sos/0004-aap_containerized-Carry-forward-postproc-from-other.patch
Jan Jansky a6f0cdd720 Update to 4.10.2-1
Resolves: RHEL-142630

Signed-off-by: Jan Jansky <jjansky@redhat.com>
2026-02-02 14:06:09 +01:00


From 0c237bcaf476c9b5a28165b9124e08163af707ab Mon Sep 17 00:00:00 2001
From: Pavel Moravec <pmoravec@redhat.com>
Date: Fri, 30 Jan 2026 21:50:52 +0100
Subject: [PATCH] [aap_containerized] Carry forward postproc from other AAP
plugins
Secrets obfuscations from 2a46e99 commit must be reflected in
containerized plugin.
Further, fix a typo in a regexp, to properly obfuscate:
EMAIL_HOST_PASSWORD = 'FAKESECRET!!!'
in (both) controller's settings.
Closes: #4213
Signed-off-by: Pavel Moravec <pmoravec@redhat.com>
---
sos/report/plugins/aap_containerized.py | 37 +++++++++++++++++++------
sos/report/plugins/aap_controller.py | 4 +--
2 files changed, 30 insertions(+), 11 deletions(-)
diff --git a/sos/report/plugins/aap_containerized.py b/sos/report/plugins/aap_containerized.py
index 7baa5fb3..0c85d4b2 100644
--- a/sos/report/plugins/aap_containerized.py
+++ b/sos/report/plugins/aap_containerized.py
@@ -41,6 +41,7 @@ class AAPContainerized(Plugin, RedHatPlugin):
def setup(self):
# Check if username is passed as argument
username = self.get_option("username")
+ self.aap_directory_name = self.get_option("directory")
if not username:
self._log_warn("AAP username is missing, use '-k "
"aap_containerized.username=<user>' to set it")
@@ -61,16 +62,15 @@ class AAPContainerized(Plugin, RedHatPlugin):
return
# Grab aap installation directory under user's home
- if not self.get_option("directory"):
+ if not self.aap_directory_name:
user_home_directory = os.path.expanduser(f"~{username}")
- aap_directory_name = self.path_join(user_home_directory, "aap")
- else:
- aap_directory_name = self.get_option("directory")
+ self.aap_directory_name = self.path_join(user_home_directory,
+ "aap")
# Don't collect cert and key files from the installation directory
- if self.path_exists(aap_directory_name):
+ if self.path_exists(self.aap_directory_name):
forbidden_paths = [
- self.path_join(aap_directory_name, path)
+ self.path_join(self.aap_directory_name, path)
for path in [
"containers",
"tls",
@@ -93,10 +93,10 @@ class AAPContainerized(Plugin, RedHatPlugin):
]
]
self.add_forbidden_path(forbidden_paths)
- self.add_copy_spec(aap_directory_name)
+ self.add_copy_spec(self.aap_directory_name)
else:
- self._log_error(f"Directory {aap_directory_name} does not exist "
- "or invalid absolute path provided")
+ self._log_error(f"Directory {self.aap_directory_name} does not "
+ "exist or invalid absolute path provided.")
# Gather output of following podman commands as user
podman_commands = [
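Review bot: The directory passed to `add_copy_spec` in this hunk is the raw option string, and `postproc` later interpolates the same string into its path patterns (`f"{self.aap_directory_name}/controller/etc/settings.py"`). `do_path_regex_sub` is not shown here, but it appears to treat that argument as a regular expression matched against collected paths. If so, a value with a trailing slash or regex metacharacters would still collect the settings files but fail to match them for scrubbing, leaving the passwords in the report. Consider normalising once after the `~/aap` fallback, e.g. `self.aap_directory_name = os.path.normpath(self.aap_directory_name)`, and wrapping the value in `re.escape()` when building the patterns (assuming `re` is imported in this module). `setup` begins and ends outside this hunk.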
@@ -200,6 +200,24 @@ class AAPContainerized(Plugin, RedHatPlugin):
return False
def postproc(self):
+ # remove controller email password
+ file_path = f"{self.aap_directory_name}/controller/etc/settings.py"
+ jreg = r"(EMAIL_HOST_PASSWORD\s*=\s*)\'(.+)\'"
+ repl = r"\1********"
+ self.do_path_regex_sub(file_path, jreg, repl)
+
+ # remove gateway database password
+ file_path = f"{self.aap_directory_name}/gateway/etc/settings.py"
+ jreg = r"(\s*'PASSWORD'\s*:\s*)('.*')"
+ repl = r"\1********"
+ self.do_path_regex_sub(file_path, jreg, repl)
+
+ # Mask EDA optional secrets
+ file_path = f"{self.aap_directory_name}/eda/etc/settings.yaml"
+ regex = r"(\s*)(PASSWORD|MQ_USER_PASSWORD|SECRET_KEY)(:\s*)(.*$)"
+ replacement = r'\1\2\3********'
+ self.do_path_regex_sub(file_path, regex, replacement)
+
# Mask PASSWORD from print_settings command
jreg = r'((["\']?PASSWORD["\']?\s*[:=]\s*)[rb]?["\'])(.*?)(["\'])'
self.do_cmd_output_sub(
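Review bot: The two settings.py patterns added at the top of `postproc` only match single-quoted values, so a hand-edited `EMAIL_HOST_PASSWORD = "..."` or `'PASSWORD': "..."` would reach the report unmasked. The existing print_settings pattern just below already accepts both quote styles. Accepting either quote closes the gap, e.g. `jreg = r"(EMAIL_HOST_PASSWORD\s*=\s*)[\"'](.+)[\"']"`, with the same character class applied to the gateway `'PASSWORD'` pattern. The corrected `EMAIL_HOST_PASSWORD` patterns in the aap_controller.py hunk have the same limitation, and `conf.d/custom.py` there is the file most likely to be written by hand. `postproc` continues past the end of this hunk.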
@@ -214,4 +232,5 @@ class AAPContainerized(Plugin, RedHatPlugin):
jreg,
r'\1**********\5')
+
# vim: set et ts=4 sw=4 :
diff --git a/sos/report/plugins/aap_controller.py b/sos/report/plugins/aap_controller.py
index afb2508c..e2b5e39e 100644
--- a/sos/report/plugins/aap_controller.py
+++ b/sos/report/plugins/aap_controller.py
@@ -83,12 +83,12 @@ class AAPControllerPlugin(Plugin, RedHatPlugin):
self.do_path_regex_sub("/etc/tower/conf.d/postgres.py", jreg, repl)
# remove email password
- jreg = r"(EMAIL_HOST_PASSWORD\s*=)\'(.+)\'"
+ jreg = r"(EMAIL_HOST_PASSWORD\s*=\s*)\'(.+)\'"
repl = r"\1********"
self.do_path_regex_sub("/etc/tower/settings.py", jreg, repl)
# remove email password (if customized)
- jreg = r"(EMAIL_HOST_PASSWORD\s*=)\'(.+)\'"
+ jreg = r"(EMAIL_HOST_PASSWORD\s*=\s*)\'(.+)\'"
repl = r"\1********"
self.do_path_regex_sub("/etc/tower/conf.d/custom.py", jreg, repl)
--
2.52.0