Mask passwords in debug log on user password operations
When a user is created, changes their password, or has their password changed by an admin, and debug logging is enabled, the value of the user's password was logged. The value should be masked.
Conflicts: keystone/common/controller.py keystone/tests/unit/test_v3_identity.py
Change-Id: I07b7441378fb630f01204d6b656b218f6b94dd5a
Closes-Bug: #1465922
(cherry picked from commit fbdb100e65)
(cherry picked from commit c4dc1331e1)
parent
a7037547fe
commit
c15cbc48d6
|
@ -25,6 +25,7 @@ from keystone import exception
|
||||||
from keystone.i18n import _
|
from keystone.i18n import _
|
||||||
from keystone.models import token_model
|
from keystone.models import token_model
|
||||||
from keystone.openstack.common import log
|
from keystone.openstack.common import log
|
||||||
|
from keystone.openstack.common import strutils
|
||||||
|
|
||||||
|
|
||||||
LOG = log.getLogger(__name__)
|
LOG = log.getLogger(__name__)
|
||||||
|
@ -50,9 +51,12 @@ def v2_deprecated(f):
|
||||||
|
|
||||||
|
|
||||||
def _build_policy_check_credentials(self, action, context, kwargs):
|
def _build_policy_check_credentials(self, action, context, kwargs):
|
||||||
|
kwargs_str = ', '.join(['%s=%s' % (k, kwargs[k]) for k in kwargs])
|
||||||
|
kwargs_str = strutils.mask_password(kwargs_str)
|
||||||
|
|
||||||
LOG.debug('RBAC: Authorizing %(action)s(%(kwargs)s)', {
|
LOG.debug('RBAC: Authorizing %(action)s(%(kwargs)s)', {
|
||||||
'action': action,
|
'action': action,
|
||||||
'kwargs': ', '.join(['%s=%s' % (k, kwargs[k]) for k in kwargs])})
|
'kwargs': kwargs_str})
|
||||||
|
|
||||||
# see if auth context has already been created. If so use it.
|
# see if auth context has already been created. If so use it.
|
||||||
if ('environment' in context and
|
if ('environment' in context and
|
||||||
|
|
|
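Review bot: In `_build_policy_check_credentials`, `strutils.mask_password(kwargs_str)` redacts by matching patterns in the already-rendered `k=v` text, so what is hidden depends on the key names and quoting the helper recognises, not on which fields are actually sensitive. A secret stored in `kwargs` under a name the helper does not match would presumably still reach the debug log; a comment above the call such as `# mask_password() is pattern-based: only recognised password keys are redacted` would make that limit visible to the next maintainer. The string is also built and masked on every policy check even when debug logging is off, which a debug-level check on `LOG` around these statements would avoid. The function body continues outside the hunk.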
@ -1662,8 +1662,6 @@ class IdentityTestCase(test_v3.RestfulTestCase):
|
||||||
def test_create_user_password_not_logged(self):
|
def test_create_user_password_not_logged(self):
|
||||||
# When a user is created, the password isn't logged at any level.
|
# When a user is created, the password isn't logged at any level.
|
||||||
|
|
||||||
# FIXME(blk-u): This doesn't work as expected, see bug 1465922
|
|
||||||
|
|
||||||
log_fix = self.useFixture(fixtures.FakeLogger(level=logging.DEBUG))
|
log_fix = self.useFixture(fixtures.FakeLogger(level=logging.DEBUG))
|
||||||
|
|
||||||
ref = self.new_user_ref(domain_id=self.domain_id)
|
ref = self.new_user_ref(domain_id=self.domain_id)
|
||||||
|
@ -1671,15 +1669,12 @@ class IdentityTestCase(test_v3.RestfulTestCase):
|
||||||
'/users',
|
'/users',
|
||||||
body={'user': ref})
|
body={'user': ref})
|
||||||
|
|
||||||
# This should be assert*Not*In, see bug 1465922
|
self.assertNotIn(ref['password'], log_fix.output)
|
||||||
self.assertIn(ref['password'], log_fix.output)
|
|
||||||
|
|
||||||
def test_update_password_not_logged(self):
|
def test_update_password_not_logged(self):
|
||||||
# When admin modifies user password, the password isn't logged at any
|
# When admin modifies user password, the password isn't logged at any
|
||||||
# level.
|
# level.
|
||||||
|
|
||||||
# FIXME(blk-u): This doesn't work as expected, see bug 1465922
|
|
||||||
|
|
||||||
log_fix = self.useFixture(fixtures.FakeLogger(level=logging.DEBUG))
|
log_fix = self.useFixture(fixtures.FakeLogger(level=logging.DEBUG))
|
||||||
|
|
||||||
# bootstrap a user as admin
|
# bootstrap a user as admin
|
||||||
|
@ -1694,9 +1689,7 @@ class IdentityTestCase(test_v3.RestfulTestCase):
|
||||||
expected_status=200)
|
expected_status=200)
|
||||||
|
|
||||||
self.assertNotIn(password, log_fix.output)
|
self.assertNotIn(password, log_fix.output)
|
||||||
|
self.assertNotIn(new_password, log_fix.output)
|
||||||
# This should be assert*Not*In, see bug 1465922
|
|
||||||
self.assertIn(new_password, log_fix.output)
|
|
||||||
|
|
||||||
|
|
||||||
class IdentityInheritanceTestCase(test_v3.RestfulTestCase):
|
class IdentityInheritanceTestCase(test_v3.RestfulTestCase):
|
||||||
|
@ -2346,8 +2339,6 @@ class UserSelfServiceChangingPasswordsTestCase(test_v3.RestfulTestCase):
|
||||||
# When a user changes their password, the password isn't logged at any
|
# When a user changes their password, the password isn't logged at any
|
||||||
# level.
|
# level.
|
||||||
|
|
||||||
# FIXME(blk-u): This doesn't work as expected, see bug 1465922
|
|
||||||
|
|
||||||
log_fix = self.useFixture(fixtures.FakeLogger(level=logging.DEBUG))
|
log_fix = self.useFixture(fixtures.FakeLogger(level=logging.DEBUG))
|
||||||
|
|
||||||
# change password
|
# change password
|
||||||
|
@ -2356,6 +2347,5 @@ class UserSelfServiceChangingPasswordsTestCase(test_v3.RestfulTestCase):
|
||||||
original_password=self.user_ref['password'],
|
original_password=self.user_ref['password'],
|
||||||
expected_status=204)
|
expected_status=204)
|
||||||
|
|
||||||
# These should be assert*Not*In, see bug 1465922
|
self.assertNotIn(self.user_ref['password'], log_fix.output)
|
||||||
self.assertIn(self.user_ref['password'], log_fix.output)
|
self.assertNotIn(new_password, log_fix.output)
|
||||||
self.assertIn(new_password, log_fix.output)
|
|
||||||
|
|
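Review bot: The updated tests only assert that the password strings are absent from `log_fix.output`, so they would also pass if the RBAC debug line were no longer emitted or captured at all. A positive check next to each `assertNotIn`, for example `self.assertIn('RBAC: Authorizing', log_fix.output)`, would show that the line was logged with the value masked and is not simply missing. This applies to `test_create_user_password_not_logged`, `test_update_password_not_logged` and the self-service password change test; all three test bodies start or end outside the hunks shown.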