From d1340572c500f13442d467fc6863b1be796060fd Mon Sep 17 00:00:00 2001
From: Arun Kant
Date: Thu, 7 Apr 2016 15:16:12 -0700
Subject: [PATCH] Censoring secrets payload value from debug log
Added utility method to censor dict values by keys.
Change-Id: I1ec4050c9f9e0906635eff764add16b4b804804e
Closes-Bug: #1567029
---
barbicanclient/base.py | 8 ++++++++
barbicanclient/containers.py | 3 ++-
barbicanclient/secrets.py | 4 ++--
barbicanclient/tests/test_base.py | 10 ++++++++++
4 files changed, 22 insertions(+), 3 deletions(-)
diff --git a/barbicanclient/base.py b/barbicanclient/base.py
index 56313ad0..168ece12 100644
--- a/barbicanclient/base.py
+++ b/barbicanclient/base.py
@@ -22,6 +22,14 @@ def filter_null_keys(dictionary):
return dict(((k, v) for k, v in dictionary.items() if v is not None))
+def censored_copy(data_dict, censor_keys):
+ '''Returns redacted dict copy for censored keys'''
+ if censor_keys is None:
+ censor_keys = []
+ return {k: v if k not in censor_keys else '' for k, v in
+ data_dict.items()}
+
+
def validate_ref(ref, entity):
"""Verifies that there is a real uuid at the end of the uri
diff --git a/barbicanclient/containers.py b/barbicanclient/containers.py
index 5cae098b..a2c17f3e 100644
--- a/barbicanclient/containers.py
+++ b/barbicanclient/containers.py
@@ -221,7 +221,8 @@ class Container(ContainerFormatter):
def _get_secrets_and_store_them_if_necessary(self):
# Save all secrets if they are not yet saved
- LOG.debug("Storing secrets: {0}".format(self.secrets))
+ LOG.debug("Storing secrets: {0}".format(base.censored_copy(
+ self.secrets, ['payload'])))
secret_refs = []
for name, secret in six.iteritems(self.secrets):
if secret and not secret.secret_ref:
diff --git a/barbicanclient/secrets.py b/barbicanclient/secrets.py
index 6b5ce9c3..cf707ba6 100644
--- a/barbicanclient/secrets.py
+++ b/barbicanclient/secrets.py
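Review bot: In barbicanclient/base.py, `censored_copy` compares only the top-level keys of `data_dict` against `censor_keys`, so a sensitive value held inside a nested dict or list, or under a key that is not in the list, is copied through unredacted, and the one-line docstring does not say so. I would state that limit in the docstring, e.g. `"""Return a shallow copy of data_dict with the values of top-level keys listed in censor_keys redacted."""`. That wording also switches to the `"""` quoting that `validate_ref` uses just below in the same file.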
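Review bot: In barbicanclient/containers.py the `['payload']` filter probably never matches. The loop right below iterates `self.secrets` as `name, secret` pairs and reads `secret.secret_ref`, so the keys are secret names and the values are objects rather than dicts with a `payload` key. What reaches the log is still the string form of each value, and whether that exposes the payload depends on the `Secret` repr, which is outside this hunk. Logging only the names avoids relying on it, e.g. `LOG.debug("Storing secrets: %s", list(self.secrets))`. The method body continues past the end of the hunk.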
@@ -331,8 +331,8 @@ class Secret(SecretFormatter):
secret_dict['payload_content_type'] = u'text/plain'
secret_dict = base.filter_null_keys(secret_dict)
-
- LOG.debug("Request body: {0}".format(secret_dict))
+ LOG.debug("Request body: {0}".format(base.censored_copy(secret_dict,
+ ['payload'])))
# Save, store secret_ref and return
response = self._api.post(self._entity, json=secret_dict)
diff --git a/barbicanclient/tests/test_base.py b/barbicanclient/tests/test_base.py
index a186c4c4..d03aa9dc 100644
--- a/barbicanclient/tests/test_base.py
+++ b/barbicanclient/tests/test_base.py
@@ -12,3 +12,13 @@ class TestValidateRef(testtools.TestCase):
def test_invalid_uuid(self):
ref = 'http://localhost/not_a_uuid'
self.assertRaises(ValueError, base.validate_ref, ref, 'Thing')
+
+ def test_censored_copy(self):
+ d1 = {'a': '1', 'password': 'my_password', 'payload': 'my_key',
+ 'b': '2'}
+ d2 = base.censored_copy(d1, None)
+ self.assertEqual(d1, d2, 'd2 contents are unchanged')
+ self.assertFalse(d1 is d2, 'd1 and d2 are different instances')
+ d3 = base.censored_copy(d1, ['payload'])
+ self.assertNotEqual(d1, d3, 'd3 has redacted payload value')
+ self.assertNotEqual(d3['payload'], 'my_key', 'no key in payload')
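Review bot: In barbicanclient/secrets.py only this one log line is censored, while the next statement still passes the full `secret_dict` to `self._api.post(self._entity, json=secret_dict)`. If the HTTP layer behind `_api` logs request bodies at debug level (not visible in this hunk), the payload would still be written to the log, so that is worth confirming before treating the bug as closed by this change alone. Separately, `str.format` builds the message even when debug logging is off; `LOG.debug("Request body: %s", base.censored_copy(secret_dict, ['payload']))` defers the formatting, and the same applies to the call in containers.py. The enclosing method starts and ends outside the hunk.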
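Review bot: In barbicanclient/tests/test_base.py, `test_censored_copy` would still pass if `censored_copy` dropped or altered the keys it was not asked to censor, because the last two assertions only check that something differs from `d1`. Pinning the rest of the result closes that gap, e.g. `self.assertEqual(set(d1), set(d3))` and `self.assertEqual('my_password', d3['password'])` after the `d3` call. Asserting the exact replacement value for `d3['payload']` would also catch a regression where the secret is only partly masked.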