
Ensure clean http url #538


Merged
merged 13 commits into from
Jun 11, 2021
Merged
2 changes: 2 additions & 0 deletions CHANGELOG.md
Expand Up @@ -14,6 +14,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
([#530](https://github.com/open-telemetry/opentelemetry-python-contrib/pull/530))
- Fix weak reference error for pyodbc cursor in SQLAlchemy instrumentation.
([#469](https://github.com/open-telemetry/opentelemetry-python-contrib/pull/469))
- Implemented specification that HTTP span attributes must not contain username and password.
([#538](https://github.com/open-telemetry/opentelemetry-python-contrib/pull/538))

## [0.22b0](https://github.com/open-telemetry/opentelemetry-python/releases/tag/v1.3.0-0.22b0) - 2021-06-01

Expand Up @@ -76,6 +76,7 @@ def strip_query_params(url: yarl.URL) -> str:
from opentelemetry.instrumentation.instrumentor import BaseInstrumentor
from opentelemetry.instrumentation.utils import (
http_status_to_status_code,
remove_url_credentials,
unwrap,
)
from opentelemetry.propagate import inject
Expand Down Expand Up @@ -173,11 +174,11 @@ async def on_request_start(
if trace_config_ctx.span.is_recording():
attributes = {
SpanAttributes.HTTP_METHOD: http_method,
SpanAttributes.HTTP_URL: trace_config_ctx.url_filter(
params.url
SpanAttributes.HTTP_URL: remove_url_credentials(
trace_config_ctx.url_filter(params.url)
)
if callable(trace_config_ctx.url_filter)
else str(params.url),
else remove_url_credentials(str(params.url)),
}
for key, value in attributes.items():
trace_config_ctx.span.set_attribute(key, value)
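Review bot: Both arms of the conditional expression now call `remove_url_credentials` separately, which duplicates the call and hides that the stripping is unconditional; applying it once to the selected value keeps the arms symmetric: `SpanAttributes.HTTP_URL: remove_url_credentials(trace_config_ctx.url_filter(params.url) if callable(trace_config_ctx.url_filter) else str(params.url)),`. A why-comment above the dict would help the next reader, e.g. `# userinfo must never reach span attributes, regardless of what url_filter returns`. `params.url` appears to already be a `yarl.URL` here (the filter signature in the hunk header takes one), so the helper re-parses a string yarl just serialised; harmless, but worth knowing. `on_request_start` begins outside this hunk.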
Expand Up @@ -321,6 +321,37 @@ async def request_handler(request):
]
)

def test_credential_removal(self):
trace_configs = [aiohttp_client.create_trace_config()]

url = "http://username:[email protected]/status/200"
with self.subTest(url=url):

async def do_request(url):
async with aiohttp.ClientSession(
trace_configs=trace_configs,
) as session:
async with session.get(url):
pass

loop = asyncio.get_event_loop()
loop.run_until_complete(do_request(url))

self.assert_spans(
[
(
"HTTP GET",
(StatusCode.UNSET, None),
{
SpanAttributes.HTTP_METHOD: "GET",
SpanAttributes.HTTP_URL: "http://httpbin.org/status/200",
SpanAttributes.HTTP_STATUS_CODE: int(HTTPStatus.OK),
},
)
]
)
self.memory_exporter.clear()
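Review bot: `test_credential_removal` issues a real request to the external httpbin.org URL and asserts a 200 and `HTTP_STATUS_CODE`, so unless a fixture outside the hunk intercepts it, the test depends on network access and on that host's availability; tornado's new `test_credential_removal` (`self.fetch(...)` with an absolute httpbin.org URL) has the same dependency. Pointing the URL at the in-process server the surrounding tests use (`request_handler` in the hunk header suggests one exists), with the same dummy userinfo in front of the local host and port, keeps the credential check while making the test hermetic. The `with self.subTest(url=url)` wrapper around a single URL adds a level of indentation without adding a case and can be dropped.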


class TestAioHttpClientInstrumentor(TestBase):
URL = "/test-path"
Expand Up @@ -27,7 +27,10 @@

from opentelemetry import context, trace
from opentelemetry.instrumentation.asgi.version import __version__ # noqa
from opentelemetry.instrumentation.utils import http_status_to_status_code
from opentelemetry.instrumentation.utils import (
http_status_to_status_code,
remove_url_credentials,
)
from opentelemetry.propagate import extract
from opentelemetry.propagators.textmap import Getter
from opentelemetry.semconv.trace import SpanAttributes
Expand Down Expand Up @@ -86,7 +89,7 @@ def collect_request_attributes(scope):
SpanAttributes.NET_HOST_PORT: port,
SpanAttributes.HTTP_FLAVOR: scope.get("http_version"),
SpanAttributes.HTTP_TARGET: scope.get("path"),
SpanAttributes.HTTP_URL: http_url,
SpanAttributes.HTTP_URL: remove_url_credentials(http_url),
}
http_method = scope.get("method")
if http_method:
Expand Up @@ -430,6 +430,14 @@ def test_response_attributes_invalid_status_code(self):
otel_asgi.set_status_code(self.span, "Invalid Status Code")
self.assertEqual(self.span.set_status.call_count, 1)

def test_credential_removal(self):
self.scope["server"] = ("username:[email protected]", 80)
self.scope["path"] = "/status/200"
attrs = otel_asgi.collect_request_attributes(self.scope)
self.assertEqual(
attrs[SpanAttributes.HTTP_URL], "http://httpbin.org/status/200"
)


if __name__ == "__main__":
unittest.main()
Expand Up @@ -45,7 +45,10 @@
from opentelemetry.instrumentation.instrumentor import BaseInstrumentor
from opentelemetry.instrumentation.requests.package import _instruments
from opentelemetry.instrumentation.requests.version import __version__
from opentelemetry.instrumentation.utils import http_status_to_status_code
from opentelemetry.instrumentation.utils import (
http_status_to_status_code,
remove_url_credentials,
)
from opentelemetry.propagate import inject
from opentelemetry.semconv.trace import SpanAttributes
from opentelemetry.trace import SpanKind, get_tracer
Expand Down Expand Up @@ -124,6 +127,8 @@ def _instrumented_requests_call(
if not span_name or not isinstance(span_name, str):
span_name = get_default_span_name(method)

url = remove_url_credentials(url)

labels = {}
labels[SpanAttributes.HTTP_METHOD] = method
labels[SpanAttributes.HTTP_URL] = url
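Review bot: `url = remove_url_credentials(url)` runs after `span_name` has been computed, so `name_callback` (which, judging by the `span_name` checks at the top of the hunk, is invoked just above with `url`) still receives the credentialed URL and a user callback can carry it into the span name; moving the strip to the top of the function, before the span-name block, closes that path. Rebinding the `url` parameter also means every later use of `url` in `_instrumented_requests_call` (outside this hunk) sees the stripped value, which is what the attributes want but should be stated: `url = remove_url_credentials(url)  # strip userinfo before anything derived from url is recorded`. urllib's `_instrumented_open_call` hunk adds the same line in the same position and has the same ordering concern. The enclosing function starts before and ends after this hunk.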
Expand Up @@ -357,6 +357,13 @@ def test_invalid_url(self):
)
self.assertEqual(span.status.status_code, StatusCode.ERROR)

def test_credential_removal(self):
new_url = "http://username:[email protected]/status/200"
self.perform_request(new_url)
span = self.assert_span()

self.assertEqual(span.attributes[SpanAttributes.HTTP_URL], self.URL)

def test_if_headers_equals_none(self):
result = requests.get(self.URL, headers=None)
self.assertEqual(result.text, "Hello!")
Expand Up @@ -17,7 +17,10 @@
from tornado.httpclient import HTTPError, HTTPRequest

from opentelemetry import trace
from opentelemetry.instrumentation.utils import http_status_to_status_code
from opentelemetry.instrumentation.utils import (
http_status_to_status_code,
remove_url_credentials,
)
from opentelemetry.propagate import inject
from opentelemetry.semconv.trace import SpanAttributes
from opentelemetry.trace.status import Status
Expand Down Expand Up @@ -61,7 +64,7 @@ def fetch_async(tracer, request_hook, response_hook, func, _, args, kwargs):

if span.is_recording():
attributes = {
SpanAttributes.HTTP_URL: request.url,
SpanAttributes.HTTP_URL: remove_url_credentials(request.url),
SpanAttributes.HTTP_METHOD: request.method,
}
for key, value in attributes.items():
Expand Up @@ -455,6 +455,29 @@ def test_response_headers(self):
self.memory_exporter.clear()
set_global_response_propagator(orig)

def test_credential_removal(self):
response = self.fetch(
"http://username:[email protected]/status/200"
)
self.assertEqual(response.code, 200)

spans = self.sorted_spans(self.memory_exporter.get_finished_spans())
self.assertEqual(len(spans), 1)
client = spans[0]

self.assertEqual(client.name, "GET")
self.assertEqual(client.kind, SpanKind.CLIENT)
self.assert_span_has_attributes(
client,
{
SpanAttributes.HTTP_URL: "http://httpbin.org/status/200",
SpanAttributes.HTTP_METHOD: "GET",
SpanAttributes.HTTP_STATUS_CODE: 200,
},
)

self.memory_exporter.clear()


class TornadoHookTest(TornadoTest):
_client_request_hook = None
Expand Up @@ -48,7 +48,10 @@
from opentelemetry.instrumentation.instrumentor import BaseInstrumentor
from opentelemetry.instrumentation.urllib.package import _instruments
from opentelemetry.instrumentation.urllib.version import __version__
from opentelemetry.instrumentation.utils import http_status_to_status_code
from opentelemetry.instrumentation.utils import (
http_status_to_status_code,
remove_url_credentials,
)
from opentelemetry.propagate import inject
from opentelemetry.semconv.trace import SpanAttributes
from opentelemetry.trace import SpanKind, get_tracer
Expand Down Expand Up @@ -142,6 +145,8 @@ def _instrumented_open_call(
if not span_name or not isinstance(span_name, str):
span_name = get_default_span_name(method)

url = remove_url_credentials(url)

labels = {
SpanAttributes.HTTP_METHOD: method,
SpanAttributes.HTTP_URL: url,
Expand Up @@ -35,6 +35,8 @@
from opentelemetry.test.test_base import TestBase
from opentelemetry.trace import StatusCode

# pylint: disable=too-many-public-methods


class RequestsIntegrationTestBase(abc.ABC):
# pylint: disable=no-member
Expand Down Expand Up @@ -318,6 +320,15 @@ def test_requests_timeout_exception(self, *_, **__):
span = self.assert_span()
self.assertEqual(span.status.status_code, StatusCode.ERROR)

def test_credential_removal(self):
url = "http://username:[email protected]/status/200"

with self.assertRaises(Exception):
self.perform_request(url)

span = self.assert_span()
self.assertEqual(span.attributes[SpanAttributes.HTTP_URL], self.URL)
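Review bot: `with self.assertRaises(Exception):` accepts any exception, including one raised by the new stripping code or by the instrumentation's own span handling, so the test cannot tell "urllib refused the userinfo URL" from "the instrumentation crashed". Catch the specific exception urllib raises for this URL (I believe it fails in `http.client` while parsing the `user:password@host` netloc as a host:port pair, i.e. `http.client.InvalidURL`; confirm against a run) and add a one-line comment saying the request is expected to fail, e.g. `# urllib rejects userinfo in the URL; the span must still record the stripped URL`. The assertion that a span is nonetheless produced with `self.URL` is the valuable part and should stay.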


class TestRequestsIntegration(RequestsIntegrationTestBase, TestBase):
@staticmethod
Expand Up @@ -287,3 +287,9 @@ def url_filter(url):

response = self.perform_request(self.HTTP_URL + "?e=mcc")
self.assert_success_span(response, self.HTTP_URL)

def test_credential_removal(self):
url = "http://username:[email protected]/status/200"

response = self.perform_request(url)
self.assert_success_span(response, self.HTTP_URL)
Expand Up @@ -59,7 +59,10 @@ def hello():
import wsgiref.util as wsgiref_util

from opentelemetry import context, trace
from opentelemetry.instrumentation.utils import http_status_to_status_code
from opentelemetry.instrumentation.utils import (
http_status_to_status_code,
remove_url_credentials,
)
from opentelemetry.instrumentation.wsgi.version import __version__
from opentelemetry.propagate import extract
from opentelemetry.propagators.textmap import Getter
Expand Down Expand Up @@ -128,7 +131,9 @@ def collect_request_attributes(environ):
if target is not None:
result[SpanAttributes.HTTP_TARGET] = target
else:
result[SpanAttributes.HTTP_URL] = wsgiref_util.request_uri(environ)
result[SpanAttributes.HTTP_URL] = remove_url_credentials(
wsgiref_util.request_uri(environ)
)

remote_addr = environ.get("REMOTE_ADDR")
if remote_addr:
Expand Up @@ -364,6 +364,18 @@ def test_response_attributes(self):
self.assertEqual(self.span.set_attribute.call_count, len(expected))
self.span.set_attribute.assert_has_calls(expected, any_order=True)

def test_credential_removal(self):
self.environ["HTTP_HOST"] = "username:[email protected]"
self.environ["PATH_INFO"] = "/status/200"
expected = {
SpanAttributes.HTTP_URL: "http://httpbin.com/status/200",
SpanAttributes.NET_HOST_PORT: 80,
}
self.assertGreaterEqual(
otel_wsgi.collect_request_attributes(self.environ).items(),
expected.items(),
)


class TestWsgiMiddlewareWithTracerProvider(WsgiTestBase):
def validate_response(
1 change: 1 addition & 0 deletions opentelemetry-instrumentation/setup.cfg
Expand Up @@ -43,6 +43,7 @@ include_package_data = True
install_requires =
opentelemetry-api == 1.4.0.dev0
wrapt >= 1.0.0, < 2.0.0
yarl ~= 1.6

[options.packages.find]
where = src
Expand Up @@ -15,6 +15,7 @@
from typing import Dict, Sequence

from wrapt import ObjectProxy
from yarl import URL

from opentelemetry.trace import StatusCode

Expand Down Expand Up @@ -60,3 +61,12 @@ def unwrap(obj, attr: str):
func = getattr(obj, attr, None)
if func and isinstance(func, ObjectProxy) and hasattr(func, "__wrapped__"):
setattr(obj, attr, func.__wrapped__)

Contributor


Would this logic be better off here?

Contributor Author


Only thought I had was that it is most similar to the other utility function http_status_to_status_code in the same file and the library you linked is only used by web server instrumentations. However, it might make more logical sense to separate it from the opentelemetry-instrumentation itself. What would you suggest? @lzchen

Contributor


I believe the library would be used for all http related instrumentations, it just so happens the logic contained is only used in server instrumentations.

Contributor Author


Sounds good 👍 Just updated with the last remaining suggestions.


def remove_url_credentials(url: str) -> str:
"""Given a string url, attempt to remove the username and password"""
try:
url = str(URL(url).with_user(None))
except ValueError: # invalid url was passed
pass
return url
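Review bot: `remove_url_credentials` fails open: when `URL(url)` raises `ValueError` the `except` branch returns the input unchanged, so a malformed URL that still carries `user:password@` is recorded in `HTTP_URL` exactly as before this PR, and silently. A `urllib.parse` implementation (`from urllib.parse import urlsplit, urlunsplit` replacing the `yarl` import) avoids that path and removes the new `yarl ~= 1.6` runtime dependency this commit adds to the base `opentelemetry-instrumentation` package in setup.cfg and tox.ini for this one helper; it also returns credential-free URLs byte-for-byte, whereas I believe `str(URL(url))` re-serialises (normalises) them even when nothing was removed, which is worth confirming against the tests that compare `HTTP_URL` with the requested URL. The docstring should state the contract too: only the authority's userinfo is removed and the query string is not inspected. The sketch below keeps the public signature.
```python
def remove_url_credentials(url: str) -> str:
    """Return ``url`` with any userinfo (``user[:password]@``) removed from its authority.

    URLs without userinfo are returned unchanged. The query string is not
    inspected, so sensitive query parameters need a separate filter.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        # urlsplit rejects only a few malformed forms (e.g. unbalanced IPv6
        # brackets). Still never return userinfo verbatim: drop everything
        # between "://" and the last "@" of the authority by hand.
        scheme, sep, rest = url.partition("://")
        authority, slash, path = rest.partition("/")
        return scheme + sep + authority.rpartition("@")[2] + slash + path
    if "@" not in parts.netloc:
        return url
    return urlunsplit(parts._replace(netloc=parts.netloc.rpartition("@")[2]))
```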
6 changes: 4 additions & 2 deletions tox.ini
Expand Up @@ -405,6 +405,8 @@ deps =
protobuf>=3.13.0
requests==2.25.0
pyodbc~=4.0.30
yarl ~= 1.6

changedir =
tests/opentelemetry-docker-tests/tests

Expand All @@ -427,17 +429,17 @@ commands_pre =
-e {toxinidir}/opentelemetry-python-core/exporter/opentelemetry-exporter-opencensus
docker-compose up -d
python check_availability.py

commands =
pytest {posargs}

commands_post =
docker-compose down -v


[testenv:generate]
deps =
-r {toxinidir}/gen-requirements.txt

commands =
{toxinidir}/scripts/generate_setup.py
{toxinidir}/scripts/generate_instrumentation_bootstrap.py
{toxinidir}/scripts/generate_instrumentation_bootstrap.py