Clean up the password field and value in automate and evm.log #228
Conversation
lfu
changed the title
|
|
||
| def attribute_for_vmdb_object?(klass, value) | ||
| Kernel.const_defined?(klass) && value.to_i.nonzero? | ||
| rescue NameError |
There was a problem hiding this comment.
Should use klass.safe_constantize here which will return nil if the class does not exist.
| @@ -310,4 +310,10 @@ def self.ae_user_object(options = {}) | |||
| $miq_ae_logger.info("User [#{obj.userid}] with current group ID [#{obj.current_group.id}] name [#{obj.current_group.description}]") | |||
| end | |||
| end | |||
|
|
|||
| V2_PASSWORD_REGEXP = /v([0-9]+)%3A%7B(.*?)%7D/ | |||
There was a problem hiding this comment.
Push this to the top of the file to group with the other constant. Also, I would recommend adding a comment clarifying why this one is different then the one in MiqPassword.
|
|
||
| V2_PASSWORD_REGEXP = /v([0-9]+)%3A%7B(.*?)%7D/ | ||
|
|
||
| def self.sanitize_string(str) |
There was a problem hiding this comment.
I would recommend changing this name to be more specific since it is really handling the special use-case of an encoded string.
Maybe: sanitize_encoded_string
@bdunne Do you think this should live in MiqPassword? A bit of a special case.
lfu
force-pushed
the
password_log_1619385
branch
2 times, most recently
from
2b29f8f to
643fce9
Compare
|
@miq-bot add_label blocker |
|
|
||
| def self.instantiate(uri, user) | ||
| $miq_ae_logger.info("MiqAeEngine: Instantiating Workspace for URI=#{uri}") | ||
| $miq_ae_logger.info("MiqAeEngine: Instantiating Workspace for URI=#{sanitize_encoded_string(uri)}") |
There was a problem hiding this comment.
@lfu Why can't we use MiqPassword.sanitize_string here?
There was a problem hiding this comment.
The string is URL encoded so it no longer matches the regex in MiqPassword.
There was a problem hiding this comment.
@lfu @gmcculloug
Are we getting passwords as URL's?
Can the function sanitize_encoded_string to MiqPassword so its all in one place and we can control if it should be asterisk or [FILTERED] or something else
There was a problem hiding this comment.
Its the password coming in from Dialogs any dialog_field that is marked as encrypted comes in with the v2 string.
|
@lfu @gmcculloug @mkanoor I know we've always used "********" in our logs for password fields. production.log:[----] I, [2018-08-30T10:12:03.800666 #2303:1170470] |
|
|
|
The I would suggest we look into including the support for encoded password strings into MiqPassword as @mkanoor and I mentioned (#228 (comment) and #228 (comment)) and the discussion about what replacement string to use should be a separate PR/issue. |
The "_id" attribute is not meant for fields like password::dialog_password_field. https://bugzilla.redhat.com/show_bug.cgi?id=1619385
lfu
force-pushed
the
password_log_1619385
branch
from
643fce9 to
b25ce0b
Compare
lfu
force-pushed
the
password_log_1619385
branch
from
b25ce0b to
4a3cf53
Compare
|
Checked commits lfu/manageiq-automation_engine@c9a6e98~...4a3cf53 with ruby 2.3.3, rubocop 0.52.1, haml-lint 0.20.0, and yamllint 1.10.0 |
Clean up the password field and value in automate and evm.log (cherry picked from commit f294b56) https://bugzilla.redhat.com/show_bug.cgi?id=1634808
|
Gaprindashvili backport details: |
Hide password values in automate.log and evm.log.
Add "_id" attribute only for VMDB objects.
Depends on ManageIQ/manageiq-gems-pending#373.
Includes ManageIQ/manageiq#17986.
https://bugzilla.redhat.com/show_bug.cgi?id=1619385
@miq-bot add_label bug, gaprindashvili/yes