From c6ab24eb8e2bf02c75d0ffa8447032543eb4ea43 Mon Sep 17 00:00:00 2001 From: "Dr. Jason Breitweg" Date: Tue, 10 Oct 2023 09:50:29 +0200 Subject: [PATCH] Fix dynaconf obfuscation and add AUTH_LDAP_BIND_PASSWORD Signed-off-by: Dr. Jason Breitweg Fixed style issues Signed-off-by: Jason Breitweg jbreitwe@redhat.com Signed-off-by: Dr. Jason Breitweg Fixed yet more linting errors Signed-off-by: Jason Breitweg jbreitwe@redhat.com Signed-off-by: Dr. Jason Breitweg
---
 sos/report/plugins/pulp.py | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/sos/report/plugins/pulp.py b/sos/report/plugins/pulp.py
index df007168a..f5c762f48 100644
--- a/sos/report/plugins/pulp.py
+++ b/sos/report/plugins/pulp.py
@@ -170,10 +170,13 @@ def postproc(self):
 repl = r"\1********"
 self.do_path_regex_sub("/etc/pulp(.*)(.json$)", jreg, repl)
- # obfuscate SECRET_KEY = .. and 'PASSWORD': .. in dynaconf list output
- # and also in settings.py
+ # obfuscate SECRET_KEY = .., 'PASSWORD': ..,
+ # and AUTH_LDAP_BIND_PASSWORD = ..
+ # in dynaconf list output and also in settings.py
 # count with option that PASSWORD is with(out) quotes or in capitals
- key_pass_re = r"(SECRET_KEY\s*=|(password|PASSWORD)(\"|'|:)+)\s*(\S*)"
+ key_pass_re = r"((?:SECRET_KEY|AUTH_LDAP_BIND_PASSWORD)" \
+ r"(?:\<.+\>)?(\s*=)?|(password|PASSWORD)" \
+ r"(\"|'|:)+)\s*(\S*)"
 repl = r"\1 ********"
 self.do_path_regex_sub("/etc/pulp/settings.py", key_pass_re, repl)
 self.do_cmd_output_sub("dynaconf list", key_pass_re, repl)
From 866abe6119e846e243d586b1e353a6585ed83899 Mon Sep 17 00:00:00 2001 From: Pavel Moravec Date: Wed, 18 Oct 2023 13:38:29 +0200 Subject: [PATCH] [pulpcore] Scrub AUTH_LDAP_BIND_PASSWORD value Likewise in #3379, scrub the password also in pulpcore plugin. Resolves: #3389 Signed-off-by: Pavel Moravec
---
 sos/report/plugins/pulpcore.py | 27 ++++++++-------------------
 1 file changed, 8 insertions(+), 19 deletions(-)
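Review bot: The optional `(?:\<.+\>)?` in the new `key_pass_re` is greedy and sits inside capture group 1, which `repl` writes back verbatim. On a line whose secret contains `>`, the `.+` runs to the last `>`, so the leading part of the value stays in the report instead of being masked. Bounding the tag avoids this: `r"(?:\<[^>]+\>)?(\s*=)?|(password|PASSWORD)" \`. The same expression is copied into the pulpcore.py hunk of the second patch and needs the same change. postproc starts above this hunk.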
diff --git a/sos/report/plugins/pulpcore.py b/sos/report/plugins/pulpcore.py
index 04efae9f8..649626ada 100644
--- a/sos/report/plugins/pulpcore.py
+++ b/sos/report/plugins/pulpcore.py
@@ -144,29 +144,18 @@ def build_query_cmd(self, query, csv=False):
 return _dbcmd % (self.dbhost, self.dbport, self.dbname, quote(query))
 def postproc(self):
- # TODO obfuscate from /etc/pulp/settings.py :
+ # obfuscate from /etc/pulp/settings.py and "dynaconf list":
 # SECRET_KEY = "eKfeDkTnvss7p5WFqYdGPWxXfHnsbDBx"
 # 'PASSWORD': 'tGrag2DmtLqKLTWTQ6U68f6MAhbqZVQj',
+ # AUTH_LDAP_BIND_PASSWORD = 'ouch-a-secret'
 # the PASSWORD can be also in an one-liner list, so detect its value
 # in non-greedy manner till first ',' or '}'
- self.do_path_regex_sub(
- "/etc/pulp/settings.py",
- r"(SECRET_KEY\s*=\s*)(.*)",
- r"\1********")
- self.do_path_regex_sub(
- "/etc/pulp/settings.py",
- r"(PASSWORD\S*\s*:\s*)(.*?)(,|\})",
- r"\1********\3")
- # apply the same for "dynaconf list" output that prints settings.py
- # in a pythonic format
- self.do_cmd_output_sub(
- "dynaconf list",
- r"(SECRET_KEY\s*)'(.*)'",
- r"\1********")
- self.do_cmd_output_sub(
- "dynaconf list",
- r"(PASSWORD\S*\s*:\s*)(.*)",
- r"\1********")
+ key_pass_re = r"((?:SECRET_KEY|AUTH_LDAP_BIND_PASSWORD)" \
+ r"(?:\<.+\>)?(\s*=)?|(password|PASSWORD)" \
+ r"(\"|'|:)+)\s*(\S*)"
+ repl = r"\1 ********"
+ self.do_path_regex_sub("/etc/pulp/settings.py", key_pass_re, repl)
+ self.do_cmd_output_sub("dynaconf list", key_pass_re, repl)
 # vim: set et ts=4 sw=4 :
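Review bot: The shared `key_pass_re` ends in `\s*(\S*)`, which stops at the first whitespace, whereas the removed `(.*)` and `(.*?)(,|\})` patterns masked a value up to the end of the line or the next separator. A quoted secret containing a space would therefore keep its tail in the collected settings.py and `dynaconf list` output. Consider matching a whole quoted string first, for example ending the expression with `\s*('[^']*'|\"[^\"]*\"|\S*)`; this would still miss a value whose opening quote directly follows the colon, so it should be checked against sample lines. The retained comment about detecting the value "in non-greedy manner till first ',' or '}'" no longer describes the code and could become `# a quoted value is masked as a whole, an unquoted one up to the first whitespace`.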