4 files changed, 81 insertions, 6 deletions

diff --git a/keystoneclient/tests/auth/test_identity_v2.py b/keystoneclient/tests/auth/test_identity_v2.py
index a264edd..0beea83 100644
--- a/keystoneclient/tests/auth/test_identity_v2.py
+++ b/keystoneclient/tests/auth/test_identity_v2.py
@@ -11,6 +11,7 @@
 # under the License.
 
 import copy
+import uuid
 
 import httpretty
 from six.moves import urllib
@@ -255,3 +256,14 @@ class V2IdentityPlugin(utils.TestCase):
         self.assertEqual('token1', s.get_token())
         a.invalidate()
         self.assertEqual('token2', s.get_token())
+
+    @httpretty.activate
+    def test_doesnt_log_password(self):
+        self.stub_auth(json=self.TEST_RESPONSE_DICT)
+        password = uuid.uuid4().hex
+
+        a = v2.Password(self.TEST_URL, username=self.TEST_USER,
+                        password=password)
+        s = session.Session(auth=a)
+        self.assertEqual(self.TEST_TOKEN, s.get_token())
+        self.assertNotIn(password, self.logger.output)
diff --git a/keystoneclient/tests/auth/test_identity_v3.py b/keystoneclient/tests/auth/test_identity_v3.py
index d44c8e7..a147a31 100644
--- a/keystoneclient/tests/auth/test_identity_v3.py
+++ b/keystoneclient/tests/auth/test_identity_v3.py
@@ -11,6 +11,7 @@
 # under the License.
 
 import copy
+import uuid
 
 import httpretty
 from six.moves import urllib
@@ -408,3 +409,15 @@ class V3IdentityPlugin(utils.TestCase):
         self.assertEqual('token1', s.get_token())
         a.invalidate()
         self.assertEqual('token2', s.get_token())
+
+    @httpretty.activate
+    def test_doesnt_log_password(self):
+        self.stub_auth(json=self.TEST_RESPONSE_DICT)
+
+        password = uuid.uuid4().hex
+        a = v3.Password(self.TEST_URL, username=self.TEST_USER,
+                        password=password)
+        s = session.Session(a)
+        self.assertEqual(self.TEST_TOKEN, s.get_token())
+
+        self.assertNotIn(password, self.logger.output)
diff --git a/keystoneclient/tests/v2_0/test_users.py b/keystoneclient/tests/v2_0/test_users.py
index 4246a51..89901e4 100644
--- a/keystoneclient/tests/v2_0/test_users.py
+++ b/keystoneclient/tests/v2_0/test_users.py
@@ -47,10 +47,11 @@ class UserTests(utils.TestCase):
     def test_create(self):
         tenant_id = uuid.uuid4().hex
         user_id = uuid.uuid4().hex
+        password = uuid.uuid4().hex
         req_body = {
             "user": {
                 "name": "gabriel",
-                "password": "test",
+                "password": password,
                 "tenantId": tenant_id,
                 "email": "test@example.com",
                 "enabled": True,
@@ -63,7 +64,7 @@ class UserTests(utils.TestCase):
                 "enabled": True,
                 "tenantId": tenant_id,
                 "id": user_id,
-                "password": "test",
+                "password": password,
                 "email": "test@example.com",
             }
         }
@@ -80,6 +81,7 @@ class UserTests(utils.TestCase):
         self.assertEqual(user.name, "gabriel")
         self.assertEqual(user.email, "test@example.com")
         self.assertRequestBodyIs(json=req_body)
+        self.assertNotIn(password, self.logger.output)
 
