From 05ffd8ba71c1c0da5ef6e90d0ca1a721679f66db Mon Sep 17 00:00:00 2001
From: Lucas Alvares Gomes
Date: Tue, 8 Mar 2016 09:47:30 +0000
Subject: [PATCH] Mask passwords before displaying them

This patch is introducing a new configuration option called "show_passwords" under the "default" section. If true, vbmc will display all passwords in the logs and commands such as "show"; if false, the passwords are going to be masked. Defaults to false.
---
 virtualbmc/config.py | 14 ++++++++++++--
 virtualbmc/manager.py | 17 +++++++++++++++--
 virtualbmc/utils.py | 9 +++++++++
 3 files changed, 36 insertions(+), 4 deletions(-)
diff --git a/virtualbmc/config.py b/virtualbmc/config.py
index 2448c45..fa8f53a 100644
--- a/virtualbmc/config.py
+++ b/virtualbmc/config.py
@@ -25,8 +25,15 @@ CONFIG = None
 class VirtualBMCConfig(object):
- DEFAULTS = {'log': {'logfile': None,
- 'debug': 'false'}}
+ DEFAULTS = {
+ 'default': {
+ 'show_passwords': 'false'
+ },
+ 'log': {
+ 'logfile': None,
+ 'debug': 'false'
+ },
+ }
 def __init__(self):
 config = configparser.ConfigParser()
@@ -48,6 +55,9 @@ class VirtualBMCConfig(object):
 self._conf_dict['log']['debug'] = utils.str2bool(
 self._conf_dict['log']['debug'])
+ self._conf_dict['default']['show_passwords'] = utils.str2bool(
+ self._conf_dict['default']['show_passwords'])
+
 def __getitem__(self, key):
 return self._conf_dict[key]
diff --git a/virtualbmc/manager.py b/virtualbmc/manager.py
index 23c9da1..252462d 100644
--- a/virtualbmc/manager.py
+++ b/virtualbmc/manager.py
@@ -23,6 +23,7 @@ import exception
 import log
 from virtualbmc import VirtualBMC
 import utils
+import config as vbmc_config
 LOG = log.get_logger()
@@ -32,6 +33,8 @@ DOWN = 'down'
 DEFAULT_SECTION = 'VirtualBMC'
+CONF = vbmc_config.get_config()
+
 class VirtualBMCManager(object):
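Review bot: In virtualbmc/manager.py, `CONF = vbmc_config.get_config()` runs at import time, so the configuration is read as a side effect of importing the module. The config.py hunk converts `show_passwords` with `utils.str2bool`, and the utils.py context lines show that function raising ValueError for unrecognised values, so a typo in that option would presumably surface as a failure while importing manager.py rather than as a handled configuration error. Reading the option where it is used, e.g. `vbmc_config.get_config()['default']['show_passwords']` inside the methods, or catching the error at start-up with a clear message, would give it an explicit error path. Failing closed on a bad value is the right outcome for a masking switch, and a comment next to the conversion saying so would help the next maintainer.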
@@ -72,6 +75,11 @@ class VirtualBMCManager(object):
 bmc_config = self._parse_config(domain_name)
 bmc_config['status'] = RUNNING if running else DOWN
+
+ # mask the passwords if requested
+ if not CONF['default']['show_passwords']:
+ bmc_config = utils.mask_dict_password(bmc_config)
+
 return bmc_config
 def add(self, username, password, port, address, domain_name, libvirt_uri,
@@ -134,11 +142,16 @@ class VirtualBMCManager(object):
 sasl_username=bmc_config['libvirt_sasl_username'],
 sasl_password=bmc_config['libvirt_sasl_password'])
+ # mask the passwords if requested
+ log_config = bmc_config.copy()
+ if not CONF['default']['show_passwords']:
+ log_config = utils.mask_dict_password(bmc_config)
+
 LOG.debug('Starting a Virtual BMC for domain %(domain)s with the '
 'following configuration options: %(config)s',
 {'domain': domain_name,
- 'config': ' '.join(['%s="%s"' % (k, bmc_config[k])
- for k in bmc_config])})
+ 'config': ' '.join(['%s="%s"' % (k, log_config[k])
+ for k in log_config])})
 with daemon.DaemonContext(stderr=sys.stderr,
 files_preserve=[LOG.handler.stream, ]):
diff --git a/virtualbmc/utils.py b/virtualbmc/utils.py
index 363c0f6..4ef6936 100644
--- a/virtualbmc/utils.py
+++ b/virtualbmc/utils.py
@@ -85,3 +85,12 @@ def str2bool(string):
 raise ValueError('Value "%s" can not be interpreted as '
 'boolean' % string)
 return lower == 'true'
+
+
+def mask_dict_password(dictionary, secret='***'):
+ """Replace passwords with a secret in a dictionary."""
+ d = dictionary.copy()
+ for k in d:
+ if 'password' in k:
+ d[k] = secret
+ return d
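Review bot: In the `@@ -72,6 +75,11 @@` hunk of virtualbmc/manager.py the masking is applied to the dict the method returns, not only to what is displayed, so every caller receives `'***'` in place of the stored credentials whenever `show_passwords` is false. The method's signature is outside the hunk, so I cannot tell whether anything other than the `show` command consumes this return value; if something does, it would silently work with the placeholder. Masking at the point of display, or a comment such as `# NOTE: returned dict is for display only; password values are masked unless show_passwords is set`, would make the contract explicit.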
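Review bot: In the `@@ -134,11 +142,16 @@` hunk, `log_config = bmc_config.copy()` is redundant, because `utils.mask_dict_password` already copies its argument and the unmasked branch only reads the dict. `log_config = bmc_config if CONF['default']['show_passwords'] else utils.mask_dict_password(bmc_config)` expresses the same thing in one statement. Separately, with `show_passwords` enabled this debug line writes every `*password*` value, including `libvirt_sasl_password`, to the log in clear text, so the option's documentation should say that the log file then needs restrictive permissions. The enclosing method starts and ends outside the hunk.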
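Review bot: `mask_dict_password` in virtualbmc/utils.py matches with `'password' in k`, which is case-sensitive and only inspects top-level keys, so a key spelled `Password` or a credential held in a nested dict would pass through unmasked. Normalising the key, `if 'password' in k.lower():`, closes the first gap at no cost. The docstring should state the matching rule, that only top-level keys are checked, and that a shallow copy is returned so the input is left unmodified. The diffstat shows no test file, and this helper is the only thing between stored credentials and the logs, so a small unit test covering a mixed-case key and the untouched input would be worth adding.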