openstack/cinder
Code Issues Proposed changes

Mask out passwords when tracing

Browse Source 
This patch ensures that input and return parameters that are being
traced mask out passwords to the log file.

Change-Id: I71baa6ee7b2a474701a1caed99d4889fffc62eca
This commit is contained in:
Walter A. Boring IV 2016-08-09 08:39:35 -07:00
parent 1e32adbafa
commit 54a958534f
2 changed files with 39 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
cinder/tests/unit/test_utils.py
View File

@ -1263,6 +1263,39 @@ class LogTracingTestCase(test.TestCase):
self.assertEqual('OK', result) self.assertEqual('OK', result)
self.assertEqual(2, mock_log.debug.call_count) self.assertEqual(2, mock_log.debug.call_count)
def test_utils_trace_method_with_password_dict(self):
mock_log = self.patch('cinder.utils.logging.getLogger')
mock_log().isEnabledFor.return_value = True
@utils.trace_method
def _trace_test_method(*args, **kwargs):
return {'something': 'test',
'password': 'Now you see me'}
utils.setup_tracing(['method'])
result = _trace_test_method(self)
expected_masked_dict = {'password': '***', 'something': 'test'}
self.assertEqual(expected_masked_dict, result)
def test_utils_trace_method_with_password_str(self):
mock_log = self.patch('cinder.utils.logging.getLogger')
mock_log().isEnabledFor.return_value = True
@utils.trace_method
def _trace_test_method(*args, **kwargs):
return "'adminPass': 'Now you see me'"
utils.setup_tracing(['method'])
result = _trace_test_method(self)
expected_masked_str = "'adminPass': '***'"
self.assertEqual(expected_masked_str, result)
def test_utils_calculate_virtual_free_capacity_with_thick(self): def test_utils_calculate_virtual_free_capacity_with_thick(self):
host_stat = {'total_capacity_gb': 30.01, host_stat = {'total_capacity_gb': 30.01,
'free_capacity_gb': 28.01, 'free_capacity_gb': 28.01,

6
cinder/utils.py
View File

@ -839,6 +839,7 @@ def trace(f):
return f(*args, **kwargs) return f(*args, **kwargs)
all_args = inspect.getcallargs(f, *args, **kwargs) all_args = inspect.getcallargs(f, *args, **kwargs)
logger.debug('==> %(func)s: call %(all_args)r', logger.debug('==> %(func)s: call %(all_args)r',
{'func': func_name, 'all_args': all_args}) {'func': func_name, 'all_args': all_args})
@ -854,6 +855,11 @@ def trace(f):
raise raise
total_time = int(round(time.time() * 1000)) - start_time total_time = int(round(time.time() * 1000)) - start_time
if isinstance(result, dict):
result = strutils.mask_dict_password(result)
elif isinstance(result, six.string_types):
result = strutils.mask_password(result)
logger.debug('<== %(func)s: return (%(time)dms) %(result)r', logger.debug('<== %(func)s: return (%(time)dms) %(result)r',
{'func': func_name, {'func': func_name,
'time': total_time, 'time': total_time,