From 6303001675a1af26e60fb3b2d6322e42adaebec0 Mon Sep 17 00:00:00 2001
From: Pavlo Shchelokovskyy
Date: Wed, 1 Jun 2022 22:15:49 +0300
Subject: [PATCH] Do not log sensitive info in OIDC
Change-Id: Ieaf8f459b11bec6fc0462a4977cc419fb4a88569
---
 keystoneauth1/identity/v3/oidc.py | 28 +++++++++++++++++++++++++++-
 1 file changed, 27 insertions(+), 1 deletion(-)
diff --git a/keystoneauth1/identity/v3/oidc.py b/keystoneauth1/identity/v3/oidc.py
index 4d010f4..9102a6a 100644
--- a/keystoneauth1/identity/v3/oidc.py
+++ b/keystoneauth1/identity/v3/oidc.py
@@ -11,6 +11,8 @@
 # under the License.
 import abc
+import copy
+import logging
 import warnings
 import six
@@ -27,6 +29,8 @@
 __all__ = ('OidcAuthorizationCode', 'OidcPassword', 'OidcAccessToken')
+SENSITIVE_KEYS = ("password", "code", "token", "secret")
+
 @six.add_metaclass(abc.ABCMeta)
 class _OidcBase(federation.FederationBaseAuth):
@@ -175,6 +179,13 @@ class _OidcBase(federation.FederationBaseAuth):
             raise exceptions.OidcAccessTokenEndpointNotFound()
         return endpoint
+    def _sanitize(self, data):
+        sanitized = copy.deepcopy(data)
+        for key in sanitized:
+            if any(s in key for s in SENSITIVE_KEYS):
+                sanitized[key] = "***"
+        return sanitized
+
     def _get_access_token(self, session, payload):
         """Exchange a variety of user supplied values for an access token.
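Review bot: `SENSITIVE_KEYS` is consumed by `_sanitize` as substring patterns matched case-sensitively against key names, which the bare tuple does not convey; a reader will take it for an exact-key list. A one-line comment above it would fix that: `# Substrings of request/response key names whose values must never be logged (matched in _sanitize).` Note that any field added to a payload later is masked only if its name happens to contain one of these four words, so the comment should also tell maintainers to extend the tuple when they add a new credential-bearing field.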
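Review bot: `_sanitize` assumes `data` is a flat dict with string keys: a nested mapping inside the token response is deep-copied but never masked, and a non-dict JSON body (a list, or a non-string key) makes `s in key` or the item assignment raise, so enabling DEBUG can turn the sanitising step into a failure on an otherwise-handled error response. Matching is also case-sensitive, so keys such as `Password` or `ID_TOKEN` pass through unmasked. I would build a fresh dict instead of deep-copying and patching, recurse into nested dicts, fold case, and give the method a docstring that states the substring-match contract; with that rewrite the `import copy` added in the first hunk becomes unused. `six` is already imported by the module, hence `six.string_types` for the key check.
```python
    def _sanitize(self, data):
        """Return a copy of *data* that is safe to log.

        Values whose key contains any SENSITIVE_KEYS substring (compared
        case-insensitively) are replaced with "***"; nested dicts are
        sanitised recursively. Non-dict input is returned unchanged.
        """
        if not isinstance(data, dict):
            return data
        sanitized = {}
        for key, value in data.items():
            if (isinstance(key, six.string_types) and
                    any(s in key.lower() for s in SENSITIVE_KEYS)):
                sanitized[key] = "***"
            else:
                sanitized[key] = self._sanitize(value)
        return sanitized
```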
@@ -190,11 +201,26 @@ class _OidcBase(federation.FederationBaseAuth):
         client_auth = (self.client_id, self.client_secret)
         access_token_endpoint = self._get_access_token_endpoint(session)
+        if _logger.isEnabledFor(logging.DEBUG):
+            sanitized_payload = self._sanitize(payload)
+            _logger.debug(
+                "Making OpenID-Connect authentication request to %s with "
+                "data %s", access_token_endpoint, sanitized_payload
+            )
+
         op_response = session.post(access_token_endpoint,
                                    requests_auth=client_auth,
                                    data=payload,
+                                   log=False,
                                    authenticated=False)
-        access_token = op_response.json()[self.access_token_type]
+        response = op_response.json()
+        if _logger.isEnabledFor(logging.DEBUG):
+            sanitized_response = self._sanitize(response)
+            _logger.debug(
+                "OpenID-Connect authentication response from %s is %s",
+                access_token_endpoint, sanitized_response
+            )
+        access_token = response[self.access_token_type]
         return access_token
     def _get_keystone_token(self, session, access_token):
-- 
2.34.1
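Review bot: `_logger` is used in both new debug branches but is not bound anywhere in this patch: `import logging` is added, yet no `_logger = logging.getLogger(__name__)` appears in the module-level hunk. Unless the module already defines `_logger` outside these hunks, both branches raise NameError the first time DEBUG logging is enabled, which is exactly when someone would exercise them; if it is already defined, a line in the commit message saying so would have settled the question. The second debug call also hands `response` to `_sanitize` without knowing its shape, so a non-object JSON error body from the provider is only safe if `_sanitize` tolerates non-dict input. The enclosing `_get_access_token` begins above this hunk.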