authorJiaJunsu <jiajunsu@huawei.com>2016-11-30 13:44:09 -0800
committerJiaJunsu <jiajunsu@huawei.com>2016-11-30 13:59:44 -0800
commit634d45ed94047f99ac06857975bee3b1ca147c82 (patch)
treeb4073db08bb8b86757734542db1f105085fa1e0a
parent78bffce487935845bc932e91211b6429a7aba2a1 (diff)
Filter X-Auth-Token in catch_errors
If X-Auth-Token is logged in files, it may be captured by attackers. This patch tries to replace the token id with * in log files. Change-Id: Icf0cd9d4da37575d79a0da94ade979793ad0d3fa Closes-Bug:#1646254
-rw-r--r--oslo_middleware/catch_errors.py2
-rw-r--r--oslo_middleware/tests/test_catch_errors.py3
2 files changed, 5 insertions, 0 deletions
diff --git a/oslo_middleware/catch_errors.py b/oslo_middleware/catch_errors.py
index 43d085f..782713b 100644
--- a/oslo_middleware/catch_errors.py
+++ b/oslo_middleware/catch_errors.py
@@ -37,6 +37,8 @@ class CatchErrors(base.ConfigurableMiddleware):
try:
response = req.get_response(self.application)
except Exception:
+ if hasattr(req, 'environ') and 'HTTP_X_AUTH_TOKEN' in req.environ:
+ req.environ['HTTP_X_AUTH_TOKEN'] = '*****'
LOG.exception(_LE('An error occurred during '
'processing the request: %s'), req)
response = webob.exc.HTTPInternalServerError()
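Review bot: The added lines mask the token by overwriting `req.environ['HTTP_X_AUTH_TOKEN']` in place, so anything that inspects the request after CatchErrors on the exception path — an outer middleware, or later handling in this same method — now sees `*****` instead of the header the client sent, and the mutation happens regardless of whether the log call actually emits anything. Masking only the logged representation keeps the request intact: `environ = dict(req.environ)`, `if 'HTTP_X_AUTH_TOKEN' in environ: environ['HTTP_X_AUTH_TOKEN'] = '*****'`, then pass `webob.Request(environ)` to `LOG.exception` in place of `req` (the shallow copy shares `wsgi.input`, so the logged form should be the same as before). The `hasattr(req, 'environ')` guard is redundant for a webob Request, which always carries an environ, and can be dropped. Only X-Auth-Token is filtered; other credential-bearing headers such as `Authorization` or Keystone's `X-Service-Token` / `X-Subject-Token` are still written verbatim, which is worth either extending here or recording in a comment so the limitation is explicit. The enclosing method starts and ends outside the hunk.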
diff --git a/oslo_middleware/tests/test_catch_errors.py b/oslo_middleware/tests/test_catch_errors.py
index 920bbe2..66351e5 100644
--- a/oslo_middleware/tests/test_catch_errors.py
+++ b/oslo_middleware/tests/test_catch_errors.py
@@ -26,6 +26,7 @@ class CatchErrorsTest(test_base.BaseTestCase):
def _test_has_request_id(self, application, expected_code=None):
app = catch_errors.CatchErrors(application)
req = webob.Request.blank('/test')
+ req.environ['HTTP_X_AUTH_TOKEN'] = 'hello=world'
res = req.get_response(app)
self.assertEqual(expected_code, res.status_int)
@@ -45,3 +46,5 @@ class CatchErrorsTest(test_base.BaseTestCase):
self._test_has_request_id(application,
webob.exc.HTTPInternalServerError.code)
self.assertEqual(1, log_exc.call_count)
+ req_log = log_exc.call_args[0][1]
+ self.assertIn('X-Auth-Token: *****', str(req_log))
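Review bot: The new assertion at the end of the second hunk only checks that the masked marker appears in the logged request; it never checks that the original token value is absent, so a regression that logs both the masked and the real value would still pass. Add `self.assertNotIn('hello=world', str(req_log))` next to the existing `assertIn`. Setting the header inside `_test_has_request_id` (first hunk) makes every caller of that helper exercise the masking implicitly, which is fine for coverage but is not obvious from the helper's name; a comment such as `# attach a token so the masking path in CatchErrors is exercised` on the new line would make the intent clear. The test method containing the second hunk's lines starts outside the hunk.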