authorJenkins <jenkins@review.openstack.org>2015-11-11 23:41:56 +0000
committerGerrit Code Review <review@openstack.org>2015-11-11 23:41:56 +0000
commit1a3365bfa5dbef73a7e9a43fa1af8caf2b65f405 (patch)
treeea165eaf7b933d54eed9b63e1680f509068ac3e6
parent2e64d78c78088115ee3c2c13fc3805dfad30cc8b (diff)
parentc15cbc48d63e9cb6a6994ffc73fded2464a8651c (diff)
downloadkeystone-stable/juno.tar.gz
Merge "Mask passwords in debug log on user password operations" into stable/junojuno-eol2014.2.4stable/juno
-rw-r--r--keystone/common/controller.py6
-rw-r--r--keystone/tests/test_v3_identity.py18
2 files changed, 9 insertions, 15 deletions
diff --git a/keystone/common/controller.py b/keystone/common/controller.py
index b25d70f6e..c86c74102 100644
--- a/keystone/common/controller.py
+++ b/keystone/common/controller.py
@@ -25,6 +25,7 @@ from keystone import exception
from keystone.i18n import _
from keystone.models import token_model
from keystone.openstack.common import log
+from keystone.openstack.common import strutils
LOG = log.getLogger(__name__)
@@ -50,9 +51,12 @@ def v2_deprecated(f):
def _build_policy_check_credentials(self, action, context, kwargs):
+ kwargs_str = ', '.join(['%s=%s' % (k, kwargs[k]) for k in kwargs])
+ kwargs_str = strutils.mask_password(kwargs_str)
+
LOG.debug('RBAC: Authorizing %(action)s(%(kwargs)s)', {
'action': action,
- 'kwargs': ', '.join(['%s=%s' % (k, kwargs[k]) for k in kwargs])})
+ 'kwargs': kwargs_str})
# see if auth context has already been created. If so use it.
if ('environment' in context and
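Review bot: The masking added at the top of `_build_policy_check_credentials` works on the flattened `k=v` string, so what it hides depends on `strutils.mask_password` recognising a secret by its key name in whatever text form each `kwargs` value takes under `%s`. Secrets carried under key names it does not know, or values whose formatting breaks its pattern, would presumably still reach the DEBUG log. That limit deserves a comment at this spot, e.g. `# kwargs can hold request bodies with credentials; masking is best-effort by key name (bug 1465922)`. The join and the mask also run on every policy check even when DEBUG is off; if the logger exposes `isEnabledFor`, guarding the two new lines with it would avoid that work. The function body continues past the end of the hunk.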
diff --git a/keystone/tests/test_v3_identity.py b/keystone/tests/test_v3_identity.py
index dfcffda9d..36f8f9db5 100644
--- a/keystone/tests/test_v3_identity.py
+++ b/keystone/tests/test_v3_identity.py
@@ -1662,8 +1662,6 @@ class IdentityTestCase(test_v3.RestfulTestCase):
def test_create_user_password_not_logged(self):
# When a user is created, the password isn't logged at any level.
- # FIXME(blk-u): This doesn't work as expected, see bug 1465922
-
log_fix = self.useFixture(fixtures.FakeLogger(level=logging.DEBUG))
ref = self.new_user_ref(domain_id=self.domain_id)
@@ -1671,15 +1669,12 @@ class IdentityTestCase(test_v3.RestfulTestCase):
'/users',
body={'user': ref})
- # This should be assert*Not*In, see bug 1465922
- self.assertIn(ref['password'], log_fix.output)
+ self.assertNotIn(ref['password'], log_fix.output)
def test_update_password_not_logged(self):
# When admin modifies user password, the password isn't logged at any
# level.
- # FIXME(blk-u): This doesn't work as expected, see bug 1465922
-
log_fix = self.useFixture(fixtures.FakeLogger(level=logging.DEBUG))
# bootstrap a user as admin
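Review bot: The flipped `assertNotIn(ref['password'], log_fix.output)` passes just as well when the fixture captures nothing, so a later change to the logger name or level would make it vacuous. The same applies to the `assertNotIn` lines in the hunks at new lines 1689 and 2347. Pairing each with a positive check that the RBAC debug line was emitted, such as `self.assertIn('RBAC: Authorizing', log_fix.output)`, would keep the tests meaningful. The passwords come from `new_user_ref` and other test fixtures, so values containing quotes or other characters that might defeat the mask are presumably not exercised. Both test methods touched here extend outside the hunk.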
@@ -1694,9 +1689,7 @@ class IdentityTestCase(test_v3.RestfulTestCase):
expected_status=200)
self.assertNotIn(password, log_fix.output)
-
- # This should be assert*Not*In, see bug 1465922
- self.assertIn(new_password, log_fix.output)
+ self.assertNotIn(new_password, log_fix.output)
class IdentityInheritanceTestCase(test_v3.RestfulTestCase):
@@ -2346,8 +2339,6 @@ class UserSelfServiceChangingPasswordsTestCase(test_v3.RestfulTestCase):
# When a user changes their password, the password isn't logged at any
# level.
- # FIXME(blk-u): This doesn't work as expected, see bug 1465922
-
log_fix = self.useFixture(fixtures.FakeLogger(level=logging.DEBUG))
# change password
@@ -2356,6 +2347,5 @@ class UserSelfServiceChangingPasswordsTestCase(test_v3.RestfulTestCase):
original_password=self.user_ref['password'],
expected_status=204)
- # These should be assert*Not*In, see bug 1465922
- self.assertIn(self.user_ref['password'], log_fix.output)
- self.assertIn(new_password, log_fix.output)
+ self.assertNotIn(self.user_ref['password'], log_fix.output)
+ self.assertNotIn(new_password, log_fix.output)