Mask node.session.auth.password in volume.py _run_iscsiadm debug logs

The iscsi_command object passed to _run_iscsiadm can contain passwords that get logged at debug level, so we need to sanitize the message getting logged. Adds a test to ensure the logged message is properly sanitized. Closes-Bug: #1320028 Change-Id: I33f1a5b698368504721b41e56266162a713b3ce6
2014-05-16 03:59:36 +00:00 · 2014-05-16 03:59:36 +00:00 · 5445833413
parent 132f5ec861
commit 5445833413
2 changed files with 25 additions and 2 deletions
--- a/nova/tests/virt/libvirt/test_volume.py
+++ b/nova/tests/virt/libvirt/test_volume.py
@ -343,6 +343,26 @@ class LibvirtVolumeTestCase(test.NoDBTestCase):
                                            ['-f', 'fake-multipath-devname'],
                                            check_exit_code=[0, 1])

+    def test_sanitize_log_run_iscsiadm(self):
+        # Tests that the parameters to the _run_iscsiadm function are sanitized
+        # for passwords when logged.
+        def fake_debug(*args, **kwargs):
+            self.assertIn('node.session.auth.password', args[0])
+            self.assertNotIn('scrubme', args[0])
+
+        libvirt_driver = volume.LibvirtISCSIVolumeDriver(self.fake_conn)
+        connection_info = self.iscsi_connection(self.vol, self.location,
+                                                self.iqn)
+        iscsi_properties = connection_info['data']
+        with mock.patch.object(volume.LOG, 'debug',
+                               side_effect=fake_debug) as debug_mock:
+            libvirt_driver._iscsiadm_update(iscsi_properties,
+                                            'node.session.auth.password',
+                                            'scrubme')
+            # we don't care what the log message is, we just want to make sure
+            # our stub method is called which asserts the password is scrubbed
+            self.assertTrue(debug_mock.called)
+
    def iser_connection(self, volume, location, iqn):
        return {
                'driver_volume_type': 'iser',
--- a/nova/virt/libvirt/volume.py
+++ b/nova/virt/libvirt/volume.py
@ -231,8 +231,11 @@ class LibvirtISCSIVolumeDriver(LibvirtBaseVolumeDriver):
                                   '-p', iscsi_properties['target_portal'],
                                   *iscsi_command, run_as_root=True,
                                   check_exit_code=check_exit_code)
-        LOG.debug("iscsiadm %(command)s: stdout=%(out)s stderr=%(err)s",
-                  {'command': iscsi_command, 'out': out, 'err': err})
+        msg = ('iscsiadm %(command)s: stdout=%(out)s stderr=%(err)s' %
+               {'command': iscsi_command, 'out': out, 'err': err})
+        # NOTE(bpokorny): iscsi_command can contain passwords so we need to
+        # sanitize the password in the message.
+        LOG.debug(logging.mask_password(msg))
        return (out, err)

    def _iscsiadm_update(self, iscsi_properties, property_key, property_value,