sos/SOURCES/sos-RHEL-13701-aap-passwords.patch
2023-11-02 22:09:37 +00:00

99 lines
4.0 KiB
Diff

From c6ab24eb8e2bf02c75d0ffa8447032543eb4ea43 Mon Sep 17 00:00:00 2001
From: "Dr. Jason Breitweg" <jason@breitweg.com>
Date: Tue, 10 Oct 2023 09:50:29 +0200
Subject: [PATCH] Fix dynaconf obfuscation and add AUTH_LDAP_BIND_PASSWORD
Signed-off-by: Dr. Jason Breitweg <jason@breitweg.com>
Fixed style issues
Signed-off-by: Jason Breitweg jbreitwe@redhat.com
Signed-off-by: Dr. Jason Breitweg <jason@breitweg.com>
Fixed yet more linting errors
Signed-off-by: Jason Breitweg jbreitwe@redhat.com
Signed-off-by: Dr. Jason Breitweg <jason@breitweg.com>
---
sos/report/plugins/pulp.py | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/sos/report/plugins/pulp.py b/sos/report/plugins/pulp.py
index df007168a..f5c762f48 100644
--- a/sos/report/plugins/pulp.py
+++ b/sos/report/plugins/pulp.py
@@ -170,10 +170,13 @@ def postproc(self):
repl = r"\1********"
self.do_path_regex_sub("/etc/pulp(.*)(.json$)", jreg, repl)
- # obfuscate SECRET_KEY = .. and 'PASSWORD': .. in dynaconf list output
- # and also in settings.py
+ # obfuscate SECRET_KEY = .., 'PASSWORD': ..,
+ # and AUTH_LDAP_BIND_PASSWORD = ..
+ # in dynaconf list output and also in settings.py
# count with option that PASSWORD is with(out) quotes or in capitals
- key_pass_re = r"(SECRET_KEY\s*=|(password|PASSWORD)(\"|'|:)+)\s*(\S*)"
+ key_pass_re = r"((?:SECRET_KEY|AUTH_LDAP_BIND_PASSWORD)" \
+ r"(?:\<.+\>)?(\s*=)?|(password|PASSWORD)" \
+ r"(\"|'|:)+)\s*(\S*)"
repl = r"\1 ********"
self.do_path_regex_sub("/etc/pulp/settings.py", key_pass_re, repl)
self.do_cmd_output_sub("dynaconf list", key_pass_re, repl)
From 866abe6119e846e243d586b1e353a6585ed83899 Mon Sep 17 00:00:00 2001
From: Pavel Moravec <pmoravec@redhat.com>
Date: Wed, 18 Oct 2023 13:38:29 +0200
Subject: [PATCH] [pulpcore] Scrub AUTH_LDAP_BIND_PASSWORD value
Likewise in #3379, scrub the password also in pulpcore plugin.
Resolves: #3389
Signed-off-by: Pavel Moravec <pmoravec@redhat.com>
---
sos/report/plugins/pulpcore.py | 27 ++++++++-------------------
1 file changed, 8 insertions(+), 19 deletions(-)
diff --git a/sos/report/plugins/pulpcore.py b/sos/report/plugins/pulpcore.py
index 04efae9f8..649626ada 100644
--- a/sos/report/plugins/pulpcore.py
+++ b/sos/report/plugins/pulpcore.py
@@ -144,29 +144,18 @@ def build_query_cmd(self, query, csv=False):
return _dbcmd % (self.dbhost, self.dbport, self.dbname, quote(query))
def postproc(self):
- # TODO obfuscate from /etc/pulp/settings.py :
+ # obfuscate from /etc/pulp/settings.py and "dynaconf list":
# SECRET_KEY = "eKfeDkTnvss7p5WFqYdGPWxXfHnsbDBx"
# 'PASSWORD': 'tGrag2DmtLqKLTWTQ6U68f6MAhbqZVQj',
+ # AUTH_LDAP_BIND_PASSWORD = 'ouch-a-secret'
# the PASSWORD can be also in an one-liner list, so detect its value
# in non-greedy manner till first ',' or '}'
- self.do_path_regex_sub(
- "/etc/pulp/settings.py",
- r"(SECRET_KEY\s*=\s*)(.*)",
- r"\1********")
- self.do_path_regex_sub(
- "/etc/pulp/settings.py",
- r"(PASSWORD\S*\s*:\s*)(.*?)(,|\})",
- r"\1********\3")
- # apply the same for "dynaconf list" output that prints settings.py
- # in a pythonic format
- self.do_cmd_output_sub(
- "dynaconf list",
- r"(SECRET_KEY<str>\s*)'(.*)'",
- r"\1********")
- self.do_cmd_output_sub(
- "dynaconf list",
- r"(PASSWORD\S*\s*:\s*)(.*)",
- r"\1********")
+ key_pass_re = r"((?:SECRET_KEY|AUTH_LDAP_BIND_PASSWORD)" \
+ r"(?:\<.+\>)?(\s*=)?|(password|PASSWORD)" \
+ r"(\"|'|:)+)\s*(\S*)"
+ repl = r"\1 ********"
+ self.do_path_regex_sub("/etc/pulp/settings.py", key_pass_re, repl)
+ self.do_cmd_output_sub("dynaconf list", key_pass_re, repl)
# vim: set et ts=4 sw=4 :