Merge pull request #135 from lfu/log_hashes

Let VMDBLogger.log_hashes filter out the sensitive value.
ManageIQ · May 9, 2017 · 799ba56 · 799ba56
2 parents 5c31234 + d5ae4de
commit 799ba56
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 6 deletions.
diff --git a/lib/gems/pending/util/vmdb-logger.rb b/lib/gems/pending/util/vmdb-logger.rb
@@ -108,9 +108,13 @@ def self.log_hashes(logger, h, options = {})
     filter = Array(options[:filter]).flatten.compact.map(&:to_s) << "password"
     filter.uniq!
 
-    YAML.dump(h).split("\n").each do |l|
+    values = YAML.dump(h).gsub(MiqPassword::REGEXP, "[FILTERED]")
+    values.split("\n").each do |l|
       next if l[0...3] == '---'
-      logger.send(level, "  #{l}") unless filter.any? { |f| l.include?(f) }
+      if (key = filter.detect { |f| l.include?(f) })
+        l.gsub!(/#{key}.*: (.+)/) { |m| m.gsub!($1, "[FILTERED]") }
+      end
+      logger.send(level, "  #{l}")
     end
   end
 

diff --git a/spec/util/vmdb-logger_spec.rb b/spec/util/vmdb-logger_spec.rb
@@ -1,4 +1,5 @@
 require 'util/vmdb-logger'
+require 'util/miq-password'
 
 describe VMDBLogger do
   describe "#log_hashes" do
@@ -10,31 +11,60 @@
       logger.log_hashes(hash)
 
       buffer.rewind
-      expect(buffer.read).to_not include("pa$$w0rd")
+      expect(buffer.read).to include(":password: [FILTERED]")
     end
 
     it "filters out passwords when keys are strings" do
       hash = {"a" => {"b" => 1, "password" => "pa$$w0rd"}}
       logger.log_hashes(hash)
 
       buffer.rewind
-      expect(buffer.read).to_not include("pa$$w0rd")
+      expect(buffer.read).to include("password: [FILTERED]")
     end
 
     it "with :filter option, filters out given keys and passwords" do
       hash = {:a => {:b => 1, :extra_key => "pa$$w0rd", :password => "pa$$w0rd"}}
       logger.log_hashes(hash, :filter => :extra_key)
 
       buffer.rewind
-      expect(buffer.read).to_not include("pa$$w0rd")
+      message = buffer.read
+      expect(message).to include(':extra_key: [FILTERED]')
+      expect(message).to include(':password: [FILTERED]')
     end
 
     it "when :filter option is a Set object, filters out the given Set elements" do
       hash = {:a => {:b => 1, :bind_pwd => "pa$$w0rd", :amazon_secret => "pa$$w0rd", :password => "pa$$w0rd"}}
       logger.log_hashes(hash, :filter => %i(bind_pwd password amazon_secret).to_set)
 
       buffer.rewind
-      expect(buffer.read).to_not include("pa$$w0rd")
+      message = buffer.read
+      expect(message).to include(':bind_pwd: [FILTERED]')
+      expect(message).to include(':amazon_secret: [FILTERED]')
+      expect(message).to include(':password: [FILTERED]')
+    end
+
+    it "filters out encrypted value" do
+      hash = {:a => {:b => 1, :extra_key => "v2:{c5qTeiuz6JgbBOiDqp3eiQ==}"}}
+      logger.log_hashes(hash)
+
+      buffer.rewind
+      expect(buffer.read).to include(':extra_key: [FILTERED]')
+    end
+
+    it "filters out root_password" do
+      hash = {"a" => {"b" => 1, "root_password" => "pa$$w0rd"}}
+      logger.log_hashes(hash)
+
+      buffer.rewind
+      expect(buffer.read).to include("root_password: [FILTERED]")
+    end
+
+    it "filters out password_for_important_thing" do
+      hash = {:a => {:b => 1, :password_for_important_thing => "pa$$w0rd"}}
+      logger.log_hashes(hash)
+
+      buffer.rewind
+      expect(buffer.read).to include(":password_for_important_thing: [FILTERED]")
     end
   end