openstack/python-glanceclient
Code Issues Proposed changes

Update how tokens are redacted

Browse Source 
Using SHA-1 to match how Nova and Swift redact their tokens.
Was discussed in the below thread:

http://lists.openstack.org/pipermail/openstack-dev/2014-September/045802.html

Here's what nova went with: https://review.openstack.org/#/c/99511/
swift seem to be following suit: https://review.openstack.org/#/c/99632/

Change-Id: I3045d6d9d2a13770f4022dbbd474b34eb1032f6e
Closes-bug: 1329301
This commit is contained in:
Travis Tripp
2014-09-15 16:17:18 -06:00
parent 4a5903bce7
commit f980fc5492
2 changed files with 15 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
glanceclient/common/http.py
View File

@@ -36,6 +36,7 @@ if not hasattr(parse, 'parse_qsl'):
parse.parse_qsl = cgi.parse_qsl parse.parse_qsl = cgi.parse_qsl
from glanceclient.common import https from glanceclient.common import https
from glanceclient.common.utils import safe_header
from glanceclient import exc from glanceclient import exc
from glanceclient.openstack.common import importutils from glanceclient.openstack.common import importutils
from glanceclient.openstack.common import network_utils from glanceclient.openstack.common import network_utils
@@ -95,9 +96,7 @@ class HTTPClient(object):
headers.update(self.session.headers) headers.update(self.session.headers)
for (key, value) in six.iteritems(headers): for (key, value) in six.iteritems(headers):
if key.lower() == 'x-auth-token': header = '-H \'%s: %s\'' % safe_header(key, value)
value = '*' * 3
header = '-H \'%s: %s\'' % (key, value)
curl.append(header) curl.append(header)
if not self.session.verify: if not self.session.verify:
@@ -123,9 +122,7 @@ class HTTPClient(object):
status = (resp.raw.version / 10.0, resp.status_code, resp.reason) status = (resp.raw.version / 10.0, resp.status_code, resp.reason)
dump = ['\nHTTP/%.1f %s %s' % status] dump = ['\nHTTP/%.1f %s %s' % status]
headers = resp.headers.items() headers = resp.headers.items()
if 'X-Auth-Token' in resp.headers: dump.extend(['%s: %s' % safe_header(k, v) for k, v in headers])
headers['X-Auth-Token'] = '*' * 3
dump.extend(['%s: %s' % (k, v) for k, v in headers])
dump.append('') dump.append('')
if body: if body:
body = strutils.safe_decode(body) body = strutils.safe_decode(body)

12
glanceclient/common/utils.py
View File

@@ -39,6 +39,8 @@ from glanceclient.openstack.common import strutils
_memoized_property_lock = threading.Lock() _memoized_property_lock = threading.Lock()
SENSITIVE_HEADERS = ('X-Auth-Token', )
# Decorator for cli-args # Decorator for cli-args
def arg(*args, **kwargs): def arg(*args, **kwargs):
@@ -385,3 +387,13 @@ def memoized_property(fn):
setattr(self, attr_name, fn(self)) setattr(self, attr_name, fn(self))
return getattr(self, attr_name) return getattr(self, attr_name)
return _memoized_property return _memoized_property
def safe_header(name, value):
if name in SENSITIVE_HEADERS:
v = value.encode('utf-8')
h = hashlib.sha1(v)
d = h.hexdigest()
return name, "{SHA1}%s" % d
else:
return name, value