Helper function to sanitize db url credentials

The database url is sanitized in logfiles because of security issues.
However the connected url itself is useful information to devs and admins.
This patch provides a helper function to sanitize only the credentials
in a database url. All projects must process the CONF.database.connection
value using "sanitize_db_url" when updating the db package

Fixes bug #1076833

Change-Id: Id6cf7b120ef6c3fcda7f33fd26676b62a4475bb2

openstack/common/db/sqlalchemy/session.py

@@ -279,13 +279,11 @@ database_opts = [
                deprecated_opts=[cfg.DeprecatedOpt('sql_connection',
                                                   group='DEFAULT'),
                                 cfg.DeprecatedOpt('sql_connection',
-                                                  group='DATABASE')],
-               secret=True),
+                                                  group='DATABASE')]),
     cfg.StrOpt('slave_connection',
                default='',
                help='The SQLAlchemy connection string used to connect to the '
-                    'slave database',
-               secret=True),
+                    'slave database'),
     cfg.IntOpt('idle_timeout',
                default=3600,
                deprecated_opts=[cfg.DeprecatedOpt('sql_idle_timeout',

openstack/common/db/sqlalchemy/utils.py

@@ -18,6 +18,8 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
+import re
+
 from migrate.changeset import UniqueConstraint
 import sqlalchemy
 from sqlalchemy import Boolean
@@ -45,6 +47,15 @@ from openstack.common import timeutils
 
 LOG = logging.getLogger(__name__)
 
+_DBURL_REGEX = re.compile(r"[^:]+://([^:]+):([^@]+)@.+")
+
+
+def sanitize_db_url(url):
+    match = _DBURL_REGEX.match(url)
+    if match:
+        return '%s****:****%s' % (url[:match.start(1)], url[match.end(2):])
+    return url
+
 
 class InvalidSortKey(Exception):
     message = _("Sort key supplied was not valid.")