author | lvdongbing <dongbing.lv@kylin-cloud.com> | 2014-07-24 17:49:32 +0800 |
---|---|---|
committer | lvdongbing <dongbing.lv@kylin-cloud.com> | 2014-07-25 15:04:25 +0800 |
commit | 99fabf0dceb04517c88b45609d1d0a1ff829f892 (patch) | |
tree | 85b440e8b9b94a952687d4711aff6e68a8140860 /heatclient/common/http.py | |
parent | a98c1f3617604c4871263ff9cc986b27f302ef46 (diff) | |
download | python-heatclient-99fabf0dceb04517c88b45609d1d0a1ff829f892.tar.gz |
Don't expose X-Auth-Token in heat CLI
Heat CLI exposes X-Auth-Token in debug mode. This patch replaces
X-Auth-Token's value with '{SHA1}<sha1oftoken>'. Some credentials
are exposed by keystoneclient, because heatclient uses keystoneclient
to authenticate; that will be fixed in bug:100414.
Change-Id: Ic768af5a947535807ba449fb0aeb1eb98dac56e6
Partial-Bug: #1327019
Diffstat (limited to 'heatclient/common/http.py')
-rw-r--r-- | heatclient/common/http.py | 15 |
1 files changed, 13 insertions, 2 deletions
diff --git a/heatclient/common/http.py b/heatclient/common/http.py index 1007237..2a2f083 100644 --- a/heatclient/common/http.py +++ b/heatclient/common/http.py @@ -14,6 +14,7 @@ # under the License. import copy +import hashlib import logging import os import socket @@ -29,6 +30,7 @@ from heatclient.openstack.common import strutils LOG = logging.getLogger(__name__) USER_AGENT = 'python-heatclient' CHUNKSIZE = 1024 * 64 # 64kB +SENSITIVE_HEADERS = ('X-Auth-Token',) def get_system_ca_file(): @@ -79,12 +81,21 @@ class HTTPClient(object): else: self.verify_cert = kwargs.get('ca_file', get_system_ca_file()) + def safe_header(self, name, value): + if name in SENSITIVE_HEADERS: + # because in python3 byte string handling is ... ug + v = value.encode('utf-8') + h = hashlib.sha1(v) + d = h.hexdigest() + return strutils.safe_decode(name), "{SHA1}%s" % d + else: + return strutils.safe_decode(name), strutils.safe_decode(value) + def log_curl_request(self, method, url, kwargs): curl = ['curl -i -X %s' % method] for (key, value) in kwargs['headers'].items(): - header = '-H \'%s: %s\'' % (strutils.safe_decode(key), - strutils.safe_decode(value)) + header = '-H \'%s: %s\'' % self.safe_header(key, value) curl.append(header) conn_params_fmt = [ |
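Review bot: `SENSITIVE_HEADERS` holds one name in one fixed spelling, and the check added in `safe_header` in the last hunk (`if name in SENSITIVE_HEADERS:`) is an exact, case-sensitive tuple membership test. HTTP header names are case-insensitive, so a header passed in `kwargs['headers']` as `x-auth-token` would still be written to the debug log in clear. Storing the names lower-cased, `SENSITIVE_HEADERS = ('x-auth-token',)`, and testing `if name.lower() in SENSITIVE_HEADERS:` closes that gap. Any other credential-bearing header this client sends (none is visible in this diff) would also have to be listed, since everything not in the tuple is logged verbatim.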
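Review bot: `value.encode('utf-8')` in `safe_header` assumes the token is a text string. A bytes value on Python 3 has no `.encode`, and a non-ASCII byte string on Python 2 is implicitly ASCII-decoded first, so either would raise out of `log_curl_request` once debug logging is on; whether callers can pass such a value is not visible here. `v = value if isinstance(value, bytes) else value.encode('utf-8')` handles both cases without changing the digest for ordinary tokens. The method also has no docstring; a short one should say that it returns the `(name, value)` pair to log, and that the `{SHA1}` value is an unsalted digest meant only for correlating log entries, never a replacement credential. `log_curl_request` continues past the end of the hunk.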