Ouput a placeholder instead of the auth_token
As the name get_logging_values suggests, that function gathers entries from the context for logging purposes. The auth_token is not needed for that, and including it risks leaking the token into the logs. This filters out the auth_token by setting it to '***' by default. Change-Id: I2b245c1665c3587be3c476b803122788d186e5d5
parent
e75f4c5ad9
commit
a8d86df940
|
@ -353,6 +353,13 @@ class RequestContext(object):
|
||||||
'user_domain_name': self.user_domain_name,
|
'user_domain_name': self.user_domain_name,
|
||||||
'project_domain_name': self.project_domain_name}
|
'project_domain_name': self.project_domain_name}
|
||||||
values.update(self.to_dict())
|
values.update(self.to_dict())
|
||||||
|
if self.auth_token:
|
||||||
|
# NOTE(jaosorior): Gotta obfuscate the token since this dict is
|
||||||
|
# meant for logging and we shouldn't leak it.
|
||||||
|
values['auth_token'] = '***'
|
||||||
|
else:
|
||||||
|
values['auth_token'] = None
|
||||||
|
|
||||||
return values
|
return values
|
||||||
|
|
||||||
@property
|
@property
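Review bot: Only the `auth_token` key is masked here, and the masking runs after `values.update(self.to_dict())`, so any other credential-bearing key that `to_dict()` returns would still reach the logs unchanged. The body of `to_dict()` is not visible in this hunk, so this is a risk to confirm rather than a known leak, for instance where a subclass adds fields. I would record the contract next to the masking, e.g. `# NOTE: to_dict() output is copied verbatim; any other secret it carries must be masked here as well.` The `'***'` literal is also repeated in the test, so a module-level constant would keep the two in step. The enclosing method starts above the hunk, so the keys set earlier were not reviewed.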
|
||||||
|
|
|
@ -486,6 +486,7 @@ class ContextTest(test_base.BaseTestCase):
|
||||||
|
|
||||||
d = ctx.get_logging_values()
|
d = ctx.get_logging_values()
|
||||||
self.assertIn('auth_token', d)
|
self.assertIn('auth_token', d)
|
||||||
|
self.assertEqual(d['auth_token'], '***')
|
||||||
self.assertIn('user', d)
|
self.assertIn('user', d)
|
||||||
self.assertIn('tenant', d)
|
self.assertIn('tenant', d)
|
||||||
self.assertIn('domain', d)
|
self.assertIn('domain', d)
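Review bot: The added assertion covers only the masked branch; nothing exercises the `else` path that sets `values['auth_token'] = None`, and nothing checks that the real token string is absent from the returned dict. A second case with a context built without a token could assert `self.assertIsNone(d['auth_token'])`. This test could also assert that the token handed to the context does not appear in `d.values()`, which would catch a regression that reintroduces the token under another key. How `ctx` is constructed is outside the hunk, so I am assuming it was given a non-empty auth_token.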
|
||||||
|
|
|
@ -0,0 +1,7 @@
|
||||||
|
---
|
||||||
|
security:
|
||||||
|
- |
|
||||||
|
The ``get_logging_values`` function no longer outputs the auth_token, but
|
||||||
|
instead leaves it as ``***`` instead. As the name suggests, this function is
|
||||||
|
meant for logging, and letting the auth_token there might leak sensitive
|
||||||
|
data.
|