Mark password/secret options as secret1.7.4

Password, token, and secret options should be marked as secret=True
so that when the value is logged the logger knows to obfuscate the
value.

Change-Id: I6ebdfa3bf6faf37bc11640a5826b3b55bb920fc4
Closes-Bug: 1534299
(cherry picked from commit 04f9f33b4b6079d39c3feea0b1ec1211a1de6a04)

5 files changed, 7 insertions, 5 deletions

diff --git a/keystoneclient/auth/identity/generic/cli.py b/keystoneclient/auth/identity/generic/cli.py
index c493850..212e9b7 100644
--- a/keystoneclient/auth/identity/generic/cli.py
+++ b/keystoneclient/auth/identity/generic/cli.py
@@ -38,6 +38,7 @@ class DefaultCLI(password.Password):
         options.extend([cfg.StrOpt('endpoint',
                                    help='A URL to use instead of a catalog'),
                         cfg.StrOpt('token',
+                                   secret=True,
                                    help='Always use the specified token')])
         return options
 
diff --git a/keystoneclient/auth/identity/generic/password.py b/keystoneclient/auth/identity/generic/password.py
index 3c4180c..3527b19 100644
--- a/keystoneclient/auth/identity/generic/password.py
+++ b/keystoneclient/auth/identity/generic/password.py
@@ -30,7 +30,7 @@ def get_options():
                    deprecated_name='user-name'),
         cfg.StrOpt('user-domain-id', help="User's domain id"),
         cfg.StrOpt('user-domain-name', help="User's domain name"),
-        cfg.StrOpt('password', help="User's password"),
+        cfg.StrOpt('password', secret=True, help="User's password"),
     ]
 
 
diff --git a/keystoneclient/auth/identity/generic/token.py b/keystoneclient/auth/identity/generic/token.py
index 0fbacf0..6a5d15b 100644
--- a/keystoneclient/auth/identity/generic/token.py
+++ b/keystoneclient/auth/identity/generic/token.py
@@ -24,7 +24,7 @@ LOG = logging.getLogger(__name__)
 
 def get_options():
     return [
-        cfg.StrOpt('token', help='Token to authenticate with'),
+        cfg.StrOpt('token', secret=True, help='Token to authenticate with'),
     ]
 
 
diff --git a/keystoneclient/contrib/auth/v3/oidc.py b/keystoneclient/contrib/auth/v3/oidc.py
index 0c94519..f9c5286 100644
--- a/keystoneclient/contrib/auth/v3/oidc.py
+++ b/keystoneclient/contrib/auth/v3/oidc.py
@@ -31,9 +31,10 @@ class OidcPassword(federated.FederatedBaseAuth):
         options = super(OidcPassword, cls).get_options()
         options.extend([
             cfg.StrOpt('username', help='Username'),
-            cfg.StrOpt('password', help='Password'),
+            cfg.StrOpt('password', secret=True, help='Password'),
             cfg.StrOpt('client-id', help='OAuth 2.0 Client ID'),
-            cfg.StrOpt('client-secret', help='OAuth 2.0 Client Secret'),
+            cfg.StrOpt('client-secret', secret=True,
+                       help='OAuth 2.0 Client Secret'),
             cfg.StrOpt('access-token-endpoint',
                        help='OpenID Connect Provider Token Endpoint'),
             cfg.StrOpt('scope', default="profile",
diff --git a/keystoneclient/contrib/auth/v3/saml2.py b/keystoneclient/contrib/auth/v3/saml2.py
index 2e74996..bf8aea1 100644
--- a/keystoneclient/contrib/auth/v3/saml2.py
+++ b/keystoneclient/contrib/auth/v3/saml2.py
@@ -74,7 +74,7 @@ class _BaseSAMLPlugin(v3.AuthConstructor):
                        help="Identity Provider's URL"),
             cfg.StrOpt('username', dest='username', help='Username',
                        deprecated_name='user-name'),
-            cfg.StrOpt('password', help='Password')
+            cfg.StrOpt('password', secret=True, help='Password')
         ])
         return options