Don't expose X-Auth-Token in heat CLI

Heat CLI exposes X-Auth-Token in debug mode. This patch replaces X-Auth-Token's value with '{SHA1}<sha1oftoken>'. Some credentials are exposed by keystoneclient as heatclient uses keystoneclient to authenticate, it will be fixed in bug:100414. Change-Id: Ic768af5a947535807ba449fb0aeb1eb98dac56e6 Partial-Bug: #1327019
2014-07-24 17:49:32 +08:00 · 2014-07-24 17:49:32 +08:00 · 99fabf0dce
parent a98c1f3617
commit 99fabf0dce
1 changed files with 13 additions and 2 deletions
--- a/heatclient/common/http.py
+++ b/heatclient/common/http.py
@ -14,6 +14,7 @@
 #    under the License.

 import copy
+import hashlib
 import logging
 import os
 import socket
@ -29,6 +30,7 @@ from heatclient.openstack.common import strutils
 LOG = logging.getLogger(__name__)
 USER_AGENT = 'python-heatclient'
 CHUNKSIZE = 1024 * 64  # 64kB
+SENSITIVE_HEADERS = ('X-Auth-Token',)


 def get_system_ca_file():
@ -79,12 +81,21 @@ class HTTPClient(object):
            else:
                self.verify_cert = kwargs.get('ca_file', get_system_ca_file())

+    def safe_header(self, name, value):
+        if name in SENSITIVE_HEADERS:
+            # because in python3 byte string handling is ... ug
+            v = value.encode('utf-8')
+            h = hashlib.sha1(v)
+            d = h.hexdigest()
+            return strutils.safe_decode(name), "{SHA1}%s" % d
+        else:
+            return strutils.safe_decode(name), strutils.safe_decode(value)
+
    def log_curl_request(self, method, url, kwargs):
        curl = ['curl -i -X %s' % method]

        for (key, value) in kwargs['headers'].items():
-            header = '-H \'%s: %s\'' % (strutils.safe_decode(key),
-                                        strutils.safe_decode(value))
+            header = '-H \'%s: %s\'' % self.safe_header(key, value)
            curl.append(header)

        conn_params_fmt = [