Mask node.session.auth.password in volume.py _run_iscsiadm debug logs
The iscsi_command object passed to _run_iscsiadm can contain passwords that get logged at debug level, so we need to sanitize the message getting logged. Adds a test to ensure the logged message is properly sanitized. Closes-Bug: #1320028 Change-Id: I33f1a5b698368504721b41e56266162a713b3ce6
parent
132f5ec861
commit
5445833413
|
@ -343,6 +343,26 @@ class LibvirtVolumeTestCase(test.NoDBTestCase):
|
|||
['-f', 'fake-multipath-devname'],
|
||||
check_exit_code=[0, 1])
|
||||
|
||||
def test_sanitize_log_run_iscsiadm(self):
|
||||
# Tests that the parameters to the _run_iscsiadm function are sanitized
|
||||
# for passwords when logged.
|
||||
def fake_debug(*args, **kwargs):
|
||||
self.assertIn('node.session.auth.password', args[0])
|
||||
self.assertNotIn('scrubme', args[0])
|
||||
|
||||
libvirt_driver = volume.LibvirtISCSIVolumeDriver(self.fake_conn)
|
||||
connection_info = self.iscsi_connection(self.vol, self.location,
|
||||
self.iqn)
|
||||
iscsi_properties = connection_info['data']
|
||||
with mock.patch.object(volume.LOG, 'debug',
|
||||
side_effect=fake_debug) as debug_mock:
|
||||
libvirt_driver._iscsiadm_update(iscsi_properties,
|
||||
'node.session.auth.password',
|
||||
'scrubme')
|
||||
# we don't care what the log message is, we just want to make sure
|
||||
# our stub method is called which asserts the password is scrubbed
|
||||
self.assertTrue(debug_mock.called)
|
||||
|
||||
def iser_connection(self, volume, location, iqn):
|
||||
return {
|
||||
'driver_volume_type': 'iser',
|
||||
|
|
|
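Review bot: The leak check in `fake_debug` inspects only `args[0]`, so a password carried in a later positional argument or a keyword argument of `LOG.debug` (for example, if the call is later changed back to lazy `%`-style arguments) would not be seen by `assertNotIn('scrubme', args[0])`. Checking the whole call is stricter: `self.assertNotIn('scrubme', str(args) + str(kwargs))`. The assertions also run inside the mock's `side_effect`, so every debug call on this path must contain `node.session.auth.password`, and a failure surfaces as an exception raised from inside `_iscsiadm_update`. Reading `debug_mock.call_args_list` after the `with` block and asserting there would keep the checks in the test body. `test_sanitize_log_run_iscsiadm` is fully inside the hunk; `iser_connection` continues below it.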
@ -231,8 +231,11 @@ class LibvirtISCSIVolumeDriver(LibvirtBaseVolumeDriver):
|
|||
'-p', iscsi_properties['target_portal'],
|
||||
*iscsi_command, run_as_root=True,
|
||||
check_exit_code=check_exit_code)
|
||||
LOG.debug("iscsiadm %(command)s: stdout=%(out)s stderr=%(err)s",
|
||||
{'command': iscsi_command, 'out': out, 'err': err})
|
||||
msg = ('iscsiadm %(command)s: stdout=%(out)s stderr=%(err)s' %
|
||||
{'command': iscsi_command, 'out': out, 'err': err})
|
||||
# NOTE(bpokorny): iscsi_command can contain passwords so we need to
|
||||
# sanitize the password in the message.
|
||||
LOG.debug(logging.mask_password(msg))
|
||||
return (out, err)
|
||||
|
||||
def _iscsiadm_update(self, iscsi_properties, property_key, property_value,
|
||||
|
|
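Review bot: The masking at `LOG.debug(logging.mask_password(msg))` covers only this one log call, while the same `iscsi_command` is passed a few lines above to the execute helper with `run_as_root=True`. If that helper logs the command line it runs (not visible in this hunk), the CHAP password would still reach the debug log by that path, so it is worth checking. The redaction is also pattern-based on the string form of a tuple, so I would extend the NOTE with `# Relies on mask_password matching the repr of the iscsi_command tuple; covered by test_sanitize_log_run_iscsiadm.` A smaller point is that `msg` is now built with `%` even when debug logging is disabled, which the previous lazy `LOG.debug(fmt, args)` form avoided. The body of `_run_iscsiadm` starts above the hunk.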