Log token with sha1

By logging the sha1 hash of the token, it can be tracked through
different services.

Closes-bug: #1329301
Change-Id: I9c338f6a418ab8dd34dbaaf918b0ea6e9cbe79d7

2 files changed, 6 insertions, 2 deletions

diff --git a/keystoneclient/session.py b/keystoneclient/session.py
index a382cc7..577c2bf 100644
--- a/keystoneclient/session.py
+++ b/keystoneclient/session.py
@@ -12,6 +12,7 @@
 
 import argparse
 import functools
+import hashlib
 import logging
 import os
 import time
@@ -122,7 +123,10 @@ class Session(object):
         secure_headers = ('authorization', 'x-auth-token',
                           'x-subject-token',)
         if header[0].lower() in secure_headers:
-            return (header[0], 'TOKEN_REDACTED')
+            token_hasher = hashlib.sha1()
+            token_hasher.update(header[1].encode('utf-8'))
+            token_hash = token_hasher.hexdigest()
+            return (header[0], '{SHA1}%s' % token_hash)
         return header
 
     @utils.positional()
diff --git a/keystoneclient/tests/test_session.py b/keystoneclient/tests/test_session.py
index 4c5b460..99c9e6e 100644
--- a/keystoneclient/tests/test_session.py
+++ b/keystoneclient/tests/test_session.py
@@ -168,7 +168,7 @@ class SessionTests(utils.TestCase):
         # Assert that response headers contains actual values and
         # only debug logs has been masked
         for k, v in six.iteritems(security_headers):
-            self.assertIn('%s: TOKEN_REDACTED' % k, self.logger.output)
+            self.assertIn('%s: {SHA1}' % k, self.logger.output)
             self.assertEqual(v, resp.headers[k])
             self.assertNotIn(v, self.logger.output)