Merge "Censoring secrets payload value from debug log"

2016-05-05 16:42:22 +00:00 · 2016-05-05 16:42:22 +00:00 · e6fd8b4e30
parent d37b847977 d1340572c5
commit e6fd8b4e30
4 changed files with 22 additions and 3 deletions
--- a/barbicanclient/base.py
+++ b/barbicanclient/base.py
@ -22,6 +22,14 @@ def filter_null_keys(dictionary):
    return dict(((k, v) for k, v in dictionary.items() if v is not None))


+def censored_copy(data_dict, censor_keys):
+    '''Returns redacted dict copy for censored keys'''
+    if censor_keys is None:
+        censor_keys = []
+    return {k: v if k not in censor_keys else '<redacted>' for k, v in
+            data_dict.items()}
+
+
 def validate_ref(ref, entity):
    """Verifies that there is a real uuid at the end of the uri

--- a/barbicanclient/containers.py
+++ b/barbicanclient/containers.py
@ -221,7 +221,8 @@ class Container(ContainerFormatter):

    def _get_secrets_and_store_them_if_necessary(self):
        # Save all secrets if they are not yet saved
-        LOG.debug("Storing secrets: {0}".format(self.secrets))
+        LOG.debug("Storing secrets: {0}".format(base.censored_copy(
+                                                self.secrets, ['payload'])))
        secret_refs = []
        for name, secret in six.iteritems(self.secrets):
            if secret and not secret.secret_ref:
--- a/barbicanclient/secrets.py
+++ b/barbicanclient/secrets.py
@ -331,8 +331,8 @@ class Secret(SecretFormatter):
            secret_dict['payload_content_type'] = u'text/plain'

        secret_dict = base.filter_null_keys(secret_dict)
-
-        LOG.debug("Request body: {0}".format(secret_dict))
+        LOG.debug("Request body: {0}".format(base.censored_copy(secret_dict,
+                                                                ['payload'])))

        # Save, store secret_ref and return
        response = self._api.post(self._entity, json=secret_dict)
--- a/barbicanclient/tests/test_base.py
+++ b/barbicanclient/tests/test_base.py
@ -12,3 +12,13 @@ class TestValidateRef(testtools.TestCase):
    def test_invalid_uuid(self):
        ref = 'http://localhost/not_a_uuid'
        self.assertRaises(ValueError, base.validate_ref, ref, 'Thing')
+
+    def test_censored_copy(self):
+        d1 = {'a': '1', 'password': 'my_password', 'payload': 'my_key',
+              'b': '2'}
+        d2 = base.censored_copy(d1, None)
+        self.assertEqual(d1, d2, 'd2 contents are unchanged')
+        self.assertFalse(d1 is d2, 'd1 and d2 are different instances')
+        d3 = base.censored_copy(d1, ['payload'])
+        self.assertNotEqual(d1, d3, 'd3 has redacted payload value')
+        self.assertNotEqual(d3['payload'], 'my_key', 'no key in payload')