Mask the token used to allow access to consoles

Hide the novncproxy token from the logs.

When backported this patch needs to be extended to handle the same issue
in the consoleauth service.

Co-Authored-By:paul-carlton2 <paul.carlton2@hp.com>
Co-Authored-By:Tristan Cacqueray <tdecacqu@redhat.com>

Change-Id: I5b8fa4233d297722c3af08176901d12887bae3de
Closes-Bug: #1492140
This commit is contained in:
Balazs Gibizer 2019-08-23 15:51:34 +02:00
parent 23995b4f99
commit 26d4047e17
2 changed files with 8 additions and 1 deletions
nova

@ -18,6 +18,7 @@ Websocket proxy that is compatible with OpenStack Nova.
Leverages websockify.py by Joel Martin Leverages websockify.py by Joel Martin
''' '''
import copy
import socket import socket
import sys import sys
@ -220,7 +221,10 @@ class NovaProxyRequestHandlerBase(object):
detail = _("Origin header protocol does not match this host.") detail = _("Origin header protocol does not match this host.")
raise exception.ValidationError(detail=detail) raise exception.ValidationError(detail=detail)
self.msg(_('connect info: %s'), str(connect_info)) sanitized_info = copy.copy(connect_info)
sanitized_info.token = '***'
self.msg(_('connect info: %s'), sanitized_info)
host = connect_info.host host = connect_info.host
port = connect_info.port port = connect_info.port

@ -219,6 +219,9 @@ class NovaProxyRequestHandlerBaseTestCase(test.NoDBTestCase):
validate.assert_called_with(mock.ANY, "123-456-789") validate.assert_called_with(mock.ANY, "123-456-789")
self.wh.socket.assert_called_with('node1', 10000, connect=True) self.wh.socket.assert_called_with('node1', 10000, connect=True)
self.wh.do_proxy.assert_called_with('<socket>') self.wh.do_proxy.assert_called_with('<socket>')
# ensure that token is masked when logged
connection_info = self.wh.msg.mock_calls[0][1][1]
self.assertEqual('***', connection_info.token)
@mock.patch('nova.console.websocketproxy.NovaProxyRequestHandlerBase.' @mock.patch('nova.console.websocketproxy.NovaProxyRequestHandlerBase.'
'_check_console_port') '_check_console_port')