Skip to content

PYTHON-5928 Redact AWS session token from client repr#2803

Open
NguyenCong2k wants to merge 1 commit into
mongodb:masterfrom
NguyenCong2k:fix-redact-aws-session-token-repr
Open

PYTHON-5928 Redact AWS session token from client repr#2803
NguyenCong2k wants to merge 1 commit into
mongodb:masterfrom
NguyenCong2k:fix-redact-aws-session-token-repr

Conversation

@NguyenCong2k

@NguyenCong2k NguyenCong2k commented May 14, 2026

Copy link
Copy Markdown
Contributor

[PYTHON-5928]

AWS session tokens passed via authMechanismProperties (e.g. AWS_SESSION_TOKEN) were rendered in plain text inside MongoClient.__repr__, leaking short-lived AWS credentials into logs and error messages. The existing username/password redaction did not cover auth mechanism properties.

This PR also hardens the cached OIDC authenticator path so the ALLOWED_HOSTS validation runs before a cached *_oidc authenticator is returned, not only when a new authenticator is built.

Changes in this PR

  • Add shared helper pymongo.common.redact_auth_mechanism_properties_for_repr that redacts any auth mechanism property whose upper-cased name is not in a safe allowlist (ALLOWED_HOSTS, CANONICALIZE_HOST_NAME, ENVIRONMENT, SERVICE_HOST, SERVICE_NAME, SERVICE_REALM, TOKEN_RESOURCE).
  • Call the helper from the repr path in both pymongo/synchronous/mongo_client.py and pymongo/asynchronous/mongo_client.py.
  • Move the OIDC ALLOWED_HOSTS check in _get_authenticator ahead of the cached-authenticator early return, so a disallowed host is rejected even when a cached authenticator exists.
  • Add regression tests covering:
    • AWS_SESSION_TOKEN supplied via the connection URI
    • aws_session_token, custom CUSTOM_API_KEY, and safe TOKEN_RESOURCE supplied via authMechanismProperties kwargs
    • sync (MongoClient) and async (AsyncMongoClient) variants

The allowlist approach (rather than a single-key denylist) addresses the Copilot review comment that other token-like values (GSSAPI/PLAIN PASSWORD, custom OIDC properties) could otherwise leak.

Test Plan

All tests pass on the supported Python versions for the driver:

python -m pytest test/test_client.py::ClientUnitTest::test_repr_redacts_aws_session_token ^
                 test/test_client.py::ClientUnitTest::test_repr_redacts_secret_auth_mechanism_properties ^
                 test/asynchronous/test_client.py::AsyncClientUnitTest::test_repr_redacts_aws_session_token ^
                 test/asynchronous/test_client.py::AsyncClientUnitTest::test_repr_redacts_secret_auth_mechanism_properties -q

python -m pytest test/test_auth_oidc.py -q

Manual verification (before/after):

from pymongo import MongoClient
client = MongoClient(
    "mongodb://AKIA:SECRET@localhost:27017/"
    "?authMechanism=MONGODB-AWS"
    "&authMechanismProperties=AWS_SESSION_TOKEN:SECRET-TOKEN",
    connect=False,
)
print(repr(client))  # before: token visible; after: 'AWS_SESSION_TOKEN': '<redacted>'

Checklist for Author

  • Is there test coverage? (sync + async regression tests)
  • Did you update the changelog (if necessary)? (no changelog update yet; happy to add once a maintainer confirms the preferred file)
  • Is any followup work tracked in a JIRA ticket? PYTHON-5928

Checklist for Reviewer

  • Does the title of the PR reference a JIRA Ticket?
  • Do you fully understand the implementation?
  • Is all relevant documentation (README or docstring) updated?

Copilot AI review requested due to automatic review settings May 14, 2026 04:36
@NguyenCong2k NguyenCong2k requested a review from a team as a code owner May 14, 2026 04:36

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

This PR addresses two security/privacy concerns: redacting the AWS session token in MongoClient __repr__ output, and ensuring the OIDC ALLOWED_HOSTS check is performed before reusing a cached authenticator.

Changes:

  • Redact AWS_SESSION_TOKEN in authMechanismProperties when generating client __repr__.
  • Move the OIDC ALLOWED_HOSTS validation in _get_authenticator to run before returning a cached authenticator.
  • Add corresponding tests in both sync and async test suites.

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 5 comments.

Show a summary per file
File Description
pymongo/synchronous/mongo_client.py Adds redaction helper for AWS session token in _repr_helper.
pymongo/asynchronous/mongo_client.py Mirrors the sync redaction logic for async client.
pymongo/synchronous/auth_oidc.py Reorders allowed-hosts check to occur before cache reuse.
pymongo/asynchronous/auth_oidc.py Mirrors the sync OIDC change for the async path.
test/test_client.py Adds test for AWS session token redaction in repr.
test/asynchronous/test_client.py Async counterpart for repr redaction test.
test/test_auth_oidc.py Tests allowed-hosts check happens before cache reuse.
test/asynchronous/test_auth_oidc.py Async counterpart for allowed-hosts cache test.

Comment thread pymongo/synchronous/mongo_client.py Outdated
Comment on lines +1306 to +1307
for key in redacted:
if key.upper() == "AWS_SESSION_TOKEN":
Comment thread pymongo/synchronous/mongo_client.py Outdated
Comment on lines +1303 to +1310
def redact_auth_mechanism_properties(value: Any) -> Any:
if isinstance(value, dict):
redacted = value.copy()
for key in redacted:
if key.upper() == "AWS_SESSION_TOKEN":
redacted[key] = "<redacted>"
return redacted
return value
Comment thread pymongo/synchronous/auth_oidc.py Outdated
Comment on lines +70 to +71
if credentials.cache.data:
return credentials.cache.data
Comment thread test/test_auth_oidc.py Outdated
Comment on lines +133 to +134
authenticator = _get_authenticator(credentials, ("good.example.com", 27017))
self.assertIs(authenticator, credentials.cache.data)
Comment thread test/test_client.py
Comment on lines +198 to +199
"mongodb://AKIA:SECRET@localhost:27017/"
f"?authMechanism=MONGODB-AWS&authMechanismProperties=AWS_SESSION_TOKEN:{token}",
@NguyenCong2k NguyenCong2k force-pushed the fix-redact-aws-session-token-repr branch from 9759aeb to fd2ade2 Compare May 14, 2026 04:38
@NguyenCong2k NguyenCong2k force-pushed the fix-redact-aws-session-token-repr branch from fd2ade2 to 24f74fd Compare May 14, 2026 17:06
@Jibola Jibola changed the title Redact AWS session token from client repr PYTHON-XXXX Redact AWS session token from client repr Jul 9, 2026
@codeowners-service-app

Copy link
Copy Markdown

Assigned aclark4life for team dbx-python because caseyclements is out of office.

@Jibola Jibola marked this pull request as draft July 9, 2026 14:05
@Jibola Jibola marked this pull request as ready for review July 9, 2026 14:05
@Jibola Jibola changed the title PYTHON-XXXX Redact AWS session token from client repr PYTHON-5928 Redact AWS session token from client repr Jul 9, 2026
@Jibola

Jibola commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Hi, thanks for your contribution. Please update your pull request to be in line with out pull request template guidelines.

@NguyenCong2k

Copy link
Copy Markdown
Contributor Author

Hi @Jibola, I've updated the PR description per the template. Ready for another look when you have a chance.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants