From d5ae4de73abeff934f389617f25cf536f8f0f527 Mon Sep 17 00:00:00 2001
From: Lucy Fu
Date: Tue, 25 Apr 2017 10:44:13 -0400
Subject: [PATCH] Let VMDBLogger.log_hashes filter out the sensitive value.
---
 lib/gems/pending/util/vmdb-logger.rb | 8 ++++--
 spec/util/vmdb-logger_spec.rb | 38 +++++++++++++++++++++++++---
 2 files changed, 40 insertions(+), 6 deletions(-)
diff --git a/lib/gems/pending/util/vmdb-logger.rb b/lib/gems/pending/util/vmdb-logger.rb
index 09ad82dcc..b780f7e7e 100644
--- a/lib/gems/pending/util/vmdb-logger.rb
+++ b/lib/gems/pending/util/vmdb-logger.rb
@@ -108,9 +108,13 @@ def self.log_hashes(logger, h, options = {})
 filter = Array(options[:filter]).flatten.compact.map(&:to_s) << "password"
 filter.uniq!
- YAML.dump(h).split("\n").each do |l|
+ values = YAML.dump(h).gsub(MiqPassword::REGEXP, "[FILTERED]")
+ values.split("\n").each do |l|
 next if l[0...3] == '---'
- logger.send(level, " #{l}") unless filter.any? { |f| l.include?(f) }
+ if (key = filter.detect { |f| l.include?(f) })
+ l.gsub!(/#{key}.*: (.+)/) { |m| m.gsub!($1, "[FILTERED]") }
+ end
+ logger.send(level, " #{l}")
 end
 end
diff --git a/spec/util/vmdb-logger_spec.rb b/spec/util/vmdb-logger_spec.rb
index a965f4b65..dfcf9a3ea 100644
--- a/spec/util/vmdb-logger_spec.rb
+++ b/spec/util/vmdb-logger_spec.rb
@@ -1,4 +1,5 @@
 require 'util/vmdb-logger'
+require 'util/miq-password'
 describe VMDBLogger do
 describe "#log_hashes" do
@@ -10,7 +11,7 @@
 logger.log_hashes(hash)
 buffer.rewind
- expect(buffer.read).to_not include("pa$$w0rd")
+ expect(buffer.read).to include(":password: [FILTERED]")
 end
 it "filters out passwords when keys are strings" do
@@ -18,7 +19,7 @@
 logger.log_hashes(hash)
 buffer.rewind
- expect(buffer.read).to_not include("pa$$w0rd")
+ expect(buffer.read).to include("password: [FILTERED]")
 end
 it "with :filter option, filters out given keys and passwords" do
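Review bot: In the `lib/gems/pending/util/vmdb-logger.rb` hunk, the substitution `/#{key}.*: (.+)/` is greedy and fails open, so part of a secret can still reach the log. For a value that YAML quotes because it contains a colon and a space (constructed example: `:password: 'abc: def'`), `.*` runs to the last `: ` and only the tail is replaced; a line that contains the key but does not match the pattern is logged unchanged, where the old code dropped it. The key is also interpolated without `Regexp.escape`. I would replace the `gsub!` line with `next unless l.sub!(/(#{Regexp.escape(key)}[^:]*: ).+/) { "#{$1}[FILTERED]" }`, which masks everything after the key's own colon and skips the line when nothing was masked. `log_hashes` starts above the hunk (only its `def` shows in the hunk header), so `level` and any earlier handling are not visible here.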
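Review bot: The `require 'util/miq-password'` added in the first `spec/util/vmdb-logger_spec.rb` hunk belongs in `lib/gems/pending/util/vmdb-logger.rb`, which is the file that now references `MiqPassword::REGEXP`. This patch adds no require there, and the top of that file is not shown, so unless it already loads the constant some other way, a caller that requires only the logger could hit a `NameError` inside `log_hashes`. I would add `require 'util/miq-password'` next to the logger's existing requires and drop it from the spec, so the spec exercises the same load path as production code.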
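Review bot: The spec hunks at `@@ -10,7 +11,7 @@` and `@@ -18,7 +19,7 @@` replace the negative assertion with a positive one, so these tests no longer fail if the secret also appears somewhere else in the output; the hunks at `@@ -26,7 +27,9 @@` and `@@ -34,7 +37,34 @@` do the same. Since the point of the method is that the value never reaches the log, I would keep both checks: read the buffer once into `message` and assert `expect(message).to include(":password: [FILTERED]")` together with `expect(message).to_not include("pa$$w0rd")`. The `it` blocks open above these hunks, so the hashes under test are not visible here.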
@@ -26,7 +27,9 @@
 logger.log_hashes(hash, :filter => :extra_key)
 buffer.rewind
- expect(buffer.read).to_not include("pa$$w0rd")
+ message = buffer.read
+ expect(message).to include(':extra_key: [FILTERED]')
+ expect(message).to include(':password: [FILTERED]')
 end
 it "when :filter option is a Set object, filters out the given Set elements" do
@@ -34,7 +37,34 @@
 logger.log_hashes(hash, :filter => %i(bind_pwd password amazon_secret).to_set)
 buffer.rewind
- expect(buffer.read).to_not include("pa$$w0rd")
+ message = buffer.read
+ expect(message).to include(':bind_pwd: [FILTERED]')
+ expect(message).to include(':amazon_secret: [FILTERED]')
+ expect(message).to include(':password: [FILTERED]')
+ end
+
+ it "filters out encrypted value" do
+ hash = {:a => {:b => 1, :extra_key => "v2:{c5qTeiuz6JgbBOiDqp3eiQ==}"}}
+ logger.log_hashes(hash)
+
+ buffer.rewind
+ expect(buffer.read).to include(':extra_key: [FILTERED]')
+ end
+
+ it "filters out root_password" do
+ hash = {"a" => {"b" => 1, "root_password" => "pa$$w0rd"}}
+ logger.log_hashes(hash)
+
+ buffer.rewind
+ expect(buffer.read).to include("root_password: [FILTERED]")
+ end
+
+ it "filters out password_for_important_thing" do
+ hash = {:a => {:b => 1, :password_for_important_thing => "pa$$w0rd"}}
+ logger.log_hashes(hash)
+
+ buffer.rewind
+ expect(buffer.read).to include(":password_for_important_thing: [FILTERED]")
 end
 end
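Review bot: None of the examples added in the `@@ -34,7 +37,34 @@` hunk uses a secret that contains a colon followed by a space, which is the input where the greedy pattern `/#{key}.*: (.+)/` in `log_hashes` masks only the tail of the value. The new examples also assert only that the placeholder is present, not that the secret is absent. I would add an example like the one below (the value is a constructed sample); it passes only once the substitution in `log_hashes` masks everything after the key's own colon.

```ruby
it "filters out the whole value when it contains a colon and a space" do
  hash = {:a => {:b => 1, :password => "abc: def"}}
  logger.log_hashes(hash)

  buffer.rewind
  message = buffer.read
  expect(message).to include(":password: [FILTERED]")
  expect(message).to_not include("abc")
end
```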