From 26d4047e17eba9bc271f8868f1d0ffeec97b555e Mon Sep 17 00:00:00 2001
From: Balazs Gibizer
Date: Fri, 23 Aug 2019 15:51:34 +0200
Subject: [PATCH] Mask the token used to allow access to consoles

Hide the novncproxy token from the logs. When backported this patch needs to be extended to handle the same issue in the consoleauth service.
Co-Authored-By:paul-carlton2
Co-Authored-By:Tristan Cacqueray
Change-Id: I5b8fa4233d297722c3af08176901d12887bae3de
Closes-Bug: #1492140
---
 nova/console/websocketproxy.py | 6 +++++-
 nova/tests/unit/console/test_websocketproxy.py | 3 +++
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/nova/console/websocketproxy.py b/nova/console/websocketproxy.py
index 4d79f40c7faf..e13b3c0fe153 100644
--- a/nova/console/websocketproxy.py
+++ b/nova/console/websocketproxy.py
@@ -18,6 +18,7 @@ Websocket proxy that is compatible with OpenStack Nova.
 Leverages websockify.py by Joel Martin
 '''
+import copy
 import socket
 import sys
@@ -220,7 +221,10 @@ class NovaProxyRequestHandlerBase(object):
 detail = _("Origin header protocol does not match this host.")
 raise exception.ValidationError(detail=detail)
- self.msg(_('connect info: %s'), str(connect_info))
+ sanitized_info = copy.copy(connect_info)
+ sanitized_info.token = '***'
+ self.msg(_('connect info: %s'), sanitized_info)
+
 host = connect_info.host
 port = connect_info.port
diff --git a/nova/tests/unit/console/test_websocketproxy.py b/nova/tests/unit/console/test_websocketproxy.py
index ce0c924cf411..98e162d59cb6 100644
--- a/nova/tests/unit/console/test_websocketproxy.py
+++ b/nova/tests/unit/console/test_websocketproxy.py
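Review bot: In the second hunk of nova/console/websocketproxy.py, `sanitized_info.token = '***'` masks only the attribute named `token`, so any other field of `connect_info` that carries or embeds the same secret would still reach the log through `self.msg`. The object's fields are not visible in this hunk, so that is worth confirming against its definition. `copy.copy` is shallow, which is safe only if assigning `token` on the copy cannot write through to state shared with `connect_info`, the object still used afterwards for `connect_info.host` and `connect_info.port`. A comment above the copy, such as `# Never log the console auth token: log a masked copy, not connect_info itself`, would keep a later edit from reverting to the direct log call. The enclosing method starts and ends outside the hunk.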
@@ -219,6 +219,9 @@ class NovaProxyRequestHandlerBaseTestCase(test.NoDBTestCase):
 validate.assert_called_with(mock.ANY, "123-456-789")
 self.wh.socket.assert_called_with('node1', 10000, connect=True)
 self.wh.do_proxy.assert_called_with('')
+ # ensure that token is masked when logged
+ connection_info = self.wh.msg.mock_calls[0][1][1]
+ self.assertEqual('***', connection_info.token)
 @mock.patch('nova.console.websocketproxy.NovaProxyRequestHandlerBase.'
 '_check_console_port')
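Review bot: The new assertion reads `self.wh.msg.mock_calls[0][1][1]`, which ties the test to the masked message being the first `msg` call and to its argument position. If another `msg` call is later added ahead of it, the test would inspect the wrong call or fail for an unrelated reason. It also checks only that the logged object's `token` is `'***'`, not that the real token value is absent from everything passed to `msg`. A second check over all recorded calls would pin the intent more directly, for example `self.assertNotIn('123-456-789', str(self.wh.msg.mock_calls))`, provided the string form of the logged object would show the token in this test setup. The test method starts outside the hunk.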