mask private keys for the ssh power driver.

As this driver is deprecated masking here (opposed to strutils) is simpler, and easier to backport. This can be removed along with support for the ssh power driver. Change-Id: I107f2ce4ee2cd22558455de7ed595c2b3a7c6845 Closes-Bug: #1638596
2016-11-21 13:57:20 +00:00 · 2016-11-21 13:57:20 +00:00 · ca585bec9d
commit ca585bec9d
parent 5a8d3d6594
3 changed files with 24 additions and 0 deletions
--- a/ironic/api/controllers/v1/node.py
+++ b/ironic/api/controllers/v1/node.py
@ -838,6 +838,14 @@ class Node(base.APIBase):
        if not show_driver_secrets and node.driver_info != wtypes.Unset:
            node.driver_info = strutils.mask_dict_password(
                node.driver_info, "******")
+
+            # NOTE(derekh): mask ssh keys for the ssh power driver.
+            # As this driver is deprecated masking here (opposed to strutils)
+            # is simpler, and easier to backport. This can be removed along
+            # with support for the ssh power driver.
+            if node.driver_info.get('ssh_key_contents'):
+                node.driver_info['ssh_key_contents'] = "******"
+
        if not show_instance_secrets and node.instance_info != wtypes.Unset:
            node.instance_info = strutils.mask_dict_password(
                node.instance_info, "******")
--- a/ironic/tests/unit/api/v1/test_nodes.py
+++ b/ironic/tests/unit/api/v1/test_nodes.py
@ -1043,6 +1043,18 @@ class TestListNodes(test_api_base.BaseApiTest):
        # rpc_node lookup and pass that downwards
        mock_vdi.assert_called_once_with(mock.ANY, node.uuid, 'test-topic')

+    def test_ssh_creds_masked(self):
+        driver_info = {"ssh_password": "password", "ssh_key_contents": "key"}
+        node = obj_utils.create_test_node(self.context,
+                                          chassis_id=self.chassis.id,
+                                          driver_info=driver_info)
+        data = self.get_json(
+            '/nodes/%s' % node.uuid,
+            headers={api_base.Version.string: str(api_v1.MAX_VER)})
+
+        self.assertEqual("******", data["driver_info"]["ssh_password"])
+        self.assertEqual("******", data["driver_info"]["ssh_key_contents"])
+

 class TestPatch(test_api_base.BaseApiTest):

--- a/releasenotes/notes/mask-ssh-creds-54ab7b2656578d2e.yaml
+++ b/releasenotes/notes/mask-ssh-creds-54ab7b2656578d2e.yaml
@ -0,0 +1,4 @@
+---
+security:
+  - private ssh keys are now masked when using the ssh power driver
+    and node details are requested.