TPT-4014: Redact sensitive data from logging (#906)

* Redact sensitive data from logging

* Address copilot suggestions

* TPT-4014 Address comments suggestions

Author: dawiddzhafarov

client.go

@@ -66,6 +66,12 @@ Body: {{.Body}}`))
 
 var envDebug = false
 
+// redactHeadersMap is a map of headers that should be redacted in logs,
+// mapping the header name to its redacted value.
+var redactHeadersMap = map[string]string{
+	"Authorization": "Bearer *******************************",
+}
+
 // Client is a wrapper around the Resty client
 type Client struct {
 	resty             *resty.Client
@@ -394,6 +400,19 @@ func (c *httpClient) applyAfterResponse(resp *http.Response) error {
 	return nil
 }
 
+// nolint:unused
+func redactHeaders(headers http.Header) http.Header {
+	redacted := headers.Clone()
+
+	for header, redactedValue := range redactHeadersMap {
+		if headers.Get(header) != "" {
+			redacted.Set(header, redactedValue)
+		}
+	}
+
+	return redacted
+}
+
 // nolint:unused
 func (c *httpClient) logRequest(req *http.Request, method, url string, bodyBuffer *bytes.Buffer) {
 	var reqBody string
@@ -408,7 +427,7 @@ func (c *httpClient) logRequest(req *http.Request, method, url string, bodyBuffe
 	err := reqLogTemplate.Execute(&logBuf, map[string]any{
 		"Method":  method,
 		"URL":     url,
-		"Headers": req.Header,
+		"Headers": redactHeaders(req.Header),
 		"Body":    reqBody,
 	})
 	if err == nil {
@@ -456,7 +475,7 @@ func (c *httpClient) logResponse(resp *http.Response) (*http.Response, error) {
 
 	err := respLogTemplate.Execute(&logBuf, map[string]any{
 		"Status":  resp.Status,
-		"Headers": resp.Header,
+		"Headers": redactHeaders(resp.Header),
 		"Body":    respBody.String(),
 	})
 	if err == nil {
@@ -827,10 +846,22 @@ func (c *Client) updateHostURL() {
 	)
 }
 
+func redactLogHeaders(header http.Header) {
+	for h, redactedValue := range redactHeadersMap {
+		if header.Get(h) != "" {
+			header.Set(h, redactedValue)
+		}
+	}
+}
+
 func (c *Client) enableLogSanitization() *Client {
 	c.resty.OnRequestLog(func(r *resty.RequestLog) error {
-		// masking authorization header
-		r.Header.Set("Authorization", "Bearer *******************************")
+		redactLogHeaders(r.Header)
+		return nil
+	})
+
+	c.resty.OnResponseLog(func(r *resty.ResponseLog) error {
+		redactLogHeaders(r.Header)
 		return nil
 	})
 

client_test.go

@@ -17,6 +17,7 @@ import (
 	"github.com/google/go-cmp/cmp"
 	"github.com/jarcoal/httpmock"
 	"github.com/linode/linodego/internal/testutil"
+	"github.com/stretchr/testify/require"
 )
 
 func TestClient_SetAPIVersion(t *testing.T) {
@@ -703,3 +704,101 @@ func TestMonitorClient_SetAPIBasics(t *testing.T) {
 		t.Fatal(cmp.Diff(client.resty.BaseURL, expectedHost))
 	}
 }
+
+func TestRedactHeaders(t *testing.T) {
+	tests := []struct {
+		name    string
+		headers http.Header
+		wantVal map[string]string
+	}{
+		{
+			name: "redacts authorization header",
+			headers: http.Header{
+				"Authorization": []string{"Bearer supersecrettoken"},
+				"Content-Type":  []string{"application/json"},
+			},
+			wantVal: map[string]string{
+				"Authorization": redactHeadersMap["Authorization"],
+				"Content-Type":  "application/json",
+			},
+		},
+		{
+			name: "leaves non-sensitive headers unchanged",
+			headers: http.Header{
+				"Content-Type": []string{"application/json"},
+				"Accept":       []string{"application/json"},
+			},
+			wantVal: map[string]string{
+				"Content-Type": "application/json",
+				"Accept":       "application/json",
+			},
+		},
+		{
+			name:    "handles empty headers",
+			headers: http.Header{},
+			wantVal: map[string]string{},
+		},
+		{
+			name: "does not mutate original headers",
+			headers: http.Header{
+				"Authorization": []string{"Bearer supersecrettoken"},
+			},
+			wantVal: map[string]string{
+				"Authorization": redactHeadersMap["Authorization"],
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			originalAuth := tt.headers.Get("Authorization")
+
+			result := redactHeaders(tt.headers)
+
+			// Verify expected values in result
+			for key, expectedVal := range tt.wantVal {
+				if got := result.Get(key); got != expectedVal {
+					t.Errorf("redactHeaders() header %q = %q, want %q", key, got, expectedVal)
+				}
+			}
+
+			// Verify original was not mutated
+			if tt.headers.Get("Authorization") != originalAuth {
+				t.Error("redactHeaders() mutated the original headers")
+			}
+		})
+	}
+}
+
+func TestEnableLogSanitization(t *testing.T) {
+	mockClient := testutil.CreateMockClient(t, NewClient)
+	mockClient.SetDebug(true)
+
+	plainTextToken := "supersecrettoken"
+	mockClient.SetToken(plainTextToken)
+
+	var logBuf bytes.Buffer
+	logger := testutil.CreateLogger()
+	logger.L.SetOutput(&logBuf)
+	mockClient.SetLogger(logger)
+
+	httpmock.RegisterResponder("GET", "=~.*",
+		httpmock.NewStringResponder(200, `{}`).HeaderSet(http.Header{
+			"Authorization": []string{"Bearer " + plainTextToken},
+		}))
+
+	_, err := mockClient.resty.R().Get("https://api.linode.com/v4/test")
+	require.NoError(t, err)
+
+	logOutput := logBuf.String()
+
+	// Verify token is not present in either request or response logs
+	if strings.Contains(logOutput, plainTextToken) {
+		t.Errorf("log output contains raw token %q, expected it to be redacted", plainTextToken)
+	}
+
+	// Verify Authorization header still appears (as redacted value) in request log
+	if !strings.Contains(logOutput, "Authorization") {
+		t.Error("expected Authorization header to appear in request log output")
+	}
+}