🔒 Filter ScramCache#inspect, #to_s, #pretty_print

Author: nevans

lib/net/imap/sasl/scram_cache.rb

@@ -58,6 +58,50 @@ def reset(salt: nil, iterations: nil)
           self.iterations      = iterations
           self
         end
+
+        # Returns a string representation with the cached secrets filtered out.
+        def inspect
+          format "#<struct %s %s>", self.class, members
+            .map { [_1, filtered_inspect(_1)].join("=") }
+            .join(", ")
+        end
+        alias to_s inspect
+
+        # Pretty prints a representation with the cached secrets filtered out.
+        def pretty_print(q)
+          q.group(1, sprintf("#<struct %s", PP.mcall(self, Kernel, :class).name), '>') {
+            q.seplist(PP.mcall(self, Struct, :members), lambda { q.text "," }) {|member|
+              q.breakable
+              q.text member.to_s
+              q.text '='
+              q.group(1) {
+                q.breakable ''
+                if secret_member?(member)
+                  q.text filtered_inspect(member)
+                else
+                  q.pp self[member]
+                end
+              }
+            }
+          }
+        end
+
+        private
+
+        def secret_member?(member)
+          member in :salted_password | :client_key | :server_key
+        end
+
+        def filtered_inspect(member)
+          value = self[member]
+          return value.inspect unless secret_member?(member)
+          case value
+          in String then format "#<FILTERED %d bytes>", value.bytesize
+          in nil    then "nil"
+          else           format "#<FILTERED %s>", value.class
+          end
+        end
+
       end
 
     end

test/net/imap/sasl/test_scram_cache.rb

@@ -65,4 +65,87 @@ class SASLScamCacheTest < Net::IMAP::TestCase
     assert cache.sufficient?
   end
 
+  %w[inspect to_s].each do |method|
+    test "##{method}" do
+      cache = SASL::ScramCache.new
+      assert_equal(
+        "#<struct #{SASL::ScramCache} " \
+        "salt=nil, iterations=nil, salted_password=nil, " \
+        "client_key=nil, server_key=nil>",
+        cache.public_send(method)
+      )
+      cache.salt = salt = "saltysaltsalt"
+      cache.iterations = 100_000
+      assert_equal(
+        "#<struct #{SASL::ScramCache} " \
+        "salt=#{salt.inspect}, iterations=100000, " \
+        "salted_password=nil, client_key=nil, server_key=nil>",
+        cache.public_send(method)
+      )
+      cache.salted_password = "this should be filtered!!"
+      assert_equal(
+        "#<struct #{SASL::ScramCache} " \
+        "salt=#{salt.inspect}, iterations=100000, " \
+        "salted_password=#<FILTERED 25 bytes>, client_key=nil, server_key=nil>",
+        cache.public_send(method)
+      )
+      cache.client_key = "filter!"
+      cache.server_key = "this!"
+      assert_equal(
+        "#<struct #{SASL::ScramCache} " \
+        "salt=#{salt.inspect}, iterations=100000, " \
+        "salted_password=#<FILTERED 25 bytes>, " \
+        "client_key=#<FILTERED 7 bytes>, " \
+        "server_key=#<FILTERED 5 bytes>>",
+        cache.public_send(method)
+      )
+      cache.salted_password = nil
+      assert_equal(
+        "#<struct #{SASL::ScramCache} " \
+        "salt=#{salt.inspect}, iterations=100000, " \
+        "salted_password=nil, " \
+        "client_key=#<FILTERED 7 bytes>, " \
+        "server_key=#<FILTERED 5 bytes>>",
+        cache.public_send(method)
+      )
+    end
+  end
+
+  test "#pretty_print" do
+    width = 80
+    cache = SASL::ScramCache.new
+    PP.pp cache, (output = String.new), width
+    assert_equal(<<~PP, output)
+      #<struct #{SASL::ScramCache}
+       salt=nil,
+       iterations=nil,
+       salted_password=nil,
+       client_key=nil,
+       server_key=nil>
+    PP
+    cache.salt = salt = "saltosaltersaltin"
+    cache.iterations = 100_000
+    PP.pp cache, (output = String.new), width
+    assert_equal(<<~PP, output)
+      #<struct #{SASL::ScramCache}
+       salt=#{salt.inspect},
+       iterations=100000,
+       salted_password=nil,
+       client_key=nil,
+       server_key=nil>
+    PP
+    cache.salted_password = "this should be filtered!!"
+    cache.client_key = Object.new
+    cache.server_key = 123.5
+    PP.pp cache, (output = String.new), width
+    assert_equal(<<~PP, output)
+      #<struct #{SASL::ScramCache}
+       salt=#{salt.inspect},
+       iterations=100000,
+       salted_password=#<FILTERED 25 bytes>,
+       client_key=#<FILTERED Object>,
+       server_key=#<FILTERED Float>>
+    PP
+  end
+
 end