authorArun Kant <arun.kant@hpe.com>2016-04-07 15:16:12 -0700
committerArun Kant <arun.kant@hpe.com>2016-04-08 09:33:08 -0700
commitd1340572c500f13442d467fc6863b1be796060fd (patch)
treef55cb306b8f2eeae5b31d87f86bcfa30edf70bd8
parent8d3b5b3b7bcdc6d174d862c7e4ceec6e84c8fede (diff)
downloadpython-barbicanclient-d1340572c500f13442d467fc6863b1be796060fd.tar.gz
Censoring secrets payload value from debug log
Added utility method to censor dict values by keys. Change-Id: I1ec4050c9f9e0906635eff764add16b4b804804e Closes-Bug: #1567029
-rw-r--r--barbicanclient/base.py8
-rw-r--r--barbicanclient/containers.py3
-rw-r--r--barbicanclient/secrets.py4
-rw-r--r--barbicanclient/tests/test_base.py10
4 files changed, 22 insertions, 3 deletions
diff --git a/barbicanclient/base.py b/barbicanclient/base.py
index 56313ad..168ece1 100644
--- a/barbicanclient/base.py
+++ b/barbicanclient/base.py
@@ -22,6 +22,14 @@ def filter_null_keys(dictionary):
return dict(((k, v) for k, v in dictionary.items() if v is not None))
+def censored_copy(data_dict, censor_keys):
+ '''Returns redacted dict copy for censored keys'''
+ if censor_keys is None:
+ censor_keys = []
+ return {k: v if k not in censor_keys else '<redacted>' for k, v in
+ data_dict.items()}
+
+
def validate_ref(ref, entity):
"""Verifies that there is a real uuid at the end of the uri
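Review bot: The docstring on `censored_copy` does not say that redaction is shallow: the comprehension compares only the top-level keys of `data_dict`, so a value that is itself a dict or an object is copied through unchanged. Callers use this helper to decide what is safe to log, so I would state the limit, e.g. `"""Return a shallow copy of data_dict with values of censor_keys replaced by '<redacted>'; nested values are not inspected."""`, and mention that `censor_keys=None` redacts nothing. The neighbouring `validate_ref` docstring uses triple double quotes, so the new one should match.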
diff --git a/barbicanclient/containers.py b/barbicanclient/containers.py
index 5cae098..a2c17f3 100644
--- a/barbicanclient/containers.py
+++ b/barbicanclient/containers.py
@@ -221,7 +221,8 @@ class Container(ContainerFormatter):
def _get_secrets_and_store_them_if_necessary(self):
# Save all secrets if they are not yet saved
- LOG.debug("Storing secrets: {0}".format(self.secrets))
+ LOG.debug("Storing secrets: {0}".format(base.censored_copy(
+ self.secrets, ['payload'])))
secret_refs = []
for name, secret in six.iteritems(self.secrets):
if secret and not secret.secret_ref:
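Review bot: The call `base.censored_copy(self.secrets, ['payload'])` probably redacts nothing here. The loop just below it (`for name, secret in six.iteritems(self.secrets)`) shows that `self.secrets` is keyed by secret name with secret objects as values, and `censored_copy` only matches top-level keys. Whatever those objects render as under `format()` still reaches the debug log; whether that includes the payload depends on their repr, which is not visible in this hunk. Logging only the names avoids the question, e.g. `LOG.debug("Storing secrets: %s", list(self.secrets))`. The method body continues past the end of the hunk.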
diff --git a/barbicanclient/secrets.py b/barbicanclient/secrets.py
index 6b5ce9c..cf707ba 100644
--- a/barbicanclient/secrets.py
+++ b/barbicanclient/secrets.py
@@ -331,8 +331,8 @@ class Secret(SecretFormatter):
secret_dict['payload_content_type'] = u'text/plain'
secret_dict = base.filter_null_keys(secret_dict)
-
- LOG.debug("Request body: {0}".format(secret_dict))
+ LOG.debug("Request body: {0}".format(base.censored_copy(secret_dict,
+ ['payload'])))
# Save, store secret_ref and return
response = self._api.post(self._entity, json=secret_dict)
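Review bot: The key list `['payload']` is repeated as a literal here and in `containers.py`; a single module-level constant in `base` would keep the set of redacted fields in one place if another sensitive field is added later. The message is also formatted eagerly with `.format()`, so the string is built even when debug logging is disabled; `LOG.debug("Request body: %s", base.censored_copy(secret_dict, ['payload']))` defers that formatting. The enclosing method starts and ends outside the hunk.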
diff --git a/barbicanclient/tests/test_base.py b/barbicanclient/tests/test_base.py
index a186c4c..d03aa9d 100644
--- a/barbicanclient/tests/test_base.py
+++ b/barbicanclient/tests/test_base.py
@@ -12,3 +12,13 @@ class TestValidateRef(testtools.TestCase):
def test_invalid_uuid(self):
ref = 'http://localhost/not_a_uuid'
self.assertRaises(ValueError, base.validate_ref, ref, 'Thing')
+
+ def test_censored_copy(self):
+ d1 = {'a': '1', 'password': 'my_password', 'payload': 'my_key',
+ 'b': '2'}
+ d2 = base.censored_copy(d1, None)
+ self.assertEqual(d1, d2, 'd2 contents are unchanged')
+ self.assertFalse(d1 is d2, 'd1 and d2 are different instances')
+ d3 = base.censored_copy(d1, ['payload'])
+ self.assertNotEqual(d1, d3, 'd3 has redacted payload value')
+ self.assertNotEqual(d3['payload'], 'my_key', 'no key in payload')
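Review bot: `test_censored_copy` only checks that `d3['payload']` differs from `'my_key'`, which would still pass if the helper transformed the value while leaking part of it. Pin the exact placeholder and the untouched keys instead: `self.assertEqual('<redacted>', d3['payload'])` and `self.assertEqual('my_password', d3['password'])`. A further case where a non-censored top-level key holds a nested dict containing `'payload'` would record that the helper is shallow, which matters for the `containers.py` call site.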