authorBen Nemec <bnemec@redhat.com>2020-03-10 17:55:16 +0000
committerBen Nemec <openstack@nemebean.com>2020-03-24 17:13:18 +0000
commit445de77bf7e6c57b3b4bd4097859075920b0b042 (patch)
tree7f9881de1c571c5d9cf95681c37bca60e235edf2
parent85df3325e1444e686107d877cf5ef2592e75a67b (diff)
Filter out auth_token_info from logging valuesstein-em2.22.2stable/stein
auth_token_info is a common field that subclasses of RequestContext add. It contains things like the token itself and the entire catalog, both of which are undesirable to log. The token is a security concern and the catalog is huge, which bloats the logs an unacceptable amount. This change removes the auth_token_info key from the logging dict that we return to the log formatter, which eliminates both problems. Change-Id: If5ebaa3c1859d32cd05f51defe173fc625b21af5 Closes-Bug: 1866705 (cherry picked from commit 1dd72d1d209e699efc360ff99a20166aac831939) (cherry picked from commit ab17aef5735bcb242889f610d2165d46b380f7cc)
-rw-r--r--oslo_context/context.py6
-rw-r--r--oslo_context/tests/test_context.py17
2 files changed, 17 insertions, 6 deletions
diff --git a/oslo_context/context.py b/oslo_context/context.py
index 98a00bf..5e38452 100644
--- a/oslo_context/context.py
+++ b/oslo_context/context.py
@@ -371,6 +371,12 @@ class RequestContext(object):
values['auth_token'] = '***'
else:
values['auth_token'] = None
+ # NOTE(bnemec: auth_token_info isn't defined in oslo.context, but it's
+ # a common pattern in project context subclasses so we handle it here.
+ # It largely contains things that we don't want logged, like the token
+ # itself (which needs to be removed for security) and the catalog
+ # (which needs to be removed because it bloats the logs terribly).
+ values.pop('auth_token_info', None)
return values
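Review bot: The added `values.pop('auth_token_info', None)` scrubs only the dict handed to the log formatter, and only the one key with that exact name. `to_dict()` still carries the full token info (the updated `TestContext.to_dict()` in this commit round-trips it), so a caller that logs `to_dict()` output, or a subclass that keeps token data under a different key, is not covered. I would state that limit in the comment, e.g. `# Only this exact key is dropped, and only from the logging values; to_dict() still carries it.` The `NOTE(bnemec:` tag is also missing its closing parenthesis. The enclosing method, presumably `get_logging_values()`, starts outside the hunk.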
diff --git a/oslo_context/tests/test_context.py b/oslo_context/tests/test_context.py
index 27d7487..fa44763 100644
--- a/oslo_context/tests/test_context.py
+++ b/oslo_context/tests/test_context.py
@@ -60,15 +60,15 @@ class TestContext(context.RequestContext):
This is representative of how at least some of our consumers use the
RequestContext class in their projects.
"""
- FROM_DICT_EXTRA_KEYS = ['foo']
+ FROM_DICT_EXTRA_KEYS = ['auth_token_info']
- def __init__(self, foo=None, **kwargs):
+ def __init__(self, auth_token_info=None, **kwargs):
super(TestContext, self).__init__(**kwargs)
- self.foo = foo
+ self.auth_token_info = auth_token_info
def to_dict(self):
d = super(TestContext, self).to_dict()
- d['foo'] = self.foo
+ d['auth_token_info'] = self.auth_token_info
return d
@@ -201,10 +201,10 @@ class ContextTest(test_base.BaseTestCase):
self.assertTrue(ctx.read_only)
def test_from_dict_extended(self):
- initial = TestContext(foo='bar')
+ initial = TestContext(auth_token_info='foo')
dct = initial.to_dict()
final = TestContext.from_dict(dct)
- self.assertEqual('bar', final.foo)
+ self.assertEqual('foo', final.auth_token_info)
self.assertEqual(dct, final.to_dict())
def test_is_user_context(self):
@@ -516,6 +516,11 @@ class ContextTest(test_base.BaseTestCase):
self.assertEqual(user_domain_name, d['user_domain_name'])
self.assertEqual(project_domain_name, d['project_domain_name'])
+ def test_auth_token_info_removed(self):
+ ctx = TestContext(auth_token_info={'auth_token': 'topsecret'})
+ d = ctx.get_logging_values()
+ self.assertNotIn('auth_token_info', d)
+
def test_dict_empty_user_identity(self):
ctx = context.RequestContext()
d = ctx.to_dict()
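Review bot: `test_auth_token_info_removed` asserts only that the key is gone, not that the secret value is absent from the logging values. Adding `self.assertNotIn('topsecret', str(d))` would catch a regression where the token info ends up copied under another key. It would also help to pin the other half of the contract with `self.assertIn('auth_token_info', ctx.to_dict())`, so a later change does not strip the field from the serialised context by accident. `test_dict_empty_user_identity`, which follows, continues outside the hunk.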