sos updates to 8.9
completing previous fix but now for pulpcore plugin Resolves: RHEL-13697 Signed-off-by: Pavel Moravec <pmoravec@redhat.com>
		
							parent
							
								
									a0a6eb1b30
								
							
						
					
					
						commit
						75ac8763c9
					
				| @ -39,3 +39,60 @@ index df007168a..f5c762f48 100644 | ||||
|          repl = r"\1 ********" | ||||
|          self.do_path_regex_sub("/etc/pulp/settings.py", key_pass_re, repl) | ||||
|          self.do_cmd_output_sub("dynaconf list", key_pass_re, repl) | ||||
| From 866abe6119e846e243d586b1e353a6585ed83899 Mon Sep 17 00:00:00 2001 | ||||
| From: Pavel Moravec <pmoravec@redhat.com> | ||||
| Date: Wed, 18 Oct 2023 13:38:29 +0200 | ||||
| Subject: [PATCH] [pulpcore] Scrub AUTH_LDAP_BIND_PASSWORD value | ||||
| 
 | ||||
| Likewise in #3379, scrub the password also in pulpcore plugin. | ||||
| 
 | ||||
| Resolves: #3389 | ||||
| 
 | ||||
| Signed-off-by: Pavel Moravec <pmoravec@redhat.com> | ||||
| ---
 | ||||
|  sos/report/plugins/pulpcore.py | 27 ++++++++------------------- | ||||
|  1 file changed, 8 insertions(+), 19 deletions(-) | ||||
| 
 | ||||
| diff --git a/sos/report/plugins/pulpcore.py b/sos/report/plugins/pulpcore.py
 | ||||
| index 04efae9f8..649626ada 100644
 | ||||
| --- a/sos/report/plugins/pulpcore.py
 | ||||
| +++ b/sos/report/plugins/pulpcore.py
 | ||||
| @@ -144,29 +144,18 @@ def build_query_cmd(self, query, csv=False):
 | ||||
|          return _dbcmd % (self.dbhost, self.dbport, self.dbname, quote(query)) | ||||
|   | ||||
|      def postproc(self): | ||||
| -        # TODO obfuscate from /etc/pulp/settings.py :
 | ||||
| +        # obfuscate from /etc/pulp/settings.py and "dynaconf list":
 | ||||
|          # SECRET_KEY = "eKfeDkTnvss7p5WFqYdGPWxXfHnsbDBx" | ||||
|          # 'PASSWORD': 'tGrag2DmtLqKLTWTQ6U68f6MAhbqZVQj', | ||||
| +        # AUTH_LDAP_BIND_PASSWORD = 'ouch-a-secret'
 | ||||
|          # the PASSWORD can be also in an one-liner list, so detect its value | ||||
|          # in non-greedy manner till first ',' or '}' | ||||
| -        self.do_path_regex_sub(
 | ||||
| -            "/etc/pulp/settings.py",
 | ||||
| -            r"(SECRET_KEY\s*=\s*)(.*)",
 | ||||
| -            r"\1********")
 | ||||
| -        self.do_path_regex_sub(
 | ||||
| -            "/etc/pulp/settings.py",
 | ||||
| -            r"(PASSWORD\S*\s*:\s*)(.*?)(,|\})",
 | ||||
| -            r"\1********\3")
 | ||||
| -        # apply the same for "dynaconf list" output that prints settings.py
 | ||||
| -        # in a pythonic format
 | ||||
| -        self.do_cmd_output_sub(
 | ||||
| -            "dynaconf list",
 | ||||
| -            r"(SECRET_KEY<str>\s*)'(.*)'",
 | ||||
| -            r"\1********")
 | ||||
| -        self.do_cmd_output_sub(
 | ||||
| -            "dynaconf list",
 | ||||
| -            r"(PASSWORD\S*\s*:\s*)(.*)",
 | ||||
| -            r"\1********")
 | ||||
| +        key_pass_re = r"((?:SECRET_KEY|AUTH_LDAP_BIND_PASSWORD)" \
 | ||||
| +                      r"(?:\<.+\>)?(\s*=)?|(password|PASSWORD)" \
 | ||||
| +                      r"(\"|'|:)+)\s*(\S*)"
 | ||||
| +        repl = r"\1 ********"
 | ||||
| +        self.do_path_regex_sub("/etc/pulp/settings.py", key_pass_re, repl)
 | ||||
| +        self.do_cmd_output_sub("dynaconf list", key_pass_re, repl)
 | ||||
| 
 | ||||
| 
 | ||||
|  # vim: set et ts=4 sw=4 : | ||||
| 
 | ||||
|  | ||||
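Review bot: The new `key_pass_re` in `postproc` ends in `\s*(\S*)`, so only the first whitespace-delimited token of a value is replaced. A secret containing a space (for example a quoted LDAP bind password such as `'two words'`) would leave everything after the first space in the collected `/etc/pulp/settings.py` and `dynaconf list` output, whereas the removed `SECRET_KEY` patterns consumed the rest of the line with `(.*)`. Consider matching a quoted value as a whole before falling back to a bare token, e.g. changing the last line of the pattern to `r"(\"|'|:)+)\s*('[^']*'|\"[^\"]*\"|\S*)"`, which leaves `\1` as it is. The retained comment about detecting the value "in non-greedy manner till first ',' or '}'" no longer describes the pattern and should be reworded. The pulp plugin's `key_pass_re` used in the context lines at the top of this section is not visible here; if it has the same tail, it likely needs the same change.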
							
								
								
									
										6
									
								
								sos.spec
									
									
									
									
									
								
							
							
						
						
									
									
									
									
									
									
								
							| @ -5,7 +5,7 @@ | ||||
| Summary: A set of tools to gather troubleshooting information from a system | ||||
| Name: sos | ||||
| Version: 4.6.0 | ||||
| Release: 4%{?dist} | ||||
| Release: 5%{?dist} | ||||
| Group: Applications/System | ||||
| Source0: https://github.com/sosreport/sos/archive/%{version}/sos-%{version}.tar.gz | ||||
| Source1: sos-audit-%{auditversion}.tgz | ||||
| @ -111,6 +111,10 @@ of the system. Currently storage and filesystem commands are audited. | ||||
| %ghost /etc/audit/rules.d/40-sos-storage.rules | ||||
| 
 | ||||
| %changelog | ||||
| * Wed Oct 18 2023 Pavel Moravec <pmoravec@redhat.com> = 4.6.0-5 | ||||
|   [pulpcore] Scrub AUTH_LDAP_BIND_PASSWORD value | ||||
|   Resolves: RHEL-13697 | ||||
| 
 | ||||
| * Tue Oct 17 2023 Pavel Moravec <pmoravec@redhat.com> = 4.6.0-4 | ||||
| - [pulp] Fix dynaconf obfuscation and add AUTH_LDAP_BIND_PASSWORD | ||||
|   Resolves: RHEL-13697 | ||||
|  | ||||