mask Authorization header in HTTP debug output when secrets are used

Prevent exposure of credentials in Robot Framework logs at DEBUG/TRACE
levels by masking Authorization headers in HTTP connection debug output
when Robot Secret types are detected.

Changes:
- Add check_and_process_secrets() to detect and process secrets in one pass
- Track secret usage in sessions via _has_secrets attribute
- Mask Authorization header in _print_debug() when secrets present
- Import AUTHORIZATION constant from log module for consistency

This ensures credentials are never logged even with debug=3, while still
allowing Authorization headers to be visible for debugging when no secrets
are used (e.g., test credentials).

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <[email protected]>

Author: oboehmer

src/RequestsLibrary/RequestsKeywords.py

@@ -6,10 +6,9 @@
 from RequestsLibrary import log
 from RequestsLibrary.compat import urljoin
 from RequestsLibrary.utils import (
-    has_secrets,
+    check_and_process_secrets,
     is_list_or_tuple,
     is_file_descriptor,
-    process_secrets,
     warn_if_equal_symbol_in_url_session_less,
 )
 
@@ -24,6 +23,7 @@ def __init__(self):
         self.timeout = None
         self.cookies = None
         self.last_response = None
+        self._request_has_secrets = False
 
     def _common_request(self, method, session, uri, **kwargs):
 
@@ -32,12 +32,17 @@ def _common_request(self, method, session, uri, **kwargs):
         else:
             request_function = getattr(requests, "request")
 
-        # Process robot's Secret types included in auth
         auth = kwargs.get("auth")
-        contains_secrets = False
         if auth is not None and isinstance(auth, (list, tuple)):
-            contains_secrets = has_secrets(auth)
-            kwargs["auth"] = process_secrets(auth)
+            kwargs["auth"], contains_secrets = check_and_process_secrets(auth)
+        else:
+            contains_secrets = False
+
+        if session and hasattr(session, '_has_secrets'):
+            contains_secrets = contains_secrets or session._has_secrets
+
+        # Store secrets flag for _print_debug to access
+        self._request_has_secrets = contains_secrets
 
         self._capture_output()
 

src/RequestsLibrary/SessionKeywords.py

@@ -1,4 +1,5 @@
 import logging
+import re
 import sys
 
 import requests
@@ -12,7 +13,8 @@
 from RequestsLibrary import utils
 from RequestsLibrary.compat import RetryAdapter, httplib
 from RequestsLibrary.exceptions import InvalidExpectedStatus, InvalidResponse
-from RequestsLibrary.utils import is_string_type, process_secrets
+from RequestsLibrary.log import AUTHORIZATION
+from RequestsLibrary.utils import is_string_type, check_and_process_secrets
 
 from .RequestsKeywords import RequestsKeywords
 
@@ -172,15 +174,20 @@ def create_session(
                               Note that max_retries must be greater than 0.
 
         """
-        auth = requests.auth.HTTPBasicAuth(*process_secrets(auth)) if auth else None
+        # Check if auth contains secrets and process in one pass
+        if auth:
+            processed_auth, session_has_secrets = check_and_process_secrets(auth)
+            auth = requests.auth.HTTPBasicAuth(*processed_auth)
+        else:
+            session_has_secrets = False
 
         logger.info(
             "Creating Session using : alias=%s, url=%s, headers=%s, \
                     cookies=%s, auth=%s, timeout=%s, proxies=%s, verify=%s, \
                     debug=%s "
             % (alias, url, headers, cookies, auth, timeout, proxies, verify, debug)
         )
-        return self._create_session(
+        session = self._create_session(
             alias=alias,
             url=url,
             headers=headers,
@@ -196,6 +203,9 @@ def create_session(
             retry_status_list=retry_status_list,
             retry_method_list=retry_method_list,
         )
+        # Store whether this session has secrets
+        session._has_secrets = session_has_secrets
+        return session
 
