openstack/os-brick
Code Issues Proposed changes

Mask out passwords when tracing

Browse Source 
This patch ensures that tracing log output is masking out passwords
to the log file.

Closes-Bug: 1616527
Change-Id: I5452ab8b993a184406331ad34abb9ceff24e4180
This commit is contained in:
Walter A. Boring IV
2016-08-11 06:27:48 -07:00
parent ce0d9b3703
commit f8e4f3cdbe
2 changed files with 49 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

38
os_brick/tests/test_utils.py
View File

@@ -231,3 +231,41 @@ class LogTracingTestCase(base.TestCase):
self.assertEqual('OK', result) self.assertEqual('OK', result)
return_log = mock_log.debug.call_args_list[1] return_log = mock_log.debug.call_args_list[1]
self.assertIn('2900', str(return_log)) self.assertIn('2900', str(return_log))
def test_utils_trace_method_with_password_dict(self):
mock_logging = self.mock_object(utils, 'logging')
mock_log = mock.Mock()
mock_log.isEnabledFor = lambda x: True
mock_logging.getLogger = mock.Mock(return_value=mock_log)
@utils.trace
def _trace_test_method(*args, **kwargs):
return {'something': 'test',
'password': 'Now you see me'}
result = _trace_test_method(self)
expected_unmasked_dict = {'something': 'test',
'password': 'Now you see me'}
self.assertEqual(expected_unmasked_dict, result)
self.assertEqual(2, mock_log.debug.call_count)
self.assertIn("'password': '***'",
str(mock_log.debug.call_args_list[1]))
def test_utils_trace_method_with_password_str(self):
mock_logging = self.mock_object(utils, 'logging')
mock_log = mock.Mock()
mock_log.isEnabledFor = lambda x: True
mock_logging.getLogger = mock.Mock(return_value=mock_log)
@utils.trace
def _trace_test_method(*args, **kwargs):
return "'adminPass': 'Now you see me'"
result = _trace_test_method(self)
expected_unmasked_str = "'adminPass': 'Now you see me'"
self.assertEqual(expected_unmasked_str, result)
self.assertEqual(2, mock_log.debug.call_count)
self.assertIn("'adminPass': '***'",
str(mock_log.debug.call_args_list[1]))

14
os_brick/utils.py
View File

@@ -15,12 +15,13 @@
import functools import functools
import inspect import inspect
import logging as py_logging import logging as py_logging
import retrying
import six
import time import time
from oslo_log import log as logging from oslo_log import log as logging
from oslo_utils import encodeutils from oslo_utils import encodeutils
import retrying from oslo_utils import strutils
import six
from os_brick.i18n import _ from os_brick.i18n import _
@@ -151,10 +152,17 @@ def trace(f):
raise raise
total_time = int(round(time.time() * 1000)) - start_time total_time = int(round(time.time() * 1000)) - start_time
if isinstance(result, dict):
mask_result = strutils.mask_dict_password(result)
elif isinstance(result, six.string_types):
mask_result = strutils.mask_password(result)
else:
mask_result = result
logger.debug('<== %(func)s: return (%(time)dms) %(result)r', logger.debug('<== %(func)s: return (%(time)dms) %(result)r',
{'func': func_name, {'func': func_name,
'time': total_time, 'time': total_time,
'result': result}) 'result': mask_result})
return result return result
return trace_logging_wrapper return trace_logging_wrapper