Browse Source

Make mask_dict_password case insensitive and add new patterns

In Icc19b7c8bdb6a3182939d5e9fdef21288b19f43d mask_password was made case
insensitive but mask_dict_password wasn't. This update makes the
behaviour of these functions the same.

Instead of lowering _SANITIZE_KEYS each time the source list is lowered.

New password patterns from realworld logs were added to the patterns.

Change-Id: Ic3ee301857630a15b9c26fd5d0fc907c43199517
Related-Bug: #1850843
(cherry picked from commit ed70bd3cd1)
tags/3.40.5^0
Dougal Matthews 3 months ago
parent
commit
566e14cb96
3 changed files with 31 additions and 5 deletions
  1. +12
    -5
      oslo_utils/strutils.py
  2. +10
    -0
      oslo_utils/tests/test_strutils.py
  3. +9
    -0
      releasenotes/notes/mask-dict-passwords-99357ffb7972fb0b.yaml

+ 12
- 5
oslo_utils/strutils.py View File

@@ -54,12 +54,19 @@ SLUGIFY_STRIP_RE = re.compile(r"[^\w\s-]")
SLUGIFY_HYPHENATE_RE = re.compile(r"[-\s]+")


# NOTE(flaper87): The following globals are used by `mask_password`
_SANITIZE_KEYS = ['adminPass', 'admin_pass', 'password', 'admin_password',
# NOTE(flaper87): The following globals are used by `mask_password` and
# `mask_dict_password`
_SANITIZE_KEYS = ['adminpass', 'admin_pass', 'password', 'admin_password',
'auth_token', 'new_pass', 'auth_password', 'secret_uuid',
'secret', 'sys_pswd', 'token', 'configdrive',
'CHAPPASSWORD', 'encrypted_key', 'private_key',
'encryption_key_id', 'fernetkey', 'sslkey', 'passphrase']
'chappassword', 'encrypted_key', 'private_key',
'encryption_key_id', 'fernetkey', 'sslkey', 'passphrase',
'cephclusterfsid', 'octaviaheartbeatkey', 'rabbitcookie',
'cephmanilaclientkey', 'pacemakerremoteauthkey',
'designaterndckey', 'cephadminkey', 'heatauthencryptionkey',
'cephclientkey', 'keystonecredential',
'barbicansimplecryptokek', 'cephrgwkey', 'swifthashsuffix',
'migrationsshkey', 'cephmdskey', 'cephmonkey']

# NOTE(ldbragst): Let's build a list of regex objects using the list of
# _SANITIZE_KEYS we already have. This way, we only have to add the new key
@@ -406,7 +413,7 @@ def mask_dict_password(dictionary, secret="***"): # nosec
k_matched = False
if isinstance(k, six.string_types):
for sani_key in _SANITIZE_KEYS:
if sani_key in k:
if sani_key.lower() in k.lower():
out[k] = secret
k_matched = True
break


+ 10
- 0
oslo_utils/tests/test_strutils.py View File

@@ -717,6 +717,16 @@ class MaskDictionaryPasswordTestCase(test_base.BaseTestCase):
self.assertEqual(expected,
strutils.mask_dict_password(payload))

payload = {'passwords': {'KeystoneFernetKey1': 'c5FijjS'}}
expected = {'passwords': {'KeystoneFernetKey1': '***'}}
self.assertEqual(expected,
strutils.mask_dict_password(payload))

payload = {'passwords': {'keystonecredential0': 'c5FijjS'}}
expected = {'passwords': {'keystonecredential0': '***'}}
self.assertEqual(expected,
strutils.mask_dict_password(payload))

def test_do_no_harm(self):
payload = {}
expected = {}


+ 9
- 0
releasenotes/notes/mask-dict-passwords-99357ffb7972fb0b.yaml View File

@@ -0,0 +1,9 @@
---
security:
- |
This patch ensures that we mask sensitive data when masking dicts, even if
the case doesn't match. This means the behaviour of mask_password and
mask_dict_password is now the same.
- |
Additional password names were included from real world logs that contained
sensitive information.

Loading…
Cancel
Save