Mask passwords in client debug output

This change looks for the use of 'password' in the data that is sent and uses mask_password() to remove the actual password text. This change will prevent debug output that is being saved from saving passwords. A test case is added to verify that password output is being removed. Change-Id: I93bde838ea21101df08c0e824d9f9457ed2ad077 Closes-Bug: 1341735
2014-07-15 13:51:03 -05:00
parent 2274089dc6
commit 80582f2b86
2 changed files with 36 additions and 1 deletions
--- a/cinderclient/client.py
+++ b/cinderclient/client.py
@@ -23,6 +23,7 @@ from __future__ import print_function
 import logging

 from cinderclient import exceptions
+from cinderclient.openstack.common import strutils
 from cinderclient import utils

 from keystoneclient import access
@@ -235,7 +236,11 @@ class HTTPClient(CinderClientMixin):
            string_parts.append(header)

        if 'data' in kwargs:
-            string_parts.append(" -d '%s'" % (kwargs['data']))
+            if "password" in kwargs['data']:
+                data = strutils.mask_password(kwargs['data'])
+            else:
+                data = kwargs['data']
+            string_parts.append(" -d '%s'" % (data))
        self._logger.debug("\nREQ: %s\n" % "".join(string_parts))

    def http_log_resp(self, resp):
--- a/cinderclient/tests/test_client.py
+++ b/cinderclient/tests/test_client.py
@@ -11,6 +11,9 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

+import logging
+
+import fixtures

 import cinderclient.client
 import cinderclient.v1.client
@@ -31,3 +34,30 @@ class ClientTest(utils.TestCase):
    def test_get_client_class_unknown(self):
        self.assertRaises(cinderclient.exceptions.UnsupportedVersion,
                          cinderclient.client.get_client_class, '0')
+
+    def test_log_req(self):
+        self.logger = self.useFixture(
+            fixtures.FakeLogger(
+                format="%(message)s",
+                level=logging.DEBUG,
+                nuke_handlers=True
+            )
+        )
+
+        kwargs = {}
+        kwargs['headers'] = {"X-Foo": "bar"}
+        kwargs['data'] = ('{"auth": {"tenantName": "fakeService",'
+                          ' "passwordCredentials": {"username": "fakeUser",'
+                          ' "password": "fakePassword"}}}')
+
+        cs = cinderclient.client.HTTPClient("user", None, None,
+                                            "http://127.0.0.1:5000")
+        cs.http_log_debug = True
+        cs.http_log_req('PUT', kwargs)
+
+        output = self.logger.output.split('\n')
+
+        print("JSBRYANT: output is", output)
+
+        self.assertNotIn("fakePassword", output[1])
+        self.assertIn("fakeUser", output[1])