Also include domain when printing token

author: Tor Brede Vekterli <vekterli@yahooinc.com> 2023-06-06 15:04:53 +0200
committer: Tor Brede Vekterli <vekterli@yahooinc.com> 2023-06-06 15:04:53 +0200
commit: e8b5a5e4eb2409705bedc3a9e0ddf451e0e3e55e (patch)
tree: db1750b404a25c31ecb35edc09818d9c7af55d6e /security-utils
parent: 594c7848b0d18e1d1e5d37a6a2be31a0530756b0 (diff)
3 files changed, 12 insertions, 3 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/token/Token.java b/security-utils/src/main/java/com/yahoo/security/token/Token.java
index bc1d7239310..af50ad9a733 100644
--- a/security-utils/src/main/java/com/yahoo/security/token/Token.java
+++ b/security-utils/src/main/java/com/yahoo/security/token/Token.java
@@ -67,7 +67,8 @@ public class Token {
     @Override
     public String toString() {
         // Avoid leaking raw token secret as part of toString() output
-        return "Token(fingerprint: %s)".formatted(fingerprint);
+        // Fingerprint first, since that's the most important bit.
+        return "Token(fingerprint: %s, domain: %s)".formatted(fingerprint, domain);
     }
 
     /**
diff --git a/security-utils/src/main/java/com/yahoo/security/token/TokenDomain.java b/security-utils/src/main/java/com/yahoo/security/token/TokenDomain.java
index b29815f3a56..e01d942cacf 100644
--- a/security-utils/src/main/java/com/yahoo/security/token/TokenDomain.java
+++ b/security-utils/src/main/java/com/yahoo/security/token/TokenDomain.java
@@ -3,6 +3,7 @@ package com.yahoo.security.token;
 
 import java.util.Arrays;
 
+import static com.yahoo.security.ArrayUtils.fromUtf8Bytes;
 import static com.yahoo.security.ArrayUtils.toUtf8Bytes;
 
 /**
@@ -43,6 +44,11 @@ public record TokenDomain(byte[] fingerprintContext, byte[] checkHashContext) {
         return result;
     }
 
+    @Override
+    public String toString() {
+        return "'%s'/'%s'".formatted(fromUtf8Bytes(fingerprintContext), fromUtf8Bytes(checkHashContext));
+    }
+
     public static TokenDomain of(String fingerprintContext, String checkHashContext) {
         return new TokenDomain(toUtf8Bytes(fingerprintContext),
                                toUtf8Bytes(checkHashContext));
diff --git a/security-utils/src/test/java/com/yahoo/security/token/TokenTest.java b/security-utils/src/test/java/com/yahoo/security/token/TokenTest.java
index 6af2452eb7e..3418929f60b 100644
--- a/security-utils/src/test/java/com/yahoo/security/token/TokenTest.java
+++ b/security-utils/src/test/java/com/yahoo/security/token/TokenTest.java
@@ -100,9 +100,11 @@ public class TokenTest {
     }
 
     @Test
-    void token_stringification_only_contains_fingerprint() {
+    void token_stringification_does_not_contain_raw_secret() {
         var t = Token.of(TEST_DOMAIN, "foo");
-        assertEquals("Token(fingerprint: 53:2e:4e:09:d5:4f:96:f4:1a:44:82:ef:f0:44:b9:a2)", t.toString());
+        assertEquals("Token(fingerprint: 53:2e:4e:09:d5:4f:96:f4:1a:44:82:ef:f0:44:b9:a2, " +
+                           "domain: 'my fingerprint'/'my check hash')",
+                     t.toString());
     }
 
     @Test
author	Tor Brede Vekterli <vekterli@yahooinc.com>	2023-06-06 15:04:53 +0200
committer	Tor Brede Vekterli <vekterli@yahooinc.com>	2023-06-06 15:04:53 +0200
commit	e8b5a5e4eb2409705bedc3a9e0ddf451e0e3e55e (patch)
tree	db1750b404a25c31ecb35edc09818d9c7af55d6e /security-utils
parent	594c7848b0d18e1d1e5d37a6a2be31a0530756b0 (diff)