Masking

🤖 AI-Generated Content

This documentation was generated with AI assistance and is still being audited. Some, or potentially a lot, of this information may be inaccurate. Learn more.

provide.foundation.security.masking

Functions

mask_command

mask_command(
    cmd: str | list[str],
    secret_patterns: list[str] | None = None,
    masked: str = MASKED_VALUE,
) -> str

Mask secrets in command for safe logging.

Parameters:

Name	Type	Description	Default
cmd	str | list[str]	Command string or list to mask	required
secret_patterns	list[str] | None	List of regex patterns to match secrets	None
masked	str	Replacement value for matched secrets	MASKED_VALUE

Returns:

Type	Description
str	Command string with secrets masked

Source code in provide/foundation/security/masking.py

def mask_command(
    cmd: str | list[str],
    secret_patterns: list[str] | None = None,
    masked: str = MASKED_VALUE,
) -> str:
    """Mask secrets in command for safe logging.

    Args:
        cmd: Command string or list to mask
        secret_patterns: List of regex patterns to match secrets
        masked: Replacement value for matched secrets

    Returns:
        Command string with secrets masked

    """
    # Convert to string if list
    cmd_str = " ".join(cmd) if isinstance(cmd, list) else cmd

    return mask_secrets(cmd_str, secret_patterns, masked)

mask_secrets

mask_secrets(
    text: str,
    secret_patterns: list[str] | None = None,
    masked: str = MASKED_VALUE,
) -> str

Mask secrets in text using regex patterns.

Parameters:

Name	Type	Description	Default
text	str	Text to mask secrets in	required
secret_patterns	list[str] | None	List of regex patterns to match secrets	None
masked	str	Replacement value for matched secrets	MASKED_VALUE

Returns:

Type	Description
str	Text with secrets masked

Source code in provide/foundation/security/masking.py

def mask_secrets(
    text: str,
    secret_patterns: list[str] | None = None,
    masked: str = MASKED_VALUE,
) -> str:
    """Mask secrets in text using regex patterns.

    Args:
        text: Text to mask secrets in
        secret_patterns: List of regex patterns to match secrets
        masked: Replacement value for matched secrets

    Returns:
        Text with secrets masked

    """
    # Fast path: for default patterns, do a cheap case-insensitive keyword
    # check before running any regex. Most log messages contain no secret
    # keywords, so this skips all 22 pattern.sub() calls.
    if secret_patterns is None:
        text_lower = text.lower()
        if not any(kw in text_lower for kw in _DEFAULT_QUICK_CHECK_KEYWORDS):
            return text

    compiled = _get_compiled_patterns(secret_patterns)

    result = text
    for pattern in compiled:
        # Pattern should have 2 groups: (prefix)(secret_value)
        # We keep the prefix and mask the value
        result = pattern.sub(
            lambda m: f"{m.group(1)}{masked}",
            result,
        )

    return result

should_mask

should_mask(
    text: str, secret_patterns: list[str] | None = None
) -> bool

Check if text contains secrets that should be masked.

Parameters:

Name	Type	Description	Default
text	str	Text to check	required
secret_patterns	list[str] | None	List of regex patterns to match secrets	None

Returns:

Type	Description
bool	True if text contains secrets

Source code in provide/foundation/security/masking.py

def should_mask(text: str, secret_patterns: list[str] | None = None) -> bool:
    """Check if text contains secrets that should be masked.

    Args:
        text: Text to check
        secret_patterns: List of regex patterns to match secrets

    Returns:
        True if text contains secrets

    """
    # Fast path: no keywords means no secrets possible
    if secret_patterns is None:
        text_lower = text.lower()
        if not any(kw in text_lower for kw in _DEFAULT_QUICK_CHECK_KEYWORDS):
            return False

    compiled = _get_compiled_patterns(secret_patterns)
    return any(pattern.search(text) for pattern in compiled)