From ca585bec9d6973a89f6f6b5788c783affe9621a3 Mon Sep 17 00:00:00 2001
From: Derek Higgins
Date: Mon, 21 Nov 2016 13:57:20 +0000
Subject: [PATCH] mask private keys for the ssh power driver.

As this driver is deprecated masking here (opposed to strutils) is simpler, and easier to backport. This can be removed along with support for the ssh power driver.

Change-Id: I107f2ce4ee2cd22558455de7ed595c2b3a7c6845
Closes-Bug: #1638596
---
 ironic/api/controllers/v1/node.py | 8 ++++++++
 ironic/tests/unit/api/v1/test_nodes.py | 12 ++++++++++++
 .../notes/mask-ssh-creds-54ab7b2656578d2e.yaml | 4 ++++
 3 files changed, 24 insertions(+)
 create mode 100644 releasenotes/notes/mask-ssh-creds-54ab7b2656578d2e.yaml
diff --git a/ironic/api/controllers/v1/node.py b/ironic/api/controllers/v1/node.py
index c14cdcfb00..b6b120a4d8 100644
--- a/ironic/api/controllers/v1/node.py
+++ b/ironic/api/controllers/v1/node.py
@@ -838,6 +838,14 @@ class Node(base.APIBase):
 if not show_driver_secrets and node.driver_info != wtypes.Unset:
 node.driver_info = strutils.mask_dict_password(
 node.driver_info, "******")
+
+ # NOTE(derekh): mask ssh keys for the ssh power driver.
+ # As this driver is deprecated masking here (opposed to strutils)
+ # is simpler, and easier to backport. This can be removed along
+ # with support for the ssh power driver.
+ if node.driver_info.get('ssh_key_contents'):
+ node.driver_info['ssh_key_contents'] = "******"
+
 if not show_instance_secrets and node.instance_info != wtypes.Unset:
 node.instance_info = strutils.mask_dict_password(
 node.instance_info, "******")
diff --git a/ironic/tests/unit/api/v1/test_nodes.py b/ironic/tests/unit/api/v1/test_nodes.py
index 917a952470..a3af99e7cb 100644
--- a/ironic/tests/unit/api/v1/test_nodes.py
+++ b/ironic/tests/unit/api/v1/test_nodes.py
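Review bot: The in-place assignment `node.driver_info['ssh_key_contents'] = "******"` in the node.py hunk is safe only because it runs after `node.driver_info` has been rebound to the result of `strutils.mask_dict_password(...)`, which returns a new dict rather than the stored one; the NOTE should say so, e.g. `# Safe to assign in place: driver_info is the masked copy made just above.` Indentation is not recoverable on this page, so please confirm the new `if` sits inside the `if not show_driver_secrets and node.driver_info != wtypes.Unset:` branch; outside it, `.get()` would be called on an unset value and the key would be masked even for callers allowed to see driver secrets. The change masks the key in this API response only; any other path that serializes `driver_info` (logs, notifications) is not visible here and is worth checking separately. The enclosing method of `Node` starts and ends outside the hunk.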
@@ -1043,6 +1043,18 @@ class TestListNodes(test_api_base.BaseApiTest): # rpc_node lookup and pass that downwards mock_vdi.assert_called_once_with(mock.ANY, node.uuid, 'test-topic') + def test_ssh_creds_masked(self): + driver_info = {"ssh_password": "password", "ssh_key_contents": "key"} + node = obj_utils.create_test_node(self.context, + chassis_id=self.chassis.id, + driver_info=driver_info) + data = self.get_json( + '/nodes/%s' % node.uuid, + headers={api_base.Version.string: str(api_v1.MAX_VER)}) + + self.assertEqual("******", data["driver_info"]["ssh_password"]) + self.assertEqual("******", data["driver_info"]["ssh_key_contents"]) + class TestPatch(test_api_base.BaseApiTest): diff --git a/releasenotes/notes/mask-ssh-creds-54ab7b2656578d2e.yaml b/releasenotes/notes/mask-ssh-creds-54ab7b2656578d2e.yaml new file mode 100644 index 0000000000..20f86be420 --- /dev/null +++ b/releasenotes/notes/mask-ssh-creds-54ab7b2656578d2e.yaml @@ -0,0 +1,4 @@ +--- +security: + - private ssh keys are now masked when using the ssh power driver + and node details are requested.
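Review bot: `test_ssh_creds_masked` in test_nodes.py pins only the masked response for a node that carries both credentials, so the `.get('ssh_key_contents')` guard added in node.py has no test for a node that lacks the key. A second case with `driver_info = {"ssh_password": "password"}` that asserts `self.assertNotIn("ssh_key_contents", data["driver_info"])` would show the masking does not invent the field. `TestListNodes` starts outside the hunk.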