2 files changed, 12 insertions, 6 deletions

diff --git a/oslo_utils/strutils.py b/oslo_utils/strutils.py
index 40c45dd..6295bde 100644
--- a/oslo_utils/strutils.py
+++ b/oslo_utils/strutils.py
@@ -55,7 +55,7 @@ SLUGIFY_HYPHENATE_RE = re.compile(r"[-\s]+")
 
 
 # NOTE(flaper87): The following globals are used by `mask_password` and
-#                 `mask_dict_password`
+#                 `mask_dict_password`. They must all be lowercase.
 _SANITIZE_KEYS = ['adminpass', 'admin_pass', 'password', 'admin_password',
                   'auth_token', 'new_pass', 'auth_password', 'secret_uuid',
                   'secret', 'sys_pswd', 'token', 'configdrive',
@@ -83,11 +83,11 @@ _FORMAT_PATTERNS_2 = [r'(%(key)s[0-9]*\s*[=]\s*[\"\'])[^\"\']*([\"\'])',
                       r'([-]{2}%(key)s[0-9]*\s+)[^\'^\"^=^\s]+([\s]*)',
                       r'(<%(key)s[0-9]*>)[^<]*(</%(key)s[0-9]*>)',
                       r'([\"\']%(key)s[0-9]*[\"\']\s*:\s*[\"\'])[^\"\']*'
-                      '([\"\'])',
+                      r'([\"\'])',
                       r'([\'"][^"\']*%(key)s[0-9]*[\'"]\s*:\s*u?[\'"])[^\"\']*'
-                      '([\'"])',
+                      r'([\'"])',
                       r'([\'"][^\'"]*%(key)s[0-9]*[\'"]\s*,\s*\'--?[A-z]+'
-                      '\'\s*,\s*u?[\'"])[^\"\']*([\'"])',
+                      r'\'\s*,\s*u?[\'"])[^\"\']*([\'"])',
                       r'(%(key)s[0-9]*\s*--?[A-z]+\s*)\S+(\s*)']
 
 # NOTE(dhellmann): Keep a separate list of patterns by key so we only
@@ -337,7 +337,7 @@ def mask_password(message, secret="***"):  # nosec
     # specified in _SANITIZE_KEYS, if not then just return the message since
     # we don't have to mask any passwords.
     for key in _SANITIZE_KEYS:
-        if key.lower() in message.lower():
+        if key in message.lower():
             for pattern in _SANITIZE_PATTERNS_2[key]:
                 message = re.sub(pattern, substitute2, message)
             for pattern in _SANITIZE_PATTERNS_1[key]:
@@ -413,7 +413,7 @@ def mask_dict_password(dictionary, secret="***"):  # nosec
         k_matched = False
         if isinstance(k, six.string_types):
             for sani_key in _SANITIZE_KEYS:
-                if sani_key.lower() in k.lower():
+                if sani_key in k.lower():
                     out[k] = secret
                     k_matched = True
                     break
diff --git a/oslo_utils/tests/test_strutils.py b/oslo_utils/tests/test_strutils.py
index 7ed8c54..25e974c 100644
--- a/oslo_utils/tests/test_strutils.py
+++ b/oslo_utils/tests/test_strutils.py
@@ -296,6 +296,12 @@ StringToBytesTest.generate_scenarios()
 
 class MaskPasswordTestCase(test_base.BaseTestCase):
 
+    def test_sanitize_keys(self):
+
+        lowered = [k.lower() for k in strutils._SANITIZE_KEYS]
+        message = "The _SANITIZE_KEYS must all be lowercase."
+        self.assertEqual(strutils._SANITIZE_KEYS, lowered, message)
+
     def test_json(self):
         # Test 'adminPass' w/o spaces
         payload = """{'adminPass':'TL0EfN33'}"""