     @keyword("Create Client Cert Session")
     def create_client_cert_session(
@@ -262,7 +272,12 @@ def create_client_cert_session(
                               eg. set to [502, 503] to retry requests if those status are returned.
                               Note that max_retries must be greater than 0.
         """
-        auth = requests.auth.HTTPBasicAuth(*process_secrets(auth)) if auth else None
+        # Check if auth contains secrets and process in one pass
+        if auth:
+            processed_auth, session_has_secrets = check_and_process_secrets(auth)
+            auth = requests.auth.HTTPBasicAuth(*processed_auth)
+        else:
+            session_has_secrets = False
 
         logger.info(
             "Creating Session using : alias=%s, url=%s, headers=%s, \
@@ -300,6 +315,8 @@ def create_client_cert_session(
         )
 
         session.cert = tuple(client_certs)
+        # Store whether this session has secrets
+        session._has_secrets = session_has_secrets
         return session
 
     @keyword("Create Custom Session")
@@ -452,9 +469,15 @@ def create_digest_session(
                               eg. set to [502, 503] to retry requests if those status are returned.
                               Note that max_retries must be greater than 0.
         """
-        digest_auth = requests.auth.HTTPDigestAuth(*process_secrets(auth)) if auth else None
+        # Check if auth contains secrets and process in one pass
+        if auth:
+            processed_auth, session_has_secrets = check_and_process_secrets(auth)
+            digest_auth = requests.auth.HTTPDigestAuth(*processed_auth)
+        else:
+            digest_auth = None
+            session_has_secrets = False
 
-        return self._create_session(
+        session = self._create_session(
             alias=alias,
             url=url,
             headers=headers,
@@ -470,6 +493,9 @@ def create_digest_session(
             retry_status_list=retry_status_list,
             retry_method_list=retry_method_list,
         )
+        # Store whether this session has secrets
+        session._has_secrets = session_has_secrets
+        return session
 
     @keyword("Create Ntlm Session")
     def create_ntlm_session(
@@ -543,8 +569,9 @@ def create_ntlm_session(
                 " - expected 3, got {}".format(len(auth))
             )
         else:
-            auth = process_secrets(auth)
-            ntlm_auth = HttpNtlmAuth("{}\\{}".format(auth[0], auth[1]), auth[2])
+            # Check if auth contains secrets and process in one pass
+            processed_auth, session_has_secrets = check_and_process_secrets(auth)
+            ntlm_auth = HttpNtlmAuth("{}\\{}".format(processed_auth[0], processed_auth[1]), processed_auth[2])
             logger.info(
                 "Creating NTLM Session using : alias=%s, url=%s, \
                         headers=%s, cookies=%s, ntlm_auth=%s, timeout=%s, \
@@ -562,7 +589,7 @@ def create_ntlm_session(
                 )
             )
 
-            return self._create_session(
+            session = self._create_session(
                 alias=alias,
                 url=url,
                 headers=headers,
@@ -578,6 +605,9 @@ def create_ntlm_session(
                 retry_status_list=retry_status_list,
                 retry_method_list=retry_method_list,
             )
+            # Store whether this session has secrets
+            session._has_secrets = session_has_secrets
+            return session
 
     @keyword("Session Exists")
     def session_exists(self, alias):
@@ -657,4 +687,14 @@ def _print_debug(self):
             debug_info = "\n".join(
                 [ll.rstrip() for ll in debug_info.splitlines() if ll.strip()]
             )
+
+            # Mask Authorization header in debug output when secrets are used
+            if self._request_has_secrets:
+                debug_info = re.sub(
+                    rf'({AUTHORIZATION}:)\s*([^\n]+)',
+                    r'\1 *****',
+                    debug_info,
+                    flags=re.IGNORECASE
+                )
+
             logger.debug(debug_info)

src/RequestsLibrary/utils.py

@@ -104,6 +104,30 @@ def process_secrets(auth):
     return new_auth
 
 
+def check_and_process_secrets(auth):
+    """
+    Check if auth contains secrets and process them in a single pass.
+
+    Returns:
+        tuple: (processed_auth, has_secrets_flag)
+    """
+    if not auth or not isinstance(auth, (list, tuple)):
+        return auth, False
+
+    if robot_supports_secrets:
+        has_secrets_flag = False
+        processed = []
+        for a in auth:
+            if isinstance(a, Secret):
+                has_secrets_flag = True
+                processed.append(a.value)
+            else:
+                processed.append(a)
+        return tuple(processed), has_secrets_flag
+    else:
+        return auth, False
+
+
 def utf8_urlencode(data):
     if is_string_type(data):
         return data.encode("utf-8")