Redact dynamic values from logs and report

[jcamiel]

Secrets are being introduced in 6.1.0 and allow to redact known values. We need to have a way to hide values that are not known before execution. We could introduce a redact filter that will make a value secret:

In this sample

GET https://foo.com
HTTP 200
[Captures]
my_secret: header "token" redact

my_secret is a new variable whose value must be redacted from report and logs.

[lepapareil]

[Captures] uses variable as his default behavior, we could maybe add this grammar enhancement:

GET https://foo.com
HTTP 200
[Captures]
variable my_var: header "date"

And then:

GET https://foo.com
HTTP 200
[Captures]
secret my_secret: header "token"

[jcamiel]

Yes, good alternative also. I find the filter to make less change to the grammar... Also this file, with an existing variable predicate, could be a bit awkward:

GET https://foo.com
HTTP 200
[Captures]
variable foo: jsonpath "$.value"
[Asserts]
variable "foo" == "something"

[jcamiel]

Thinking on it, I find a kind of possible way to implement it without changing anything.

Actually, secrets are readonly.

$ hurl --secret token=foo *.hurl is declaring a secret token. You can't reassign token into a variable because the value foo would leak:

GET https://foo.com
HTTP 200
[Captures]
token: header "Secret"

Will trigger a runtime error.

Instead of readonly, let's say secrets are "write-once". This way you can declare a secret without value, and when the secret is assigned for the first time, it gets its value to redact:

$ hurl --secret token=foo *.hurl => token protects the value foo

$ hurl --secret token= *.hurl => token protects the value that will be assigned once. For instance in:

GET https://foo.com
HTTP 200
[Captures]
token: header "Secret"

It's a little hacky but I like that it doesn't need any new syntax. I'm suspecting @fabricereix will not like this solution 👀

[jcamiel]

Other solution: make convention on naming. secret in the name automatically makes a variable secret:

GET https://foo.com
HTTP 200
[Captures]
my_secret: header "X-foo"

[lepapareil]

What about namespace hierarchy using :: :

• variable by default :

GET https://foo.com
HTTP 200
[Captures]
myvar: header "X-foo"

• define as variable :

GET https://foo.com
HTTP 200
[Captures]
variable::myvar: header "X-foo"

• define as secret :

GET https://foo.com
HTTP 200
[Captures]
secret::myvar: header "X-foo"

[lepapareil]

What about one char identifier :

• variable by default :

GET https://foo.com
HTTP 200
[Captures]
myvar: header "X-foo"

• define as variable :

GET https://foo.com
HTTP 200
[Captures]
@myvar: header "X-foo"

• define as secret :

GET https://foo.com
HTTP 200
[Captures]
#myvar: header "X-foo"