Browse Source

Filter out auth_token_info from logging values

auth_token_info is a common field that subclasses of RequestContext
add. It contains things like the token itself and the entire catalog,
both of which are undesirable to log. The token is a security concern
and the catalog is huge, which bloats the logs an unacceptable amount.

This change removes the auth_token_info key from the logging dict
that we return to the log formatter, which eliminates both problems.

Change-Id: If5ebaa3c1859d32cd05f51defe173fc625b21af5
Closes-Bug: 1866705
(cherry picked from commit 1dd72d1d209e699efc360ff99a20166aac831939)
tags/2.23.1^0
Ben Nemec 4 months ago
committed by Ben Nemec
parent
commit
ab17aef573
2 changed files with 17 additions and 6 deletions
  1. +6
    -0
      oslo_context/context.py
  2. +11
    -6
      oslo_context/tests/test_context.py

+ 6
- 0
oslo_context/context.py View File

@@ -371,6 +371,12 @@ class RequestContext(object):
values['auth_token'] = '***'
else:
values['auth_token'] = None
# NOTE(bnemec: auth_token_info isn't defined in oslo.context, but it's
# a common pattern in project context subclasses so we handle it here.
# It largely contains things that we don't want logged, like the token
# itself (which needs to be removed for security) and the catalog
# (which needs to be removed because it bloats the logs terribly).
values.pop('auth_token_info', None)

return values



+ 11
- 6
oslo_context/tests/test_context.py View File

@@ -60,15 +60,15 @@ class TestContext(context.RequestContext):
This is representative of how at least some of our consumers use the
RequestContext class in their projects.
"""
FROM_DICT_EXTRA_KEYS = ['foo']
FROM_DICT_EXTRA_KEYS = ['auth_token_info']

def __init__(self, foo=None, **kwargs):
def __init__(self, auth_token_info=None, **kwargs):
super(TestContext, self).__init__(**kwargs)
self.foo = foo
self.auth_token_info = auth_token_info

def to_dict(self):
d = super(TestContext, self).to_dict()
d['foo'] = self.foo
d['auth_token_info'] = self.auth_token_info
return d


@@ -201,10 +201,10 @@ class ContextTest(test_base.BaseTestCase):
self.assertTrue(ctx.read_only)

def test_from_dict_extended(self):
initial = TestContext(foo='bar')
initial = TestContext(auth_token_info='foo')
dct = initial.to_dict()
final = TestContext.from_dict(dct)
self.assertEqual('bar', final.foo)
self.assertEqual('foo', final.auth_token_info)
self.assertEqual(dct, final.to_dict())

def test_is_user_context(self):
@@ -516,6 +516,11 @@ class ContextTest(test_base.BaseTestCase):
self.assertEqual(user_domain_name, d['user_domain_name'])
self.assertEqual(project_domain_name, d['project_domain_name'])

def test_auth_token_info_removed(self):
ctx = TestContext(auth_token_info={'auth_token': 'topsecret'})
d = ctx.get_logging_values()
self.assertNotIn('auth_token_info', d)

def test_dict_empty_user_identity(self):
ctx = context.RequestContext()
d = ctx.to_dict()


Loading…
Cancel
Save