From 2c8bfa1277094260cf9d4b8a7b97aefa928d7d0f Mon Sep 17 00:00:00 2001
From: Charles Lowell <chlowe@microsoft.com>
Date: Mon, 22 Jun 2020 14:19:06 -0700
Subject: [PATCH] Don't redact Key Vault header values in logs (#12077)

---
 sdk/keyvault/azure-keyvault-certificates/CHANGELOG.md         | 2 ++
 .../azure/keyvault/certificates/_shared/client_base.py        | 4 +++-
 sdk/keyvault/azure-keyvault-keys/CHANGELOG.md                 | 2 ++
 .../azure/keyvault/keys/_shared/client_base.py                | 4 +++-
 sdk/keyvault/azure-keyvault-secrets/CHANGELOG.md              | 2 ++
 .../azure/keyvault/secrets/_shared/client_base.py             | 4 +++-
 6 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/sdk/keyvault/azure-keyvault-certificates/CHANGELOG.md b/sdk/keyvault/azure-keyvault-certificates/CHANGELOG.md
index cfcc7560a73..b283fa6eae2 100644
--- a/sdk/keyvault/azure-keyvault-certificates/CHANGELOG.md
+++ b/sdk/keyvault/azure-keyvault-certificates/CHANGELOG.md
@@ -1,6 +1,8 @@
 # Release History
 
 ## 4.2.0b2 (Unreleased)
+- Values of `x-ms-keyvault-region` and `x-ms-keyvault-service-version` headers
+  are no longer redacted in logging output.
 - Updated minimum `azure-core` version to 1.4.0
 
 ## 4.2.0b1 (2020-03-10)
diff --git a/sdk/keyvault/azure-keyvault-certificates/azure/keyvault/certificates/_shared/client_base.py b/sdk/keyvault/azure-keyvault-certificates/azure/keyvault/certificates/_shared/client_base.py
index b1e1a2e997d..6fccbaf5780 100644
--- a/sdk/keyvault/azure-keyvault-certificates/azure/keyvault/certificates/_shared/client_base.py
+++ b/sdk/keyvault/azure-keyvault-certificates/azure/keyvault/certificates/_shared/client_base.py
@@ -27,7 +27,9 @@
 
 def _get_policies(config, **kwargs):
     logging_policy = HttpLoggingPolicy(**kwargs)
-    logging_policy.allowed_header_names.add("x-ms-keyvault-network-info")
+    logging_policy.allowed_header_names.update(
+        {"x-ms-keyvault-network-info", "x-ms-keyvault-region", "x-ms-keyvault-service-version"}
+    )
 
     return [
         config.headers_policy,
diff --git a/sdk/keyvault/azure-keyvault-keys/CHANGELOG.md b/sdk/keyvault/azure-keyvault-keys/CHANGELOG.md
index 09e6365abe2..03d3eae0826 100644
--- a/sdk/keyvault/azure-keyvault-keys/CHANGELOG.md
+++ b/sdk/keyvault/azure-keyvault-keys/CHANGELOG.md
@@ -1,6 +1,8 @@
 # Release History
 
 ## 4.2.0b2 (Unreleased)
+- Values of `x-ms-keyvault-region` and `x-ms-keyvault-service-version` headers
+  are no longer redacted in logging output.
 - Updated minimum `azure-core` version to 1.4.0
 - `CryptographyClient` will no longer perform encrypt or wrap operations when
   its key has expired or is not yet valid.
diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_shared/client_base.py b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_shared/client_base.py
index b1e1a2e997d..6fccbaf5780 100644
--- a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_shared/client_base.py
+++ b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_shared/client_base.py
@@ -27,7 +27,9 @@
 
 def _get_policies(config, **kwargs):
     logging_policy = HttpLoggingPolicy(**kwargs)
-    logging_policy.allowed_header_names.add("x-ms-keyvault-network-info")
+    logging_policy.allowed_header_names.update(
+        {"x-ms-keyvault-network-info", "x-ms-keyvault-region", "x-ms-keyvault-service-version"}
+    )
 
     return [
         config.headers_policy,
diff --git a/sdk/keyvault/azure-keyvault-secrets/CHANGELOG.md b/sdk/keyvault/azure-keyvault-secrets/CHANGELOG.md
index 206b9feea68..f13360a8f8b 100644
--- a/sdk/keyvault/azure-keyvault-secrets/CHANGELOG.md
+++ b/sdk/keyvault/azure-keyvault-secrets/CHANGELOG.md
@@ -1,6 +1,8 @@
 # Release History
 
 ## 4.2.0b2 (Unreleased)
+- Values of `x-ms-keyvault-region` and `x-ms-keyvault-service-version` headers
+  are no longer redacted in logging output.
 - Updated minimum `azure-core` version to 1.4.0
 
 ## 4.2.0b1 (2020-03-10)
diff --git a/sdk/keyvault/azure-keyvault-secrets/azure/keyvault/secrets/_shared/client_base.py b/sdk/keyvault/azure-keyvault-secrets/azure/keyvault/secrets/_shared/client_base.py
index b1e1a2e997d..6fccbaf5780 100644
--- a/sdk/keyvault/azure-keyvault-secrets/azure/keyvault/secrets/_shared/client_base.py
+++ b/sdk/keyvault/azure-keyvault-secrets/azure/keyvault/secrets/_shared/client_base.py
@@ -27,7 +27,9 @@
 
 def _get_policies(config, **kwargs):
     logging_policy = HttpLoggingPolicy(**kwargs)
-    logging_policy.allowed_header_names.add("x-ms-keyvault-network-info")
+    logging_policy.allowed_header_names.update(
+        {"x-ms-keyvault-network-info", "x-ms-keyvault-region", "x-ms-keyvault-service-version"}
+    )
 
     return [
         config.headers_policy,