author | Zhi Kun Liu <zhikunli@cn.ibm.com> | 2014-07-15 13:17:05 +0800 |
committer | Zhi Kun Liu <liuzhikun@gmail.com> | 2014-07-18 01:26:50 +0000 |
commit | e5048043e211ea9cc094e439a51099fdc7e38e2e (patch) | |
tree | 7764ac6604585dc4a6fb50093531db751494fee7 | |
parent | 5c8a85e3861c0e90ef63325956ca809edca5719a (diff) | |
Don't expose X-Auth-Token in ceilometer CLI
Ceilometer CLI exposes X-Auth-Token in debug mode. This patch
replaces X-Auth-Token's value with '{SHA1}<sha1oftoken>'. Some
credentials are still exposed by keystoneclient, because ceilometerclient
uses keystoneclient to authenticate; that will be fixed under bug
100414.
Change-Id: Ia6364314e4b4d26301f974582c0c2ba34b054c86
Partial-Bug: #1327019
-rw-r--r-- | ceilometerclient/common/http.py | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/ceilometerclient/common/http.py b/ceilometerclient/common/http.py
index f440abe..56373ee 100644
--- a/ceilometerclient/common/http.py
+++ b/ceilometerclient/common/http.py
@@ -14,6 +14,7 @@
 # under the License.
 import copy
+import hashlib
 import logging
 import os
 import socket
@@ -39,6 +40,7 @@ from ceilometerclient import exc
 LOG = logging.getLogger(__name__)
 USER_AGENT = 'python-ceilometerclient'
 CHUNKSIZE = 1024 * 64 # 64kB
+SENSITIVE_HEADERS = ('X-Auth-Token',)
 class HTTPClient(object):
@@ -84,11 +86,21 @@ class HTTPClient(object):
 except httplib.InvalidURL:
 raise exc.InvalidEndpoint()
+def safe_header(self, name, value):
+if name in SENSITIVE_HEADERS:
+# because in python3 byte string handling is ... ug
+v = value.encode('utf-8')
+h = hashlib.sha1(v)
+d = h.hexdigest()
+return name, "{SHA1}%s" % d
+else:
+return name, value
 def log_curl_request(self, method, url, kwargs):
 curl = ['curl -i -X %s' % method]
 for (key, value) in kwargs['headers'].items():
-header = '-H \'%s: %s\'' % (key, value)
+header = '-H \'%s: %s\'' % self.safe_header(key, value)
 curl.append(header)
 conn_params_fmt = [
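Review bot: The membership test `if name in SENSITIVE_HEADERS:` in the new `safe_header` is case-sensitive, while HTTP header names are not, so a header keyed as `x-auth-token` (or any other casing) would bypass the masking and the token would still reach the debug log in clear; compare case-insensitively, e.g. `if name.lower() in [h.lower() for h in SENSITIVE_HEADERS]:`. The `value.encode('utf-8')` call also assumes a text value — if a caller ever stores the token as bytes this raises on Python 3 rather than masking, so it may be worth guarding on the value's type (hedged: how headers are populated is outside this hunk). The method has no docstring; something like `"""Return (name, value) with the value of sensitive headers replaced by its SHA1 digest, so it can be logged without exposing the token."""` would record the intent that the digest is a log-side fingerprint, not a secret. The `else:` after the `return` is redundant and the `v`/`h`/`d` temporaries could collapse into `return name, "{SHA1}%s" % hashlib.sha1(value.encode('utf-8')).hexdigest()`. `log_curl_request` continues past the end of the hunk.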