From 1656a00d410374bb5a0e4df7e6f7b7ce3433c608 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Herv=C3=A9=20Beraud?= <hberaud@redhat.com>
Date: Wed, 9 Mar 2022 14:23:29 +0100
Subject: fix strutils password regex

Those regexes will fix Object style representation output.
See the payload used in tests for details. This kind
of output can be obtained by using the command:

```
$ openstack --debug
```

Co-Authored-By: Daniel Bengtsson <dbengt@redhat.com>
Change-Id: I9024be93b109d1b64ca736546c0f69db7a5e06d0
(cherry picked from commit de4429f2be5fa21d1f6e1cacbb3c8417a7c56310)
(cherry picked from commit 2c1b0628771695e546b0acb1e3c44c16c0c690db)
(cherry picked from commit 90a504672071d61bdae3206c4764bd3528c165d6)
(cherry picked from commit a38b56a6f9438d256d6e0f9b03181015f2b27d8c)
---
 oslo_utils/strutils.py                                        |  2 ++
 oslo_utils/tests/test_strutils.py                             | 11 +++++++++++
 .../notes/mask-password-pattern-c8c880098743de3e.yaml         |  5 +++++
 3 files changed, 18 insertions(+)
 create mode 100644 releasenotes/notes/mask-password-pattern-c8c880098743de3e.yaml

diff --git a/oslo_utils/strutils.py b/oslo_utils/strutils.py
index 4b75613..0ccc0ce 100644
--- a/oslo_utils/strutils.py
+++ b/oslo_utils/strutils.py
@@ -80,6 +80,8 @@ _SANITIZE_PATTERNS_WILDCARD = {}
 # have two parameters. Use different lists of patterns here.
 _FORMAT_PATTERNS_1 = [r'(%(key)s[0-9]*\s*[=]\s*)[^\s^\'^\"]+']
 _FORMAT_PATTERNS_2 = [r'(%(key)s[0-9]*\s*[=]\s*[\"\'])[^\"\']*([\"\'])',
+                      r'(%(key)s[0-9]*\s*[=]\s*[\"])[^\"]*([\"])',
+                      r'(%(key)s[0-9]*\s*[=]\s*[\'])[^\']*([\'])',
                       r'(%(key)s[0-9]*\s+[\"\'])[^\"\']*([\"\'])',
                       r'([-]{2}%(key)s[0-9]*\s+)[^\'^\"^=^\s]+([\s]*)',
                       r'(<%(key)s[0-9]*>)[^<]*(</%(key)s[0-9]*>)',
diff --git a/oslo_utils/tests/test_strutils.py b/oslo_utils/tests/test_strutils.py
index 8c7c6f6..5a4591c 100644
--- a/oslo_utils/tests/test_strutils.py
+++ b/oslo_utils/tests/test_strutils.py
@@ -297,6 +297,17 @@ StringToBytesTest.generate_scenarios()
 
 class MaskPasswordTestCase(test_base.BaseTestCase):
 
+    def test_namespace_objects(self):
+        payload = """
+        Namespace(passcode='', username='', password='my"password',
+        profile='', verify=None, token='')
+        """
+        expected = """
+        Namespace(passcode='', username='', password='***',
+        profile='', verify=None, token='***')
+        """
+        self.assertEqual(expected, strutils.mask_password(payload))
+
     def test_sanitize_keys(self):
 
         lowered = [k.lower() for k in strutils._SANITIZE_KEYS]
diff --git a/releasenotes/notes/mask-password-pattern-c8c880098743de3e.yaml b/releasenotes/notes/mask-password-pattern-c8c880098743de3e.yaml
new file mode 100644
index 0000000..15b3efb
--- /dev/null
+++ b/releasenotes/notes/mask-password-pattern-c8c880098743de3e.yaml
@@ -0,0 +1,5 @@
+---
+security:
+  - |
+    This patch ensures that we mask sensitive data when masking password, even
+    if double quotes are used as password value.
-- 
cgit v1.2.1