Merge "Mask passwords in debug log on user password operations" into …

…stable/juno
openstack · Nov 11, 2015 · 1a3365b · 1a3365b
2 parents 2e64d78 + c15cbc4
commit 1a3365b
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 15 deletions.
diff --git a/keystone/common/controller.py b/keystone/common/controller.py
@@ -25,6 +25,7 @@
 from keystone.i18n import _
 from keystone.models import token_model
 from keystone.openstack.common import log
+from keystone.openstack.common import strutils
 
 
 LOG = log.getLogger(__name__)
@@ -50,9 +51,12 @@ def v2_deprecated(f):
 
 
 def _build_policy_check_credentials(self, action, context, kwargs):
+    kwargs_str = ', '.join(['%s=%s' % (k, kwargs[k]) for k in kwargs])
+    kwargs_str = strutils.mask_password(kwargs_str)
+
     LOG.debug('RBAC: Authorizing %(action)s(%(kwargs)s)', {
         'action': action,
-        'kwargs': ', '.join(['%s=%s' % (k, kwargs[k]) for k in kwargs])})
+        'kwargs': kwargs_str})
 
     # see if auth context has already been created. If so use it.
     if ('environment' in context and

diff --git a/keystone/tests/test_v3_identity.py b/keystone/tests/test_v3_identity.py
@@ -1662,24 +1662,19 @@ def test_filtered_role_assignments(self):
     def test_create_user_password_not_logged(self):
         # When a user is created, the password isn't logged at any level.
 
-        # FIXME(blk-u): This doesn't work as expected, see bug 1465922
-
         log_fix = self.useFixture(fixtures.FakeLogger(level=logging.DEBUG))
 
         ref = self.new_user_ref(domain_id=self.domain_id)
         self.post(
             '/users',
             body={'user': ref})
 
-        # This should be assert*Not*In, see bug 1465922
-        self.assertIn(ref['password'], log_fix.output)
+        self.assertNotIn(ref['password'], log_fix.output)
 
     def test_update_password_not_logged(self):
         # When admin modifies user password, the password isn't logged at any
         # level.
 
-        # FIXME(blk-u): This doesn't work as expected, see bug 1465922
-
         log_fix = self.useFixture(fixtures.FakeLogger(level=logging.DEBUG))
 
         # bootstrap a user as admin
@@ -1694,9 +1689,7 @@ def test_update_password_not_logged(self):
                    expected_status=200)
 
         self.assertNotIn(password, log_fix.output)
-
-        # This should be assert*Not*In, see bug 1465922
-        self.assertIn(new_password, log_fix.output)
+        self.assertNotIn(new_password, log_fix.output)
 
 
 class IdentityInheritanceTestCase(test_v3.RestfulTestCase):
@@ -2346,8 +2339,6 @@ def test_changing_password_not_logged(self):
         # When a user changes their password, the password isn't logged at any
         # level.
 
-        # FIXME(blk-u): This doesn't work as expected, see bug 1465922
-
         log_fix = self.useFixture(fixtures.FakeLogger(level=logging.DEBUG))
 
         # change password
@@ -2356,6 +2347,5 @@ def test_changing_password_not_logged(self):
                              original_password=self.user_ref['password'],
                              expected_status=204)
 
-        # These should be assert*Not*In, see bug 1465922
-        self.assertIn(self.user_ref['password'], log_fix.output)
-        self.assertIn(new_password, log_fix.output)
+        self.assertNotIn(self.user_ref['password'], log_fix.output)
+        self.assertNotIn(new_password, log_fix.output)