Filter out auth_token_info from logging values

auth_token_info is a common field that subclasses of RequestContext
add. It contains things like the token itself and the entire catalog,
both of which are undesirable to log. The token is a security concern
and the catalog is huge, which bloats the logs an unacceptable amount.

This change removes the auth_token_info key from the logging dict
that we return to the log formatter, which eliminates both problems.

Change-Id: If5ebaa3c1859d32cd05f51defe173fc625b21af5
Closes-Bug: 1866705
Ben Nemec 2020-03-10 17:55:16 +00:00
parent 730bf256d8
commit 1dd72d1d20
2 changed files with 17 additions and 6 deletions


@ -371,6 +371,12 @@ class RequestContext(object):
values['auth_token'] = '***'
else:
values['auth_token'] = None
# NOTE(bnemec: auth_token_info isn't defined in oslo.context, but it's
# a common pattern in project context subclasses so we handle it here.
# It largely contains things that we don't want logged, like the token
# itself (which needs to be removed for security) and the catalog
# (which needs to be removed because it bloats the logs terribly).
values.pop('auth_token_info', None)
return values
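Review bot: The new NOTE comment is missing its closing parenthesis, which breaks the `NOTE(owner):` convention used elsewhere in the file: the first line should read `# NOTE(bnemec): auth_token_info isn't defined in oslo.context, but it's`. The `pop` itself only covers the one conventional key name, so a subclass that stores the token payload under a different attribute is still logged in full; it would be worth stating that in the method's docstring, e.g. "Subclasses that add other keys holding credentials or large payloads must override this method and strip them." The enclosing `get_logging_values` starts outside the hunk.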


@ -60,15 +60,15 @@ class TestContext(context.RequestContext):
This is representative of how at least some of our consumers use the
RequestContext class in their projects.
"""
FROM_DICT_EXTRA_KEYS = ['foo']
FROM_DICT_EXTRA_KEYS = ['auth_token_info']
def __init__(self, foo=None, **kwargs):
def __init__(self, auth_token_info=None, **kwargs):
super(TestContext, self).__init__(**kwargs)
self.foo = foo
self.auth_token_info = auth_token_info
def to_dict(self):
d = super(TestContext, self).to_dict()
d['foo'] = self.foo
d['auth_token_info'] = self.auth_token_info
return d
@ -201,10 +201,10 @@ class ContextTest(test_base.BaseTestCase):
self.assertTrue(ctx.read_only)
def test_from_dict_extended(self):
initial = TestContext(foo='bar')
initial = TestContext(auth_token_info='foo')
dct = initial.to_dict()
final = TestContext.from_dict(dct)
self.assertEqual('bar', final.foo)
self.assertEqual('foo', final.auth_token_info)
self.assertEqual(dct, final.to_dict())
def test_is_user_context(self):
@ -516,6 +516,11 @@ class ContextTest(test_base.BaseTestCase):
self.assertEqual(user_domain_name, d['user_domain_name'])
self.assertEqual(project_domain_name, d['project_domain_name'])
def test_auth_token_info_removed(self):
ctx = TestContext(auth_token_info={'auth_token': 'topsecret'})
d = ctx.get_logging_values()
self.assertNotIn('auth_token_info', d)
def test_dict_empty_user_identity(self):
ctx = context.RequestContext()
d = ctx.to_dict()
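Review bot: `test_auth_token_info_removed` only asserts that the key is gone, not that the secret it carried is absent from the logging values, so a later change that copies parts of `auth_token_info` under another key would still pass. Since the test already constructs the payload with a recognizable value, add a second assertion on the whole result: `self.assertNotIn('topsecret', repr(d))`. The earlier hunk in this file renames the `foo` extra key to `auth_token_info`, which means the generic extra-key round-trip in `test_from_dict_extended` is now exercised only through a key that `get_logging_values` strips; a one-line comment there noting that `to_dict`/`from_dict` are deliberately unaffected by the logging filter would make that intent explicit.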