From 153c0154050a111fd7e5bcf4a685f906a1dea737 Mon Sep 17 00:00:00 2001
From: Jose Castillo
Date: Wed, 10 Mar 2021 15:33:50 +0100
Subject: [PATCH] [ds] Mask password and encription keys in ldif files

Both /etc/dirsrv/slapd*/dse.ldif{,.startOK} files contain sensitive information : - all the nsSymmetricKey entries : symmetric encryption key - nsslapd-rootpw : the admin password's hash This patch masks these entries in the files we collect.

Resolves: #2442
Signed-off-by: Jose Castillo
Signed-off-by: Jake Hunsaker
---
 sos/report/plugins/ds.py | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/sos/report/plugins/ds.py b/sos/report/plugins/ds.py
index f4d68d6e..d467dc89 100644
--- a/sos/report/plugins/ds.py
+++ b/sos/report/plugins/ds.py
@@ -74,4 +74,22 @@ class DirectoryServer(Plugin, RedHatPlugin):
         self.add_cmd_output("ls -l /var/lib/dirsrv/slapd-*/db/*")
+    def postproc(self):
+        # Example for scrubbing rootpw hash
+        #
+        # nsslapd-rootpw: AAAAB3NzaC1yc2EAAAADAQABAAABAQDeXYA3juyPqaUuyfWV2HuIM
+        # v3gebb/5cvx9ehEAFF2yIKvsQN2EJGTV+hBM1DEOB4eyy/H11NqcNwm/2QsagDB3PVwYp
+        # 9VKN3BdhQjlhuoYKhLwgtYUMiGL8AX5g1qxjirIkTRJwjbXkSNuQaXig7wVjmvXnB2o7B
+        # zLtu99DiL1AizfVeZTYA+OVowYKYaXYljVmVKS+g3t29Obaom54ZLpfuoGMmyO64AJrWs
+        #
+        # to
+        #
+        # nsslapd-rootpw:********
+
+        regexppass = r"(nsslapd-rootpw(\s)*:(\s)*)(\S+)([\r\n]\s.*)*\n"
+        regexpkey = r"(nsSymmetricKey(\s)*::(\s)*)(\S+)([\r\n]\s.*)*\n"
+        repl = r"\1********\n"
+        self.do_path_regex_sub('/etc/dirsrv/*', regexppass, repl)
+        self.do_path_regex_sub('/etc/dirsrv/*', regexpkey, repl)
+
 # vim: set et ts=4 sw=4 :
-- 
2.26.3
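Review bot: The path expression `'/etc/dirsrv/*'` on the two do_path_regex_sub calls at the end of the added postproc is written like a shell glob, but as far as I recall do_path_regex_sub matches collected paths with a regular expression, so `/*` means "zero or more slashes" and the pattern only reaches `slapd-*/dse.ldif` and `dse.ldif.startOK` because the match is anchored at the start of the path; `r'/etc/dirsrv/.*'` (or the more explicit `r'/etc/dirsrv/slapd-.*/dse\.ldif.*'`) states the intent and makes the expression a raw string like the two attribute patterns above it. The rootpw pattern also accepts only a single colon, so if the value is ever written in LDIF base64 form (`nsslapd-rootpw:: ...`) the hash would be left unmasked; `:{1,2}` in place of `:` covers both forms, i.e. `regexppass = r"(nsslapd-rootpw\s*:{1,2}\s*)(\S+)([\r\n]\s.*)*\n"`. The `(\s)*` groups in both patterns capture nothing the replacement uses and read more clearly as plain `\s*`.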