test: fix log headers (#5222)

* test: fix log headers * ensure just public types are tested * fix(postgres): proper statements for setup step 7 --------- Co-authored-by: adlerhurst <silvan.reusser@gmail.com>
2025-08-11 19:07:30 +00:00 · 2023-02-15 04:21:58 +01:00
parent 681541f41b
commit 058192c22b
9 changed files with 158 additions and 37 deletions
--- a/internal/logstore/emitters/access/record.go
+++ b/internal/logstore/emitters/access/record.go
@@ -39,36 +39,41 @@ const (
 func (a Record) Normalize() logstore.LogRecord {
 	a.RequestedDomain = cutString(a.RequestedDomain, 200)
 	a.RequestURL = cutString(a.RequestURL, 200)
-	normalizeHeaders(a.RequestHeaders, strings.ToLower(zitadel_http.Authorization), "grpcgateway-authorization", "cookie", "grpcgateway-cookie")
-	normalizeHeaders(a.ResponseHeaders, "set-cookie")
+	a.RequestHeaders = normalizeHeaders(a.RequestHeaders, strings.ToLower(zitadel_http.Authorization), "grpcgateway-authorization", "cookie", "grpcgateway-cookie")
+	a.ResponseHeaders = normalizeHeaders(a.ResponseHeaders, "set-cookie")
 	return &a
 }

+// normalizeHeaders lowers all header keys and redacts secrets
+func normalizeHeaders(header map[string][]string, redactKeysLower ...string) map[string][]string {
+	return pruneKeys(redactKeys(lowerKeys(header), redactKeysLower...))
+}
+
+func lowerKeys(header map[string][]string) map[string][]string {
+	lower := make(map[string][]string, len(header))
+	for k, v := range header {
+		lower[strings.ToLower(k)] = v
+	}
+	return lower
+}
+
+func redactKeys(header map[string][]string, redactKeysLower ...string) map[string][]string {
+	redactedKeys := make(map[string][]string, len(header))
+	for k, v := range header {
+		redactedKeys[k] = v
+	}
+	for _, redactKey := range redactKeysLower {
+		if _, ok := redactedKeys[redactKey]; ok {
+			redactedKeys[redactKey] = []string{redacted}
+		}
+	}
+	return redactedKeys
+}
+
 const maxValuesPerKey = 10

-// normalizeHeaders lowers all header keys and redacts secrets
-func normalizeHeaders(header map[string][]string, redactKeysLower ...string) {
-	lowerKeys(header)
-	redactKeys(header, redactKeysLower...)
-	pruneKeys(header)
-}
-
-func lowerKeys(header map[string][]string) {
-	for k, v := range header {
-		delete(header, k)
-		header[strings.ToLower(k)] = v
-	}
-}
-
-func redactKeys(header map[string][]string, redactKeysLower ...string) {
-	for _, redactKey := range redactKeysLower {
-		if _, ok := header[redactKey]; ok {
-			header[redactKey] = []string{redacted}
-		}
-	}
-}
-
-func pruneKeys(header map[string][]string) {
+func pruneKeys(header map[string][]string) map[string][]string {
+	prunedKeys := make(map[string][]string, len(header))
 	for key, value := range header {
 		valueItems := make([]string, 0, maxValuesPerKey)
 		for i, valueItem := range value {
@@ -79,8 +84,9 @@ func pruneKeys(header map[string][]string) {
 			// Max 200 value length
 			valueItems = append(valueItems, cutString(valueItem, 200))
 		}
-		header[key] = valueItems
+		prunedKeys[key] = valueItems
 	}
+	return prunedKeys
 }

 func cutString(str string, pos int) string {
--- a/internal/logstore/emitters/access/record_test.go
+++ b/internal/logstore/emitters/access/record_test.go
@@ -0,0 +1,79 @@
+package access_test
+
+import (
+	"reflect"
+	"testing"
+
+	"github.com/zitadel/zitadel/internal/logstore/emitters/access"
+)
+
+func TestRecord_Normalize(t *testing.T) {
+	tests := []struct {
+		name   string
+		record access.Record
+		want   *access.Record
+	}{{
+		name: "headers with certain keys should be redacted",
+		record: access.Record{
+			RequestHeaders: map[string][]string{
+				"authorization":             {"AValue"},
+				"grpcgateway-authorization": {"AValue"},
+				"cookie":                    {"AValue"},
+				"grpcgateway-cookie":        {"AValue"},
+			}, ResponseHeaders: map[string][]string{
+				"set-cookie": {"AValue"},
+			},
+		},
+		want: &access.Record{
+			RequestHeaders: map[string][]string{
+				"authorization":             {"[REDACTED]"},
+				"grpcgateway-authorization": {"[REDACTED]"},
+				"cookie":                    {"[REDACTED]"},
+				"grpcgateway-cookie":        {"[REDACTED]"},
+			}, ResponseHeaders: map[string][]string{
+				"set-cookie": {"[REDACTED]"},
+			},
+		},
+	}, {
+		name: "header keys should be lower cased",
+		record: access.Record{
+			RequestHeaders:  map[string][]string{"AKey": {"AValue"}},
+			ResponseHeaders: map[string][]string{"AKey": {"AValue"}}},
+		want: &access.Record{
+			RequestHeaders:  map[string][]string{"akey": {"AValue"}},
+			ResponseHeaders: map[string][]string{"akey": {"AValue"}}},
+	}, {
+		name: "an already prune record should stay unchanged",
+		record: access.Record{
+			RequestURL: "https://my.zitadel.cloud/",
+			RequestHeaders: map[string][]string{
+				"authorization": {"[REDACTED]"},
+			},
+			ResponseHeaders: map[string][]string{},
+		},
+		want: &access.Record{
+			RequestURL: "https://my.zitadel.cloud/",
+			RequestHeaders: map[string][]string{
+				"authorization": {"[REDACTED]"},
+			},
+			ResponseHeaders: map[string][]string{},
+		},
+	}, {
+		name: "empty record should stay empty",
+		record: access.Record{
+			RequestHeaders:  map[string][]string{},
+			ResponseHeaders: map[string][]string{},
+		},
+		want: &access.Record{
+			RequestHeaders:  map[string][]string{},
+			ResponseHeaders: map[string][]string{},
+		},
+	}}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := tt.record.Normalize(); !reflect.DeepEqual(got, tt.want) {
+				t.Errorf("Normalize() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}