
Mask passwords in debug log on user password operations

When a user is created, changes their own password, or has their password
changed by an admin while debug logging is enabled, the value of the user's
password was written to the log. The value should be masked.

Change-Id: I07b7441378fb630f01204d6b656b218f6b94dd5a
Closes-Bug: #1465922
Brant Knudson 3 years ago
parent
commit
fbdb100e65
2 changed files with 9 additions and 15 deletions
  1. 5
    1
      keystone/common/controller.py
  2. 4
    14
      keystone/tests/unit/test_v3_identity.py

+ 5
- 1
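--- a/keystone/common/controller.py
+++ b/keystone/common/controller.py
@@ -17,6 +17,7 @@ import uuid
 
 from oslo_config import cfg
 from oslo_log import log
+from oslo_utils import strutils
 import six
 
 from keystone.common import authorization
@@ -52,9 +53,12 @@ def v2_deprecated(f):
 
 
 def _build_policy_check_credentials(self, action, context, kwargs):
+    kwargs_str = ', '.join(['%s=%s' % (k, kwargs[k]) for k in kwargs])
+    kwargs_str = strutils.mask_password(kwargs_str)
+
     LOG.debug('RBAC: Authorizing %(action)s(%(kwargs)s)', {
         'action': action,
-        'kwargs': ', '.join(['%s=%s' % (k, kwargs[k]) for k in kwargs])})
+        'kwargs': kwargs_str})
 
     # see if auth context has already been created. If so use it.
     if ('environment' in context and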
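Review bot: The masking on new line 57 (`kwargs_str = strutils.mask_password(kwargs_str)`) runs over the already-formatted string, so it only hides values whose key name oslo_utils' pattern list recognises (password and similar); a secret passed under a key the patterns do not cover would still reach the debug log verbatim, and the formatted `kwargs` dump also includes every other argument unredacted. That dependency is worth stating next to the call, e.g. `# mask_password() matches known key names in the text; keys it does not recognise are logged as-is`. The string is also built and masked on every call even when debug logging is off; wrapping the three new lines and the LOG.debug call in `if LOG.isEnabledFor(logging.DEBUG):` would avoid that, assuming the stdlib `logging` level constant is importable in this module. `_build_policy_check_credentials` continues past the end of the hunk.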

+ 4
- 14
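--- a/keystone/tests/unit/test_v3_identity.py
+++ b/keystone/tests/unit/test_v3_identity.py
@@ -439,8 +439,6 @@ class IdentityTestCase(test_v3.RestfulTestCase):
     def test_create_user_password_not_logged(self):
         # When a user is created, the password isn't logged at any level.
 
-        # FIXME(blk-u): This doesn't work as expected, see bug 1465922
-
         log_fix = self.useFixture(fixtures.FakeLogger(level=logging.DEBUG))
 
         ref = self.new_user_ref(domain_id=self.domain_id)
@@ -448,15 +446,12 @@ class IdentityTestCase(test_v3.RestfulTestCase):
             '/users',
             body={'user': ref})
 
-        # This should be assert*Not*In, see bug 1465922
-        self.assertIn(ref['password'], log_fix.output)
+        self.assertNotIn(ref['password'], log_fix.output)
 
     def test_update_password_not_logged(self):
         # When admin modifies user password, the password isn't logged at any
         # level.
 
-        # FIXME(blk-u): This doesn't work as expected, see bug 1465922
-
         log_fix = self.useFixture(fixtures.FakeLogger(level=logging.DEBUG))
 
         # bootstrap a user as admin
@@ -471,9 +466,7 @@ class IdentityTestCase(test_v3.RestfulTestCase):
                    expected_status=200)
 
         self.assertNotIn(password, log_fix.output)
-
-        # This should be assert*Not*In, see bug 1465922
-        self.assertIn(new_password, log_fix.output)
+        self.assertNotIn(new_password, log_fix.output)
 
 
 class IdentityV3toV2MethodsTestCase(tests.TestCase):
@@ -628,8 +621,6 @@ class UserSelfServiceChangingPasswordsTestCase(test_v3.RestfulTestCase):
         # When a user changes their password, the password isn't logged at any
         # level.
 
-        # FIXME(blk-u): This doesn't work as expected, see bug 1465922
-
         log_fix = self.useFixture(fixtures.FakeLogger(level=logging.DEBUG))
 
         # change password
@@ -638,6 +629,5 @@ class UserSelfServiceChangingPasswordsTestCase(test_v3.RestfulTestCase):
                              original_password=self.user_ref['password'],
                              expected_status=204)
 
-        # These should be assert*Not*In, see bug 1465922
-        self.assertIn(self.user_ref['password'], log_fix.output)
-        self.assertIn(new_password, log_fix.output)
+        self.assertNotIn(self.user_ref['password'], log_fix.output)
+        self.assertNotIn(new_password, log_fix.output)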
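Review bot: The flipped assertions on new lines 449, 469, 632 and 633 are purely negative, so they also pass if the RBAC debug line is never emitted at all (for instance if the log call is later removed or the fixture level changes), which would silently stop the tests from exercising the masking they were written for. Adding a positive check that the masked message was actually written, e.g. `self.assertIn('RBAC: Authorizing', log_fix.output)` before each `assertNotIn`, would keep the tests tied to the code path they protect, assuming these requests go through the protected controller path that emits that line. Each of these test methods starts before or continues past its hunk.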
