Make mask_dict_password consistent with mask_password

mask_password when given a value of:

 {'ipmi_password': 'foo'} will return {'ipmi_password': '****'}

But passing the same dict to mask_dict_password() would return the dict
unchanged.

This fixes it so that it works consistently on which keys will trigger a
masking of the password.

Change-Id: I279f245fa750a57809c9d000137c4f9baf44cd40
Closes-Bug: #1594935

oslo_utils/strutils.py

@@ -357,14 +357,19 @@ def mask_dict_password(dictionary, secret="***"):  # nosec
 
     for k, v in dictionary.items():
         if isinstance(v, dict):
-            v = mask_dict_password(v, secret=secret)
-        elif k in _SANITIZE_KEYS:
-            v = secret
-        elif isinstance(v, six.string_types):
-            v = mask_password(v, secret=secret)
-
-        out[k] = v
-
+            out[k] = mask_dict_password(v, secret=secret)
+            continue
+        # NOTE(jlvillal): Check to see if anything in the dictionary 'key'
+        # contains any key specified in _SANITIZE_KEYS.
+        for sani_key in _SANITIZE_KEYS:
+            if sani_key in k:
+                out[k] = secret
+                break
+        else:
+            # We did not find a match for the key name in the
+            # _SANITIZE_KEYS, so we fall through to here
+            if isinstance(v, six.string_types):
+                out[k] = mask_password(v, secret=secret)
     return out
 
 

oslo_utils/tests/test_strutils.py

@@ -616,6 +616,11 @@ class MaskDictionaryPasswordTestCase(test_base.BaseTestCase):
         self.assertEqual(expected,
                          strutils.mask_dict_password(payload))
 
+        payload = {'ipmi_password': 'KeDrahishvowphyecMornEm0or('}
+        expected = {'ipmi_password': '***'}
+        self.assertEqual(expected,
+                         strutils.mask_dict_password(payload))
+
     def test_do_no_harm(self):
         payload = {}
         expected = {}