From 75ac8763c90e4f30a61f0f4f1fdddb47e0e6390f Mon Sep 17 00:00:00 2001
From: Pavel Moravec
Date: Wed, 18 Oct 2023 14:16:46 +0200
Subject: [PATCH] sos updates to 8.9 completing previous fix but now for pulpcore plugin
Resolves: RHEL-13697
Signed-off-by: Pavel Moravec
---
sos-RHEL-13697-aap-passwords.patch | 57 ++++++++++++++++++++++++++++++
sos.spec | 6 +++-
2 files changed, 62 insertions(+), 1 deletion(-)
diff --git a/sos-RHEL-13697-aap-passwords.patch b/sos-RHEL-13697-aap-passwords.patch
index f744a64..7d3caa0 100644
--- a/sos-RHEL-13697-aap-passwords.patch
+++ b/sos-RHEL-13697-aap-passwords.patch
@@ -39,3 +39,60 @@ index df007168a..f5c762f48 100644 repl = r"\1 ********" self.do_path_regex_sub("/etc/pulp/settings.py", key_pass_re, repl) self.do_cmd_output_sub("dynaconf list", key_pass_re, repl) +From 866abe6119e846e243d586b1e353a6585ed83899 Mon Sep 17 00:00:00 2001 +From: Pavel Moravec +Date: Wed, 18 Oct 2023 13:38:29 +0200 +Subject: [PATCH] [pulpcore] Scrub AUTH_LDAP_BIND_PASSWORD value + +Likewise in #3379, scrub the password also in pulpcore plugin. + +Resolves: #3389 + +Signed-off-by: Pavel Moravec +--- + sos/report/plugins/pulpcore.py | 27 ++++++++------------------- + 1 file changed, 8 insertions(+), 19 deletions(-) + +diff --git a/sos/report/plugins/pulpcore.py b/sos/report/plugins/pulpcore.py +index 04efae9f8..649626ada 100644 +--- a/sos/report/plugins/pulpcore.py ++++ b/sos/report/plugins/pulpcore.py +@@ -144,29 +144,18 @@ def build_query_cmd(self, query, csv=False): + return _dbcmd % (self.dbhost, self.dbport, self.dbname, quote(query)) + + def postproc(self): +- # TODO obfuscate from /etc/pulp/settings.py : ++ # obfuscate from /etc/pulp/settings.py and "dynaconf list": + # SECRET_KEY = "eKfeDkTnvss7p5WFqYdGPWxXfHnsbDBx" + # 'PASSWORD': 'tGrag2DmtLqKLTWTQ6U68f6MAhbqZVQj', ++ # AUTH_LDAP_BIND_PASSWORD = 'ouch-a-secret' + # the PASSWORD can be also in an one-liner list, so detect its value + # in non-greedy manner till first ',' or '}' +- self.do_path_regex_sub( +- "/etc/pulp/settings.py", +- r"(SECRET_KEY\s*=\s*)(.*)", +- r"\1********") +- self.do_path_regex_sub( +- "/etc/pulp/settings.py", +- r"(PASSWORD\S*\s*:\s*)(.*?)(,|\})", +- r"\1********\3") +- # apply the same for "dynaconf list" output that prints settings.py +- # in a pythonic format +- self.do_cmd_output_sub( +- "dynaconf list", +- r"(SECRET_KEY\s*)'(.*)'", +- r"\1********") +- self.do_cmd_output_sub( +- "dynaconf list", +- r"(PASSWORD\S*\s*:\s*)(.*)", +- r"\1********") ++ key_pass_re = r"((?:SECRET_KEY|AUTH_LDAP_BIND_PASSWORD)" \ ++ r"(?:\<.+\>)?(\s*=)?|(password|PASSWORD)" \ ++ 
r"(\"|'|:)+)\s*(\S*)" ++ repl = r"\1 ********" ++ self.do_path_regex_sub("/etc/pulp/settings.py", key_pass_re, repl) ++ self.do_cmd_output_sub("dynaconf list", key_pass_re, repl) + + + # vim: set et ts=4 sw=4 : + diff --git a/sos.spec b/sos.spec index 289a64d..045d714 100644 --- a/sos.spec +++ b/sos.spec @@ -5,7 +5,7 @@ Summary: A set of tools to gather troubleshooting information from a system Name: sos Version: 4.6.0 -Release: 4%{?dist} +Release: 5%{?dist} Group: Applications/System Source0: https://github.com/sosreport/sos/archive/%{version}/sos-%{version}.tar.gz Source1: sos-audit-%{auditversion}.tgz @@ -111,6 +111,10 @@ of the system. Currently storage and filesystem commands are audited. %ghost /etc/audit/rules.d/40-sos-storage.rules %changelog +* Wed Oct 18 2023 Pavel Moravec = 4.6.0-5 + [pulpcore] Scrub AUTH_LDAP_BIND_PASSWORD value + Resolves: RHEL-13697 + * Tue Oct 17 2023 Pavel Moravec = 4.6.0-4 - [pulp] Fix dynaconf obfuscation and add AUTH_LDAP_BIND_PASSWORD Resolves: RHEL-13697
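Review bot: The value group at the end of `key_pass_re` in the embedded pulpcore `postproc()` change is `\s*(\S*)`, so masking stops at the first whitespace character. A quoted secret that contains a space would have only its first token replaced, and the rest would stay in the collected `/etc/pulp/settings.py` copy and `dynaconf list` output. The removed `SECRET_KEY` patterns consumed the rest of the line with `(.*)`, so for that key this looks like a narrowing. Consider matching a whole quoted string before falling back to a bare token, e.g. `r"(\"|'|:)+)\s*(\"[^\"]*\"|'[^']*'|\S*)"`, and covering a space-containing value in the plugin's tests. The retained comment about detecting the value "in non-greedy manner till first ',' or '}'" no longer describes the pattern and should be reworded to say what the value group actually matches.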