config: Also mask non-prefix config
The 'config show' command will show information about your current
configuration. When using a 'cloud.yaml' file and the 'OS_CLOUD'
environment variable, the output of this will look like so:
$ openstack config show
+---------------------------------------------+----------------------------------+
| Field | Value |
+---------------------------------------------+----------------------------------+
| additional_user_agent | [('osc-lib', '2.6.0')] |
| api_timeout | None |
| auth.auth_url | https://example.com:13000 |
| auth.password | <redacted> |
| auth.project_domain_id | default |
| auth.project_id | c73b7097d07c46f78eb4b4dcfbac5ca8 |
| auth.project_name | test-project |
| auth.user_domain_name | example.com |
| auth.username | john-doe |
...
All of the 'auth.'-prefixed values are extracted from the corresponding
entry in the 'clouds.yaml' file. You'll note that the 'auth.password'
value is not shown. Instead, it is masked and replaced with
'<redacted>'.
However, a 'clouds.yaml' file is not the only way to configure these
tools. You can also use old school environment variables. By using an
openrc file from Horizon (or the clouds2env tool [1]), we will set
various 'OS_'-prefixed environment variables. When you use the 'config
show' command with these environment variables set, we will see all of
these values appear in the output *without* an 'auth.' prefix. Scanning
down we will see the password value is not redacted.
$ openstack config show
+---------------------------------------------+----------------------------------+
| Field | Value |
+---------------------------------------------+----------------------------------+
| additional_user_agent | [('osc-lib', '2.6.0')] |
| api_timeout | None |
...
| password | secret-password |
...
This will also happen if using tokens. This is obviously incorrect.
These should be masked also. Make it so. This involves enhancing our
fake config generation code to generate config that looks like it came
from environment variables.
Change-Id: I560b928e5e6bcdcd89c409e0678dfc0d0b056c0e
Story: 2008816
Task: 42260
This commit is contained in:
ryanKor
Seongsoo Cho
parent
366e164738
commit
62c52f5e61
@ -45,7 +45,6 @@ class ShowConfiguration(command.ShowOne):
|
||||
return parser
|
||||
|
||||
def take_action(self, parsed_args):
|
||||
|
||||
info = self.app.client_manager.get_configuration()
|
||||
|
||||
# Assume a default secret list in case we do not have an auth_plugin
|
||||
@ -63,4 +62,9 @@ class ShowConfiguration(command.ShowOne):
|
||||
value = REDACTED
|
||||
info['auth.' + key] = value
|
||||
|
||||
if parsed_args.mask:
|
||||
for secret_opt in secret_opts:
|
||||
if secret_opt in info:
|
||||
info[secret_opt] = REDACTED
|
||||
|
||||
return zip(*sorted(info.items()))
|
||||
|
||||
@ -35,11 +35,14 @@ class TestConfiguration(utils.TestCommand):
|
||||
fakes.REGION_NAME,
|
||||
)
|
||||
|
||||
opts = [mock.Mock(secret=True, dest="password"),
|
||||
mock.Mock(secret=True, dest="token")]
|
||||
opts = [
|
||||
mock.Mock(secret=True, dest="password"),
|
||||
mock.Mock(secret=True, dest="token"),
|
||||
]
|
||||
|
||||
@mock.patch("keystoneauth1.loading.base.get_plugin_options",
|
||||
return_value=opts)
|
||||
@mock.patch(
|
||||
"keystoneauth1.loading.base.get_plugin_options", return_value=opts
|
||||
)
|
||||
def test_show(self, m_get_plugin_opts):
|
||||
arglist = []
|
||||
verifylist = [('mask', True)]
|
||||
@ -51,12 +54,14 @@ class TestConfiguration(utils.TestCommand):
|
||||
self.assertEqual(self.columns, columns)
|
||||
self.assertEqual(self.datalist, data)
|
||||
|
||||
@mock.patch("keystoneauth1.loading.base.get_plugin_options",
|
||||
return_value=opts)
|
||||
@mock.patch(
|
||||
"keystoneauth1.loading.base.get_plugin_options", return_value=opts
|
||||
)
|
||||
def test_show_unmask(self, m_get_plugin_opts):
|
||||
arglist = ['--unmask']
|
||||
verifylist = [('mask', False)]
|
||||
