author | Jay S. Bryant <jsbryant@us.ibm.com> | 2014-07-15 13:51:03 -0500 |
---|---|---|
committer | Jay S. Bryant <jsbryant@us.ibm.com> | 2014-07-30 13:43:32 -0500 |
commit | 80582f2b860b2dadef7ae07bdbd8395bf03848b1 (patch) | |
tree | 3b56c580c46bdaa2186c18b232fda2daea5d51a1 | |
parent | 2274089dc65ea87063151b3d243e7f6b1019db95 (diff) | |
download | python-cinderclient-80582f2b860b2dadef7ae07bdbd8395bf03848b1.tar.gz |
Mask passwords in client debug output
This change looks for the use of 'password' in the data that
is sent and uses mask_password() to remove the actual password
text. This change keeps passwords out of any debug output
that is saved.
A test case is added to verify that password output is being removed.
Change-Id: I93bde838ea21101df08c0e824d9f9457ed2ad077
Closes-Bug: 1341735
-rw-r--r-- | cinderclient/client.py | 7 | ||||
-rw-r--r-- | cinderclient/tests/test_client.py | 30 |
2 files changed, 36 insertions, 1 deletions
diff --git a/cinderclient/client.py b/cinderclient/client.py index 71d2a42..0f1ce0f 100644 --- a/cinderclient/client.py +++ b/cinderclient/client.py @@ -23,6 +23,7 @@ from __future__ import print_function import logging from cinderclient import exceptions +from cinderclient.openstack.common import strutils from cinderclient import utils from keystoneclient import access @@ -235,7 +236,11 @@ class HTTPClient(CinderClientMixin): string_parts.append(header) if 'data' in kwargs: - string_parts.append(" -d '%s'" % (kwargs['data'])) + if "password" in kwargs['data']: + data = strutils.mask_password(kwargs['data']) + else: + data = kwargs['data'] + string_parts.append(" -d '%s'" % (data)) self._logger.debug("\nREQ: %s\n" % "".join(string_parts)) def http_log_resp(self, resp): diff --git a/cinderclient/tests/test_client.py b/cinderclient/tests/test_client.py index 47c4c69..f81cf3d 100644 --- a/cinderclient/tests/test_client.py +++ b/cinderclient/tests/test_client.py @@ -11,6 +11,9 @@ # See the License for the specific language governing permissions and # limitations under the License. +import logging + +import fixtures import cinderclient.client import cinderclient.v1.client 
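Review bot: In the second hunk of cinderclient/client.py, the `if "password" in kwargs['data']` pre-check limits masking to bodies that contain that exact lowercase substring. Any other credential key that `strutils.mask_password` can redact would then be logged in clear; the oslo version also covers keys such as `adminPass`, assuming the vendored copy matches. Calling it unconditionally is simpler and safer: `data = strutils.mask_password(kwargs['data'])` followed by `string_parts.append(" -d '%s'" % data)`. The headers appended just above are still written verbatim, so token-bearing headers would land in the same debug line. http_log_req begins outside this hunk, so that last point is inferred from the visible context only.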
@@ -31,3 +34,30 @@ class ClientTest(utils.TestCase): def test_get_client_class_unknown(self): self.assertRaises(cinderclient.exceptions.UnsupportedVersion, cinderclient.client.get_client_class, '0') + + def test_log_req(self): + self.logger = self.useFixture( + fixtures.FakeLogger( + format="%(message)s", + level=logging.DEBUG, + nuke_handlers=True + ) + ) + + kwargs = {} + kwargs['headers'] = {"X-Foo": "bar"} + kwargs['data'] = ('{"auth": {"tenantName": "fakeService",' + ' "passwordCredentials": {"username": "fakeUser",' + ' "password": "fakePassword"}}}') + + cs = cinderclient.client.HTTPClient("user", None, None, + "http://127.0.0.1:5000") + cs.http_log_debug = True + cs.http_log_req('PUT', kwargs) + + output = self.logger.output.split('\n') + + print("JSBRYANT: output is", output) + + self.assertNotIn("fakePassword", output[1]) + self.assertIn("fakeUser", output[1]) |
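Review bot: `print("JSBRYANT: output is", output)` in test_log_req is leftover debugging and should be removed before merge. The assertions index `output[1]`, which ties the test to the exact newline layout of the `REQ:` message. Checking the whole capture, `self.assertNotIn("fakePassword", self.logger.output)`, would still catch a leak if the log format changes. A second case whose body has no password field would cover the pass-through branch as well.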