Mask passwords before displaying them

This patch is introducing a new configuration option called "show_passwords" under the "default" section. If true, vbmc will display all passwords in the logs and commands such as "show"; if false, the passwords are going to be masked. Defaults to false.
2016-03-08 09:47:30 +00:00 · 2016-03-08 09:47:30 +00:00 · 05ffd8ba71
parent c2d6399778
commit 05ffd8ba71
3 changed files with 36 additions and 4 deletions
--- a/virtualbmc/config.py
+++ b/virtualbmc/config.py
@ -25,8 +25,15 @@ CONFIG = None

 class VirtualBMCConfig(object):

-    DEFAULTS = {'log': {'logfile': None,
-                        'debug': 'false'}}
+    DEFAULTS = {
+        'default': {
+            'show_passwords': 'false'
+        },
+        'log': {
+            'logfile': None,
+            'debug': 'false'
+        },
+    }

    def __init__(self):
        config = configparser.ConfigParser()
@ -48,6 +55,9 @@ class VirtualBMCConfig(object):
        self._conf_dict['log']['debug'] = utils.str2bool(
            self._conf_dict['log']['debug'])

+        self._conf_dict['default']['show_passwords'] = utils.str2bool(
+            self._conf_dict['default']['show_passwords'])
+
    def __getitem__(self, key):
        return self._conf_dict[key]

--- a/virtualbmc/manager.py
+++ b/virtualbmc/manager.py
@ -23,6 +23,7 @@ import exception
 import log
 from virtualbmc import VirtualBMC
 import utils
+import config as vbmc_config

 LOG = log.get_logger()

@ -32,6 +33,8 @@ DOWN = 'down'

 DEFAULT_SECTION = 'VirtualBMC'

+CONF = vbmc_config.get_config()
+

 class VirtualBMCManager(object):

@ -72,6 +75,11 @@ class VirtualBMCManager(object):

        bmc_config = self._parse_config(domain_name)
        bmc_config['status'] = RUNNING if running else DOWN
+
+        # mask the passwords if requested
+        if not CONF['default']['show_passwords']:
+            bmc_config = utils.mask_dict_password(bmc_config)
+
        return bmc_config

    def add(self, username, password, port, address, domain_name, libvirt_uri,
@ -134,11 +142,16 @@ class VirtualBMCManager(object):
            sasl_username=bmc_config['libvirt_sasl_username'],
            sasl_password=bmc_config['libvirt_sasl_password'])

+        # mask the passwords if requested
+        log_config = bmc_config.copy()
+        if not CONF['default']['show_passwords']:
+            log_config = utils.mask_dict_password(bmc_config)
+
        LOG.debug('Starting a Virtual BMC for domain %(domain)s with the '
                  'following configuration options: %(config)s',
                  {'domain': domain_name,
-                   'config': ' '.join(['%s="%s"' % (k, bmc_config[k])
-                                       for k in bmc_config])})
+                   'config': ' '.join(['%s="%s"' % (k, log_config[k])
+                                       for k in log_config])})

        with daemon.DaemonContext(stderr=sys.stderr,
                                  files_preserve=[LOG.handler.stream, ]):
--- a/virtualbmc/utils.py
+++ b/virtualbmc/utils.py
@ -85,3 +85,12 @@ def str2bool(string):
        raise ValueError('Value "%s" can not be interpreted as '
                         'boolean' % string)
    return lower == 'true'
+
+
+def mask_dict_password(dictionary, secret='***'):
+    """Replace passwords with a secret in a dictionary."""
+    d = dictionary.copy()
+    for k in d:
+        if 'password' in k:
+            d[k] = secret
+    return d