Mask passwords when logging the HTTP response
We should sanitize the response body before logging to make sure we
aren't leaking credentials, as happens with the response from the
os-initialize_connection volume API.
Closes-Bug: #1490693
NOTE(mriedem): The test is slightly different in kilo because the
_http_log_response method requires kwargs.
Change-Id: Ifd95d3fb624b4636fb72cc11762af62e00a026a0
(cherry picked from commit 3e26ff8248
)
This commit is contained in:
parent
5b5daaadab
commit
ec70eb02f8
@ -21,6 +21,7 @@ import time
from oslo_config import cfg
from oslo_serialization import jsonutils
from oslo_utils import importutils
from oslo_utils import strutils
import requests
import six
from six.moves import urllib
@ -219,7 +220,8 @@ class Session(object):
for header in six.iteritems(headers):
string_parts.append('%s: %s' % Session.process_header(header))
if text:
string_parts.append('\nRESP BODY: %s\n' % text)
string_parts.append('\nRESP BODY: %s\n' %
strutils.mask_password(text))
logger.debug(' '.join(string_parts))
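Review bot: The masking on the new RESP BODY line is only as strong as the key names strutils.mask_password recognises; it is a pattern-based blocklist, so a secret returned under a key it does not know is still written to the DEBUG log verbatim. A comment would stop the next reader from assuming the body is fully sanitized, e.g. `# mask_password only scrubs known password-style keys; other secrets in the body still reach the debug log`. It is also worth confirming that the request-side body logged by _http_log_request (outside this hunk) gets the same treatment, otherwise credentials sent to the server still leak on that path. The enclosing _http_log_response method starts before this hunk.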
@ -237,6 +237,35 @@ class SessionTests(utils.TestCase):
session.get,
self.TEST_URL)
def test_mask_password_in_http_log_response(self):
session = client_session.Session()
def fake_debug(msg):
self.assertNotIn('verybadpass', msg)
logger = mock.Mock(isEnabledFor=mock.Mock(return_value=True))
logger.debug = mock.Mock(side_effect=fake_debug)
body = {
"connection_info": {
"driver_volume_type": "iscsi",
"data": {
"auth_password": "verybadpass",
"target_discovered": False,
"encrypted": False,
"qos_specs": None,
"target_iqn": ("iqn.2010-10.org.openstack:volume-"
"744d2085-8e78-40a5-8659-ef3cffb2480e"),
"target_portal": "172.99.69.228:3260",
"volume_id": "744d2085-8e78-40a5-8659-ef3cffb2480e",
"target_lun": 1,
"access_mode": "rw",
"auth_username": "verybadusername",
"auth_method": "CHAP"}}}
body_json = jsonutils.dumps(body)
response = mock.Mock(text=body_json, status_code=200, headers={})
session._http_log_response(response=response, logger=logger)
self.assertEqual(1, logger.debug.call_count)
class RedirectTests(utils.TestCase):
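Review bot: The new test_mask_password_in_http_log_response only proves the password string is absent from the logged message; it would pass just as well if mask_password returned an empty string or dropped the body altogether, so fake_debug should also assert that the rest of the body survived, e.g. `self.assertIn('target_iqn', msg)` and `self.assertIn('auth_password', msg)`, plus the mask marker if its exact value is known. The trailing `self.assertEqual(1, logger.debug.call_count)` guards against the debug call being skipped but not against it being made with a blanked body. The test also relies on `jsonutils` and `mock` being imported in this test module; the visible jsonutils import belongs to the other hunk, so verify they are in scope here.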