From 04f9f33b4b6079d39c3feea0b1ec1211a1de6a04 Mon Sep 17 00:00:00 2001
From: Brant Knudson
Date: Thu, 14 Jan 2016 16:22:04 -0600
Subject: [PATCH] Mark password/secret options as secret

Password, token, and secret options should be marked as secret=True so that when the value is logged the logger knows to obfuscate the value.

Change-Id: I6ebdfa3bf6faf37bc11640a5826b3b55bb920fc4
Closes-Bug: 1534299
---
 keystoneclient/auth/identity/generic/cli.py | 1 +
 keystoneclient/auth/identity/generic/password.py | 2 +-
 keystoneclient/auth/identity/generic/token.py | 2 +-
 keystoneclient/contrib/auth/v3/oidc.py | 5 +++--
 keystoneclient/contrib/auth/v3/saml2.py | 2 +-
 5 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/keystoneclient/auth/identity/generic/cli.py b/keystoneclient/auth/identity/generic/cli.py
index c4938503d..212e9b726 100644
--- a/keystoneclient/auth/identity/generic/cli.py
+++ b/keystoneclient/auth/identity/generic/cli.py
@@ -38,6 +38,7 @@ class DefaultCLI(password.Password):
 options.extend([cfg.StrOpt('endpoint',
 help='A URL to use instead of a catalog'),
 cfg.StrOpt('token',
+ secret=True,
 help='Always use the specified token')])
 return options
diff --git a/keystoneclient/auth/identity/generic/password.py b/keystoneclient/auth/identity/generic/password.py
index 3c4180cb1..3527b1940 100644
--- a/keystoneclient/auth/identity/generic/password.py
+++ b/keystoneclient/auth/identity/generic/password.py
@@ -30,7 +30,7 @@ def get_options():
 deprecated_name='user-name'),
 cfg.StrOpt('user-domain-id', help="User's domain id"),
 cfg.StrOpt('user-domain-name', help="User's domain name"),
- cfg.StrOpt('password', help="User's password"),
+ cfg.StrOpt('password', secret=True, help="User's password"),
 ]
diff --git a/keystoneclient/auth/identity/generic/token.py b/keystoneclient/auth/identity/generic/token.py
index 0fbacf042..6a5d15b28 100644
--- a/keystoneclient/auth/identity/generic/token.py
+++ b/keystoneclient/auth/identity/generic/token.py
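Review bot: The `secret=True` added to the `token` option in `DefaultCLI.get_options()` is easy to over-trust, because per the commit message it only changes how the value is rendered when the option values are logged. A token supplied through a command-line option is still visible in the process list and shell history, and any code that logs the value directly is unaffected. A short comment above the option would make that limit explicit, for example `# secret=True masks this value in logged option dumps only; it is not redacted elsewhere`. The same applies to the `password` option in generic/password.py and to the token, password and client-secret options in the later hunks. get_options() begins above this hunk, so how the value is consumed cannot be seen here.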
@@ -24,7 +24,7 @@ LOG = logging.getLogger(__name__)
 def get_options():
 return [
- cfg.StrOpt('token', help='Token to authenticate with'),
+ cfg.StrOpt('token', secret=True, help='Token to authenticate with'),
 ]
diff --git a/keystoneclient/contrib/auth/v3/oidc.py b/keystoneclient/contrib/auth/v3/oidc.py
index 0c9451920..f9c52864e 100644
--- a/keystoneclient/contrib/auth/v3/oidc.py
+++ b/keystoneclient/contrib/auth/v3/oidc.py
@@ -31,9 +31,10 @@ class OidcPassword(federated.FederatedBaseAuth):
 options = super(OidcPassword, cls).get_options()
 options.extend([
 cfg.StrOpt('username', help='Username'),
- cfg.StrOpt('password', help='Password'),
+ cfg.StrOpt('password', secret=True, help='Password'),
 cfg.StrOpt('client-id', help='OAuth 2.0 Client ID'),
- cfg.StrOpt('client-secret', help='OAuth 2.0 Client Secret'),
+ cfg.StrOpt('client-secret', secret=True,
+ help='OAuth 2.0 Client Secret'),
 cfg.StrOpt('access-token-endpoint',
 help='OpenID Connect Provider Token Endpoint'),
 cfg.StrOpt('scope', default="profile",
diff --git a/keystoneclient/contrib/auth/v3/saml2.py b/keystoneclient/contrib/auth/v3/saml2.py
index 541e0d543..c42d3b67f 100644
--- a/keystoneclient/contrib/auth/v3/saml2.py
+++ b/keystoneclient/contrib/auth/v3/saml2.py
@@ -74,7 +74,7 @@ class _BaseSAMLPlugin(v3.AuthConstructor):
 help="Identity Provider's URL"),
 cfg.StrOpt('username', dest='username', help='Username',
 deprecated_name='user-name'),
- cfg.StrOpt('password', help='Password')
+ cfg.StrOpt('password', secret=True, help='Password')
 ])
 return options
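Review bot: Nothing in this commit pins the new flag with a test: the diffstat lists only the five plugin modules, so a later edit to this `get_options()` list, or to the ones in the oidc.py and saml2.py hunks, can drop `secret=True` again without any failure. A small unit test that walks each plugin's `get_options()` and asserts `opt.secret` for every option whose name contains `password`, `secret` or `token` would catch that regression. It would also flag any plugin this change did not reach. Whether such a test already exists elsewhere in the tree cannot be seen from this page.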