Mask the token used to allow access to consoles

Hide the novncproxy token from the logs. When backported this patch needs to be extended to handle the same issue in the consoleauth service. Co-Authored-By:paul-carlton2 <paul.carlton2@hp.com> Co-Authored-By:Tristan Cacqueray <tdecacqu@redhat.com> Change-Id: I5b8fa4233d297722c3af08176901d12887bae3de Closes-Bug: #1492140
openstack · Nov 27, 2019 · 26d4047 · 26d4047
1 parent 23995b4
commit 26d4047
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 1 deletion.
diff --git a/nova/console/websocketproxy.py b/nova/console/websocketproxy.py
@@ -18,6 +18,7 @@
 Leverages websockify.py by Joel Martin
 '''
 
+import copy
 import socket
 import sys
 
@@ -220,7 +221,10 @@ def new_websocket_client(self):
                 detail = _("Origin header protocol does not match this host.")
                 raise exception.ValidationError(detail=detail)
 
-        self.msg(_('connect info: %s'), str(connect_info))
+        sanitized_info = copy.copy(connect_info)
+        sanitized_info.token = '***'
+        self.msg(_('connect info: %s'), sanitized_info)
+
         host = connect_info.host
         port = connect_info.port
 

diff --git a/nova/tests/unit/console/test_websocketproxy.py b/nova/tests/unit/console/test_websocketproxy.py
@@ -219,6 +219,9 @@ def test_new_websocket_client(self, validate, check_port):
         validate.assert_called_with(mock.ANY, "123-456-789")
         self.wh.socket.assert_called_with('node1', 10000, connect=True)
         self.wh.do_proxy.assert_called_with('<socket>')
+        # ensure that token is masked when logged
+        connection_info = self.wh.msg.mock_calls[0][1][1]
+        self.assertEqual('***', connection_info.token)
 
     @mock.patch('nova.console.websocketproxy.NovaProxyRequestHandlerBase.'
                 '_check_console_port')