author | Zuul <zuul@review.opendev.org> | 2020-03-25 11:40:26 +0000 |
---|---|---|
committer | Gerrit Code Review <review@openstack.org> | 2020-03-25 11:40:26 +0000 |
commit | d7282a183f75d19c409b1a039667c27549327b2f (patch) | |
tree | 734ec8c087ca4cd6e7b4a131f7c7c8a6d42357c2 | |
parent | f5091a91d0a977dd43b939317ecdeb1cd5db1980 (diff) | |
parent | 2927519cf05a40cdd13d21739e39e7aaf574e5c1 (diff) | |
download | nova-d7282a183f75d19c409b1a039667c27549327b2f.tar.gz |
Merge "Mask the token used to allow access to consoles" into stable/pike
-rw-r--r-- | nova/console/websocketproxy.py | 6 | ||||
-rw-r--r-- | nova/consoleauth/manager.py | 9 | ||||
-rw-r--r-- | nova/tests/unit/console/test_websocketproxy.py | 3 | ||||
-rw-r--r-- | nova/tests/unit/consoleauth/test_consoleauth.py | 21 |
4 files changed, 32 insertions, 7 deletions
diff --git a/nova/console/websocketproxy.py b/nova/console/websocketproxy.py
index 245560ad24..393b4f951f 100644
--- a/nova/console/websocketproxy.py
+++ b/nova/console/websocketproxy.py
@@ -18,6 +18,7 @@ Websocket proxy that is compatible with OpenStack Nova. Leverages websockify.py by Joel Martin '''
+import copy import socket import sys
@@ -133,7 +134,10 @@ class NovaProxyRequestHandlerBase(object): detail = _("Origin header protocol does not match this host.") raise exception.ValidationError(detail=detail)
- self.msg(_('connect info: %s'), str(connect_info))
+ sanitized_info = copy.copy(connect_info)
+ sanitized_info['token'] = '***'
+ self.msg(_('connect info: %s'), sanitized_info)
+ host = connect_info['host'] port = int(connect_info['port'])
diff --git a/nova/consoleauth/manager.py b/nova/consoleauth/manager.py
index 52d4529e54..79b526fe69 100644
--- a/nova/consoleauth/manager.py
+++ b/nova/consoleauth/manager.py
@@ -100,9 +100,8 @@ class ConsoleAuthManager(manager.Manager): self.mc_instance.set(instance_uuid.encode('UTF-8'), jsonutils.dumps(tokens))
-
- LOG.info("Received Token: %(token)s, %(token_dict)s",
- {'token': token, 'token_dict': token_dict})
+ token_dict['token'] = '***'
+ LOG.info("Received Token: %(token_dict)s", {'token_dict': token_dict}) def _validate_token(self, context, token): instance_uuid = token['instance_uuid']
@@ -130,8 +129,8 @@ class ConsoleAuthManager(manager.Manager): def check_token(self, context, token): token_str = self.mc.get(token.encode('UTF-8')) token_valid = (token_str is not None)
- LOG.info("Checking Token: %(token)s, %(token_valid)s",
- {'token': token, 'token_valid': token_valid})
+ LOG.info("Checking that token is known: %(token_valid)s",
+ {'token_valid': token_valid}) if token_valid: token = jsonutils.loads(token_str) if self._validate_token(context, token):
diff --git a/nova/tests/unit/console/test_websocketproxy.py b/nova/tests/unit/console/test_websocketproxy.py
index ff45d17904..79c8a127ff 100644
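Review bot: The redaction on the new `sanitized_info` lines covers only this one `self.msg` call and only the `token` key, and nothing in the hunk records why a copy is taken rather than masking in place; a comment above `sanitized_info = copy.copy(connect_info)` such as `# Log a redacted copy: connect_info itself is still read unmasked below for the backend host/port.` would make the intent survive later edits. The token presumably reaches this handler from the request itself (the unit test passes it as `token="123-456-789"`), so if websockify's request-line logging prints the path or cookie elsewhere in this handler the secret would still be written out — worth confirming outside this hunk. If `connect_info` could ever arrive without a `token` key the assignment silently adds one; `if 'token' in sanitized_info:` avoids that, though the accompanying test suggests the key is always present. The enclosing method continues past the end of the hunk.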
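Review bot: `token_dict['token'] = '***'` redacts by mutating the caller's dict in place, which is only safe because the log call is the last statement of `authorize_console`; the `self.mc_instance.set` just above writes the token list, and the per-token write that stores `token_dict` sits outside the hunk, so any later statement added after the log (or a caller that reuses the dict) would silently see a masked token. Logging a redacted copy keeps the stored object intact: `LOG.info("Received Token: %(token_dict)s", {'token_dict': dict(token_dict, token='***')})` and drop the in-place assignment. A one-line comment, `# never log the console token itself`, would record the intent. `authorize_console` starts outside this hunk.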
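Review bot: The rewritten `LOG.info("Checking that token is known: ...")` keeps the secret out of the log but now carries nothing to correlate a failed check with, so an operator cannot tell which instance or console it concerned. Once the token is known and decoded, its `instance_uuid` (the field `_validate_token` reads in the hunk above) is not secret and could be logged from inside the `if token_valid:` branch after `token = jsonutils.loads(token_str)`, e.g. `LOG.info("Checking token for instance %s", token.get('instance_uuid'))`. The test added in test_consoleauth.py pins the exact "Checking that token is known" wording, so it would need updating alongside. `check_token` continues past the end of the hunk.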
--- a/nova/tests/unit/console/test_websocketproxy.py
+++ b/nova/tests/unit/console/test_websocketproxy.py
@@ -108,6 +108,9 @@ class NovaProxyRequestHandlerBaseTestCase(test.NoDBTestCase): check_token.assert_called_with(mock.ANY, token="123-456-789") self.wh.socket.assert_called_with('node1', 10000, connect=True) self.wh.do_proxy.assert_called_with('<socket>')
+ # ensure that token is masked when logged
+ connection_info = self.wh.msg.mock_calls[0][1][1]
+ self.assertEqual('***', connection_info['token']) @mock.patch('nova.consoleauth.rpcapi.ConsoleAuthAPI.check_token') def test_new_websocket_client_ipv6_url(self, check_token):
diff --git a/nova/tests/unit/consoleauth/test_consoleauth.py b/nova/tests/unit/consoleauth/test_consoleauth.py
index 5e4e5eeaef..a6b5d8fb95 100644
--- a/nova/tests/unit/consoleauth/test_consoleauth.py
+++ b/nova/tests/unit/consoleauth/test_consoleauth.py
@@ -87,6 +87,17 @@ class ConsoleauthTestCase(test.NoDBTestCase): self.stub_out(self.rpcapi + 'validate_console_port', fake_validate_console_port)
+ @mock.patch('nova.consoleauth.manager.LOG.info')
+ def test_authorize_does_not_log_token_secrete(self, mock_info):
+ self.manager_api.authorize_console(
+ self.context, 'secret', 'novnc', '127.0.0.1', '8080', 'host',
+ self.instance_uuid)
+
+ mock_info.assert_called_once_with(
+ 'Received Token: %(token_dict)s', test.MatchType(dict))
+ self.assertEqual(
+ '***', mock_info.mock_calls[0][1][1]['token_dict']['token'])
+ @mock.patch('nova.objects.instance.Instance.get_by_uuid') def test_multiple_tokens_for_instance(self, mock_get): mock_get.return_value = None
@@ -121,8 +132,9 @@ class ConsoleauthTestCase(test.NoDBTestCase): self.assertIsNone( self.manager_api.check_token(self.context, token))
+ @mock.patch('nova.consoleauth.manager.LOG.info') @mock.patch('nova.objects.instance.Instance.get_by_uuid')
- def test_wrong_token_has_port(self, mock_get):
+ def test_wrong_token_has_port(self, mock_get, mock_log): mock_get.return_value = None token = u'mytok'
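Review bot: The new `self.assertEqual('***', connection_info['token'])` shows the `token` key of the first `msg()` call was rewritten, but it does not prove the real token `123-456-789` is absent from what was logged, and it depends on the connect-info call being `mock_calls[0]` with the dict as the second positional argument. A negative check over every call is both stricter and less brittle: `for call in self.wh.msg.mock_calls:` / `self.assertNotIn('123-456-789', str(call))`. The test method starts outside the hunk.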
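Review bot: The new test name `test_authorize_does_not_log_token_secrete` misspells "secret"; rename it `test_authorize_does_not_log_token_secret`. The assertion that `token_dict['token']` became `'***'` does not by itself show that the literal `'secret'` passed to `authorize_console` stayed out of the log arguments, so adding `self.assertNotIn('secret', str(mock_info.mock_calls))` pins the actual requirement and would also catch the value leaking through a different key. `assert_called_once_with` fixes the exact format string, which is deliberate here but worth a comment such as `# exact message pinned: the redacted dict must be the only logged payload`.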
@@ -133,6 +145,13 @@ class ConsoleauthTestCase(test.NoDBTestCase): '127.0.0.1', '8080', 'host', instance_uuid=self.instance_uuid) self.assertIsNone(self.manager_api.check_token(self.context, token))
+ mock_log.assert_has_calls([
+ mock.call(
+ 'Received Token: %(token_dict)s', mock.ANY),
+ mock.call(
+ 'Checking that token is known: %(token_valid)s',
+ {'token_valid': True}),
+ ]) def test_delete_expired_tokens(self): self.useFixture(test.TimeOverride()) |
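Review bot: The `mock.ANY` payload in the new `assert_has_calls` means the token value `u'mytok'` could still be present in the first logged dict without failing this test; a direct `self.assertNotIn('mytok', str(mock_log.mock_calls))` closes that gap in one line. The `{'token_valid': True}` expectation is correct for this test as far as the visible flow shows (the token is in the store, only the port check should fail), but a reader may take `True` for a typo in a test named "wrong token"; a comment such as `# the token is known to the store; only _validate_token's port check rejects it` would prevent that. `test_wrong_token_has_port` starts outside this hunk.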