From d8fa792ee720e7877fa371e69633546b752e73da Mon Sep 17 00:00:00 2001
From: Lokesh S <lokesh.s@hp.com>
Date: Tue, 29 Mar 2016 10:11:35 +0000
Subject: [PATCH] Log SHA1 hash of X-Auth-Token value

Remove logging of sensitive information like the
token value from X-Auth-Token. Instead log the sha1
hash of the token value, prefixed with '{SHA1}'.

Closes-Bug: #1367339
Change-Id: I72d2ff5ca569c942aa6896aeadab489ff0097255
---
 neutronclient/common/utils.py | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/neutronclient/common/utils.py b/neutronclient/common/utils.py
index 47610e60a..882eb2c5c 100644
--- a/neutronclient/common/utils.py
+++ b/neutronclient/common/utils.py
@@ -19,6 +19,7 @@
 
 import argparse
 import functools
+import hashlib
 import logging
 import netaddr
 import os
@@ -30,6 +31,8 @@ import six
 from neutronclient._i18n import _
 from neutronclient.common import exceptions
 
+SENSITIVE_HEADERS = ('X-Auth-Token',)
+
 
 def env(*vars, **kwargs):
     """Returns the first environment variable set.
@@ -167,8 +170,13 @@ def http_log_req(_logger, args, kwargs):
         else:
             string_parts.append(' %s' % element)
 
-    for element in kwargs['headers']:
-        header = ' -H "%s: %s"' % (element, kwargs['headers'][element])
+    for (key, value) in six.iteritems(kwargs['headers']):
+        if key in SENSITIVE_HEADERS:
+            v = value.encode('utf-8')
+            h = hashlib.sha1(v)
+            d = h.hexdigest()
+            value = "{SHA1}%s" % d
+        header = ' -H "%s: %s"' % (key, value)
         string_parts.append(header)
 
     if 'body' in kwargs and kwargs['body']: