Merge "Mask passwords when logging the HTTP response"

2015-09-03 20:29:08 +00:00
parent 3e862bbb1e 3e26ff8248
commit 1bff68f9b8
2 changed files with 32 additions and 1 deletions
--- a/keystoneclient/session.py
+++ b/keystoneclient/session.py
@@ -23,6 +23,7 @@ from debtcollector import removals
 from oslo_config import cfg
 from oslo_serialization import jsonutils
 from oslo_utils import importutils
+from oslo_utils import strutils
 import requests
 import six
 from six.moves import urllib
@@ -208,7 +209,8 @@ class Session(object):
        for header in six.iteritems(response.headers):
            string_parts.append('%s: %s' % self._process_header(header))
        if text:
-            string_parts.append('\nRESP BODY: %s\n' % text)
+            string_parts.append('\nRESP BODY: %s\n' %
+                                strutils.mask_password(text))

        logger.debug(' '.join(string_parts))

--- a/keystoneclient/tests/unit/test_session.py
+++ b/keystoneclient/tests/unit/test_session.py
@@ -250,6 +250,35 @@ class SessionTests(utils.TestCase):
                              session.get,
                              self.TEST_URL)

+    def test_mask_password_in_http_log_response(self):
+        session = client_session.Session()
+
+        def fake_debug(msg):
+            self.assertNotIn('verybadpass', msg)
+
+        logger = mock.Mock(isEnabledFor=mock.Mock(return_value=True))
+        logger.debug = mock.Mock(side_effect=fake_debug)
+        body = {
+            "connection_info": {
+                "driver_volume_type": "iscsi",
+                "data": {
+                    "auth_password": "verybadpass",
+                    "target_discovered": False,
+                    "encrypted": False,
+                    "qos_specs": None,
+                    "target_iqn": ("iqn.2010-10.org.openstack:volume-"
+                                   "744d2085-8e78-40a5-8659-ef3cffb2480e"),
+                    "target_portal": "172.99.69.228:3260",
+                    "volume_id": "744d2085-8e78-40a5-8659-ef3cffb2480e",
+                    "target_lun": 1,
+                    "access_mode": "rw",
+                    "auth_username": "verybadusername",
+                    "auth_method": "CHAP"}}}
+        body_json = jsonutils.dumps(body)
+        response = mock.Mock(text=body_json, status_code=200, headers={})
+        session._http_log_response(response, logger)
+        self.assertEqual(1, logger.debug.call_count)
+

 class RedirectTests(utils.TestCase):