Mask out passwords when tracing

This patch ensures that tracing log output is masking out passwords to the log file. Closes-Bug: 1616527 Change-Id: I5452ab8b993a184406331ad34abb9ceff24e4180
openstack · Aug 24, 2016 · f8e4f3c · f8e4f3c
1 parent ce0d9b3
commit f8e4f3c
Show file tree

Hide file tree

Showing 2 changed files with 49 additions and 3 deletions.
diff --git a/os_brick/tests/test_utils.py b/os_brick/tests/test_utils.py
@@ -231,3 +231,41 @@ def _trace_test_method(*args, **kwargs):
         self.assertEqual('OK', result)
         return_log = mock_log.debug.call_args_list[1]
         self.assertIn('2900', str(return_log))
+
+    def test_utils_trace_method_with_password_dict(self):
+        mock_logging = self.mock_object(utils, 'logging')
+        mock_log = mock.Mock()
+        mock_log.isEnabledFor = lambda x: True
+        mock_logging.getLogger = mock.Mock(return_value=mock_log)
+
+        @utils.trace
+        def _trace_test_method(*args, **kwargs):
+            return {'something': 'test',
+                    'password': 'Now you see me'}
+
+        result = _trace_test_method(self)
+        expected_unmasked_dict = {'something': 'test',
+                                  'password': 'Now you see me'}
+
+        self.assertEqual(expected_unmasked_dict, result)
+        self.assertEqual(2, mock_log.debug.call_count)
+        self.assertIn("'password': '***'",
+                      str(mock_log.debug.call_args_list[1]))
+
+    def test_utils_trace_method_with_password_str(self):
+        mock_logging = self.mock_object(utils, 'logging')
+        mock_log = mock.Mock()
+        mock_log.isEnabledFor = lambda x: True
+        mock_logging.getLogger = mock.Mock(return_value=mock_log)
+
+        @utils.trace
+        def _trace_test_method(*args, **kwargs):
+            return "'adminPass': 'Now you see me'"
+
+        result = _trace_test_method(self)
+        expected_unmasked_str = "'adminPass': 'Now you see me'"
+
+        self.assertEqual(expected_unmasked_str, result)
+        self.assertEqual(2, mock_log.debug.call_count)
+        self.assertIn("'adminPass': '***'",
+                      str(mock_log.debug.call_args_list[1]))
diff --git a/os_brick/utils.py b/os_brick/utils.py
@@ -15,12 +15,13 @@
 import functools
 import inspect
 import logging as py_logging
+import retrying
+import six
 import time
 
 from oslo_log import log as logging
 from oslo_utils import encodeutils
-import retrying
-import six
+from oslo_utils import strutils
 
 from os_brick.i18n import _
 
@@ -151,10 +152,17 @@ def trace_logging_wrapper(*args, **kwargs):
             raise
         total_time = int(round(time.time() * 1000)) - start_time
 
+        if isinstance(result, dict):
+            mask_result = strutils.mask_dict_password(result)
+        elif isinstance(result, six.string_types):
+            mask_result = strutils.mask_password(result)
+        else:
+            mask_result = result
+
         logger.debug('<== %(func)s: return (%(time)dms) %(result)r',
                      {'func': func_name,
                       'time': total_time,
-                      'result': result})
+                      'result': mask_result})
         return result
     return trace_logging_wrapper