Mask the token used to allow access to consoles

Hide the novncproxy token from the logs.

When backported this patch needs to be extended to handle the same issue
in the consoleauth service.

Co-Authored-By:paul-carlton2 <paul.carlton2@hp.com>
Co-Authored-By:Tristan Cacqueray <tdecacqu@redhat.com>

Change-Id: I5b8fa4233d297722c3af08176901d12887bae3de
Closes-Bug: #1492140

nova/console/websocketproxy.py

@@ -18,6 +18,7 @@ Websocket proxy that is compatible with OpenStack Nova.
 Leverages websockify.py by Joel Martin
 '''
 
+import copy
 import socket
 import sys
 
@@ -220,7 +221,10 @@ class NovaProxyRequestHandlerBase(object):
                 detail = _("Origin header protocol does not match this host.")
                 raise exception.ValidationError(detail=detail)
 
-        self.msg(_('connect info: %s'), str(connect_info))
+        sanitized_info = copy.copy(connect_info)
+        sanitized_info.token = '***'
+        self.msg(_('connect info: %s'), sanitized_info)
+
         host = connect_info.host
         port = connect_info.port
 

nova/tests/unit/console/test_websocketproxy.py

@@ -219,6 +219,9 @@ class NovaProxyRequestHandlerBaseTestCase(test.NoDBTestCase):
         validate.assert_called_with(mock.ANY, "123-456-789")
         self.wh.socket.assert_called_with('node1', 10000, connect=True)
         self.wh.do_proxy.assert_called_with('<socket>')
+        # ensure that token is masked when logged
+        connection_info = self.wh.msg.mock_calls[0][1][1]
+        self.assertEqual('***', connection_info.token)
 
     @mock.patch('nova.console.websocketproxy.NovaProxyRequestHandlerBase.'
                 '_check_console_port')