author | Matt Riedemann <mriedem@us.ibm.com> | 2015-08-31 12:32:25 -0700 |
---|---|---|
committer | Matt Riedemann <mriedem@us.ibm.com> | 2015-10-09 11:11:43 -0700 |
commit | ec70eb02f8a5889828cde786694283240f64c5c4 (patch) | |
tree | 633f3da1fcea561bc31f1eaaa72a78765e598f3f | |
parent | 5b5daaadabcdff891f42cc57e356035e6ea72a14 (diff) | |
download | python-keystoneclient-ec70eb02f8a5889828cde786694283240f64c5c4.tar.gz |
Mask passwords when logging the HTTP response1.3.3
We should sanitize the response body before logging to make sure we
aren't leaking through credentials like in the case of the response from
the os-initialize_connection volume API.
Closes-Bug: #1490693
NOTE(mriedem): The test is slightly different in kilo because the
_http_log_response method requires kwargs.
Change-Id: Ifd95d3fb624b4636fb72cc11762af62e00a026a0
(cherry picked from commit 3e26ff824801d5084791a52980021784e794e35f)
-rw-r--r-- | keystoneclient/session.py | 4 | ||||
-rw-r--r-- | keystoneclient/tests/unit/test_session.py | 29 |
2 files changed, 32 insertions, 1 deletions
diff --git a/keystoneclient/session.py b/keystoneclient/session.py
index f9da97d..cc78dab 100644
--- a/keystoneclient/session.py
+++ b/keystoneclient/session.py
@@ -21,6 +21,7 @@ import time
 from oslo_config import cfg
 from oslo_serialization import jsonutils
 from oslo_utils import importutils
+from oslo_utils import strutils
 import requests
 import six
 from six.moves import urllib
@@ -219,7 +220,8 @@ class Session(object):
 for header in six.iteritems(headers):
 string_parts.append('%s: %s' % Session.process_header(header))
 if text:
- string_parts.append('\nRESP BODY: %s\n' % text)
+ string_parts.append('\nRESP BODY: %s\n' %
+ strutils.mask_password(text))
 logger.debug(' '.join(string_parts))
diff --git a/keystoneclient/tests/unit/test_session.py b/keystoneclient/tests/unit/test_session.py
index 646cba8..eeb6d46 100644
--- a/keystoneclient/tests/unit/test_session.py
+++ b/keystoneclient/tests/unit/test_session.py
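Review bot: `strutils.mask_password` on the new RESP BODY line is a pattern-based scrubber keyed on a fixed list of secret-looking key names (as implemented in oslo.utils; `auth_password`, which the new test uses, is one of them), so a response body that carries a credential under a name outside that list still reaches the debug log verbatim — this is a mitigation for known field names, not a guarantee that logged bodies are credential-free. That limit is worth stating at the call site so the debug level is not later treated as safe to ship: `# mask_password only scrubs values under known key names (password, auth_password, ...); logged bodies remain sensitive.` Headers are masked separately through `Session.process_header` two lines above, presumably with its own token handling; confirm the two paths agree on what is redacted. The enclosing `_http_log_response` begins outside the hunk, and whether the request-side logger applies the same masking cannot be seen here.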
@@ -237,6 +237,35 @@ class SessionTests(utils.TestCase):
 session.get, self.TEST_URL)
+ def test_mask_password_in_http_log_response(self):
+ session = client_session.Session()
+
+ def fake_debug(msg):
+ self.assertNotIn('verybadpass', msg)
+
+ logger = mock.Mock(isEnabledFor=mock.Mock(return_value=True))
+ logger.debug = mock.Mock(side_effect=fake_debug)
+ body = {
+ "connection_info": {
+ "driver_volume_type": "iscsi",
+ "data": {
+ "auth_password": "verybadpass",
+ "target_discovered": False,
+ "encrypted": False,
+ "qos_specs": None,
+ "target_iqn": ("iqn.2010-10.org.openstack:volume-"
+ "744d2085-8e78-40a5-8659-ef3cffb2480e"),
+ "target_portal": "172.99.69.228:3260",
+ "volume_id": "744d2085-8e78-40a5-8659-ef3cffb2480e",
+ "target_lun": 1,
+ "access_mode": "rw",
+ "auth_username": "verybadusername",
+ "auth_method": "CHAP"}}}
+ body_json = jsonutils.dumps(body)
+ response = mock.Mock(text=body_json, status_code=200, headers={})
+ session._http_log_response(response=response, logger=logger)
+ self.assertEqual(1, logger.debug.call_count)
+
 class RedirectTests(utils.TestCase): |
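Review bot: The new test only pins the absence of `verybadpass` in `fake_debug`; it would pass just as well if the body were dropped from the log entirely or if everything were masked, so it does not show that the response is still logged with only the secret replaced. Adding `self.assertIn('***', msg)` (the default mask marker of `mask_password`) and `self.assertIn('verybadusername', msg)` inside `fake_debug` would pin the intended behaviour and record deliberately that `auth_username` is not in the masked key set and stays in the log. The body uses `jsonutils` and `mock` without this hunk importing them; the diffstat shows no other change to this file, so they are presumably already imported in the module — worth confirming. The `call_count` assertion after the call is what guarantees the side-effect check actually ran, so it should stay even if the inner assertions grow.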