From 80582f2b860b2dadef7ae07bdbd8395bf03848b1 Mon Sep 17 00:00:00 2001
From: "Jay S. Bryant"
Date: Tue, 15 Jul 2014 13:51:03 -0500
Subject: Mask passwords in client debug output
This change looks for the use of 'password' in the data that is sent and uses mask_password() to remove the actual password text. This change will prevent debug output that is being saved from saving passwords. A test case is added to verify that password output is being removed.
Change-Id: I93bde838ea21101df08c0e824d9f9457ed2ad077
Closes-Bug: 1341735
---
 cinderclient/client.py | 7 ++++++-
 cinderclient/tests/test_client.py | 30 ++++++++++++++++++++++++++++++
 2 files changed, 36 insertions(+), 1 deletion(-)
diff --git a/cinderclient/client.py b/cinderclient/client.py
index 71d2a42..0f1ce0f 100644
--- a/cinderclient/client.py
+++ b/cinderclient/client.py
@@ -23,6 +23,7 @@ from __future__ import print_function
 import logging
 from cinderclient import exceptions
+from cinderclient.openstack.common import strutils
 from cinderclient import utils
 from keystoneclient import access
@@ -235,7 +236,11 @@ class HTTPClient(CinderClientMixin):
 string_parts.append(header)
 if 'data' in kwargs:
- string_parts.append(" -d '%s'" % (kwargs['data']))
+ if "password" in kwargs['data']:
+ data = strutils.mask_password(kwargs['data'])
+ else:
+ data = kwargs['data']
+ string_parts.append(" -d '%s'" % (data))
 self._logger.debug("\nREQ: %s\n" % "".join(string_parts))
 def http_log_resp(self, resp):
diff --git a/cinderclient/tests/test_client.py b/cinderclient/tests/test_client.py
index 47c4c69..f81cf3d 100644
--- a/cinderclient/tests/test_client.py
+++ b/cinderclient/tests/test_client.py
@@ -11,6 +11,9 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
+import logging
+
+import fixtures
 import cinderclient.client
 import cinderclient.v1.client
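Review bot: In `http_log_req` (cinderclient/client.py, second hunk) the guard `if "password" in kwargs['data']:` decides whether masking runs at all, so a request body carrying a secret under any key that lacks that exact lowercase substring is written to the debug log unmasked. Calling the helper unconditionally, `data = strutils.mask_password(kwargs['data'])`, removes that gap and leaves the decision to the helper's own key list; that list is not visible in this diff, so confirm it covers every credential field this client sends. The substring test presumably also raises TypeError if `data` is ever bytes on Python 3. The headers appended just above (`string_parts.append(header)`) are untouched by this change, and the loop that builds them starts outside the hunk, so check whether auth tokens reach the same debug output.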
@@ -31,3 +34,30 @@ class ClientTest(utils.TestCase):
 def test_get_client_class_unknown(self):
 self.assertRaises(cinderclient.exceptions.UnsupportedVersion,
 cinderclient.client.get_client_class, '0')
+
+ def test_log_req(self):
+ self.logger = self.useFixture(
+ fixtures.FakeLogger(
+ format="%(message)s",
+ level=logging.DEBUG,
+ nuke_handlers=True
+ )
+ )
+
+ kwargs = {}
+ kwargs['headers'] = {"X-Foo": "bar"}
+ kwargs['data'] = ('{"auth": {"tenantName": "fakeService",'
+ ' "passwordCredentials": {"username": "fakeUser",'
+ ' "password": "fakePassword"}}}')
+
+ cs = cinderclient.client.HTTPClient("user", None, None,
+ "http://127.0.0.1:5000")
+ cs.http_log_debug = True
+ cs.http_log_req('PUT', kwargs)
+
+ output = self.logger.output.split('\n')
+
+ print("JSBRYANT: output is", output)
+
+ self.assertNotIn("fakePassword", output[1])
+ self.assertIn("fakeUser", output[1])
-- cgit v1.2.1
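Review bot: The negative assertion in `test_log_req` inspects only `output[1]`, so a password that leaked onto any other captured log line would still let the test pass; assert against the whole capture instead, `self.assertNotIn("fakePassword", self.logger.output)`. The leftover debugging line `print("JSBRYANT: output is", output)` should be dropped before merge. A second case whose body has no `password` key would cover the unmasked branch of `http_log_req`, which this test never reaches.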