Mask passwords that are included in commands
The current password masking doesn't scrub passwords from commands that may be written to log files. This commit adds support for scrubbing passwords provided as options with commands. Adds tests to ensure commands are properly sanitized. Change-Id: I37b9a80142ec5dcadb731332d8c5f494bdc7bfc1 Closes-Bug: #1320028
parent
8ce44b1d8b
commit
cdcc19c1d7
|
@ -59,7 +59,10 @@ _SANITIZE_PATTERNS = []
|
|||
_FORMAT_PATTERNS = [r'(%(key)s\s*[=]\s*[\"\']).*?([\"\'])',
|
||||
r'(<%(key)s>).*?(</%(key)s>)',
|
||||
r'([\"\']%(key)s[\"\']\s*:\s*[\"\']).*?([\"\'])',
|
||||
r'([\'"].*?%(key)s[\'"]\s*:\s*u?[\'"]).*?([\'"])']
|
||||
r'([\'"].*?%(key)s[\'"]\s*:\s*u?[\'"]).*?([\'"])',
|
||||
r'([\'"].*?%(key)s[\'"]\s*,\s*\'--?[A-z]+\'\s*,\s*u?[\'"])'
|
||||
'.*?([\'"])',
|
||||
r'(%(key)s\s*--?[A-z]+\s*).*?([\s])']
|
||||
|
||||
for key in _SANITIZE_KEYS:
|
||||
for pattern in _FORMAT_PATTERNS:
|
||||
|
|
|
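Review bot: The last added pattern, `r'(%(key)s\s*--?[A-z]+\s*).*?([\s])'`, only matches when whitespace follows the value, so a password that is the final token of a logged command stays unmasked. Ending it with `(\s|$)` instead of `([\s])` would cover that case, assuming the substitution code (not shown in this hunk) tolerates an empty second group. In both new option patterns `[A-z]` also spans the punctuation between `Z` and `a` and excludes digits and hyphens, so an option name such as `--auth-pass` would stop matching at the hyphen; `[A-Za-z]` or an explicit option-name class would state the intent. The added tests all place another token after the password, so a case with the password as the last token would pin this behaviour.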
@ -156,7 +156,7 @@ def execute(*cmd, **kwargs):
|
|||
attempts -= 1
|
||||
try:
|
||||
LOG.log(loglevel, 'Running cmd (subprocess): %s',
|
||||
' '.join(cmd))
|
||||
' '.join(logging.mask_password(cmd)))
|
||||
_PIPE = subprocess.PIPE # pylint: disable=E1101
|
||||
|
||||
if os.name == 'nt':
|
||||
|
|
|
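Review bot: `' '.join(logging.mask_password(cmd))` on the new log line hands the `cmd` tuple to `mask_password` and then joins whatever comes back. The tests on this page call `mask_password` with text and compare the result against text, so it appears to return a single string, and joining a string with `' '` would put a space between every character of the logged command. Joining first and masking the result, `logging.mask_password(' '.join(cmd))`, keeps the log line readable and feeds the patterns the unquoted command shape that the last two test cases exercise. `execute` starts and ends outside this hunk.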
@ -894,3 +894,25 @@ class MaskPasswordTestCase(test_base.BaseTestCase):
|
|||
payload = six.text_type(payload)
|
||||
expected = """{'adminPass':'***'}"""
|
||||
self.assertEqual(expected, log.mask_password(payload))
|
||||
|
||||
payload = ("test = 'node.session.auth.password','-v','mypassword',"
|
||||
"'nomask'")
|
||||
expected = ("test = 'node.session.auth.password','-v','***',"
|
||||
"'nomask'")
|
||||
self.assertEqual(expected, log.mask_password(payload))
|
||||
|
||||
payload = ("test = 'node.session.auth.password', '--password', "
|
||||
"'mypassword', 'nomask'")
|
||||
expected = ("test = 'node.session.auth.password', '--password', "
|
||||
"'***', 'nomask'")
|
||||
self.assertEqual(expected, log.mask_password(payload))
|
||||
|
||||
payload = "test = node.session.auth.password -v mypassword nomask"
|
||||
expected = "test = node.session.auth.password -v *** nomask"
|
||||
self.assertEqual(expected, log.mask_password(payload))
|
||||
|
||||
payload = ("test = node.session.auth.password --password mypassword "
|
||||
"nomask")
|
||||
expected = ("test = node.session.auth.password --password *** "
|
||||
"nomask")
|
||||
self.assertEqual(expected, log.mask_password(payload))
|
||||
|
|