Mask out passwords when tracing

This patch ensures that input and return parameters that are being traced mask out passwords to the log file. Change-Id: I71baa6ee7b2a474701a1caed99d4889fffc62eca
2016-08-09 08:39:35 -07:00 · 2016-08-09 08:39:35 -07:00 · 54a958534f
parent 1e32adbafa
commit 54a958534f
2 changed files with 39 additions and 0 deletions
--- a/cinder/tests/unit/test_utils.py
+++ b/cinder/tests/unit/test_utils.py
@ -1263,6 +1263,39 @@ class LogTracingTestCase(test.TestCase):
        self.assertEqual('OK', result)
        self.assertEqual(2, mock_log.debug.call_count)

+    def test_utils_trace_method_with_password_dict(self):
+        mock_log = self.patch('cinder.utils.logging.getLogger')
+        mock_log().isEnabledFor.return_value = True
+
+        @utils.trace_method
+        def _trace_test_method(*args, **kwargs):
+            return {'something': 'test',
+                    'password': 'Now you see me'}
+
+        utils.setup_tracing(['method'])
+
+        result = _trace_test_method(self)
+
+        expected_masked_dict = {'password': '***', 'something': 'test'}
+
+        self.assertEqual(expected_masked_dict, result)
+
+    def test_utils_trace_method_with_password_str(self):
+        mock_log = self.patch('cinder.utils.logging.getLogger')
+        mock_log().isEnabledFor.return_value = True
+
+        @utils.trace_method
+        def _trace_test_method(*args, **kwargs):
+            return "'adminPass': 'Now you see me'"
+
+        utils.setup_tracing(['method'])
+
+        result = _trace_test_method(self)
+
+        expected_masked_str = "'adminPass': '***'"
+
+        self.assertEqual(expected_masked_str, result)
+
    def test_utils_calculate_virtual_free_capacity_with_thick(self):
        host_stat = {'total_capacity_gb': 30.01,
                     'free_capacity_gb': 28.01,
--- a/cinder/utils.py
+++ b/cinder/utils.py
@ -839,6 +839,7 @@ def trace(f):
            return f(*args, **kwargs)

        all_args = inspect.getcallargs(f, *args, **kwargs)
+
        logger.debug('==> %(func)s: call %(all_args)r',
                     {'func': func_name, 'all_args': all_args})

@ -854,6 +855,11 @@ def trace(f):
            raise
        total_time = int(round(time.time() * 1000)) - start_time

+        if isinstance(result, dict):
+            result = strutils.mask_dict_password(result)
+        elif isinstance(result, six.string_types):
+            result = strutils.mask_password(result)
+
        logger.debug('<== %(func)s: return (%(time)dms) %(result)r',
                     {'func': func_name,
                      'time': total_time,