openstack/python-openstackclient
Code Issues Proposed changes
77266bd9c3
python-openstackclient/openstackclient/common/configuration.py
ryanKor 62c52f5e61 config: Also mask non-prefix config 
The 'config show' command will show information about your current
configuration. When using a 'cloud.yaml' file and the 'OS_CLOUD'
environment variable, the output of this will look like so:

  $ openstack config show
  +---------------------------------------------+----------------------------------+
  | Field                                       | Value                            |
  +---------------------------------------------+----------------------------------+
  | additional_user_agent                       | [('osc-lib', '2.6.0')]           |
  | api_timeout                                 | None                             |
  | auth.auth_url                               | https://example.com:13000        |
  | auth.password                               | <redacted>                       |
  | auth.project_domain_id                      | default                          |
  | auth.project_id                             | c73b7097d07c46f78eb4b4dcfbac5ca8 |
  | auth.project_name                           | test-project                     |
  | auth.user_domain_name                       | example.com                      |
  | auth.username                               | john-doe                         |
  ...

All of the 'auth.'-prefixed values are extracted from the corresponding
entry in the 'clouds.yaml' file. You'll note that the 'auth.password'
value is not shown. Instead, it is masked and replaced with
'<redacted>'.

However, a 'clouds.yaml' file is not the only way to configure these
tools. You can also use old school environment variables. By using an
openrc file from Horizon (or the clouds2env tool [1]), we will set
various 'OS_'-prefixed environment variables. When you use the 'config
show' command with these environment variables set, we will see all of
these values appear in the output *without* an 'auth.' prefix. Scanning
down we will see the password value is not redacted.

  $ openstack config show
  +---------------------------------------------+----------------------------------+
  | Field                                       | Value                            |
  +---------------------------------------------+----------------------------------+
  | additional_user_agent                       | [('osc-lib', '2.6.0')]           |
  | api_timeout                                 | None                             |
  ...
  | password                                    | secret-password                  |
  ...

This will also happen if using tokens. This is obviously incorrect.
These should be masked also. Make it so. This involves enhancing our
fake config generation code to generate config that looks like it came
from environment variables.

Change-Id: I560b928e5e6bcdcd89c409e0678dfc0d0b056c0e
Story: 2008816
Task: 42260
2022-08-01 19:54:44 +09:00

71 lines
2.3 KiB
Python
Raw Blame History

# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
"""Configuration action implementations"""
from keystoneauth1.loading import base
from osc_lib.command import command
from openstackclient.i18n import _
REDACTED = "<redacted>"
class ShowConfiguration(command.ShowOne):
_description = _("Display configuration details")
auth_required = False
def get_parser(self, prog_name):
parser = super(ShowConfiguration, self).get_parser(prog_name)
mask_group = parser.add_mutually_exclusive_group()
mask_group.add_argument(
"--mask",
dest="mask",
action="store_true",
default=True,
help=_("Attempt to mask passwords (default)"),
)
mask_group.add_argument(
"--unmask",
dest="mask",
action="store_false",
help=_("Show password in clear text"),
)
return parser
def take_action(self, parsed_args):
info = self.app.client_manager.get_configuration()
# Assume a default secret list in case we do not have an auth_plugin
secret_opts = ["password", "token"]
if getattr(self.app.client_manager, "auth_plugin_name", None):
auth_plg_name = self.app.client_manager.auth_plugin_name
secret_opts = [
o.dest for o in base.get_plugin_options(auth_plg_name)
if o.secret
]
for key, value in info.pop('auth', {}).items():
if parsed_args.mask and key.lower() in secret_opts:
value = REDACTED
info['auth.' + key] = value
if parsed_args.mask:
for secret_opt in secret_opts:
if secret_opt in info:
info[secret_opt] = REDACTED
return zip(*sorted(info.items()))
View Git Blame Copy Permalink