Log SHA1 hash of X-Auth-Token value

Remove logging of sensitive information like the token value from X-Auth-Token. Instead log the sha1 hash of the token value, prefixed with '{SHA1}'. Closes-Bug: #1367339 Change-Id: I72d2ff5ca569c942aa6896aeadab489ff0097255
2016-03-29 10:11:35 +00:00
parent 214854bf7a
commit d8fa792ee7
1 changed files with 10 additions and 2 deletions
--- a/neutronclient/common/utils.py
+++ b/neutronclient/common/utils.py
@@ -19,6 +19,7 @@

 import argparse
 import functools
+import hashlib
 import logging
 import netaddr
 import os
@@ -30,6 +31,8 @@ import six
 from neutronclient._i18n import _
 from neutronclient.common import exceptions

+SENSITIVE_HEADERS = ('X-Auth-Token',)
+

 def env(*vars, **kwargs):
    """Returns the first environment variable set.
@@ -167,8 +170,13 @@ def http_log_req(_logger, args, kwargs):
        else:
            string_parts.append(' %s' % element)

-    for element in kwargs['headers']:
-        header = ' -H "%s: %s"' % (element, kwargs['headers'][element])
+    for (key, value) in six.iteritems(kwargs['headers']):
+        if key in SENSITIVE_HEADERS:
+            v = value.encode('utf-8')
+            h = hashlib.sha1(v)
+            d = h.hexdigest()
+            value = "{SHA1}%s" % d
+        header = ' -H "%s: %s"' % (key, value)
        string_parts.append(header)

    if 'body' in kwargs and kwargs['body']: