allow the same secret and identifier to be redacted multiple times

cloudtruth · Sep 24, 2020 · 255e6d5 · 255e6d5
1 parent abfd513
commit 255e6d5
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 4 deletions.
diff --git a/interposer/tapedeck.py b/interposer/tapedeck.py
@@ -378,19 +378,24 @@ def redact(self, secret: str, identifier: str) -> str:
         key = f"_redact_{identifier}"
 
         if self.mode == Mode.Recording:
+            secretlen = len(secret)
+            redacted = (identifier + ("_" * secretlen))[:secretlen]
+            if self._redactions.get(secret) == redacted:
+                # calling it more than once for the same secret and ID is ok
+                return secret
+
             if self._tape.get(key):
                 raise AttributeError(
-                    f"{identifier} has already been used to redact a secret"
+                    f"{identifier} has already been used to redact another secret"
                 )
-            secretlen = len(secret)
-            self._redactions[secret] = (identifier + ("_" * secretlen))[:secretlen]
+            self._redactions[secret] = redacted
             self._tape[key] = secretlen
             return secret
         else:
             secretlen = self._tape.get(key)
             if not secretlen:
                 raise AttributeError(
-                    f"{identifier} was not used during recording to redact a secret"
+                    f"{identifier} was not used during recording to redact this secret"
                 )
             return (identifier + ("_" * secretlen))[:secretlen]
 

diff --git a/tests/tapedeck_test.py b/tests/tapedeck_test.py
@@ -243,6 +243,8 @@ def test_recording_secrets(self):
             # a secret redaction identifier can only be used once in a recording
             with self.assertRaises(AttributeError):
                 uut.redact("foo", "REDACTED_SMALLER_THAN_ORIGINAL")
+            # but if the secret is the same that is not an error
+            assert uut.redact(token, "REDACTED_SMALLER_THAN_ORIGINAL") == token
 
         # now during playback see everything with a secret (token) has been redacted!