authorBrant Knudson <bknudson@us.ibm.com>2014-07-28 14:34:53 -0500
committerBrant Knudson <bknudson@us.ibm.com>2014-07-30 15:06:46 -0500
commit605577192d7158ecf40bd9a94b7cf3acc2ce1c95 (patch)
treeb4f7b839caad952bb20ccea5034476d2211b9118 /keystoneclient/session.py
parenta5f0e3c53ca9013ab124cc33accc5a06266dc72c (diff)
downloadpython-keystoneclient-605577192d7158ecf40bd9a94b7cf3acc2ce1c95.tar.gz
Redact tokens in request headers
Tokens shouldn't be logged since a token could be gathered from a log file and used. The client was logging the X-Auth-Token and X-Subject-Token request headers. With this change, the X-Auth-Token and X-Subject-Token are shown as "TOKEN_REDACTED". The "Authentication" header is also redacted. This is for security hardening. SecurityImpact Closes-Bug: #1004114 Closes-Bug: #1327019 Change-Id: I1edc3821ed028471102cc9b95eb9f3b54c9e2778
Diffstat (limited to 'keystoneclient/session.py')
-rw-r--r--keystoneclient/session.py9
1 files changed, 8 insertions, 1 deletions
diff --git a/keystoneclient/session.py b/keystoneclient/session.py
index c74f752..26b95e1 100644
--- a/keystoneclient/session.py
+++ b/keystoneclient/session.py
@@ -139,6 +139,13 @@ class Session(object):
# debug log.
return
+ def process_header(header):
+ secure_headers = ('authorization', 'x-auth-token',
+ 'x-subject-token',)
+ if header[0].lower() in secure_headers:
+ return (header[0], 'TOKEN_REDACTED')
+ return header
+
string_parts = ['REQ: curl -i']
# NOTE(jamielennox): None means let requests do its default validation
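Review bot: `process_header` is a closure that rebuilds the `secure_headers` tuple for every header it inspects, and because it is defined inside the enclosing method (which starts outside this hunk) the set of credential headers cannot be shared with any other logging path; hoisting it to a module-level constant, e.g. `_SECURE_HEADERS = frozenset(('authorization', 'x-auth-token', 'x-subject-token'))`, and making `process_header` a module-level function would address both. The helper also has no docstring; `"""Return *header* with its value replaced by 'TOKEN_REDACTED' when its name is a credential header."""` would state the contract. Note that the commit description says the "Authentication" header is redacted while the tuple lists `authorization`, which is the actual HTTP header name, so the description rather than the code is the misleading part. If the session logs response headers through a separate path, an X-Subject-Token returned in a response would presumably still be emitted there — worth confirming that path is covered as well.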
@@ -153,7 +160,7 @@ class Session(object):
if headers:
for header in six.iteritems(headers):
- string_parts.append('-H "%s: %s"' % header)
+ string_parts.append('-H "%s: %s"' % process_header(header))
if json:
data = jsonutils.dumps(json)
if data: