
Masking

provide.foundation.security.masking

TODO: Add module docstring.

Functions

mask_command

mask_command(
    cmd: str | list[str],
    secret_patterns: list[str] | None = None,
    masked: str = MASKED_VALUE,
) -> str

Mask secrets in command for safe logging.

Parameters:

Name Type Description Default
cmd str | list[str]

Command string or list to mask

required
secret_patterns list[str] | None

List of regex patterns to match secrets

None
masked str

Replacement value for matched secrets

MASKED_VALUE

Returns:

Type Description
str

Command string with secrets masked

Source code in provide/foundation/security/masking.py
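def mask_command(
    cmd: str | list[str],
    secret_patterns: list[str] | None = None,
    masked: str = MASKED_VALUE,
) -> str:
    """Mask secrets in a command so it can be written to a log.

    An argument list (or tuple) is joined with single spaces and then
    masked; a string is masked as given. The actual matching is delegated
    to ``mask_secrets``.

    Args:
        cmd: Command string, or argument list/tuple, to mask
        secret_patterns: List of regex patterns to match secrets; ``None``
            is passed through and resolved by ``mask_secrets``
        masked: Replacement value for matched secrets

    Returns:
        Command string with secrets masked

    """
    # argv-style commands are passed around as tuples as often as lists.
    # Previously a tuple fell through unjoined and failed inside re.sub
    # with a TypeError, so the log call itself broke.
    if isinstance(cmd, (list, tuple)):
        # Plain join, no shell quoting: the result is for display only and
        # must not be re-executed. Argument boundaries are lost here, so a
        # pattern whose value group stops at whitespace masks only the
        # first word of an argument that contains spaces.
        cmd_str = " ".join(cmd)
    else:
        cmd_str = cmd

    return mask_secrets(cmd_str, secret_patterns, masked)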

mask_secrets

mask_secrets(
    text: str,
    secret_patterns: list[str] | None = None,
    masked: str = MASKED_VALUE,
) -> str

Mask secrets in text using regex patterns.

Parameters:

Name Type Description Default
text str

Text to mask secrets in

required
secret_patterns list[str] | None

List of regex patterns to match secrets

None
masked str

Replacement value for matched secrets

MASKED_VALUE

Returns:

Type Description
str

Text with secrets masked

Source code in provide/foundation/security/masking.py
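def mask_secrets(
    text: str,
    secret_patterns: list[str] | None = None,
    masked: str = MASKED_VALUE,
) -> str:
    """Mask secrets in text using regex patterns.

    Each pattern is applied in turn, case-insensitively, to the output of
    the previous one. Text that no pattern matches is returned unchanged,
    so the result is only as complete as the pattern list.

    Args:
        text: Text to mask secrets in
        secret_patterns: List of regex patterns to match secrets. Each
            pattern is expected to have two groups, ``(prefix)(secret_value)``;
            the prefix is kept and the rest of the match is replaced.
            ``None`` selects ``DEFAULT_SECRET_PATTERNS``.
        masked: Replacement value for matched secrets

    Returns:
        Text with secrets masked

    """
    if secret_patterns is None:
        secret_patterns = DEFAULT_SECRET_PATTERNS

    def _redact(match):
        # Keep the prefix group when the pattern defines one. A pattern
        # without groups used to raise IndexError here, and an optional
        # prefix group that did not participate rendered as the literal
        # text "None". In both cases fail closed: emit only the mask.
        prefix = match.group(1) if match.re.groups else None
        return f"{prefix or ''}{masked}"

    result = text
    for pattern in secret_patterns:
        # A callable replacement inserts `masked` literally; re.sub does
        # not interpret backslashes or group references in its return value.
        result = re.sub(pattern, _redact, result, flags=re.IGNORECASE)

    return result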

should_mask

should_mask(
    text: str, secret_patterns: list[str] | None = None
) -> bool

Check if text contains secrets that should be masked.

Parameters:

Name Type Description Default
text str

Text to check

required
secret_patterns list[str] | None

List of regex patterns to match secrets

None

Returns:

Type Description
bool

True if text contains secrets

Source code in provide/foundation/security/masking.py
def should_mask(text: str, secret_patterns: list[str] | None = None) -> bool:
    """Check if text contains secrets that should be masked.

    Args:
        text: Text to check
        secret_patterns: List of regex patterns to match secrets

    Returns:
        True if text contains secrets

    """
    if secret_patterns is None:
        secret_patterns = DEFAULT_SECRET_PATTERNS

    return any(re.search(pattern, text, flags=re.IGNORECASE) for pattern in secret_patterns)