Mask the token used to allow access to consoles

Hide the novncproxy token from the logs.

When backported this patch needs to be extended to handle the same issue
in the consoleauth service.

Co-Authored-By:paul-carlton2 <paul.carlton2@hp.com>
Co-Authored-By:Tristan Cacqueray <tdecacqu@redhat.com>

Change-Id: I5b8fa4233d297722c3af08176901d12887bae3de
Closes-Bug: #1492140
This commit is contained in:
Balazs Gibizer 2019-08-23 15:51:34 +02:00
parent 23995b4f99
commit 26d4047e17
2 changed files with 8 additions and 1 deletions

View File

@ -18,6 +18,7 @@ Websocket proxy that is compatible with OpenStack Nova.
Leverages websockify.py by Joel Martin
'''
import copy
import socket
import sys
@ -220,7 +221,10 @@ class NovaProxyRequestHandlerBase(object):
detail = _("Origin header protocol does not match this host.")
raise exception.ValidationError(detail=detail)
self.msg(_('connect info: %s'), str(connect_info))
sanitized_info = copy.copy(connect_info)
sanitized_info.token = '***'
self.msg(_('connect info: %s'), sanitized_info)
host = connect_info.host
port = connect_info.port

View File

@ -219,6 +219,9 @@ class NovaProxyRequestHandlerBaseTestCase(test.NoDBTestCase):
validate.assert_called_with(mock.ANY, "123-456-789")
self.wh.socket.assert_called_with('node1', 10000, connect=True)
self.wh.do_proxy.assert_called_with('<socket>')
# ensure that token is masked when logged
connection_info = self.wh.msg.mock_calls[0][1][1]
self.assertEqual('***', connection_info.token)
@mock.patch('nova.console.websocketproxy.NovaProxyRequestHandlerBase.'
'_check_console_port')