cmd = configuration.ShowConfiguration(self.app, None)
|
||||
|
||||
parsed_args = self.check_parser(cmd, arglist, verifylist)
|
||||
|
||||
columns, data = cmd.take_action(parsed_args)
|
||||
@ -71,15 +76,49 @@ class TestConfiguration(utils.TestCommand):
|
||||
)
|
||||
self.assertEqual(datalist, data)
|
||||
|
||||
@mock.patch("keystoneauth1.loading.base.get_plugin_options",
|
||||
return_value=opts)
|
||||
def test_show_mask(self, m_get_plugin_opts):
|
||||
@mock.patch(
|
||||
"keystoneauth1.loading.base.get_plugin_options", return_value=opts
|
||||
)
|
||||
def test_show_mask_with_cloud_config(self, m_get_plugin_opts):
|
||||
arglist = ['--mask']
|
||||
verifylist = [('mask', True)]
|
||||
self.app.client_manager.configuration_type = "cloud_config"
|
||||
cmd = configuration.ShowConfiguration(self.app, None)
|
||||
|
||||
parsed_args = self.check_parser(cmd, arglist, verifylist)
|
||||
|
||||
columns, data = cmd.take_action(parsed_args)
|
||||
|
||||
self.assertEqual(self.columns, columns)
|
||||
self.assertEqual(self.datalist, data)
|
||||
|
||||
@mock.patch(
|
||||
"keystoneauth1.loading.base.get_plugin_options", return_value=opts
|
||||
)
|
||||
def test_show_mask_with_global_env(self, m_get_plugin_opts):
|
||||
arglist = ['--mask']
|
||||
verifylist = [('mask', True)]
|
||||
self.app.client_manager.configuration_type = "global_env"
|
||||
column_list = (
|
||||
'identity_api_version',
|
||||
'password',
|
||||
'region',
|
||||
'token',
|
||||
'username',
|
||||
)
|
||||
datalist = (
|
||||
fakes.VERSION,
|
||||
configuration.REDACTED,
|
||||
fakes.REGION_NAME,
|
||||
configuration.REDACTED,
|
||||
fakes.USERNAME,
|
||||
)
|
||||
|
||||
cmd = configuration.ShowConfiguration(self.app, None)
|
||||
|
||||
parsed_args = self.check_parser(cmd, arglist, verifylist)
|
||||
|
||||
columns, data = cmd.take_action(parsed_args)
|
||||
|
||||
self.assertEqual(column_list, columns)
|
||||
self.assertEqual(datalist, data)
|
||||
|
||||
@ -11,7 +11,6 @@
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
#
|
||||
|
||||
import json
|
||||
import sys
|
||||
@ -49,21 +48,6 @@ TEST_RESPONSE_DICT_V3.set_project_scope()
|
||||
TEST_VERSIONS = fixture.DiscoveryList(href=AUTH_URL)
|
||||
|
||||
|
||||
def to_unicode_dict(catalog_dict):
|
||||
"""Converts dict to unicode dict
|
||||
|
||||
"""
|
||||
if isinstance(catalog_dict, dict):
|
||||
return {to_unicode_dict(key): to_unicode_dict(value)
|
||||
for key, value in catalog_dict.items()}
|
||||
elif isinstance(catalog_dict, list):
|
||||
return [to_unicode_dict(element) for element in catalog_dict]
|
||||
elif isinstance(catalog_dict, str):
|
||||
return catalog_dict + u""
|
||||
else:
|
||||
return catalog_dict
|
||||
|
||||
|
||||
class FakeStdout(object):
|
||||
|
||||
def __init__(self):
|
||||
@ -142,18 +126,30 @@ class FakeClientManager(object):
|
||||
self.network_endpoint_enabled = True
|
||||
self.compute_endpoint_enabled = True
|
||||
self.volume_endpoint_enabled = True
|
||||
# The source of configuration. This is either 'cloud_config' (a
|
||||
# clouds.yaml file) or 'global_env' ('OS_'-prefixed envvars)
|
||||
self.configuration_type = 'cloud_config'
|
||||
|
||||
def get_configuration(self):
|
||||
return {
|
||||
'auth': {
|
||||
'username': USERNAME,
|
||||
'password': PASSWORD,
|
||||
'token': AUTH_TOKEN,
|
||||
},
|
||||
|
||||
config = {
|
||||
'region': REGION_NAME,
|
||||
'identity_api_version': VERSION,
|
||||
}
|
||||
|
||||
if self.configuration_type == 'cloud_config':
|
||||
config['auth'] = {
|
||||
'username': USERNAME,
|
||||
'password': PASSWORD,
|
||||
'token': AUTH_TOKEN,
|
||||
}
|
||||
elif self.configuration_type == 'global_env':
|
||||
config['username'] = USERNAME
|
||||
config['password'] = PASSWORD
|
||||
config['token'] = AUTH_TOKEN
|
||||
|
||||
return config
|
||||
|
||||
def is_network_endpoint_enabled(self):
|
||||
return self.network_endpoint_enabled
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user