     @httpretty.activate
     def test_create_user_without_email(self):
@@ -210,10 +212,11 @@ class UserTests(utils.TestCase):
                 "name": "gabriel",
             }
         }
+        password = uuid.uuid4().hex
         req_2 = {
             "user": {
                 "id": self.DEMO_USER_ID,
-                "password": "swordfish",
+                "password": password,
             }
         }
         tenant_id = uuid.uuid4().hex
@@ -245,18 +248,22 @@ class UserTests(utils.TestCase):
                                  name='gabriel',
                                  email='gabriel@example.com')
         self.assertRequestBodyIs(json=req_1)
-        self.client.users.update_password(self.DEMO_USER_ID, 'swordfish')
+        self.client.users.update_password(self.DEMO_USER_ID, password)
         self.assertRequestBodyIs(json=req_2)
         self.client.users.update_tenant(self.DEMO_USER_ID, tenant_id)
         self.assertRequestBodyIs(json=req_3)
         self.client.users.update_enabled(self.DEMO_USER_ID, False)
         self.assertRequestBodyIs(json=req_4)
+        self.assertNotIn(password, self.logger.output)
 
     @httpretty.activate
     def test_update_own_password(self):
+        old_password = uuid.uuid4().hex
+        new_password = uuid.uuid4().hex
         req_body = {
             'user': {
-                'password': 'ABCD', 'original_password': 'DCBA'
+                'password': new_password,
+                'original_password': old_password
             }
         }
         resp_body = {
@@ -267,8 +274,10 @@ class UserTests(utils.TestCase):
                       json=resp_body)
 
         self.client.user_id = user_id
-        self.client.users.update_own_password('DCBA', 'ABCD')
+        self.client.users.update_own_password(old_password, new_password)
         self.assertRequestBodyIs(json=req_body)
+        self.assertNotIn(old_password, self.logger.output)
+        self.assertNotIn(new_password, self.logger.output)
 
     @httpretty.activate
     def test_user_role_listing(self):
diff --git a/keystoneclient/tests/v3/test_users.py b/keystoneclient/tests/v3/test_users.py
index 153e27a..0841e9d 100644
--- a/keystoneclient/tests/v3/test_users.py
+++ b/keystoneclient/tests/v3/test_users.py
@@ -97,6 +97,25 @@ class UserTests(utils.TestCase, utils.CrudTests):
                           group=None)
 
     @httpretty.activate
+    def test_create_doesnt_log_password(self):
+        password = uuid.uuid4().hex
+        ref = self.new_ref()
+
+        self.stub_entity(httpretty.POST, [self.collection_key],
+                         status=201, entity=ref)
+
+        req_ref = ref.copy()
+        req_ref.pop('id')
+        param_ref = req_ref.copy()
+
+        param_ref['password'] = password
+        params = utils.parameterize(param_ref)
+
+        self.manager.create(**params)
+
+        self.assertNotIn(password, self.logger.output)
+
+    @httpretty.activate
     def test_create_with_project(self):
         # Can create a user with the deprecated project option rather than
         # default_project_id.
@@ -149,6 +168,26 @@ class UserTests(utils.TestCase, utils.CrudTests):
         self.assertEntityRequestBodyIs(req_ref)
 
     @httpretty.activate
+    def test_update_doesnt_log_password(self):
+        password = uuid.uuid4().hex
+        ref = self.new_ref()
+
+        req_ref = ref.copy()
+        req_ref.pop('id')
+        param_ref = req_ref.copy()
+
+        self.stub_entity(httpretty.PATCH,
+                         [self.collection_key, ref['id']],
+                         status=200, entity=ref)
+
+        param_ref['password'] = password
+        params = utils.parameterize(param_ref)
+
+        self.manager.update(ref['id'], **params)
+
+        self.assertNotIn(password, self.logger.output)
+
+    @httpretty.activate
     def test_update_with_project(self):
         # Can update a user with the deprecated project option rather than
         # default_project_id.
@@ -217,6 +256,8 @@ class UserTests(utils.TestCase, utils.CrudTests):
         self.assertEqual('/v3/users/test/password',
                          httpretty.last_request().path)
         self.assertRequestBodyIs(json=exp_req_body)
+        self.assertNotIn(old_password, self.logger.output)
+        self.assertNotIn(new_password, self.logger.output)
 
     def test_update_password_with_bad_inputs(self):
         old_password = uuid.uuid4().hex