Mask passwords included without quotes at the ends of commands

The current password masking doesn't scrub passwords from commands in the case where the password doesn't have quotes around it and the password is the last string in the command. This commit updates one of the regular expressions to catch this case. Adds tests to ensure passwords at the ends of commands are properly sanitized. Change-Id: Id57a0cb05cd76ef8c26def738305ade6b085aaa7 Closes-Bug: #1320028
2014-06-02 18:06:37 +00:00 · 2014-06-02 18:06:37 +00:00 · 5e3d3a544f
commit 5e3d3a544f
parent b308be77f8
2 changed files with 11 additions and 1 deletions
--- a/openstack/common/log.py
+++ b/openstack/common/log.py
@ -62,7 +62,7 @@ _FORMAT_PATTERNS = [r'(%(key)s\s*[=]\s*[\"\']).*?([\"\'])',
                    r'([\'"].*?%(key)s[\'"]\s*:\s*u?[\'"]).*?([\'"])',
                    r'([\'"].*?%(key)s[\'"]\s*,\s*\'--?[A-z]+\'\s*,\s*u?[\'"])'
                    '.*?([\'"])',
-                    r'(%(key)s\s*--?[A-z]+\s*).*?([\s])']
+                    r'(%(key)s\s*--?[A-z]+\s*)\S+(\s*)']

 for key in _SANITIZE_KEYS:
    for pattern in _FORMAT_PATTERNS:
--- a/tests/unit/test_log.py
+++ b/tests/unit/test_log.py
@ -907,6 +907,12 @@ class MaskPasswordTestCase(test_base.BaseTestCase):
                    "'***', 'nomask'")
        self.assertEqual(expected, log.mask_password(payload))

+        payload = ("test = 'node.session.auth.password', '--password', "
+                   "'mypassword'")
+        expected = ("test = 'node.session.auth.password', '--password', "
+                    "'***'")
+        self.assertEqual(expected, log.mask_password(payload))
+
        payload = "test = node.session.auth.password -v mypassword nomask"
        expected = "test = node.session.auth.password -v *** nomask"
        self.assertEqual(expected, log.mask_password(payload))
@ -916,3 +922,7 @@ class MaskPasswordTestCase(test_base.BaseTestCase):
        expected = ("test = node.session.auth.password --password *** "
                    "nomask")
        self.assertEqual(expected, log.mask_password(payload))
+
+        payload = ("test = node.session.auth.password --password mypassword")
+        expected = ("test = node.session.auth.password --password ***")
+        self.assertEqual(expected, log.mask_password(payload))