Merge "Mask passwords in debug log on user password operations" into stable/juno
commit
1a3365bfa5
|
@ -25,6 +25,7 @@ from keystone import exception
|
||||||
from keystone.i18n import _
|
from keystone.i18n import _
|
||||||
from keystone.models import token_model
|
from keystone.models import token_model
|
||||||
from keystone.openstack.common import log
|
from keystone.openstack.common import log
|
||||||
|
from keystone.openstack.common import strutils
|
||||||
|
|
||||||
|
|
||||||
LOG = log.getLogger(__name__)
|
LOG = log.getLogger(__name__)
|
||||||
|
@ -50,9 +51,12 @@ def v2_deprecated(f):
|
||||||
|
|
||||||
|
|
||||||
def _build_policy_check_credentials(self, action, context, kwargs):
|
def _build_policy_check_credentials(self, action, context, kwargs):
|
||||||
|
kwargs_str = ', '.join(['%s=%s' % (k, kwargs[k]) for k in kwargs])
|
||||||
|
kwargs_str = strutils.mask_password(kwargs_str)
|
||||||
|
|
||||||
LOG.debug('RBAC: Authorizing %(action)s(%(kwargs)s)', {
|
LOG.debug('RBAC: Authorizing %(action)s(%(kwargs)s)', {
|
||||||
'action': action,
|
'action': action,
|
||||||
'kwargs': ', '.join(['%s=%s' % (k, kwargs[k]) for k in kwargs])})
|
'kwargs': kwargs_str})
|
||||||
|
|
||||||
# see if auth context has already been created. If so use it.
|
# see if auth context has already been created. If so use it.
|
||||||
if ('environment' in context and
|
if ('environment' in context and
|
||||||
|
|
|
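Review bot: The masking in `_build_policy_check_credentials` runs on a string built by `%s`-formatting each kwarg, so redaction depends on `strutils.mask_password` recognising the key name and the quoting inside a nested dict repr. That is best-effort, and any secret-bearing field it has no pattern for would still reach the debug log. A short comment above the two new lines would record the intent, for example `# kwargs can hold request bodies with credentials; never log them unmasked`. The join and the regex pass also run on every policy check even when debug logging is off; if this module's logger exposes `isEnabledFor`, guarding the three statements with it would avoid that cost. The function body continues past the end of the hunk.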
@ -1662,8 +1662,6 @@ class IdentityTestCase(test_v3.RestfulTestCase):
|
||||||
def test_create_user_password_not_logged(self):
|
def test_create_user_password_not_logged(self):
|
||||||
# When a user is created, the password isn't logged at any level.
|
# When a user is created, the password isn't logged at any level.
|
||||||
|
|
||||||
# FIXME(blk-u): This doesn't work as expected, see bug 1465922
|
|
||||||
|
|
||||||
log_fix = self.useFixture(fixtures.FakeLogger(level=logging.DEBUG))
|
log_fix = self.useFixture(fixtures.FakeLogger(level=logging.DEBUG))
|
||||||
|
|
||||||
ref = self.new_user_ref(domain_id=self.domain_id)
|
ref = self.new_user_ref(domain_id=self.domain_id)
|
||||||
|
@ -1671,15 +1669,12 @@ class IdentityTestCase(test_v3.RestfulTestCase):
|
||||||
'/users',
|
'/users',
|
||||||
body={'user': ref})
|
body={'user': ref})
|
||||||
|
|
||||||
# This should be assert*Not*In, see bug 1465922
|
self.assertNotIn(ref['password'], log_fix.output)
|
||||||
self.assertIn(ref['password'], log_fix.output)
|
|
||||||
|
|
||||||
def test_update_password_not_logged(self):
|
def test_update_password_not_logged(self):
|
||||||
# When admin modifies user password, the password isn't logged at any
|
# When admin modifies user password, the password isn't logged at any
|
||||||
# level.
|
# level.
|
||||||
|
|
||||||
# FIXME(blk-u): This doesn't work as expected, see bug 1465922
|
|
||||||
|
|
||||||
log_fix = self.useFixture(fixtures.FakeLogger(level=logging.DEBUG))
|
log_fix = self.useFixture(fixtures.FakeLogger(level=logging.DEBUG))
|
||||||
|
|
||||||
# bootstrap a user as admin
|
# bootstrap a user as admin
|
||||||
|
@ -1694,9 +1689,7 @@ class IdentityTestCase(test_v3.RestfulTestCase):
|
||||||
expected_status=200)
|
expected_status=200)
|
||||||
|
|
||||||
self.assertNotIn(password, log_fix.output)
|
self.assertNotIn(password, log_fix.output)
|
||||||
|
self.assertNotIn(new_password, log_fix.output)
|
||||||
# This should be assert*Not*In, see bug 1465922
|
|
||||||
self.assertIn(new_password, log_fix.output)
|
|
||||||
|
|
||||||
|
|
||||||
class IdentityInheritanceTestCase(test_v3.RestfulTestCase):
|
class IdentityInheritanceTestCase(test_v3.RestfulTestCase):
|
||||||
|
@ -2346,8 +2339,6 @@ class UserSelfServiceChangingPasswordsTestCase(test_v3.RestfulTestCase):
|
||||||
# When a user changes their password, the password isn't logged at any
|
# When a user changes their password, the password isn't logged at any
|
||||||
# level.
|
# level.
|
||||||
|
|
||||||
# FIXME(blk-u): This doesn't work as expected, see bug 1465922
|
|
||||||
|
|
||||||
log_fix = self.useFixture(fixtures.FakeLogger(level=logging.DEBUG))
|
log_fix = self.useFixture(fixtures.FakeLogger(level=logging.DEBUG))
|
||||||
|
|
||||||
# change password
|
# change password
|
||||||
|
@ -2356,6 +2347,5 @@ class UserSelfServiceChangingPasswordsTestCase(test_v3.RestfulTestCase):
|
||||||
original_password=self.user_ref['password'],
|
original_password=self.user_ref['password'],
|
||||||
expected_status=204)
|
expected_status=204)
|
||||||
|
|
||||||
# These should be assert*Not*In, see bug 1465922
|
self.assertNotIn(self.user_ref['password'], log_fix.output)
|
||||||
self.assertIn(self.user_ref['password'], log_fix.output)
|
self.assertNotIn(new_password, log_fix.output)
|
||||||
self.assertIn(new_password, log_fix.output)
|
|
||||||
|
|
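Review bot: The flipped `assertNotIn` checks only prove that the exact plaintext used by each test is absent from `log_fix.output`. If `new_user_ref` and `new_password` produce random alphanumeric strings (their generation is outside this view), passwords containing quotes, whitespace or non-ASCII characters are never exercised, and those are the values a pattern-based masker is most likely to redact only partially. Consider adding one case per test that sets such a password explicitly before the request and keeps the same `assertNotIn` assertion. The test methods start and end outside the visible hunks.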