Mask password on agent lookup according to policy5.1.2

We currently mask passwords in driver_info for all API responses,
except for agent lookups. This is because driver_vendor_passthru
just expects a dict to return as JSON in the response, and doesn't
modify it at all.

Change lookup to follow the defined policy when returning the node
object in the response, the same way we do for other API responses.

Co-authored-by: Jim Rollenhagen <jim@jimrollenhagen.com>

Change-Id: Ib19d2f86d3527333e905fdbf1f09fc3dc8b8c5a7
Closes-Bug: #1572796
(cherry picked from commit 426a306fb580762e97ada04e1253dedd9b64d410)

1 files changed, 7 insertions, 1 deletions

diff --git a/ironic/drivers/modules/agent_base_vendor.py b/ironic/drivers/modules/agent_base_vendor.py
index 9df0cd392..25a3239cc 100644
--- a/ironic/drivers/modules/agent_base_vendor.py
+++ b/ironic/drivers/modules/agent_base_vendor.py
@@ -16,6 +16,7 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
+import ast
 import collections
 import time
 
@@ -535,9 +536,14 @@ class BaseAgentVendor(base.VendorInterface):
         LOG.info(_LI('Initial lookup for node %s succeeded, agent is running '
                      'and waiting for commands'), node.uuid)
 
+        ndict = node.as_dict()
+        if not context.show_password:
+            ndict['driver_info'] = ast.literal_eval(
+                strutils.mask_password(ndict['driver_info'], "******"))
+
         return {
             'heartbeat_timeout': CONF.agent.heartbeat_timeout,
-            'node': node.as_dict()
+            'node': ndict,
         }
 
     def _get_completed_cleaning_command(self, task):