NetApp E-series: Do not log passwords in requests
authorAlex Meade <mr.alex.meade@gmail.com>
Sun, 19 Oct 2014 18:31:55 +0000 (14:31 -0400)
committerAlex Meade <mr.alex.meade@gmail.com>
Mon, 22 Dec 2014 12:12:32 +0000 (12:12 +0000)
Previously, requests to the backend that contained passwords were
not scrubbed prior to logging.

Closes-bug: 1383444

Change-Id: I389d5115e4a6ffbae6f0463a62015f6ac01ec2e9

cinder/tests/volume/drivers/netapp/eseries/__init__.py [new file with mode: 0644]
cinder/tests/volume/drivers/netapp/eseries/test_client.py [new file with mode: 0644]
cinder/volume/drivers/netapp/eseries/client.py

diff --git a/cinder/tests/volume/drivers/netapp/eseries/__init__.py b/cinder/tests/volume/drivers/netapp/eseries/__init__.py
new file mode 100644 (file)
index 0000000..e69de29
diff --git a/cinder/tests/volume/drivers/netapp/eseries/test_client.py b/cinder/tests/volume/drivers/netapp/eseries/test_client.py
new file mode 100644 (file)
index 0000000..8aef18c
--- /dev/null
@@ -0,0 +1,46 @@
+# Copyright (c) 2014 Alex Meade
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+import mock
+
+from cinder import test
+from cinder.volume.drivers.netapp.eseries import client
+
+
+class NetAppEseriesClientDriverTestCase(test.TestCase):
+    """Test case for NetApp e-series client."""
+
+    def setUp(self):
+        super(NetAppEseriesClientDriverTestCase, self).setUp()
+        self.mock_log = mock.Mock()
+        self.mock_object(client, 'LOG', self.mock_log)
+        self.fake_password = 'mysecret'
+        self.my_client = client.RestClient('http', 'host', '80', '/test',
+                                           'user', self.fake_password,
+                                           system_id='fake_sys_id')
+        self.my_client.invoke_service = mock.Mock()
+
+    def test_register_storage_system_does_not_log_password(self):
+        self.my_client.register_storage_system([], password=self.fake_password)
+        for call in self.mock_log.debug.mock_calls:
+            __, args, __ = call
+            self.assertNotIn(self.fake_password, args[0])
+
+    def test_update_stored_system_password_does_not_log_password(self):
+        self.my_client.update_stored_system_password(
+            password=self.fake_password)
+        for call in self.mock_log.debug.mock_calls:
+            __, args, __ = call
+            self.assertNotIn(self.fake_password, args[0])
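Review bot: Both tests pass vacuously when `LOG.debug` is never called, because the `for call in self.mock_log.debug.mock_calls` loop then runs zero times; adding `self.assertTrue(self.mock_log.debug.called)` before each loop makes them fail if the log call is removed or moved to another level. The assertion also inspects only `args[0]`, so a later switch to lazy formatting (`LOG.debug(msg, params)`) would move the password into `args[1]` unnoticed; `self.assertNotIn(self.fake_password, str(call))` covers every positional and keyword argument. Since `invoke_service` is mocked in `setUp`, it would also be worth asserting that the unmasked password is still what reaches it (presumably via its `data` argument, to be confirmed against `_invoke`), so the masking can never leak into the real request.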
index 3b144f91f1cf9b98ebfb91fe7e3b9a5c15d32609..c635e8bc2b1107119ebbecfcad80d3f79968b061 100644 (file)
@@ -16,6 +16,7 @@
 Client classes for web services.
 """
 
+import copy
 import json
 
 import requests
@@ -117,8 +118,15 @@ class RestClient(WebserviceClient):
     def _invoke(self, method, path, data=None, use_system=True,
                 timeout=None, verify=False, **kwargs):
         """Invokes end point for resource on path."""
-        params = {'m': method, 'p': path, 'd': data, 'sys': use_system,
-                  't': timeout, 'v': verify, 'k': kwargs}
+        scrubbed_data = copy.deepcopy(data)
+        if scrubbed_data:
+            if 'password' in scrubbed_data:
+                scrubbed_data['password'] = "****"
+            if 'storedPassword' in scrubbed_data:
+                scrubbed_data['storedPassword'] = "****"
+
+        params = {'m': method, 'p': path, 'd': scrubbed_data,
+                  'sys': use_system, 't': timeout, 'v': verify, 'k': kwargs}
         LOG.debug("Invoking rest with method: %(m)s, path: %(p)s,"
                   " data: %(d)s, use_system: %(sys)s, timeout: %(t)s,"
                   " verify: %(v)s, kwargs: %(k)s." % (params))
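Review bot: The scrub in `_invoke` masks only the top-level `password` and `storedPassword` keys of `data`, while `kwargs` is still logged unchanged as `k` and any credential nested inside a list or sub-dict is printed in clear. It also assumes `data` is a mapping: if a caller ever passes an already-serialised string containing the word `password`, the `in` test succeeds as a substring match and the item assignment raises `TypeError` before the request is made. `copy.deepcopy(data)` additionally runs on every call, even when debug logging is disabled. A small recursive helper applied to both `data` and `kwargs` covers these cases without a deep copy (the `import copy` added in the previous hunk would then be unused); `_invoke` continues past the end of this hunk.

```python
_SENSITIVE_KEYS = ('password', 'storedPassword')


def _scrub(value):
    """Return a copy of value with sensitive dict entries masked."""
    if isinstance(value, dict):
        return dict((k, "****" if k in _SENSITIVE_KEYS else _scrub(v))
                    for k, v in value.items())
    if isinstance(value, (list, tuple)):
        return [_scrub(v) for v in value]
    # Strings and other scalars are returned as-is; nothing is indexed.
    return value

    # in RestClient._invoke, replacing the deepcopy block:
        params = {'m': method, 'p': path, 'd': _scrub(data),
                  'sys': use_system, 't': timeout, 'v': verify,
                  'k': _scrub(kwargs)}
        # … unchanged: LOG.debug call …
```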