Make mask_dict_password case insensitive and add new patterns

In Icc19b7c8bdb6a3182939d5e9fdef21288b19f43d mask_password was made case
insensitive but mask_dict_password wasn't. This update makes the
behaviour of these functions the same.

Instead of lowering _SANITIZE_KEYS each time the source list is lowered.

New password patterns from realworld logs were added to the patterns.

Change-Id: Ic3ee301857630a15b9c26fd5d0fc907c43199517
Related-Bug: #1850843

oslo_utils/strutils.py

@@ -54,12 +54,19 @@ SLUGIFY_STRIP_RE = re.compile(r"[^\w\s-]")
 SLUGIFY_HYPHENATE_RE = re.compile(r"[-\s]+")
 
 
-# NOTE(flaper87): The following globals are used by `mask_password`
+# NOTE(flaper87): The following globals are used by `mask_password` and
-_SANITIZE_KEYS = ['adminPass', 'admin_pass', 'password', 'admin_password',
+#                 `mask_dict_password`
+_SANITIZE_KEYS = ['adminpass', 'admin_pass', 'password', 'admin_password',
                   'auth_token', 'new_pass', 'auth_password', 'secret_uuid',
                   'secret', 'sys_pswd', 'token', 'configdrive',
-                  'CHAPPASSWORD', 'encrypted_key', 'private_key',
+                  'chappassword', 'encrypted_key', 'private_key',
-                  'encryption_key_id', 'fernetkey', 'sslkey', 'passphrase']
+                  'encryption_key_id', 'fernetkey', 'sslkey', 'passphrase',
+                  'cephclusterfsid', 'octaviaheartbeatkey', 'rabbitcookie',
+                  'cephmanilaclientkey', 'pacemakerremoteauthkey',
+                  'designaterndckey', 'cephadminkey', 'heatauthencryptionkey',
+                  'cephclientkey', 'keystonecredential',
+                  'barbicansimplecryptokek', 'cephrgwkey', 'swifthashsuffix',
+                  'migrationsshkey', 'cephmdskey', 'cephmonkey']
 
 # NOTE(ldbragst): Let's build a list of regex objects using the list of
 # _SANITIZE_KEYS we already have. This way, we only have to add the new key
@@ -406,7 +413,7 @@ def mask_dict_password(dictionary, secret="***"):  # nosec
         k_matched = False
         if isinstance(k, six.string_types):
             for sani_key in _SANITIZE_KEYS:
-                if sani_key in k:
+                if sani_key.lower() in k.lower():
                     out[k] = secret
                     k_matched = True
                     break

oslo_utils/tests/test_strutils.py

@@ -717,6 +717,16 @@ class MaskDictionaryPasswordTestCase(test_base.BaseTestCase):
         self.assertEqual(expected,
                          strutils.mask_dict_password(payload))
 
+        payload = {'passwords': {'KeystoneFernetKey1': 'c5FijjS'}}
+        expected = {'passwords': {'KeystoneFernetKey1': '***'}}
+        self.assertEqual(expected,
+                         strutils.mask_dict_password(payload))
+
+        payload = {'passwords': {'keystonecredential0': 'c5FijjS'}}
+        expected = {'passwords': {'keystonecredential0': '***'}}
+        self.assertEqual(expected,
+                         strutils.mask_dict_password(payload))
+
     def test_do_no_harm(self):
         payload = {}
         expected = {}

releasenotes/notes/mask-dict-passwords-99357ffb7972fb0b.yaml

@@ -0,0 +1,9 @@
+---
+security:
+  - |
+    This patch ensures that we mask sensitive data when masking dicts, even if
+    the case doesn't match. This means the behaviour of mask_password and
+    mask_dict_password is now the same.
+  - |
+    Additional password names were included from real world logs that contained
+    sensitive information.