Mask passwords when logging the HTTP response

We should sanitize the response body before logging to make sure we aren't leaking through credentials like in the case of the response from the os-initialize_connection volume API. Closes-Bug: #1490693 NOTE(mriedem): The test is slightly different in kilo because the _http_log_response method requires kwargs. Change-Id: Ifd95d3fb624b4636fb72cc11762af62e00a026a0 (cherry picked from commit 3e26ff8248)
2015-08-31 12:32:25 -07:00 · 2015-08-31 12:32:25 -07:00 · ec70eb02f8
parent 5b5daaadab
commit ec70eb02f8
2 changed files with 32 additions and 1 deletions
--- a/keystoneclient/session.py
+++ b/keystoneclient/session.py
@ -21,6 +21,7 @@ import time
 from oslo_config import cfg
 from oslo_serialization import jsonutils
 from oslo_utils import importutils
+from oslo_utils import strutils
 import requests
 import six
 from six.moves import urllib
@ -219,7 +220,8 @@ class Session(object):
            for header in six.iteritems(headers):
                string_parts.append('%s: %s' % Session.process_header(header))
        if text:
-            string_parts.append('\nRESP BODY: %s\n' % text)
+            string_parts.append('\nRESP BODY: %s\n' %
+                                strutils.mask_password(text))

        logger.debug(' '.join(string_parts))

--- a/keystoneclient/tests/unit/test_session.py
+++ b/keystoneclient/tests/unit/test_session.py
@ -237,6 +237,35 @@ class SessionTests(utils.TestCase):
                                session.get,
                                self.TEST_URL)

+    def test_mask_password_in_http_log_response(self):
+        session = client_session.Session()
+
+        def fake_debug(msg):
+            self.assertNotIn('verybadpass', msg)
+
+        logger = mock.Mock(isEnabledFor=mock.Mock(return_value=True))
+        logger.debug = mock.Mock(side_effect=fake_debug)
+        body = {
+            "connection_info": {
+                "driver_volume_type": "iscsi",
+                "data": {
+                    "auth_password": "verybadpass",
+                    "target_discovered": False,
+                    "encrypted": False,
+                    "qos_specs": None,
+                    "target_iqn": ("iqn.2010-10.org.openstack:volume-"
+                                   "744d2085-8e78-40a5-8659-ef3cffb2480e"),
+                    "target_portal": "172.99.69.228:3260",
+                    "volume_id": "744d2085-8e78-40a5-8659-ef3cffb2480e",
+                    "target_lun": 1,
+                    "access_mode": "rw",
+                    "auth_username": "verybadusername",
+                    "auth_method": "CHAP"}}}
+        body_json = jsonutils.dumps(body)
+        response = mock.Mock(text=body_json, status_code=200, headers={})
+        session._http_log_response(response=response, logger=logger)
+        self.assertEqual(1, logger.debug.call_count)
+

 class RedirectTests(utils.TestCase):