mask private keys for the ssh power driver.

As this driver is deprecated masking here (opposed to strutils) is simpler, and easier to backport. This can be removed along with support for the ssh power driver. Closes-Bug: #1638596 Change-Id: I107f2ce4ee2cd22558455de7ed595c2b3a7c6845 (cherry picked from commit ca585bec9d)
2016-11-21 13:57:20 +00:00 · 2016-11-21 13:57:20 +00:00 · 94f132e711
parent fcf32419cd
commit 94f132e711
3 changed files with 24 additions and 0 deletions
--- a/ironic/api/controllers/v1/node.py
+++ b/ironic/api/controllers/v1/node.py
@ -826,6 +826,14 @@ class Node(base.APIBase):
        if not show_driver_secrets and node.driver_info != wtypes.Unset:
            node.driver_info = strutils.mask_dict_password(
                node.driver_info, "******")
+
+            # NOTE(derekh): mask ssh keys for the ssh power driver.
+            # As this driver is deprecated masking here (opposed to strutils)
+            # is simpler, and easier to backport. This can be removed along
+            # with support for the ssh power driver.
+            if node.driver_info.get('ssh_key_contents'):
+                node.driver_info['ssh_key_contents'] = "******"
+
        if not show_instance_secrets and node.instance_info != wtypes.Unset:
            node.instance_info = strutils.mask_dict_password(
                node.instance_info, "******")
--- a/ironic/tests/unit/api/v1/test_nodes.py
+++ b/ironic/tests/unit/api/v1/test_nodes.py
@ -992,6 +992,18 @@ class TestListNodes(test_api_base.BaseApiTest):
        # rpc_node lookup and pass that downwards
        mock_vdi.assert_called_once_with(mock.ANY, node.uuid, 'test-topic')

+    def test_ssh_creds_masked(self):
+        driver_info = {"ssh_password": "password", "ssh_key_contents": "key"}
+        node = obj_utils.create_test_node(self.context,
+                                          chassis_id=self.chassis.id,
+                                          driver_info=driver_info)
+        data = self.get_json(
+            '/nodes/%s' % node.uuid,
+            headers={api_base.Version.string: str(api_v1.MAX_VER)})
+
+        self.assertEqual("******", data["driver_info"]["ssh_password"])
+        self.assertEqual("******", data["driver_info"]["ssh_key_contents"])
+

 class TestPatch(test_api_base.BaseApiTest):

--- a/releasenotes/notes/mask-ssh-creds-54ab7b2656578d2e.yaml
+++ b/releasenotes/notes/mask-ssh-creds-54ab7b2656578d2e.yaml
@ -0,0 +1,4 @@
+---
+security:
+  - private ssh keys are now masked when using the ssh power driver
+    and node details are requested.