sos/SOURCES/0002-openstack_nova-Improve-scrubbing.patch

From 6378a4ee9fa3eeaf384bd87fc87e24a0c5608658 Mon Sep 17 00:00:00 2001
From: Pavel Moravec <pmoravec@redhat.com>
Date: Tue, 19 Aug 2025 09:08:15 +0200
Subject: [PATCH] [openstack_nova] Improve scrubbing

Improve postproc obfuscation in two ways:
- apply postproc also to /var/lib/openstack/config/nova on RedHatNova
- obfuscate just password from transport_url, not the whole URL

Closes: #4108

Signed-off-by: Pavel Moravec <pmoravec@redhat.com>
---
 sos/report/plugins/openstack_nova.py | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/sos/report/plugins/openstack_nova.py b/sos/report/plugins/openstack_nova.py
index 728aed1e..2635866e 100644
--- a/sos/report/plugins/openstack_nova.py
+++ b/sos/report/plugins/openstack_nova.py
@@ -29,6 +29,7 @@ class OpenStackNova(Plugin):
     var_puppet_gen = "/var/lib/config-data/puppet-generated/nova"
     service_name = "openstack-nova-api.service"
     apachepkg = None
+    postproc_dirs = ["/etc/nova/",]
 
     def setup(self):
 
@@ -141,12 +142,13 @@ class OpenStackNova(Plugin):
         self.add_copy_spec(specs)
 
     def apply_regex_sub(self, regexp, subst):
-        """ Apply regex substitution """
-        self.do_path_regex_sub("/etc/nova/*", regexp, subst)
-        for npath in ['', '_libvirt', '_metadata', '_placement']:
-            self.do_path_regex_sub(
-                f"{self.var_puppet_gen}{npath}/etc/nova/*",
-                regexp, subst)
+        """ Apply regex substitution to all sensitive dirs """
+        for _dir in self.postproc_dirs:
+            self.do_path_regex_sub(f"{_dir}/*", regexp, subst)
+            for npath in ['', '_libvirt', '_metadata', '_placement']:
+                self.do_path_regex_sub(
+                    f"{self.var_puppet_gen}{npath}{_dir}/*",
+                    regexp, subst)
 
     def postproc(self):
         protect_keys = [
@@ -155,10 +157,9 @@ class OpenStackNova(Plugin):
             "xenapi_connection_password", "password", "host_password",
             "vnc_password", "admin_password", "connection_password",
             "memcache_secret_key", "s3_secret_key",
-            "metadata_proxy_shared_secret", "fixed_key", "transport_url",
-            "rbd_secret_uuid"
+            "metadata_proxy_shared_secret", "fixed_key", "rbd_secret_uuid"
         ]
-        connection_keys = ["connection", "sql_connection"]
+        connection_keys = ["connection", "sql_connection", "transport_url"]
 
         join_con_keys = "|".join(connection_keys)
 
@@ -214,6 +215,7 @@ class RedHatNova(OpenStackNova, RedHatPlugin):
     apachepkg = "httpd"
     nova = False
     packages = ('openstack-selinux',)
+    postproc_dirs = ["/etc/nova/", "/var/lib/openstack/config/nova"]
 
     def setup(self):
         super().setup()
-- 
2.49.0