Merge 24f74fd8db into 552b7bf47b

2026-05-14 17:06:12 +00:00 · 2026-05-14 17:06:12 +00:00 · 7d6793b5ef
commit 7d6793b5ef
parent 552b7bf47b 24f74fd8db
5 changed files with 99 additions and 0 deletions
--- a/pymongo/asynchronous/mongo_client.py
+++ b/pymongo/asynchronous/mongo_client.py
@ -1307,6 +1307,8 @@ class AsyncMongoClient(common.BaseObject, Generic[_DocumentType]):
                    return "document_class=dict"
                else:
                    return f"document_class={value.__module__}.{value.__name__}"
+            if option == "authmechanismproperties":
+                value = common.redact_auth_mechanism_properties_for_repr(value)
            if option in common.TIMEOUT_OPTIONS and value is not None:
                return f"{option}={int(value * 1000)}"

--- a/pymongo/common.py
+++ b/pymongo/common.py
@ -426,6 +426,31 @@ _MECHANISM_PROPS = frozenset(
 )


+_SAFE_AUTH_MECHANISM_PROPS_FOR_REPR = frozenset(
+    [
+        "ALLOWED_HOSTS",
+        "CANONICALIZE_HOST_NAME",
+        "ENVIRONMENT",
+        "SERVICE_HOST",
+        "SERVICE_NAME",
+        "SERVICE_REALM",
+        "TOKEN_RESOURCE",
+    ]
+)
+
+
+def redact_auth_mechanism_properties_for_repr(value: Any) -> Any:
+    """Redact sensitive auth mechanism properties before including them in repr."""
+    if not isinstance(value, dict):
+        return value
+
+    redacted = value.copy()
+    for key in redacted:
+        if str(key).upper() not in _SAFE_AUTH_MECHANISM_PROPS_FOR_REPR:
+            redacted[key] = "<redacted>"
+    return redacted
+
+
 def validate_auth_mechanism_properties(option: str, value: Any) -> dict[str, Union[bool, str]]:
    """Validate authMechanismProperties."""
    props: dict[str, Any] = {}
--- a/pymongo/synchronous/mongo_client.py
+++ b/pymongo/synchronous/mongo_client.py
@ -1307,6 +1307,8 @@ class MongoClient(common.BaseObject, Generic[_DocumentType]):
                    return "document_class=dict"
                else:
                    return f"document_class={value.__module__}.{value.__name__}"
+            if option == "authmechanismproperties":
+                value = common.redact_auth_mechanism_properties_for_repr(value)
            if option in common.TIMEOUT_OPTIONS and value is not None:
                return f"{option}={int(value * 1000)}"

--- a/test/asynchronous/test_client.py
+++ b/test/asynchronous/test_client.py
@ -195,6 +195,41 @@ class AsyncClientUnitTest(AsyncUnitTest):

        self.assertRaises(ConfigurationError, AsyncMongoClient, [])

+    async def test_repr_redacts_aws_session_token(self):
+        token = "SECRET_AWS_SESSION_TOKEN"
+        client = AsyncMongoClient(
+            "mongodb://AKIA:SECRET@localhost:27017/"
+            f"?authMechanism=MONGODB-AWS&authMechanismProperties=AWS_SESSION_TOKEN:{token}",
+            connect=False,
+        )
+
+        the_repr = repr(client)
+
+        self.assertNotIn(token, the_repr)
+        self.assertIn("'AWS_SESSION_TOKEN': '<redacted>'", the_repr)
+
+    async def test_repr_redacts_secret_auth_mechanism_properties(self):
+        token = "SECRET_AWS_SESSION_TOKEN"
+        api_key = "SECRET_API_KEY"
+        client = AsyncMongoClient(
+            "mongodb://AKIA:SECRET@localhost:27017/",
+            authMechanism="MONGODB-AWS",
+            authMechanismProperties={
+                "aws_session_token": token,
+                "CUSTOM_API_KEY": api_key,
+                "TOKEN_RESOURCE": "mongodb://cluster.example",
+            },
+            connect=False,
+        )
+
+        the_repr = repr(client)
+
+        self.assertNotIn(token, the_repr)
+        self.assertNotIn(api_key, the_repr)
+        self.assertIn("'aws_session_token': '<redacted>'", the_repr)
+        self.assertIn("'CUSTOM_API_KEY': '<redacted>'", the_repr)
+        self.assertIn("'TOKEN_RESOURCE': 'mongodb://cluster.example'", the_repr)
+
    async def test_max_pool_size_zero(self):
        self.simple_client(maxPoolSize=0)

--- a/test/test_client.py
+++ b/test/test_client.py
@ -192,6 +192,41 @@ class ClientUnitTest(UnitTest):

        self.assertRaises(ConfigurationError, MongoClient, [])

+    def test_repr_redacts_aws_session_token(self):
+        token = "SECRET_AWS_SESSION_TOKEN"
+        client = MongoClient(
+            "mongodb://AKIA:SECRET@localhost:27017/"
+            f"?authMechanism=MONGODB-AWS&authMechanismProperties=AWS_SESSION_TOKEN:{token}",
+            connect=False,
+        )
+
+        the_repr = repr(client)
+
+        self.assertNotIn(token, the_repr)
+        self.assertIn("'AWS_SESSION_TOKEN': '<redacted>'", the_repr)
+
+    def test_repr_redacts_secret_auth_mechanism_properties(self):
+        token = "SECRET_AWS_SESSION_TOKEN"
+        api_key = "SECRET_API_KEY"
+        client = MongoClient(
+            "mongodb://AKIA:SECRET@localhost:27017/",
+            authMechanism="MONGODB-AWS",
+            authMechanismProperties={
+                "aws_session_token": token,
+                "CUSTOM_API_KEY": api_key,
+                "TOKEN_RESOURCE": "mongodb://cluster.example",
+            },
+            connect=False,
+        )
+
+        the_repr = repr(client)
+
+        self.assertNotIn(token, the_repr)
+        self.assertNotIn(api_key, the_repr)
+        self.assertIn("'aws_session_token': '<redacted>'", the_repr)
+        self.assertIn("'CUSTOM_API_KEY': '<redacted>'", the_repr)
+        self.assertIn("'TOKEN_RESOURCE': 'mongodb://cluster.example'", the_repr)
+
    def test_max_pool_size_zero(self):
        self.simple_client(maxPoolSize=0)