Merge pull request #140 from stackhpc/upstream/2023.1-2026-03-16

Synchronise 2023.1 with upstream

Author: priteau

cloudkitty/common/policy.py

@@ -23,6 +23,7 @@
 from oslo_policy import opts as policy_opts
 from oslo_policy import policy
 from oslo_utils import excutils
+from oslo_utils import strutils
 
 from cloudkitty.common import policies
 
@@ -108,8 +109,9 @@ def authorize(context, action, target):
     init()
 
     try:
-        LOG.debug('Authenticating user with credentials %(credentials)s',
-                  {'credentials': context.to_dict()})
+        LOG.debug(
+            'Authenticating user with credentials %(credentials)s',
+            {'credentials': strutils.mask_dict_password(context.to_dict())})
         return _ENFORCER.authorize(action, target, context,
                                    do_raise=True,
                                    exc=PolicyNotAuthorized,
@@ -120,9 +122,12 @@ def authorize(context, action, target):
             LOG.exception('Policy not registered')
     except Exception:
         with excutils.save_and_reraise_exception():
-            LOG.error('Policy check for %(action)s failed with credentials '
-                      '%(credentials)s',
-                      {'action': action, 'credentials': context.to_dict()})
+            LOG.error(
+                'Policy check for %(action)s failed with credentials '
+                '%(credentials)s', {
+                    'action': action,
+                    'credentials': strutils.mask_dict_password(
+                        context.to_dict())})
 
 
 def check_is_admin(context):

releasenotes/notes/hide-token-from-log-e29066d6c93f3ed4.yaml

@@ -0,0 +1,6 @@
+---
+security:
+  - |
+    Previously, cloudkitty-api recorded request token in plain text format when
+    a request does not comply with policy rules or debug log is enabled. This
+    has been fixed and now token is masked in logs.