From 99fabf0dceb04517c88b45609d1d0a1ff829f892 Mon Sep 17 00:00:00 2001 From: lvdongbing Date: Thu, 24 Jul 2014 17:49:32 +0800 Subject: Don't expose X-Auth-Token in heat CLI Heat CLI exposes X-Auth-Token in debug mode. This patch replaces X-Auth-Token's value with '{SHA1}'. Some credentials are exposed by keystoneclient as heatclient uses keystoneclient to authenticate, it will be fixed in bug:100414. Change-Id: Ic768af5a947535807ba449fb0aeb1eb98dac56e6 Partial-Bug: #1327019 --- heatclient/common/http.py | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) (limited to 'heatclient/common/http.py') diff --git a/heatclient/common/http.py b/heatclient/common/http.py index 1007237..2a2f083 100644 --- a/heatclient/common/http.py +++ b/heatclient/common/http.py @@ -14,6 +14,7 @@ # under the License. import copy +import hashlib import logging import os import socket @@ -29,6 +30,7 @@ from heatclient.openstack.common import strutils LOG = logging.getLogger(__name__) USER_AGENT = 'python-heatclient' CHUNKSIZE = 1024 * 64 # 64kB +SENSITIVE_HEADERS = ('X-Auth-Token',) def get_system_ca_file(): @@ -79,12 +81,21 @@ class HTTPClient(object): else: self.verify_cert = kwargs.get('ca_file', get_system_ca_file()) + def safe_header(self, name, value): + if name in SENSITIVE_HEADERS: + # because in python3 byte string handling is ... ug + v = value.encode('utf-8') + h = hashlib.sha1(v) + d = h.hexdigest() + return strutils.safe_decode(name), "{SHA1}%s" % d + else: + return strutils.safe_decode(name), strutils.safe_decode(value) + def log_curl_request(self, method, url, kwargs): curl = ['curl -i -X %s' % method] for (key, value) in kwargs['headers'].items(): - header = '-H \'%s: %s\'' % (strutils.safe_decode(key), - strutils.safe_decode(value)) + header = '-H \'%s: %s\'' % self.safe_header(key, value) curl.append(header) conn_params_fmt = [ -- cgit v1.2.1