From 3f2f70e0785e11434f6f863ce8eacc1b0ef1782d Mon Sep 17 00:00:00 2001
From: Zhongyue Luo
Date: Wed, 31 Jul 2013 16:46:00 +0800
Subject: Helper function to sanitize db url credentials The database url is sanitized in logfiles because of security issues. However the connected url itself is useful information to devs and admins. This patch provides a helper function to sanitize only the credentials in a database url. All projects must process the CONF.database.connection value using "sanitize_db_url" when updating the db package Fixes bug #1076833
Change-Id: Id6cf7b120ef6c3fcda7f33fd26676b62a4475bb2
---
 openstack/common/db/sqlalchemy/session.py | 6 ++----
 openstack/common/db/sqlalchemy/utils.py | 11 +++++++++++
 2 files changed, 13 insertions(+), 4 deletions(-)
(limited to 'openstack')
diff --git a/openstack/common/db/sqlalchemy/session.py b/openstack/common/db/sqlalchemy/session.py
index e83009c..236136e 100644
--- a/openstack/common/db/sqlalchemy/session.py
+++ b/openstack/common/db/sqlalchemy/session.py
@@ -279,13 +279,11 @@ database_opts = [
 deprecated_opts=[cfg.DeprecatedOpt('sql_connection',
 group='DEFAULT'),
 cfg.DeprecatedOpt('sql_connection',
- group='DATABASE')],
- secret=True),
+ group='DATABASE')]),
 cfg.StrOpt('slave_connection',
 default='',
 help='The SQLAlchemy connection string used to connect to the '
- 'slave database',
- secret=True),
+ 'slave database'),
 cfg.IntOpt('idle_timeout',
 default=3600,
 deprecated_opts=[cfg.DeprecatedOpt('sql_idle_timeout',
diff --git a/openstack/common/db/sqlalchemy/utils.py b/openstack/common/db/sqlalchemy/utils.py
index caf5569..64edec2 100644
--- a/openstack/common/db/sqlalchemy/utils.py
+++ b/openstack/common/db/sqlalchemy/utils.py
@@ -18,6 +18,8 @@
 # License for the specific language governing permissions and limitations
 # under the License.
+import re
+
 from migrate.changeset import UniqueConstraint
 import sqlalchemy
 from sqlalchemy import Boolean
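Review bot: Dropping `secret=True` from `connection` and `slave_connection` in the `database_opts` hunk of session.py removes the masking that, as far as I know, the option framework applies on its own when it dumps configuration values, so such a dump would presumably print the full URL including the password. The new `sanitize_db_url` helper only protects call sites that remember to use it, and the commit message itself relies on every project doing so. I would keep `secret=True),` on both options and call `sanitize_db_url(CONF.database.connection)` only at the explicit log statements where the host and database name are wanted. The `database_opts` list starts and ends outside the hunk, so the other options were not reviewed.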
@@ -45,6 +47,15 @@ from openstack.common import timeutils
 LOG = logging.getLogger(__name__)
+_DBURL_REGEX = re.compile(r"[^:]+://([^:]+):([^@]+)@.+")
+
+
+def sanitize_db_url(url):
+ match = _DBURL_REGEX.match(url)
+ if match:
+ return '%s****:****%s' % (url[:match.start(1)], url[match.end(2):])
+ return url
+
 class InvalidSortKey(Exception):
 message = _("Sort key supplied was not valid.")
-- cgit
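Review bot: `sanitize_db_url` fails open: `_DBURL_REGEX` ends the password group at the first `@`, so for a URL whose password contains a literal `@` the rest of the password is returned after the mask, and a URL that does not match at all is returned untouched. For a function whose purpose is keeping credentials out of logs I would bias towards over-masking, e.g. `_DBURL_REGEX = re.compile(r"[^:]+://([^:]+):(.+)@.+")`, accepting that an `@` in the query string then hides the host as well. The function also has no docstring; one sentence stating that only the `user:password` part is replaced with `****:****` and that unmatched input is returned as-is would tell callers what they can rely on.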