From: Alfredo Deza
Date: Mon, 16 Oct 2017 10:50:27 +0000 (-0400)
Subject: ceph-volume process allow obfuscating a key or index when logging commands
X-Git-Tag: v13.0.1~463^2~33
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=bbcca70d962855d991f0aa8e86a19f1855345668;p=ceph.git
ceph-volume process allow obfuscating a key or index when logging commands
Signed-off-by: Alfredo Deza
---
diff --git a/src/ceph-volume/ceph_volume/process.py b/src/ceph-volume/ceph_volume/process.py
index 188e730c97bb..4b6a9c284741 100644
--- a/src/ceph-volume/ceph_volume/process.py
+++ b/src/ceph-volume/ceph_volume/process.py
@@ -48,6 +48,47 @@ def log_descriptors(reads, process, terminal_logging):
 pass
+def obfuscate(command_, on=None):
+ """
+ Certain commands that are useful to log might contain information that
+ should be replaced by '*' like when creating OSDs and the keyryings are
+ being passed, which should not be logged.
+
+ :param on: A string (will match a flag) or an integer (will match an index)
+
+ If matching on a flag (when ``on`` is a string) it will obfuscate on the
+ value for that flag. That is a command like ['ls', '-l', '/'] that calls
+ `obfuscate(command, on='-l')` will obfustace '/' which is the value for
+ `-l`.
+
+ The reason for `on` to allow either a string or an integer, altering
+ behavior for both is because it is easier for ``run`` and ``call`` to just
+ pop a value to obfuscate (vs. allowing an index or a flag)
+ """
+ command = command_[:]
+ msg = "Running command: %s" % ' '.join(command)
+ if on in [None, False]:
+ return msg
+
+ if isinstance(on, int):
+ index = on
+
+ else:
+ try:
+ index = command.index(on) + 1
+ except ValueError:
+ # if the flag just doesn't exist then it doesn't matter just return
+ # the base msg
+ return msg
+
+ try:
+ command[index] = '*' * len(command[index])
+ except IndexError: # the index was completely out of range
+ return msg
+
+ return "Running command: %s" % ' '.join(command)
+
+
 def run(command, **kw):
 """
 A real-time-logging implementation of a remote subprocess.Popen call where
@@ -57,7 +98,7 @@ def run(command, **kw):
 :param stop_on_error: If a nonzero exit status is return, it raises a ``RuntimeError``
 """
 stop_on_error = kw.pop('stop_on_error', True)
- command_msg = "Running command: %s" % ' '.join(command)
+ command_msg = obfuscate(command, kw.pop('obfuscate', None))
 stdin = kw.pop('stdin', None)
 logger.info(command_msg)
 terminal.write(command_msg)
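Review bot: The redaction in `obfuscate` fails open: when `on` names a flag that is not a standalone list element (a single `--flag=value` token, for instance) or the index is out of range, both `except` branches return the unmasked `msg`, so the secret is logged in full with no sign that masking was skipped. I would at least state that contract in the docstring, e.g. `The value must be its own element of the list, directly after the flag; if nothing matches, the command is logged unmasked.` Separately, `on in [None, False]` is an equality test, so `on=0` is treated as "no obfuscation", and `isinstance(on, int)` also accepts `True`; `if on is None or on is False:` together with `if isinstance(on, int) and not isinstance(on, bool):` keeps the two modes apart. The `'*' * len(command[index])` mask also preserves the value's length in the log, which a fixed-width mask would avoid.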
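Review bot: The new `obfuscate` keyword popped from `kw` in `run` is undocumented: the docstring lines visible in this hunk describe `stop_on_error` only, so I would add `:param obfuscate: A flag (string) or index (integer) whose value is replaced with '*' in the logged command`. The masking applies only to `command_msg`, which then goes to `logger.info` and `terminal.write`; the rest of `run` lies outside the hunk, so any later message that echoes `command` would need the same helper, which is worth confirming. The `obfuscate` docstring says `call` pops this value too, but this diff changes only `run`.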