Merge "Mask passwords in debug log on user password operations" into stable/juno

2015-11-11 23:41:56 +00:00 · 2015-11-11 23:41:56 +00:00 · 1a3365bfa5
parent 2e64d78c78 c15cbc48d6
commit 1a3365bfa5
2 changed files with 9 additions and 15 deletions
--- a/keystone/common/controller.py
+++ b/keystone/common/controller.py
@ -25,6 +25,7 @@ from keystone import exception
 from keystone.i18n import _
 from keystone.models import token_model
 from keystone.openstack.common import log
+from keystone.openstack.common import strutils


 LOG = log.getLogger(__name__)
@ -50,9 +51,12 @@ def v2_deprecated(f):


 def _build_policy_check_credentials(self, action, context, kwargs):
+    kwargs_str = ', '.join(['%s=%s' % (k, kwargs[k]) for k in kwargs])
+    kwargs_str = strutils.mask_password(kwargs_str)
+
    LOG.debug('RBAC: Authorizing %(action)s(%(kwargs)s)', {
        'action': action,
-        'kwargs': ', '.join(['%s=%s' % (k, kwargs[k]) for k in kwargs])})
+        'kwargs': kwargs_str})

    # see if auth context has already been created. If so use it.
    if ('environment' in context and
--- a/keystone/tests/test_v3_identity.py
+++ b/keystone/tests/test_v3_identity.py
@ -1662,8 +1662,6 @@ class IdentityTestCase(test_v3.RestfulTestCase):
    def test_create_user_password_not_logged(self):
        # When a user is created, the password isn't logged at any level.

-        # FIXME(blk-u): This doesn't work as expected, see bug 1465922
-
        log_fix = self.useFixture(fixtures.FakeLogger(level=logging.DEBUG))

        ref = self.new_user_ref(domain_id=self.domain_id)
@ -1671,15 +1669,12 @@ class IdentityTestCase(test_v3.RestfulTestCase):
            '/users',
            body={'user': ref})

-        # This should be assert*Not*In, see bug 1465922
-        self.assertIn(ref['password'], log_fix.output)
+        self.assertNotIn(ref['password'], log_fix.output)

    def test_update_password_not_logged(self):
        # When admin modifies user password, the password isn't logged at any
        # level.

-        # FIXME(blk-u): This doesn't work as expected, see bug 1465922
-
        log_fix = self.useFixture(fixtures.FakeLogger(level=logging.DEBUG))

        # bootstrap a user as admin
@ -1694,9 +1689,7 @@ class IdentityTestCase(test_v3.RestfulTestCase):
                   expected_status=200)

        self.assertNotIn(password, log_fix.output)
-
-        # This should be assert*Not*In, see bug 1465922
-        self.assertIn(new_password, log_fix.output)
+        self.assertNotIn(new_password, log_fix.output)


 class IdentityInheritanceTestCase(test_v3.RestfulTestCase):
@ -2346,8 +2339,6 @@ class UserSelfServiceChangingPasswordsTestCase(test_v3.RestfulTestCase):
        # When a user changes their password, the password isn't logged at any
        # level.

-        # FIXME(blk-u): This doesn't work as expected, see bug 1465922
-
        log_fix = self.useFixture(fixtures.FakeLogger(level=logging.DEBUG))

        # change password
@ -2356,6 +2347,5 @@ class UserSelfServiceChangingPasswordsTestCase(test_v3.RestfulTestCase):
                             original_password=self.user_ref['password'],
                             expected_status=204)

-        # These should be assert*Not*In, see bug 1465922
-        self.assertIn(self.user_ref['password'], log_fix.output)
-        self.assertIn(new_password, log_fix.output)
+        self.assertNotIn(self.user_ref['password'], log_fix.output)
+        self.assertNotIn(new_password, log_fix.output)