From a76bcfdd8e754f36bc270ea45e061edaebf1951b Mon Sep 17 00:00:00 2001
From: Joel Friedly <joelfriedly@gmail.com>
Date: Mon, 3 Feb 2014 11:38:47 -0800
Subject: [PATCH] Make keystoneclient not log auth tokens

I think I've looked at every log statement in this repo and I've either
removed the tokens from the log strings or made them print out
"<SANITIZED>" instead.

Change-Id: I1efbc834fcab951f6797b56afb5c5519cc70d28c
Closes-Bug: 1287938
---
 keystoneclient/middleware/auth_token.py | 31 +++++++++++--------------
 1 file changed, 14 insertions(+), 17 deletions(-)

diff --git a/keystoneclient/middleware/auth_token.py b/keystoneclient/middleware/auth_token.py
index 41de990ef..60781aacf 100644
--- a/keystoneclient/middleware/auth_token.py
+++ b/keystoneclient/middleware/auth_token.py
@@ -565,7 +565,7 @@ class AuthProtocol(object):
                     versions.append(version['id'])
             except KeyError:
                 self.LOG.error(
-                    'Invalid version response format from server', data)
+                    'Invalid version response format from server')
                 raise ServiceError('Unable to parse version response '
                                    'from keystone')
 
@@ -806,6 +806,7 @@ class AuthProtocol(object):
                 "Unexpected response from keystone service: %s", data)
             raise ServiceError('invalid json response')
         except (ValueError):
+            data['access']['token']['id'] = '<SANITIZED>'
             self.LOG.warn(
                 "Unable to parse expiration time from token: %s", data)
             raise ServiceError('invalid json response')
@@ -838,13 +839,13 @@ class AuthProtocol(object):
             return data
         except NetworkError:
             self.LOG.debug('Token validation failure.', exc_info=True)
-            self.LOG.warn("Authorization failed for token %s", token_id)
+            self.LOG.warn("Authorization failed for token")
             raise InvalidUserToken('Token authorization failed')
         except Exception:
             self.LOG.debug('Token validation failure.', exc_info=True)
             if token_id:
                 self._cache_store_invalid(token_id)
-            self.LOG.warn("Authorization failed for token %s", token_id)
+            self.LOG.warn("Authorization failed for token")
             raise InvalidUserToken('Token authorization failed')
 
     def _build_user_headers(self, token_info):
@@ -1026,8 +1027,7 @@ class AuthProtocol(object):
                 serialized = serialized.decode('utf-8')
             cached = jsonutils.loads(serialized)
             if cached == 'invalid':
-                self.LOG.debug('Cached Token %s is marked unauthorized',
-                               token_id)
+                self.LOG.debug('Cached Token is marked unauthorized')
                 raise InvalidUserToken('Token authorization failed')
 
             data, expires = cached
@@ -1043,10 +1043,10 @@ class AuthProtocol(object):
             expires = timeutils.normalize_time(expires)
             utcnow = timeutils.utcnow()
             if ignore_expires or utcnow < expires:
-                self.LOG.debug('Returning cached token %s', token_id)
+                self.LOG.debug('Returning cached token')
                 return data
             else:
-                self.LOG.debug('Cached Token %s seems expired', token_id)
+                self.LOG.debug('Cached Token seems expired')
 
     def _cache_store(self, token_id, data):
         """Store value into memcache.
@@ -1155,14 +1155,14 @@ class AuthProtocol(object):
 
         """
         if self._cache:
-            self.LOG.debug('Storing %s token in memcache', token_id)
+            self.LOG.debug('Storing token in memcache')
             self._cache_store(token_id, (data, expires))
 
     def _cache_store_invalid(self, token_id):
         """Store invalid token in cache."""
         if self._cache:
             self.LOG.debug(
-                'Marking token %s as unauthorized in memcache', token_id)
+                'Marking token as unauthorized in memcache')
             self._cache_store(token_id, 'invalid')
 
     def cert_file_missing(self, proc_output, file_name):
@@ -1205,11 +1205,11 @@ class AuthProtocol(object):
         if response.status_code == 200:
             return data
         if response.status_code == 404:
-            self.LOG.warn("Authorization failed for token %s", user_token)
+            self.LOG.warn("Authorization failed for token")
             raise InvalidUserToken('Token authorization failed')
         if response.status_code == 401:
             self.LOG.info(
-                'Keystone rejected admin token %s, resetting', headers)
+                'Keystone rejected admin token, resetting')
             self.admin_token = None
         else:
             self.LOG.error('Bad response code while validating token: %s',
@@ -1218,8 +1218,7 @@ class AuthProtocol(object):
             self.LOG.info('Retrying validation')
             return self._validate_user_token(user_token, env, False)
         else:
-            self.LOG.warn("Invalid user token: %s. Keystone response: %s.",
-                          user_token, data)
+            self.LOG.warn("Invalid user token. Keystone response: %s", data)
 
             raise InvalidUserToken()
 
@@ -1235,8 +1234,7 @@ class AuthProtocol(object):
         token_id = utils.hash_signed_token(signed_text)
         for revoked_id in revoked_ids:
             if token_id == revoked_id:
-                self.LOG.debug('Token %s is marked as having been revoked',
-                               token_id)
+                self.LOG.debug('Token is marked as having been revoked')
                 return True
         return False
 
@@ -1350,8 +1348,7 @@ class AuthProtocol(object):
         if response.status_code == 401:
             if retry:
                 self.LOG.info(
-                    'Keystone rejected admin token %s, resetting admin token',
-                    headers)
+                    'Keystone rejected admin token, resetting admin token')
                 self.admin_token = None
                 return self.fetch_revocation_list(retry=False)
         if response.status_code != 200: