sos updates to 9.2.z / 9.3

completing previous fix but now for pulpcore plugin Resolves: RHEL-13701 Signed-off-by: Pavel Moravec <pmoravec@redhat.com>
2023-10-18 13:59:23 +02:00 · 2023-10-18 13:59:23 +02:00 · 524641fda1
parent c97b0c22d3
commit 524641fda1
2 changed files with 62 additions and 1 deletions
--- a/sos-RHEL-13701-aap-passwords.patch
+++ b/sos-RHEL-13701-aap-passwords.patch
@ -39,3 +39,60 @@ index df007168a..f5c762f48 100644
         repl = r"\1 ********"
         self.do_path_regex_sub("/etc/pulp/settings.py", key_pass_re, repl)
         self.do_cmd_output_sub("dynaconf list", key_pass_re, repl)
+From 866abe6119e846e243d586b1e353a6585ed83899 Mon Sep 17 00:00:00 2001
+From: Pavel Moravec <pmoravec@redhat.com>
+Date: Wed, 18 Oct 2023 13:38:29 +0200
+Subject: [PATCH] [pulpcore] Scrub AUTH_LDAP_BIND_PASSWORD value
+
+Likewise in #3379, scrub the password also in pulpcore plugin.
+
+Resolves: #3389
+
+Signed-off-by: Pavel Moravec <pmoravec@redhat.com>
+---
+ sos/report/plugins/pulpcore.py | 27 ++++++++-------------------
+ 1 file changed, 8 insertions(+), 19 deletions(-)
+
+diff --git a/sos/report/plugins/pulpcore.py b/sos/report/plugins/pulpcore.py
+index 04efae9f8..649626ada 100644
+--- a/sos/report/plugins/pulpcore.py
+++ b/sos/report/plugins/pulpcore.py
+@@ -144,29 +144,18 @@ def build_query_cmd(self, query, csv=False):
+         return _dbcmd % (self.dbhost, self.dbport, self.dbname, quote(query))
+ 
+     def postproc(self):
+-        # TODO obfuscate from /etc/pulp/settings.py :
+        # obfuscate from /etc/pulp/settings.py and "dynaconf list":
+         # SECRET_KEY = "eKfeDkTnvss7p5WFqYdGPWxXfHnsbDBx"
+         # 'PASSWORD': 'tGrag2DmtLqKLTWTQ6U68f6MAhbqZVQj',
+        # AUTH_LDAP_BIND_PASSWORD = 'ouch-a-secret'
+         # the PASSWORD can be also in an one-liner list, so detect its value
+         # in non-greedy manner till first ',' or '}'
+-        self.do_path_regex_sub(
+-            "/etc/pulp/settings.py",
+-            r"(SECRET_KEY\s*=\s*)(.*)",
+-            r"\1********")
+-        self.do_path_regex_sub(
+-            "/etc/pulp/settings.py",
+-            r"(PASSWORD\S*\s*:\s*)(.*?)(,|\})",
+-            r"\1********\3")
+-        # apply the same for "dynaconf list" output that prints settings.py
+-        # in a pythonic format
+-        self.do_cmd_output_sub(
+-            "dynaconf list",
+-            r"(SECRET_KEY<str>\s*)'(.*)'",
+-            r"\1********")
+-        self.do_cmd_output_sub(
+-            "dynaconf list",
+-            r"(PASSWORD\S*\s*:\s*)(.*)",
+-            r"\1********")
+        key_pass_re = r"((?:SECRET_KEY|AUTH_LDAP_BIND_PASSWORD)" \
+                      r"(?:\<.+\>)?(\s*=)?|(password|PASSWORD)" \
+                      r"(\"|'|:)+)\s*(\S*)"
+        repl = r"\1 ********"
+        self.do_path_regex_sub("/etc/pulp/settings.py", key_pass_re, repl)
+        self.do_cmd_output_sub("dynaconf list", key_pass_re, repl)
+
+
+ # vim: set et ts=4 sw=4 :
+
--- a/sos.spec
+++ b/sos.spec
@ -5,7 +5,7 @@
 Summary: A set of tools to gather troubleshooting information from a system
 Name: sos
 Version: 4.6.0
-Release: 4%{?dist}
+Release: 5%{?dist}
 Group: Applications/System
 Source0: https://github.com/sosreport/sos/archive/%{version}/sos-%{version}.tar.gz
 Source1: sos-audit-%{auditversion}.tgz
@ -110,6 +110,10 @@ of the system.  Currently storage and filesystem commands are audited.


 %changelog
+* Wed Oct 18 2023 Pavel Moravec <pmoravec@redhat.com> = 4.6.0-5
+  [pulpcore] Scrub AUTH_LDAP_BIND_PASSWORD value
+  Resolves: RHEL-13701
+
 * Tue Oct 17 2023 Pavel Moravec <pmoravec@redhat.com> = 4.6.0-4
 - [pulp] Fix dynaconf obfuscation and add AUTH_LDAP_BIND_PASSWORD
  Resolves: RHEL-13701