From 82e1782b39ceb1e3abe92323d120045e916db404 Mon Sep 17 00:00:00 2001
From: Takashi Kajinami
Date: Wed, 20 Mar 2024 00:24:17 +0900
Subject: [PATCH] vault: Hide values used for authentication
The following options are used for authentication with Vault, so should be hidden from logs. 1) root_token_id This is not actually an id but a token string 2) approle_role_id and approle_secret_id These are used together to obtain token
Closes-Bug: #2058397
Change-Id: I0650fd12e3f51fc4d829e0be3ab95cd8b3ee03ea
---
 barbican/plugin/vault_secret_store.py | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/barbican/plugin/vault_secret_store.py b/barbican/plugin/vault_secret_store.py
index df6eb14c0..67d95cab4 100644
--- a/barbican/plugin/vault_secret_store.py
+++ b/barbican/plugin/vault_secret_store.py
@@ -28,10 +28,13 @@ DEFAULT_MOUNTPOINT = "secret"
 vault_opt_group = cfg.OptGroup(name='vault_plugin', title='Vault Plugin')
 vault_opts = [
 cfg.StrOpt('root_token_id',
+ secret=True,
 help='root token for vault'),
 cfg.StrOpt('approle_role_id',
+ secret=True,
 help='AppRole role_id for authentication with vault'),
 cfg.StrOpt('approle_secret_id',
+ secret=True,
 help='AppRole secret_id for authentication with vault'),
 cfg.StrOpt('kv_mountpoint',
 default=DEFAULT_MOUNTPOINT,
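Review bot: The `help` string on `root_token_id` still reads `'root token for vault'`, so the point made in the commit message (the value is the token itself, not an identifier) never reaches an operator reading the generated config; something like `help='Root token for vault (the token string itself, not an identifier)'` would carry it. `secret=True` masks a value only where oslo.config itself renders option values, such as the option dump a service can emit at debug level, so it does nothing for values that earlier releases already wrote to logs. The diffstat shows a single file changed, so presumably no release note accompanies the fix; a short security note advising operators to treat previously logged root tokens and AppRole role_id/secret_id pairs as exposed and to rotate them would close that gap. The `vault_opts` list continues past the end of the hunk, so any other credential-bearing options further down are not visible here and should be checked for the same flag.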