From 54a958534f239d39c60ae773bacde2f35f5dfaac Mon Sep 17 00:00:00 2001 From: "Walter A. Boring IV" Date: Tue, 9 Aug 2016 08:39:35 -0700 Subject: [PATCH] Mask out passwords when tracing This patch ensures that input and return parameters that are being traced mask out passwords to the log file. Change-Id: I71baa6ee7b2a474701a1caed99d4889fffc62eca --- cinder/tests/unit/test_utils.py | 33 +++++++++++++++++++++++++++++++++ cinder/utils.py | 6 ++++++ 2 files changed, 39 insertions(+) diff --git a/cinder/tests/unit/test_utils.py b/cinder/tests/unit/test_utils.py index f4c4f63a9b3..aa8afcc4819 100644 --- a/cinder/tests/unit/test_utils.py +++ b/cinder/tests/unit/test_utils.py @@ -1263,6 +1263,39 @@ class LogTracingTestCase(test.TestCase): self.assertEqual('OK', result) self.assertEqual(2, mock_log.debug.call_count) + def test_utils_trace_method_with_password_dict(self): + mock_log = self.patch('cinder.utils.logging.getLogger') + mock_log().isEnabledFor.return_value = True + + @utils.trace_method + def _trace_test_method(*args, **kwargs): + return {'something': 'test', + 'password': 'Now you see me'} + + utils.setup_tracing(['method']) + + result = _trace_test_method(self) + + expected_masked_dict = {'password': '***', 'something': 'test'} + + self.assertEqual(expected_masked_dict, result) + + def test_utils_trace_method_with_password_str(self): + mock_log = self.patch('cinder.utils.logging.getLogger') + mock_log().isEnabledFor.return_value = True + + @utils.trace_method + def _trace_test_method(*args, **kwargs): + return "'adminPass': 'Now you see me'" + + utils.setup_tracing(['method']) + + result = _trace_test_method(self) + + expected_masked_str = "'adminPass': '***'" + + self.assertEqual(expected_masked_str, result) + def test_utils_calculate_virtual_free_capacity_with_thick(self): host_stat = {'total_capacity_gb': 30.01, 'free_capacity_gb': 28.01, diff --git a/cinder/utils.py b/cinder/utils.py index dad0bfd7109..7c33dd4a708 100644 --- a/cinder/utils.py 
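Review bot: Both new tests assert on the value handed back to the caller (`self.assertEqual(expected_masked_dict, result)` and the `expected_masked_str` equivalent), so they never inspect what was passed to the logger, and they lock in a traced function returning `'***'` in place of the real password. The behaviour worth pinning is the opposite pair: the return value is unchanged, e.g. `self.assertEqual('Now you see me', result['password'])`, and the plaintext is absent from the arguments recorded on `mock_log().debug`. As written, a regression that logged the raw password while still masking the return value would pass both tests.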
+++ b/cinder/utils.py @@ -839,6 +839,7 @@ def trace(f): return f(*args, **kwargs) all_args = inspect.getcallargs(f, *args, **kwargs) + logger.debug('==> %(func)s: call %(all_args)r', {'func': func_name, 'all_args': all_args}) @@ -854,6 +855,11 @@ def trace(f): raise total_time = int(round(time.time() * 1000)) - start_time + if isinstance(result, dict): + result = strutils.mask_dict_password(result) + elif isinstance(result, six.string_types): + result = strutils.mask_password(result) + logger.debug('<== %(func)s: return (%(time)dms) %(result)r', {'func': func_name, 'time': total_time,
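Review bot: In the `@@ -854,6 +855,11 @@` hunk the masked value is assigned back to `result`, so if the wrapper returns `result` after the log call (the return is below the hunk, but the new tests' `assertEqual(expected_masked_dict, result)` indicates it does), enabling tracing changes what every traced function returns: a caller that needs the credential gets `'***'`. Mask into a separate name used only for the log line, as sketched below, and pass that name as the `'result'` value of the `logger.debug` dict. Separately, the `@@ -839,6 +839,7 @@` hunk only adds a blank line, so `all_args` is still logged with `%r` unmasked although the commit message says input parameters are covered; `strutils.mask_dict_password(all_args)` at that log call would mask password-named arguments. Return values that are neither `dict` nor string (lists, tuples, objects) are logged as-is in either version.

```python
        total_time = int(round(time.time() * 1000)) - start_time

        # Mask a copy for the log line only; `result` itself must reach the
        # caller unmodified.
        if isinstance(result, dict):
            mask_result = strutils.mask_dict_password(result)
        elif isinstance(result, six.string_types):
            mask_result = strutils.mask_password(result)
        else:
            mask_result = result

        # … unchanged: logger.debug('<== …') call, logging mask_result instead of result …
```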