Elide data reduction proxy credentials from NetLog

net/http/http_log_util.cc

Index: net/http/http_log_util.cc
diff --git a/net/http/http_log_util.cc b/net/http/http_log_util.cc
index ab6ebda74aca0be5b39b9bfc046e91943e20c4bd..d9bdce83f2b76f7ac14954e54e34a864cbb57d10 100644
--- a/net/http/http_log_util.cc
+++ b/net/http/http_log_util.cc
@@ -7,6 +7,7 @@
 #include "base/strings/string_util.h"
 #include "base/strings/stringprintf.h"
 #include "net/http/http_auth_challenge_tokenizer.h"
+#include "net/http/http_util.h"
 
 namespace net {
 
@@ -33,39 +34,61 @@ bool ShouldRedactChallenge(HttpAuthChallengeTokenizer* challenge) {
 
 }  // namespace
 
+#if defined(SPDY_PROXY_AUTH_ORIGIN)
+bool ElideChromeProxyDirective(const std::string& header_value,
+                               const std::string& directive,
+                               std::string::const_iterator* redact_begin,
+                               std::string::const_iterator* redact_end) {
+  HttpUtil::ValuesIterator it(header_value.begin(), header_value.end(), ',');
+  while (it.GetNext()) {
+    if (LowerCaseEqualsASCII(it.value_begin(),
+                             it.value_begin() + directive.size(),
+                             directive.c_str())) {
+      *redact_begin = it.value_begin();
+      *redact_end = it.value_end();
+      return true;
+    }
+  }
+  return false;
+}
+#endif
+
 std::string ElideHeaderValueForNetLog(NetLog::LogLevel log_level,
                                       const std::string& header,
                                       const std::string& value) {
+  std::string::const_iterator redact_begin = value.begin();
+  std::string::const_iterator redact_end = value.begin();
+  bool unconditionally_redacted = false;
 #if defined(SPDY_PROXY_AUTH_ORIGIN)
-  if (!base::strcasecmp(header.c_str(), "proxy-authorization") ||
-      !base::strcasecmp(header.c_str(), "proxy-authenticate")) {
-    return "[elided]";
+  if (!base::strcasecmp(header.c_str(), "chrome-proxy")) {
+    unconditionally_redacted =
+        ElideChromeProxyDirective(value, "sid=", &redact_begin, &redact_end);
   }
 #endif
 
-  if (log_level < NetLog::LOG_STRIP_PRIVATE_DATA)
-    return value;
-
-  // Note: this logic should be kept in sync with stripCookiesAndLoginInfo in
-  // chrome/browser/resources/net_internals/log_view_painter.js.
-
-  std::string::const_iterator redact_begin = value.begin();
-  std::string::const_iterator redact_end = value.begin();
-  if (!base::strcasecmp(header.c_str(), "set-cookie") ||
-      !base::strcasecmp(header.c_str(), "set-cookie2") ||
-      !base::strcasecmp(header.c_str(), "cookie") ||
-      !base::strcasecmp(header.c_str(), "authorization") ||
-      !base::strcasecmp(header.c_str(), "proxy-authorization")) {
-    redact_begin = value.begin();
-    redact_end = value.end();
-  } else if (!base::strcasecmp(header.c_str(), "www-authenticate") ||
-             !base::strcasecmp(header.c_str(), "proxy-authenticate")) {
-    // Look for authentication information from data received from the server in
-    // multi-round Negotiate authentication.
-    HttpAuthChallengeTokenizer challenge(value.begin(), value.end());
-    if (ShouldRedactChallenge(&challenge)) {
-      redact_begin = challenge.params_begin();
-      redact_end = challenge.params_end();
+  if (!unconditionally_redacted) {

[mmenke, 2014/07/02 18:34:25]

Think you can get rid of this bool, and just use "if (redact_begin !=
redact_end)" here (If they're the same, you aren't redacting anything, anyways).

Optionally, could combine the two ifs...

if (redact_begin != redact_end && log_level >= NetLog::LOG_STRIP_PRIVATE_DATA)

Then there are only two return statements, which I think is a little cleaner.

[bengr, 2014/07/02 19:31:58]

Done.

+    if (log_level < NetLog::LOG_STRIP_PRIVATE_DATA)
+      return value;
+
+    // Note: this logic should be kept in sync with stripCookiesAndLoginInfo in
+    // chrome/browser/resources/net_internals/log_view_painter.js.
+
+    if (!base::strcasecmp(header.c_str(), "set-cookie") ||
+        !base::strcasecmp(header.c_str(), "set-cookie2") ||
+        !base::strcasecmp(header.c_str(), "cookie") ||
+        !base::strcasecmp(header.c_str(), "authorization") ||
+        !base::strcasecmp(header.c_str(), "proxy-authorization")) {
+      redact_begin = value.begin();
+      redact_end = value.end();
+    } else if (!base::strcasecmp(header.c_str(), "www-authenticate") ||
+               !base::strcasecmp(header.c_str(), "proxy-authenticate")) {
+      // Look for authentication information from data received from the server
+      // in multi-round Negotiate authentication.
+      HttpAuthChallengeTokenizer challenge(value.begin(), value.end());
+      if (ShouldRedactChallenge(&challenge)) {
+        redact_begin = challenge.params_begin();
+        redact_end = challenge.params_end();
+      }
     }
   }