Merge "Barbican server logs Secret Payload contents"

2016-04-29 16:30:41 +00:00 · 2016-04-29 16:30:41 +00:00 · b797c88838
commit b797c88838
parent c6fbe7f466 5e9856fb43
2 changed files with 9 additions and 1 deletions
--- a/barbican/api/controllers/init.py
+++ b/barbican/api/controllers/init.py
@ -11,6 +11,7 @@
 #  under the License.
 import collections

+from oslo_policy import policy
 import pecan
 from webob import exc

@ -103,6 +104,13 @@ def handle_exceptions(operation_name=u._('System')):
            except exc.HTTPError:
                LOG.exception(u._LE('Webob error seen'))
                raise  # Already converted to Webob exception, just reraise
+            # In case PolicyNotAuthorized, we do not want to expose payload by
+            # logging exception, so just LOG.error
+            except policy.PolicyNotAuthorized as pna:
+                status, message = api.generate_safe_exception_message(
+                    operation_name, pna)
+                LOG.error(message)
+                pecan.abort(status, message)
            except Exception as e:
                # In case intervening modules have disabled logging.
                LOG.logger.disabled = False
--- a/barbican/plugin/crypto/simple_crypto.py
+++ b/barbican/plugin/crypto/simple_crypto.py
@ -34,7 +34,7 @@ simple_crypto_plugin_opts = [
    cfg.StrOpt('kek',
               default='dGhpcnR5X3R3b19ieXRlX2tleWJsYWhibGFoYmxhaGg=',
               help=u._('Key encryption key to be used by Simple Crypto '
-                        'Plugin'))
+                        'Plugin'), secret=True)
 ]
 CONF.register_group(simple_crypto_plugin_group)
 CONF.register_opts(simple_crypto_plugin_opts, group=simple_crypto_plugin_group)