From 05cf2cf58f6a3d3b1a88ee7e3481a2f0eb7ad7a5 Mon Sep 17 00:00:00 2001 From: Derek Higgins Date: Thu, 3 Nov 2016 15:37:05 +0000 Subject: [PATCH] Mask data before displaying it in debug output --- keystoneauth1/session.py | 3 ++- keystoneauth1/tests/unit/test_session.py | 11 ++++++++--- requirements.txt | 1 + test-requirements.txt | 1 - 4 files changed, 11 insertions(+), 5 deletions(-) diff --git a/keystoneauth1/session.py b/keystoneauth1/session.py index 087a34b..a6df10d 100644 --- a/keystoneauth1/session.py +++ b/keystoneauth1/session.py @@ -22,6 +22,7 @@ import sys import time import uuid +from oslo_utils import strutils from positional import positional import requests import six @@ -337,7 +338,7 @@ class Session(object): data = data.decode("ascii") except UnicodeDecodeError: data = "" - string_parts.append("-d '%s'" % data) + string_parts.append("-d '%s'" % strutils.mask_password(data)) logger.debug(' '.join(string_parts)) diff --git a/keystoneauth1/tests/unit/test_session.py b/keystoneauth1/tests/unit/test_session.py index de4c564..f7d821f 100644 --- a/keystoneauth1/tests/unit/test_session.py +++ b/keystoneauth1/tests/unit/test_session.py 
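Review bot: The masking added on the `-d` line in keystoneauth1/session.py is best-effort, because `strutils.mask_password` redacts only values attached to the secret key names it recognises (such as `password`). A request body that carries a credential under another field name, or as a bare value, still reaches the debug log unchanged. A comment above the call would make that limit visible to maintainers, for example `# mask_password() only redacts known secret key names; other sensitive fields in the body are still logged`. The updated test in test_session.py still asserts that the raw response body appears in the log output, so the response-logging path, which is outside this hunk, appears to remain unmasked and may need the same treatment. The enclosing method starts and ends outside the hunk.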
@@ -193,18 +193,23 @@ class SessionTests(utils.TestCase): 'X-Auth-Token': uuid.uuid4().hex, 'X-Subject-Token': uuid.uuid4().hex, } body = 'BODYRESPONSE' - data = 'BODYDATA' + + secret_data = 'password=ABC' + secret_sanitized = 'password=***' + post_data = 'BODYDATA:' + secret_data + logged_data = 'BODYDATA:' + secret_sanitized + all_headers = dict( itertools.chain(headers.items(), security_headers.items())) self.stub_url('POST', text=body, headers=all_headers) - resp = session.post(self.TEST_URL, headers=all_headers, data=data) + resp = session.post(self.TEST_URL, headers=all_headers, data=post_data) self.assertEqual(resp.status_code, 200) self.assertIn('curl', self.logger.output) self.assertIn('POST', self.logger.output) self.assertIn('--insecure', self.logger.output) self.assertIn(body, self.logger.output) - self.assertIn("'%s'" % data, self.logger.output) + self.assertIn("'%s'" % logged_data, self.logger.output) for k, v in six.iteritems(headers): self.assertIn(k, self.logger.output) diff --git a/requirements.txt b/requirements.txt index f6d31de..6b4d66c 100644 --- a/requirements.txt +++ b/requirements.txt @@ -5,6 +5,7 @@ pbr>=1.6 # Apache-2.0 iso8601>=0.1.11 # MIT positional>=1.1.1 # Apache-2.0 +oslo.utils>=3.17.0 # Apache-2.0 requests>=2.10.0 # Apache-2.0 six>=1.9.0 # MIT stevedore>=1.17.1 # Apache-2.0 diff --git a/test-requirements.txt b/test-requirements.txt index 56abf01..b4219f4 100644 --- a/test-requirements.txt +++ b/test-requirements.txt @@ -12,7 +12,6 @@ fixtures>=3.0.0 # Apache-2.0/BSD mock>=2.0 # BSD oslo.config!=3.18.0,>=3.14.0 # Apache-2.0 oslosphinx>=4.7.0 # Apache-2.0 -oslo.utils>=3.17.0 # Apache-2.0 oslotest>=1.10.0 # Apache-2.0 os-testr>=0.8.0 # Apache-2.0 betamax>=0.7.0 # Apache-2.0 -- 2.1.0
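Review bot: The updated assertions in test_session.py check that the masked form is present but never that the secret is absent, so a second, unmasked copy of the request data elsewhere in the log output would still pass. Adding `self.assertNotIn(secret_data, self.logger.output)` after the `logged_data` assertion would close that gap. The only shape exercised is `password=ABC`; a JSON-style body such as `'{"password": "ABC"}'` (constructed sample) is closer to a real authentication payload and would pin the masking for that form as well. The test method begins and ends outside the hunk.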