set-Cookie2", "name=value"));
EXPECT_EQ("[10 bytes were stripped]", ElideHeaderValueForNetLog(
- net::NetLog::LOG_STRIP_PRIVATE_DATA, "Authorization", "Basic 1234"));
-#if !defined(SPDY_PROXY_AUTH_ORIGIN)
+ NetLog::LOG_STRIP_PRIVATE_DATA, "Authorization", "Basic 1234"));
EXPECT_EQ("[10 bytes were stripped]", ElideHeaderValueForNetLog(
- net::NetLog::LOG_STRIP_PRIVATE_DATA,
- "Proxy-Authorization", "Basic 1234"));
-#endif
+ NetLog::LOG_STRIP_PRIVATE_DATA, "Proxy-Authorization", "Basic 1234"));
// Unknown headers should pass through.
EXPECT_EQ("value", ElideHeaderValueForNetLog(
- net::NetLog::LOG_STRIP_PRIVATE_DATA, "Boring", "value"));
+ NetLog::LOG_STRIP_PRIVATE_DATA, "Boring", "value"));
// Basic and Digest auth challenges are public.
EXPECT_EQ("Basic realm=test", ElideHeaderValueForNetLog(
- net::NetLog::LOG_STRIP_PRIVATE_DATA,
- "WWW-Authenticate", "Basic realm=test"));
+ NetLog::LOG_STRIP_PRIVATE_DATA, "WWW-Authenticate", "Basic realm=test"));
EXPECT_EQ("Digest realm=test", ElideHeaderValueForNetLog(
- net::NetLog::LOG_STRIP_PRIVATE_DATA,
- "WWW-Authenticate", "Digest realm=test"));
-#if !defined(SPDY_PROXY_AUTH_ORIGIN)
+ NetLog::LOG_STRIP_PRIVATE_DATA, "WWW-Authenticate", "Digest realm=test"));
EXPECT_EQ("Basic realm=test", ElideHeaderValueForNetLog(
- net::NetLog::LOG_STRIP_PRIVATE_DATA,
+ NetLog::LOG_STRIP_PRIVATE_DATA,
"Proxy-Authenticate", "Basic realm=test"));
EXPECT_EQ("Digest realm=test", ElideHeaderValueForNetLog(
- net::NetLog::LOG_STRIP_PRIVATE_DATA,
+ NetLog::LOG_STRIP_PRIVATE_DATA,
"Proxy-Authenticate", "Digest realm=test"));
-#endif
// Multi-round mechanisms partially elided.
EXPECT_EQ("NTLM [4 bytes were stripped]", ElideHeaderValueForNetLog(
- net::NetLog::LOG_STRIP_PRIVATE_DATA, "WWW-Authenticate", "NTLM 1234"));
-#if !defined(SPDY_PROXY_AUTH_ORIGIN)
+ NetLog::LOG_STRIP_PRIVATE_DATA, "WWW-Authenticate", "NTLM 1234"));
EXPECT_EQ("NTLM [4 bytes were stripped]", ElideHeaderValueForNetLog(
- net::NetLog::LOG_STRIP_PRIVATE_DATA, "Proxy-Authenticate", "NTLM 1234"));
-#endif
+ NetLog::LOG_STRIP_PRIVATE_DATA, "Proxy-Authenticate", "NTLM 1234"));
// Leave whitespace intact.
EXPECT_EQ("NTLM [4 bytes were stripped] ", ElideHeaderValueForNetLog(
- net::NetLog::LOG_STRIP_PRIVATE_DATA, "WWW-Authenticate", "NTLM 1234 "));
+ NetLog::LOG_STRIP_PRIVATE_DATA, "WWW-Authenticate", "NTLM 1234 "));
// Extra elisions for SPDY_PROXY_AUTH_ORIGIN.
#if defined(SPDY_PROXY_AUTH_ORIGIN)
- EXPECT_EQ("[elided]", ElideHeaderValueForNetLog(
- net::NetLog::LOG_ALL_BUT_BYTES,
- "Proxy-Authenticate", "Basic realm=test"));
- EXPECT_EQ("[elided]", ElideHeaderValueForNetLog(
- net::NetLog::LOG_ALL_BUT_BYTES, "Proxy-Authorization", "Basic 1234"));
+ EXPECT_EQ("ps=123, [7 bytes were stripped], c=foo, v=bar",
+ ElideHeaderValueForNetLog(
+ NetLog::LOG_STRIP_PRIVATE_DATA,
+ "Chrome-Proxy", "ps=123, sid=456, c=foo, v=bar"));
+ EXPECT_EQ("[7 bytes were stripped], ps=123, c=foo, v=bar",
+ ElideHeaderValueForNetLog(
+ NetLog::LOG_STRIP_PRIVATE_DATA,
+ "Chrome-Proxy", "sid=456, ps=123, c=foo, v=bar"));
+ EXPECT_EQ("ps=123, c=foo, v=bar, [7 bytes were stripped]",
+ ElideHeaderValueForNetLog(
+ NetLog::LOG_STRIP_PRIVATE_DATA,
+ "Chrome-Proxy", "ps=123, c=foo, v=bar, sid=456"));
#endif
}
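Review bot: The three new `Chrome-Proxy` expectations all pass `NetLog::LOG_STRIP_PRIVATE_DATA`, yet in http_log_util.cc the `sid=` elision runs before the log-level check and so appears intended to apply at every level; the removed `[elided]` cases used `LOG_ALL_BUT_BYTES` to cover exactly that. Add a case at `NetLog::LOG_ALL_BUT_BYTES`, presumably expecting `"ps=123, [7 bytes were stripped], c=foo, v=bar"` for `"ps=123, sid=456, c=foo, v=bar"`, so a regression that lets the session credential into verbose logs is caught. A `Chrome-Proxy` value shorter than `sid=` and one with no `sid` directive at all are also worth pinning as pass-through, since neither the short-value path nor the no-match path of the new helper is exercised here.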