authorChad Smith <chad.smith@canonical.com>2020-03-03 15:23:33 -0700
committerGitHub <noreply@github.com>2020-03-03 15:23:33 -0700
commitfa1abfec27050a4fb71cad950a17e42f9b43b478 (patch)
tree91b4c91352545bde5a1890c671876e06632dffdf /cloudinit/url_helper.py
parent67c8e53cc3fe007bb40d6e9c10549ca8200a9cd7 (diff)
ec2: only redact token request headers in logs, avoid altering request (#230)
Our header redact logic was redacting both logged request headers and the actual source request. This results in DataSourceEc2 sending the invalid header "X-aws-ec2-metadata-token-ttl-seconds: REDACTED" which gets an HTTP status response of 400. Cloud-init retries this failed token request for 2 minutes before falling back to IMDSv1. LP: #1865882
Diffstat (limited to 'cloudinit/url_helper.py')
-rw-r--r--cloudinit/url_helper.py15
1 files changed, 8 insertions, 7 deletions
diff --git a/cloudinit/url_helper.py b/cloudinit/url_helper.py
index eeb27aa8..f3c0cf9c 100644
--- a/cloudinit/url_helper.py
+++ b/cloudinit/url_helper.py
@@ -281,13 +281,14 @@ def readurl(url, data=None, timeout=None, retries=0, sec_between=1,
for (k, v) in req_args.items():
if k == 'data':
continue
- filtered_req_args[k] = v
- if k == 'headers':
- for hkey, _hval in v.items():
- if hkey in headers_redact:
- filtered_req_args[k][hkey] = (
- copy.deepcopy(req_args[k][hkey]))
- filtered_req_args[k][hkey] = REDACTED
+ if k == 'headers' and headers_redact:
+ matched_headers = [k for k in headers_redact if v.get(k)]
+ if matched_headers:
+ filtered_req_args[k] = copy.deepcopy(v)
+ for key in matched_headers:
+ filtered_req_args[k][key] = REDACTED
+ else:
+ filtered_req_args[k] = v
try:
if log_req_resp:
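Review bot: The lookup in `matched_headers = [k for k in headers_redact if v.get(k)]` is an exact, case-sensitive match, but HTTP header names are case-insensitive, so a token header passed with different casing than its entry in `headers_redact` would reach the log unredacted. Comparing lower-cased names closes that gap: `redact = {h.lower() for h in headers_redact}` followed by `matched_headers = [h for h in v if h.lower() in redact]`. This also stops the comprehension reusing the outer loop variable `k`, which is harmless under Python 3 scoping but makes the following `filtered_req_args[k]` harder to read. The body of readurl starts and ends outside this hunk, so whether other log sites print these headers cannot be judged from here.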