Merge "Mask passwords that are included in commands"

2014-05-20 19:36:00 +00:00 · 2014-05-20 19:36:00 +00:00 · 189cdb63b4
parent 17162dc6db cdcc19c1d7
commit 189cdb63b4
3 changed files with 27 additions and 2 deletions
--- a/openstack/common/log.py
+++ b/openstack/common/log.py
@ -59,7 +59,10 @@ _SANITIZE_PATTERNS = []
 _FORMAT_PATTERNS = [r'(%(key)s\s*[=]\s*[\"\']).*?([\"\'])',
                    r'(<%(key)s>).*?(</%(key)s>)',
                    r'([\"\']%(key)s[\"\']\s*:\s*[\"\']).*?([\"\'])',
-                    r'([\'"].*?%(key)s[\'"]\s*:\s*u?[\'"]).*?([\'"])']
+                    r'([\'"].*?%(key)s[\'"]\s*:\s*u?[\'"]).*?([\'"])',
+                    r'([\'"].*?%(key)s[\'"]\s*,\s*\'--?[A-z]+\'\s*,\s*u?[\'"])'
+                    '.*?([\'"])',
+                    r'(%(key)s\s*--?[A-z]+\s*).*?([\s])']

 for key in _SANITIZE_KEYS:
    for pattern in _FORMAT_PATTERNS:
--- a/openstack/common/processutils.py
+++ b/openstack/common/processutils.py
@ -156,7 +156,7 @@ def execute(*cmd, **kwargs):
        attempts -= 1
        try:
            LOG.log(loglevel, 'Running cmd (subprocess): %s',
-                    ' '.join(cmd))
+                    ' '.join(logging.mask_password(cmd)))
            _PIPE = subprocess.PIPE  # pylint: disable=E1101

            if os.name == 'nt':
--- a/tests/unit/test_log.py
+++ b/tests/unit/test_log.py
@ -894,3 +894,25 @@ class MaskPasswordTestCase(test_base.BaseTestCase):
        payload = six.text_type(payload)
        expected = """{'adminPass':'***'}"""
        self.assertEqual(expected, log.mask_password(payload))
+
+        payload = ("test = 'node.session.auth.password','-v','mypassword',"
+                   "'nomask'")
+        expected = ("test = 'node.session.auth.password','-v','***',"
+                    "'nomask'")
+        self.assertEqual(expected, log.mask_password(payload))
+
+        payload = ("test = 'node.session.auth.password', '--password', "
+                   "'mypassword', 'nomask'")
+        expected = ("test = 'node.session.auth.password', '--password', "
+                    "'***', 'nomask'")
+        self.assertEqual(expected, log.mask_password(payload))
+
+        payload = "test = node.session.auth.password -v mypassword nomask"
+        expected = "test = node.session.auth.password -v *** nomask"
+        self.assertEqual(expected, log.mask_password(payload))
+
+        payload = ("test = node.session.auth.password --password mypassword "
+                   "nomask")
+        expected = ("test = node.session.auth.password --password *** "
+                    "nomask")
+        self.assertEqual(expected, log.mask_password(payload))