author | Jenkins <jenkins@review.openstack.org> | 2016-05-05 16:42:22 +0000 |
---|---|---|
committer | Gerrit Code Review <review@openstack.org> | 2016-05-05 16:42:22 +0000 |
commit | e6fd8b4e3018d34a79063f682c407c72700274bf (patch) | |
tree | ae579336f545a7c8940cd9986c25210852b67214 | |
parent | d37b847977fbc2ffcc76d89031826c934ea211af (diff) | |
parent | d1340572c500f13442d467fc6863b1be796060fd (diff) | |
download | python-barbicanclient-e6fd8b4e3018d34a79063f682c407c72700274bf.tar.gz |
Merge "Censoring secrets payload value from debug log"
-rw-r--r-- | barbicanclient/base.py | 8 | ||||
-rw-r--r-- | barbicanclient/containers.py | 3 | ||||
-rw-r--r-- | barbicanclient/secrets.py | 4 | ||||
-rw-r--r-- | barbicanclient/tests/test_base.py | 10 |
4 files changed, 22 insertions, 3 deletions
diff --git a/barbicanclient/base.py b/barbicanclient/base.py
index 56313ad..168ece1 100644
--- a/barbicanclient/base.py
+++ b/barbicanclient/base.py
@@ -22,6 +22,14 @@ def filter_null_keys(dictionary):
 return dict(((k, v) for k, v in dictionary.items() if v is not None))
+def censored_copy(data_dict, censor_keys):
+ '''Returns redacted dict copy for censored keys'''
+ if censor_keys is None:
+ censor_keys = []
+ return {k: v if k not in censor_keys else '<redacted>' for k, v in
+ data_dict.items()}
+
+
 def validate_ref(ref, entity):
 """Verifies that there is a real uuid at the end of the uri
diff --git a/barbicanclient/containers.py b/barbicanclient/containers.py
index 5cae098..a2c17f3 100644
--- a/barbicanclient/containers.py
+++ b/barbicanclient/containers.py
@@ -221,7 +221,8 @@ class Container(ContainerFormatter):
 def _get_secrets_and_store_them_if_necessary(self):
 # Save all secrets if they are not yet saved
- LOG.debug("Storing secrets: {0}".format(self.secrets))
+ LOG.debug("Storing secrets: {0}".format(base.censored_copy(
+ self.secrets, ['payload'])))
 secret_refs = []
 for name, secret in six.iteritems(self.secrets):
 if secret and not secret.secret_ref:
diff --git a/barbicanclient/secrets.py b/barbicanclient/secrets.py
index 6b5ce9c..cf707ba 100644
--- a/barbicanclient/secrets.py
+++ b/barbicanclient/secrets.py
@@ -331,8 +331,8 @@ class Secret(SecretFormatter):
 secret_dict['payload_content_type'] = u'text/plain'
 secret_dict = base.filter_null_keys(secret_dict)
-
- LOG.debug("Request body: {0}".format(secret_dict))
+ LOG.debug("Request body: {0}".format(base.censored_copy(secret_dict,
+ ['payload'])))
 # Save, store secret_ref and return
 response = self._api.post(self._entity, json=secret_dict)
diff --git a/barbicanclient/tests/test_base.py b/barbicanclient/tests/test_base.py
index a186c4c..d03aa9d 100644
--- a/barbicanclient/tests/test_base.py
+++ b/barbicanclient/tests/test_base.py
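Review bot: In barbicanclient/base.py, `censored_copy` redacts only exact top-level key matches and returns a shallow copy, and the one-line docstring says neither. A caller who passes a mapping whose sensitive value sits one level down, or under a key not listed in `censor_keys`, gets that value back unredacted with no hint from the documentation. I would state the limits in the docstring, e.g. `"""Return a shallow copy of data_dict with the values of censor_keys replaced by '<redacted>'; nested values are not inspected."""`, using the triple double quotes that `validate_ref` just below already uses.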
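Review bot: In barbicanclient/containers.py, the `base.censored_copy(self.secrets, ['payload'])` call most likely redacts nothing. The loop directly below iterates `self.secrets` as `name, secret` pairs and reads `secret.secret_ref`, so the keys are the container's secret names and the values are secret objects; `'payload'` only matches a secret that happens to be named that. What reaches the debug log is then the string form of each secret object, and whether that includes the payload depends on a repr that is not visible in this hunk. Logging only the names sidesteps the question, assuming `self.secrets` is dict-like: `LOG.debug("Storing secrets: %s", list(self.secrets))`. The method body continues past the end of the hunk.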
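Review bot: In barbicanclient/secrets.py, the message is built with `.format()` before `LOG.debug` is called, so the string is formatted on every store even when debug logging is disabled. Passing the argument to the logger defers the formatting: `LOG.debug("Request body: %s", base.censored_copy(secret_dict, ['payload']))`. The same applies to the `LOG.debug` call changed in containers.py. Separately, the redaction covers this one log line only; whether the layer behind `self._api.post(self._entity, json=secret_dict)` logs the request body itself is not visible here and is worth confirming before relying on this change to keep payloads out of debug output.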
@@ -12,3 +12,13 @@ class TestValidateRef(testtools.TestCase):
 def test_invalid_uuid(self):
 ref = 'http://localhost/not_a_uuid'
 self.assertRaises(ValueError, base.validate_ref, ref, 'Thing')
+
+ def test_censored_copy(self):
+ d1 = {'a': '1', 'password': 'my_password', 'payload': 'my_key',
+ 'b': '2'}
+ d2 = base.censored_copy(d1, None)
+ self.assertEqual(d1, d2, 'd2 contents are unchanged')
+ self.assertFalse(d1 is d2, 'd1 and d2 are different instances')
+ d3 = base.censored_copy(d1, ['payload'])
+ self.assertNotEqual(d1, d3, 'd3 has redacted payload value')
+ self.assertNotEqual(d3['payload'], 'my_key', 'no key in payload') |
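Review bot: `test_censored_copy` only asserts what the redacted value is not, so it never pins the `'<redacted>'` marker, and it does not check that the input dict is left unmodified or that unlisted keys pass through. The fixture carries a `'password'` key that is never asserted on, which would be the natural place to show that only the listed keys are censored. I would add `self.assertEqual('<redacted>', d3['payload'])`, `self.assertEqual('my_key', d1['payload'])` and `self.assertEqual('my_password', d3['password'])`. A case with a nested dict under a censored key's sibling would also document that the redaction is top-level only.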