From f0a81c284d2f533e0fe8adc747c5bd0532a7684f Mon Sep 17 00:00:00 2001
From: lin-hua-cheng <os.lcheng@gmail.com>
Date: Tue, 6 Oct 2015 20:42:40 -0700
Subject: [PATCH] Mask the sensitive values in debug log

Change-Id: I0eb11a648c3be21749690f079229c8e63a678e6c
Closes-Bug: #1501598
---
 openstackclient/common/clientmanager.py |  4 +++-
 openstackclient/shell.py                | 10 +++++++---
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/openstackclient/common/clientmanager.py b/openstackclient/common/clientmanager.py
index 55c6fe53f0..edabf65e57 100644
--- a/openstackclient/common/clientmanager.py
+++ b/openstackclient/common/clientmanager.py
@@ -20,6 +20,7 @@ import logging
 import pkg_resources
 import sys
 
+from oslo_utils import strutils
 import requests
 
 from openstackclient.api import auth
@@ -167,7 +168,8 @@ class ClientManager(object):
             self._project_name = self._auth_params['tenant_name']
 
         LOG.info('Using auth plugin: %s' % self.auth_plugin_name)
-        LOG.debug('Using parameters %s' % self._auth_params)
+        LOG.debug('Using parameters %s' %
+                  strutils.mask_password(self._auth_params))
         self.auth = auth_plugin.load_from_options(**self._auth_params)
         # needed by SAML authentication
         request_session = requests.session()
diff --git a/openstackclient/shell.py b/openstackclient/shell.py
index 5b36b8b2fa..1a5055bd42 100644
--- a/openstackclient/shell.py
+++ b/openstackclient/shell.py
@@ -25,6 +25,7 @@ from cliff import app
 from cliff import command
 from cliff import complete
 from cliff import help
+from oslo_utils import strutils
 
 import openstackclient
 from openstackclient.common import clientmanager
@@ -201,8 +202,10 @@ class OpenStackShell(app.App):
 
         # Parent __init__ parses argv into self.options
         super(OpenStackShell, self).initialize_app(argv)
-        self.log.info("START with options: %s", self.command_options)
-        self.log.debug("options: %s", self.options)
+        self.log.info("START with options: %s",
+                      strutils.mask_password(self.command_options))
+        self.log.debug("options: %s",
+                       strutils.mask_password(self.options))
 
         # Set the default plugin to token_endpoint if url and token are given
         if (self.options.url and self.options.token):
@@ -246,7 +249,8 @@ class OpenStackShell(app.App):
         self.log_configurator.configure(self.cloud)
         self.dump_stack_trace = self.log_configurator.dump_trace
         self.log.debug("defaults: %s", cc.defaults)
-        self.log.debug("cloud cfg: %s", self.cloud.config)
+        self.log.debug("cloud cfg: %s",
+                       strutils.mask_password(self.cloud.config))
 
         # Set up client TLS
         # NOTE(dtroyer): --insecure is the non-default condition that