Make mask_dict_password case insensitive and add new patterns

In Icc19b7c8bdb6a3182939d5e9fdef21288b19f43d mask_password was made case insensitive but mask_dict_password wasn't. This update makes the behaviour of these functions the same. Instead of lowering _SANITIZE_KEYS each time the source list is lowered. New password patterns from realworld logs were added to the patterns. Change-Id: Ic3ee301857630a15b9c26fd5d0fc907c43199517 Related-Bug: #1850843
2019-11-15 11:11:07 +00:00 · 2019-11-15 11:11:07 +00:00 · ed70bd3cd1
parent 704fdfdf79
commit ed70bd3cd1
3 changed files with 31 additions and 5 deletions
--- a/oslo_utils/strutils.py
+++ b/oslo_utils/strutils.py
@ -54,12 +54,19 @@ SLUGIFY_STRIP_RE = re.compile(r"[^\w\s-]")
 SLUGIFY_HYPHENATE_RE = re.compile(r"[-\s]+")


-# NOTE(flaper87): The following globals are used by `mask_password`
-_SANITIZE_KEYS = ['adminPass', 'admin_pass', 'password', 'admin_password',
+# NOTE(flaper87): The following globals are used by `mask_password` and
+#                 `mask_dict_password`
+_SANITIZE_KEYS = ['adminpass', 'admin_pass', 'password', 'admin_password',
                  'auth_token', 'new_pass', 'auth_password', 'secret_uuid',
                  'secret', 'sys_pswd', 'token', 'configdrive',
-                  'CHAPPASSWORD', 'encrypted_key', 'private_key',
-                  'encryption_key_id', 'fernetkey', 'sslkey', 'passphrase']
+                  'chappassword', 'encrypted_key', 'private_key',
+                  'encryption_key_id', 'fernetkey', 'sslkey', 'passphrase',
+                  'cephclusterfsid', 'octaviaheartbeatkey', 'rabbitcookie',
+                  'cephmanilaclientkey', 'pacemakerremoteauthkey',
+                  'designaterndckey', 'cephadminkey', 'heatauthencryptionkey',
+                  'cephclientkey', 'keystonecredential',
+                  'barbicansimplecryptokek', 'cephrgwkey', 'swifthashsuffix',
+                  'migrationsshkey', 'cephmdskey', 'cephmonkey']

 # NOTE(ldbragst): Let's build a list of regex objects using the list of
 # _SANITIZE_KEYS we already have. This way, we only have to add the new key
@ -406,7 +413,7 @@ def mask_dict_password(dictionary, secret="***"):  # nosec
        k_matched = False
        if isinstance(k, six.string_types):
            for sani_key in _SANITIZE_KEYS:
-                if sani_key in k:
+                if sani_key.lower() in k.lower():
                    out[k] = secret
                    k_matched = True
                    break
--- a/oslo_utils/tests/test_strutils.py
+++ b/oslo_utils/tests/test_strutils.py
@ -717,6 +717,16 @@ class MaskDictionaryPasswordTestCase(test_base.BaseTestCase):
        self.assertEqual(expected,
                         strutils.mask_dict_password(payload))

+        payload = {'passwords': {'KeystoneFernetKey1': 'c5FijjS'}}
+        expected = {'passwords': {'KeystoneFernetKey1': '***'}}
+        self.assertEqual(expected,
+                         strutils.mask_dict_password(payload))
+
+        payload = {'passwords': {'keystonecredential0': 'c5FijjS'}}
+        expected = {'passwords': {'keystonecredential0': '***'}}
+        self.assertEqual(expected,
+                         strutils.mask_dict_password(payload))
+
    def test_do_no_harm(self):
        payload = {}
        expected = {}
--- a/releasenotes/notes/mask-dict-passwords-99357ffb7972fb0b.yaml
+++ b/releasenotes/notes/mask-dict-passwords-99357ffb7972fb0b.yaml
@ -0,0 +1,9 @@
+---
+security:
+  - |
+    This patch ensures that we mask sensitive data when masking dicts, even if
+    the case doesn't match. This means the behaviour of mask_password and
+    mask_dict_password is now the same.
+  - |
+    Additional password names were included from real world logs that contained
+    sensitive information.