Mask passwords that are included in commands

The current password masking doesn't scrub passwords from commands that may be written to log files. This commit adds support for scrubbing passwords provided as options with commands. Adds tests to ensure commands are properly sanitized. Change-Id: I37b9a80142ec5dcadb731332d8c5f494bdc7bfc1 Closes-Bug: #1320028
2014-05-18 18:26:33 +00:00 · 2014-05-18 18:26:33 +00:00 · cdcc19c1d7
parent 8ce44b1d8b
commit cdcc19c1d7
3 changed files with 27 additions and 2 deletions
--- a/openstack/common/log.py
+++ b/openstack/common/log.py
@ -59,7 +59,10 @@ _SANITIZE_PATTERNS = []
 _FORMAT_PATTERNS = [r'(%(key)s\s*[=]\s*[\"\']).*?([\"\'])',
                    r'(<%(key)s>).*?(</%(key)s>)',
                    r'([\"\']%(key)s[\"\']\s*:\s*[\"\']).*?([\"\'])',
-                    r'([\'"].*?%(key)s[\'"]\s*:\s*u?[\'"]).*?([\'"])']
+                    r'([\'"].*?%(key)s[\'"]\s*:\s*u?[\'"]).*?([\'"])',
+                    r'([\'"].*?%(key)s[\'"]\s*,\s*\'--?[A-z]+\'\s*,\s*u?[\'"])'
+                    '.*?([\'"])',
+                    r'(%(key)s\s*--?[A-z]+\s*).*?([\s])']

 for key in _SANITIZE_KEYS:
    for pattern in _FORMAT_PATTERNS:
--- a/openstack/common/processutils.py
+++ b/openstack/common/processutils.py
@ -156,7 +156,7 @@ def execute(*cmd, **kwargs):
        attempts -= 1
        try:
            LOG.log(loglevel, 'Running cmd (subprocess): %s',
-                    ' '.join(cmd))
+                    ' '.join(logging.mask_password(cmd)))
            _PIPE = subprocess.PIPE  # pylint: disable=E1101

            if os.name == 'nt':
--- a/tests/unit/test_log.py
+++ b/tests/unit/test_log.py
@ -894,3 +894,25 @@ class MaskPasswordTestCase(test_base.BaseTestCase):
        payload = six.text_type(payload)
        expected = """{'adminPass':'***'}"""
        self.assertEqual(expected, log.mask_password(payload))
+
+        payload = ("test = 'node.session.auth.password','-v','mypassword',"
+                   "'nomask'")
+        expected = ("test = 'node.session.auth.password','-v','***',"
+                    "'nomask'")
+        self.assertEqual(expected, log.mask_password(payload))
+
+        payload = ("test = 'node.session.auth.password', '--password', "
+                   "'mypassword', 'nomask'")
+        expected = ("test = 'node.session.auth.password', '--password', "
+                    "'***', 'nomask'")
+        self.assertEqual(expected, log.mask_password(payload))
+
+        payload = "test = node.session.auth.password -v mypassword nomask"
+        expected = "test = node.session.auth.password -v *** nomask"
+        self.assertEqual(expected, log.mask_password(payload))
+
+        payload = ("test = node.session.auth.password --password mypassword "
+                   "nomask")
+        expected = ("test = node.session.auth.password --password *** "
+                    "nomask")
+        self.assertEqual(expected, log.mask_password(payload))