| 256 | } |
| 257 | |
| 258 | func TestAdminHandlerServeHTTPRedactsSensitiveHeadersInLogs(t *testing.T) { |
| 259 | core, logs := observer.New(zap.InfoLevel) |
| 260 | |
| 261 | defaultLoggerMu.Lock() |
| 262 | origLogger := defaultLogger.logger |
| 263 | defaultLogger.logger = zap.New(core) |
| 264 | defaultLoggerMu.Unlock() |
| 265 | t.Cleanup(func() { |
| 266 | defaultLoggerMu.Lock() |
| 267 | defaultLogger.logger = origLogger |
| 268 | defaultLoggerMu.Unlock() |
| 269 | }) |
| 270 | |
| 271 | handler := adminHandler{ |
| 272 | mux: http.NewServeMux(), |
| 273 | } |
| 274 | req := httptest.NewRequest(http.MethodGet, "/", nil) |
| 275 | req.Header.Set("Authorization", "Bearer secret") |
| 276 | req.Header.Set("Cookie", "session=secret") |
| 277 | req.Header.Set("X-Test", "ok") |
| 278 | rr := httptest.NewRecorder() |
| 279 | |
| 280 | handler.ServeHTTP(rr, req) |
| 281 | |
| 282 | if logs.Len() == 0 { |
| 283 | t.Fatal("expected request log entry") |
| 284 | } |
| 285 | |
| 286 | ctx := logs.All()[0].ContextMap() |
| 287 | headers, ok := ctx["headers"].(map[string]any) |
| 288 | if !ok { |
| 289 | t.Fatalf("expected headers field in log context, got %T", ctx["headers"]) |
| 290 | } |
| 291 | |
| 292 | if got := headers["Authorization"]; !reflect.DeepEqual(got, []any{"REDACTED"}) { |
| 293 | t.Fatalf("expected redacted Authorization header, got %#v", got) |
| 294 | } |
| 295 | if got := headers["Cookie"]; !reflect.DeepEqual(got, []any{"REDACTED"}) { |
| 296 | t.Fatalf("expected redacted Cookie header, got %#v", got) |
| 297 | } |
| 298 | if got := headers["X-Test"]; !reflect.DeepEqual(got, []any{"ok"}) { |
| 299 | t.Fatalf("expected X-Test header to remain visible, got %#v", got) |
| 300 | } |
| 301 | } |
| 302 | |
| 303 | func initAdminMetrics() { |
| 304 | if adminMetrics.requestErrors != nil { |