authorDougal Matthews <dougal@dougalmatthews.com>2019-11-15 11:11:07 +0000
committerDougal Matthews <dougal@dougalmatthews.com>2019-11-18 09:13:41 +0000
commitc49a426b6618426f9260eea10c1b2a9e1c5a4d65 (patch)
tree851a5a84b47d6f65102948224058d71ab51f7367
parent95f1b88c90ba0654e1353669b8b0f1d170391a25 (diff)
Make mask_dict_password case insensitive and add new patternsrocky-em3.36.5stable/rocky
In Icc19b7c8bdb6a3182939d5e9fdef21288b19f43d mask_password was made case-insensitive, but mask_dict_password wasn't. This update makes the behaviour of these functions the same. Instead of lowercasing _SANITIZE_KEYS on every comparison, the source list itself is lowercased. New password patterns from real-world logs were added to the patterns. Change-Id: Ic3ee301857630a15b9c26fd5d0fc907c43199517 Related-Bug: #1850843 (cherry picked from commit ed70bd3cd10eae2a34a5e9bd5d1fe0a6791ab3de)
-rw-r--r--oslo_utils/strutils.py17
-rw-r--r--oslo_utils/tests/test_strutils.py10
-rw-r--r--releasenotes/notes/mask-dict-passwords-99357ffb7972fb0b.yaml9
3 files changed, 31 insertions, 5 deletions
diff --git a/oslo_utils/strutils.py b/oslo_utils/strutils.py
index bb08eb9..279a6fb 100644
--- a/oslo_utils/strutils.py
+++ b/oslo_utils/strutils.py
@@ -54,12 +54,19 @@ SLUGIFY_STRIP_RE = re.compile(r"[^\w\s-]")
SLUGIFY_HYPHENATE_RE = re.compile(r"[-\s]+")
-# NOTE(flaper87): The following globals are used by `mask_password`
-_SANITIZE_KEYS = ['adminPass', 'admin_pass', 'password', 'admin_password',
+# NOTE(flaper87): The following globals are used by `mask_password` and
+# `mask_dict_password`
+_SANITIZE_KEYS = ['adminpass', 'admin_pass', 'password', 'admin_password',
'auth_token', 'new_pass', 'auth_password', 'secret_uuid',
'secret', 'sys_pswd', 'token', 'configdrive',
- 'CHAPPASSWORD', 'encrypted_key', 'private_key',
- 'encryption_key_id', 'fernetkey', 'sslkey', 'passphrase']
+ 'chappassword', 'encrypted_key', 'private_key',
+ 'encryption_key_id', 'fernetkey', 'sslkey', 'passphrase',
+ 'cephclusterfsid', 'octaviaheartbeatkey', 'rabbitcookie',
+ 'cephmanilaclientkey', 'pacemakerremoteauthkey',
+ 'designaterndckey', 'cephadminkey', 'heatauthencryptionkey',
+ 'cephclientkey', 'keystonecredential',
+ 'barbicansimplecryptokek', 'cephrgwkey', 'swifthashsuffix',
+ 'migrationsshkey', 'cephmdskey', 'cephmonkey']
# NOTE(ldbragst): Let's build a list of regex objects using the list of
# _SANITIZE_KEYS we already have. This way, we only have to add the new key
@@ -408,7 +415,7 @@ def mask_dict_password(dictionary, secret="***"): # nosec
k_matched = False
if isinstance(k, six.string_types):
for sani_key in _SANITIZE_KEYS:
- if sani_key in k:
+ if sani_key.lower() in k.lower():
out[k] = secret
k_matched = True
break
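Review bot: The new comparison `if sani_key.lower() in k.lower():` still lowercases both sides on every inner-loop iteration, although every entry of `_SANITIZE_KEYS` in the first hunk is now lowercase and the description says the per-comparison lowering was removed. Lowering `k` once before the loop and comparing the list entry directly keeps the intended behaviour and makes the lowercase list the thing the code relies on: `k_lower = k.lower()` before `for sani_key in _SANITIZE_KEYS:`, then `if sani_key in k_lower:`. Since `_SANITIZE_KEYS` also feeds the regex patterns described in the NOTE(ldbragst) comment below it, that invariant belongs at the definition, e.g. `# Entries must be lowercase: mask_dict_password compares them against a lowercased key.`. Whether those compiled patterns match case-insensitively is outside this diff, so confirm that `'CHAPPASSWORD'` is still masked by mask_password now that its entry reads `'chappassword'`. mask_dict_password's body begins and continues outside the second hunk.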
diff --git a/oslo_utils/tests/test_strutils.py b/oslo_utils/tests/test_strutils.py
index ebfb2cd..ceb5fdc 100644
--- a/oslo_utils/tests/test_strutils.py
+++ b/oslo_utils/tests/test_strutils.py
@@ -691,6 +691,16 @@ class MaskDictionaryPasswordTestCase(test_base.BaseTestCase):
self.assertEqual(expected,
strutils.mask_dict_password(payload))
+ payload = {'passwords': {'KeystoneFernetKey1': 'c5FijjS'}}
+ expected = {'passwords': {'KeystoneFernetKey1': '***'}}
+ self.assertEqual(expected,
+ strutils.mask_dict_password(payload))
+
+ payload = {'passwords': {'keystonecredential0': 'c5FijjS'}}
+ expected = {'passwords': {'keystonecredential0': '***'}}
+ self.assertEqual(expected,
+ strutils.mask_dict_password(payload))
+
def test_do_no_harm(self):
payload = {}
expected = {}
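Review bot: The added assertions exercise only two of the newly added names (`KeystoneFernetKey1`, `keystonecredential0`); none exercises an entry whose casing changed in `_SANITIZE_KEYS` (`adminPass` to `adminpass`, `CHAPPASSWORD` to `chappassword`), which is the path most likely to regress from this change. Unless it is already covered elsewhere in the class, a case such as `payload = {'CHAPPASSWORD': 'c5FijjS'}` with `expected = {'CHAPPASSWORD': '***'}`, plus a mixed-case top-level key like `{'AdminPass': 'c5FijjS'}`, would pin case-insensitive matching for both the original keys and the nested-dict path. The enclosing test method begins outside the hunk.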
diff --git a/releasenotes/notes/mask-dict-passwords-99357ffb7972fb0b.yaml b/releasenotes/notes/mask-dict-passwords-99357ffb7972fb0b.yaml
new file mode 100644
index 0000000..6303534
--- /dev/null
+++ b/releasenotes/notes/mask-dict-passwords-99357ffb7972fb0b.yaml
@@ -0,0 +1,9 @@
+---
+security:
+ - |
+ This patch ensures that we mask sensitive data when masking dicts, even if
+ the case doesn't match. This means the behaviour of mask_password and
+ mask_dict_password is now the same.
+ - |
+ Additional password names were included from real world logs that contained
+ sensitive information. \ No newline at end of file