
Don't expose X-Auth-Token in ceilometer CLI

Ceilometer CLI exposes X-Auth-Token in debug mode. This patch
replaces X-Auth-Token's value with '{SHA1}<sha1oftoken>'. Some
credentials are exposed by keystoneclient, because ceilometerclient
uses keystoneclient to authenticate; that will be fixed in bug:
100414.

Change-Id: Ia6364314e4b4d26301f974582c0c2ba34b054c86
Partial-Bug: #1327019
changes/32/106932/5
Zhi Kun Liu 8 years ago
committed by Zhi Kun Liu
parent
commit
e5048043e2
  1. 14
      ceilometerclient/common/http.py

14
ceilometerclient/common/http.py

@ -14,6 +14,7 @@
# under the License.
import copy
import hashlib
import logging
import os
import socket
@ -39,6 +40,7 @@ from ceilometerclient import exc
LOG = logging.getLogger(__name__)
USER_AGENT = 'python-ceilometerclient'
CHUNKSIZE = 1024 * 64 # 64kB
SENSITIVE_HEADERS = ('X-Auth-Token',)
class HTTPClient(object):
@ -84,11 +86,21 @@ class HTTPClient(object):
except httplib.InvalidURL:
raise exc.InvalidEndpoint()
def safe_header(self, name, value):
if name in SENSITIVE_HEADERS:
# because in python3 byte string handling is ... ug
v = value.encode('utf-8')
h = hashlib.sha1(v)
d = h.hexdigest()
return name, "{SHA1}%s" % d
else:
return name, value
def log_curl_request(self, method, url, kwargs):
curl = ['curl -i -X %s' % method]
for (key, value) in kwargs['headers'].items():
header = '-H \'%s: %s\'' % (key, value)
header = '-H \'%s: %s\'' % self.safe_header(key, value)
curl.append(header)
conn_params_fmt = [
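Review bot: The `name in SENSITIVE_HEADERS` test in `safe_header` is an exact, case-sensitive match, while HTTP header names are case-insensitive, so a caller that passes `x-auth-token` (or any other casing) in `kwargs['headers']` would still get the raw token written to the debug log. Normalising both sides closes that gap: `SENSITIVE_HEADERS = ('x-auth-token',)` and `if name.lower() in SENSITIVE_HEADERS:`. Separately, `value.encode('utf-8')` assumes a text value; a header already held as bytes on Python 3 would raise inside the logging path, so a guard such as `v = value if isinstance(value, bytes) else value.encode('utf-8')` would be safer. Whether callers ever pass non-canonical names or bytes values is not visible here, and the body of `log_curl_request` continues past the end of the hunk.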
