From 6478545088bb99b2792db8917b2da4b81155cf82 Mon Sep 17 00:00:00 2001
From: Hongxin Liang
Date: Wed, 28 Jun 2023 18:05:03 +0200
Subject: [PATCH 1/3] Matching headers as substring
---
 .../main/java/com/spotify/styx/api/Middlewares.java | 13 ++++++++-----
 .../java/com/spotify/styx/api/MiddlewaresTest.java | 5 +++--
 2 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/styx-service-common/src/main/java/com/spotify/styx/api/Middlewares.java b/styx-service-common/src/main/java/com/spotify/styx/api/Middlewares.java
index 91a23d6e3..803365249 100644
--- a/styx-service-common/src/main/java/com/spotify/styx/api/Middlewares.java
+++ b/styx-service-common/src/main/java/com/spotify/styx/api/Middlewares.java
@@ -30,7 +30,7 @@ import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
 import com.google.common.base.CharMatcher;
 import com.google.common.base.Throwables;
-import com.google.common.collect.ImmutableSet;
+import com.google.common.collect.ImmutableList;
 import com.google.common.net.HttpHeaders;
 import com.spotify.apollo.Request;
 import com.spotify.apollo.RequestContext;
@@ -45,6 +45,7 @@ import io.opencensus.trace.Span;
 import io.opencensus.trace.Tracer;
 import java.net.URI;
+import java.util.List;
 import java.util.Locale;
 import java.util.Map;
 import java.util.Optional;
@@ -68,8 +69,8 @@ public final class Middlewares {
 private static final Logger LOG = LoggerFactory.getLogger(Middlewares.class);
- private static final Set BLACKLISTED_HEADERS =
- ImmutableSet.of(HttpHeaders.AUTHORIZATION.toLowerCase(Locale.ROOT));
+ private static final List BLACKLISTED_HEADERS =
+ ImmutableList.of(HttpHeaders.AUTHORIZATION.toLowerCase(Locale.ROOT), "service-identity");
 private static final String REQUEST_ID = "request-id";
 private static final String X_STYX_REQUEST_ID = "X-Styx-Request-Id";
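Review bot: The hunk at @@ -68,8 +69,8 @@ turns BLACKLISTED_HEADERS into a list of substrings while the name still reads as a list of exact header names, so a comment on the field would stop the next maintainer from adding a full header name and expecting exact matching, e.g. `// Lower-case substrings: any header whose name contains one of these has its value redacted in request logs.` The `Set` type used by the removed declaration is not referenced by anything else in this hunk, so if `java.util.Set` is not used elsewhere in the file its import is now dead (the rest of the file is not visible from here). Substring matching means Proxy-Authorization is now redacted for free, but Cookie and Set-Cookie are not; if the HTTP logger can see those headers, `HttpHeaders.COOKIE.toLowerCase(Locale.ROOT)` and `HttpHeaders.SET_COOKIE.toLowerCase(Locale.ROOT)` belong in the same list. The declaration renders as a raw `List`; the type argument was probably lost in rendering, but confirm it is `List<String>`.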
@@ -271,8 +272,10 @@ private static AuthContext auth(RequestContext requestContext,
 private static Map hideSensitiveHeaders(Map headers) {
 return headers.entrySet().stream()
 .collect(Collectors.toMap(Map.Entry::getKey,
- entry -> BLACKLISTED_HEADERS.contains(entry.getKey().toLowerCase(Locale.ROOT)) ? ""
- : entry.getValue()));
+ entry -> BLACKLISTED_HEADERS.stream()
+ .anyMatch(header -> entry.getKey().toLowerCase(Locale.ROOT).contains(header))
+ ? ""
+ : entry.getValue()));
 }
 public static Middleware>, AsyncHandler>> authenticator(
diff --git a/styx-service-common/src/test/java/com/spotify/styx/api/MiddlewaresTest.java b/styx-service-common/src/test/java/com/spotify/styx/api/MiddlewaresTest.java
index b5d6ba309..a8fe5e693 100644
--- a/styx-service-common/src/test/java/com/spotify/styx/api/MiddlewaresTest.java
+++ b/styx-service-common/src/test/java/com/spotify/styx/api/MiddlewaresTest.java
@@ -538,7 +538,8 @@ public void testHttpLoggerHidesAuthHeader() throws Exception {
 RequestContext requestContext = mock(RequestContext.class);
 Request request = Request.forUri("/", "PUT")
 .withPayload(ByteString.encodeUtf8("hello"))
- .withHeader(HttpHeaders.AUTHORIZATION, "Bearer s3cr3tp455w0rd");
+ .withHeader(HttpHeaders.AUTHORIZATION, "Bearer s3cr3tp455w0rd")
+ .withHeader("foo-service-identity", "Bearer s3cr3tp455w0rd");
 when(requestContext.request()).thenReturn(request);
 String email = "foo@bar.net";
@@ -556,7 +557,7 @@ public void testHttpLoggerHidesAuthHeader() throws Exception {
 request.method(),
 request.uri(),
 email,
- Map.of(HttpHeaders.AUTHORIZATION, ""),
+ Map.of(HttpHeaders.AUTHORIZATION, "", "foo-service-identity", ""),
 Map.of(),
 request.payload().orElseThrow().utf8());
 }
From 51e6b774b9360b2d5ff6ff59a4ba706e16bf212f Mon Sep 17 00:00:00 2001
From: Hongxin Liang
Date: Wed, 28 Jun 2023 18:07:26 +0200
Subject: [PATCH 2/3] Use List factory method
---
 .../src/main/java/com/spotify/styx/api/Middlewares.java | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
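Review bot: In hideSensitiveHeaders the new value mapper lower-cases `entry.getKey()` once per BLACKLISTED_HEADERS element and nests a stream inside a four-line ternary passed to toMap, which is hard to read and leaves the matching rule undocumented; folding the key once and moving the check into a named helper keeps the mapper to one line and gives the substring semantics a place to be described. The signature renders with raw `Map` here, so the generic arguments in the sketch below are assumed. hideSensitiveHeaders ends inside the hunk, but the enclosing class continues outside it.
```java
private static Map<String, String> hideSensitiveHeaders(Map<String, String> headers) {
  return headers.entrySet().stream()
      .collect(Collectors.toMap(Map.Entry::getKey,
          entry -> isSensitiveHeader(entry.getKey()) ? "" : entry.getValue()));
}

/** True when the lower-cased header name contains any BLACKLISTED_HEADERS entry. */
private static boolean isSensitiveHeader(String headerName) {
  final String lowerName = headerName.toLowerCase(Locale.ROOT);
  return BLACKLISTED_HEADERS.stream().anyMatch(lowerName::contains);
}
```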
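Review bot: testHttpLoggerHidesAuthHeader adds `foo-service-identity` entirely in lower case at @@ -538,7 +538,8 @@, so the new `service-identity` entry is never exercised through the `toLowerCase(Locale.ROOT)` path that the production code relies on; a mixed-case name such as `.withHeader("Foo-Service-Identity", "Bearer s3cr3tp455w0rd")`, with the same key in the expected `Map.of(...)` at @@ -556,7 +557,7 @@, would cover both the case fold and the substring match. The same applies to the hunk at @@ -539,7 +539,8 @@ in PATCH 3/3, which extends the same test. The test method starts and ends outside both hunks.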
diff --git a/styx-service-common/src/main/java/com/spotify/styx/api/Middlewares.java b/styx-service-common/src/main/java/com/spotify/styx/api/Middlewares.java
index 803365249..92e041be2 100644
--- a/styx-service-common/src/main/java/com/spotify/styx/api/Middlewares.java
+++ b/styx-service-common/src/main/java/com/spotify/styx/api/Middlewares.java
@@ -30,7 +30,6 @@ import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
 import com.google.common.base.CharMatcher;
 import com.google.common.base.Throwables;
-import com.google.common.collect.ImmutableList;
 import com.google.common.net.HttpHeaders;
 import com.spotify.apollo.Request;
 import com.spotify.apollo.RequestContext;
@@ -70,7 +69,7 @@ public final class Middlewares {
 private static final Logger LOG = LoggerFactory.getLogger(Middlewares.class);
 private static final List BLACKLISTED_HEADERS =
- ImmutableList.of(HttpHeaders.AUTHORIZATION.toLowerCase(Locale.ROOT), "service-identity");
+ List.of(HttpHeaders.AUTHORIZATION.toLowerCase(Locale.ROOT), "service-identity");
 private static final String REQUEST_ID = "request-id";
 private static final String X_STYX_REQUEST_ID = "X-Styx-Request-Id";
From 836a2b77f80a58e2dccdeaa6732387f8f916e819 Mon Sep 17 00:00:00 2001
From: Hongxin Liang
Date: Wed, 28 Jun 2023 18:08:50 +0200
Subject: [PATCH 3/3] Positive path
---
 .../src/test/java/com/spotify/styx/api/MiddlewaresTest.java | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/styx-service-common/src/test/java/com/spotify/styx/api/MiddlewaresTest.java b/styx-service-common/src/test/java/com/spotify/styx/api/MiddlewaresTest.java
index a8fe5e693..ebd519546 100644
--- a/styx-service-common/src/test/java/com/spotify/styx/api/MiddlewaresTest.java
+++ b/styx-service-common/src/test/java/com/spotify/styx/api/MiddlewaresTest.java
@@ -539,7 +539,8 @@ public void testHttpLoggerHidesAuthHeader() throws Exception {
 Request request = Request.forUri("/", "PUT")
 .withPayload(ByteString.encodeUtf8("hello"))
 .withHeader(HttpHeaders.AUTHORIZATION, "Bearer s3cr3tp455w0rd")
- .withHeader("foo-service-identity", "Bearer s3cr3tp455w0rd");
+ .withHeader("foo-service-identity", "Bearer s3cr3tp455w0rd")
+ .withHeader("foo-bar", "foo-bar");
 when(requestContext.request()).thenReturn(request);
 String email = "foo@bar.net";
@@ -557,7 +558,7 @@ public void testHttpLoggerHidesAuthHeader() throws Exception {
 request.method(),
 request.uri(),
 email,
- Map.of(HttpHeaders.AUTHORIZATION, "", "foo-service-identity", ""),
+ Map.of(HttpHeaders.AUTHORIZATION, "", "foo-service-identity", "", "foo-bar", "foo-bar"),
 Map.of(),
 request.payload().orElseThrow().utf8());
 }