From b001f5884b80624b424b01a35acb75c5bd9a3353 Mon Sep 17 00:00:00 2001
From: Marc Paradise <marc@chef.io>
Date: Mon, 27 Jun 2016 15:46:06 -0400
Subject: [PATCH 1/2] do not log password in ssh connection output

A longer-term approach may be to refactor Options to be a class
insteaad of a simple hash, so that this can be applied across all transports.
---
 lib/train/transports/ssh_connection.rb | 4 +++-
 test/unit/transports/ssh_test.rb       | 9 +++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/lib/train/transports/ssh_connection.rb b/lib/train/transports/ssh_connection.rb
index c4a60a6b..65e150c1 100644
--- a/lib/train/transports/ssh_connection.rb
+++ b/lib/train/transports/ssh_connection.rb
@@ -216,7 +216,9 @@ def session(retry_options = {})
     #
     # @api private
     def to_s
-      "#{@username}@#{@hostname}<#{@options.inspect}>"
+      options_to_print = @options.clone
+      options_to_print[:password] = "<hidden>" if options_to_print.has_key?(:password)
+      "#{@username}@#{@hostname}<#{options_to_print.inspect}>"
     end
 
     class OS < OSCommon
diff --git a/test/unit/transports/ssh_test.rb b/test/unit/transports/ssh_test.rb
index 4792e1f5..fb60ac19 100644
--- a/test/unit/transports/ssh_test.rb
+++ b/test/unit/transports/ssh_test.rb
@@ -82,6 +82,15 @@ def detect_family
     end
   end
 
+  describe 'converting connection to string for logging' do
+   it "masks passwords" do
+      assert_output(/.*:password=>"<hidden>".*/) do
+        connection = cls.new(conf).connection
+        puts "#{connection}"
+      end
+    end
+  end
+
   describe 'failed configuration' do
     it 'works with a minimum valid config' do
       cls.new(conf).connection

From 25b4589473b3241652240ee7045c6a129114a724 Mon Sep 17 00:00:00 2001
From: Stephan Renatus <srenatus@chef.io>
Date: Tue, 28 Jun 2016 09:40:48 +0200
Subject: [PATCH 2/2] fix lint

---
 lib/train/transports/ssh_connection.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/train/transports/ssh_connection.rb b/lib/train/transports/ssh_connection.rb
index 65e150c1..5e07194c 100644
--- a/lib/train/transports/ssh_connection.rb
+++ b/lib/train/transports/ssh_connection.rb
@@ -217,7 +217,7 @@ def session(retry_options = {})
     # @api private
     def to_s
       options_to_print = @options.clone
-      options_to_print[:password] = "<hidden>" if options_to_print.has_key?(:password)
+      options_to_print[:password] = '<hidden>' if options_to_print.key?(:password)
       "#{@username}@#{@hostname}<#{options_to_print.inspect}>"
     end