From e9f318e9b6017fad81fb9b18cefd5e91ec8bac6b Mon Sep 17 00:00:00 2001
From: "Walter A. Boring IV"
Date: Mon, 17 Apr 2017 21:14:41 +0000
Subject: [PATCH] Mask logging of connection info for iSCSI connector

The iSCSI Connector object could possibly log CHAP passwords to the log file. This patch uses the oslo strutils to mask out any passwords that may get logged.

Change-Id: I3496377874bf5820afd919923282c846a956ef67
---
 os_brick/initiator/connectors/iscsi.py | 6 ++-
 .../tests/initiator/connectors/test_iscsi.py | 47 +++++++++++++++++++
 2 files changed, 51 insertions(+), 2 deletions(-)
diff --git a/os_brick/initiator/connectors/iscsi.py b/os_brick/initiator/connectors/iscsi.py
index a651c0a0f..8a9227515 100644
--- a/os_brick/initiator/connectors/iscsi.py
+++ b/os_brick/initiator/connectors/iscsi.py
@@ -373,7 +373,8 @@ class ISCSIConnector(base.BaseLinuxConnector, base_iscsi.BaseISCSIConnector):
 Try and update the local kernel's size information for an iSCSI volume.
 """
- LOG.info("Extend volume for %s", connection_properties)
+ LOG.info("Extend volume for %s",
+ strutils.mask_dict_password(connection_properties))
 volume_paths = self.get_volume_paths(connection_properties)
 LOG.info("Found paths for volume %s", volume_paths)
@@ -382,7 +383,8 @@ class ISCSIConnector(base.BaseLinuxConnector, base_iscsi.BaseISCSIConnector):
 else:
 LOG.warning("Couldn't find any volume paths on the host to "
 "extend volume for %(props)s",
- {'props': connection_properties})
+ {'props': strutils.mask_dict_password(
+ connection_properties)})
 raise exception.VolumePathsNotFound()
 @utils.trace
diff --git a/os_brick/tests/initiator/connectors/test_iscsi.py b/os_brick/tests/initiator/connectors/test_iscsi.py
index 09a3a71c2..e66be4a30 100644
--- a/os_brick/tests/initiator/connectors/test_iscsi.py
+++ b/os_brick/tests/initiator/connectors/test_iscsi.py
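Review bot: In os_brick/initiator/connectors/iscsi.py both hunks call `strutils.mask_dict_password(connection_properties)` inline at the log site, so the raw dict remains the only name in scope and the next log line added to this method can leak the CHAP secrets again. Compute the masked copy once near the top of the method, `masked_props = strutils.mask_dict_password(connection_properties)`, and pass `masked_props` to the `LOG.info` call in the first hunk and the `LOG.warning` call in the second. The patch adds no import line, so `strutils` is presumably already imported by this module; the method's signature and the rest of its body lie outside the hunks. mask_dict_password selects what to mask by key name, so it is worth confirming that every secret-bearing key the iSCSI connection properties can carry is one it recognises.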
@@ -1030,6 +1030,53 @@ Setting up iSCSI targets: unused
 new_size = self.connector.extend_volume(connection_info['data'])
 self.assertEqual(fake_new_size, new_size)
+ @mock.patch.object(iscsi.LOG, 'info')
+ @mock.patch.object(linuxscsi.LinuxSCSI, 'extend_volume')
+ @mock.patch.object(iscsi.ISCSIConnector, 'get_volume_paths')
+ def test_extend_volume_mask_password(self, mock_volume_paths,
+ mock_scsi_extend,
+ mock_log_info):
+ fake_new_size = 1024
+ mock_volume_paths.return_value = ['/dev/vdx']
+ mock_scsi_extend.return_value = fake_new_size
+ volume = {'id': 'fake_uuid'}
+ connection_info = self.iscsi_connection_chap(
+ volume, "10.0.2.15:3260", "fake_iqn",
+ 'CHAP', 'fake_user', 'fake_password',
+ 'CHAP1', 'fake_user1', 'fake_password1')
+ self.connector.extend_volume(connection_info['data'])
+
+ self.assertEqual(2, mock_log_info.call_count)
+ self.assertIn("'auth_password': '***'",
+ str(mock_log_info.call_args_list[0]))
+ self.assertIn("'discovery_auth_password': '***'",
+ str(mock_log_info.call_args_list[0]))
+
+ @mock.patch.object(iscsi.LOG, 'warning')
+ @mock.patch.object(linuxscsi.LinuxSCSI, 'extend_volume')
+ @mock.patch.object(iscsi.ISCSIConnector, 'get_volume_paths')
+ def test_extend_volume_mask_password_no_paths(self, mock_volume_paths,
+ mock_scsi_extend,
+ mock_log_warning):
+ fake_new_size = 1024
+ mock_volume_paths.return_value = []
+ mock_scsi_extend.return_value = fake_new_size
+ volume = {'id': 'fake_uuid'}
+ connection_info = self.iscsi_connection_chap(
+ volume, "10.0.2.15:3260", "fake_iqn",
+ 'CHAP', 'fake_user', 'fake_password',
+ 'CHAP1', 'fake_user1', 'fake_password1')
+
+ self.assertRaises(exception.VolumePathsNotFound,
+ self.connector.extend_volume,
+ connection_info['data'])
+
+ self.assertEqual(1, mock_log_warning.call_count)
+ self.assertIn("'auth_password': '***'",
+ str(mock_log_warning.call_args_list[0]))
+ self.assertIn("'discovery_auth_password': '***'",
+ str(mock_log_warning.call_args_list[0]))
+
 @mock.patch.object(os.path, 'isdir')
 def test_get_all_available_volumes_path_not_dir(self, mock_isdir):
 mock_isdir.return_value = False
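Review bot: Both new tests in os_brick/tests/initiator/connectors/test_iscsi.py assert only that the masked form `'auth_password': '***'` appears in the first recorded call; neither asserts that the plaintext is absent, so a second copy of the secret elsewhere in the logged structure or in a later call would still pass. Add a negative check over every recorded call, e.g. `self.assertNotIn('fake_password', str(mock_log_info.call_args_list))` in the first test and the same against `mock_log_warning` in the second; that substring also covers `fake_password1`. In test_extend_volume_mask_password_no_paths it would also be worth patching `iscsi.LOG.info` and checking it, since the "Extend volume for %s" message in the patched connector is logged before the volume paths are looked up and so appears to run on the no-paths path as well.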