Encrypt verify_credentials params before MiqQueue

Encrypt verify_credentials parameters before putting them on the queue to prevent the values showing up in system logs.
ManageIQ · Dec 21, 2023 · 9b0d339 · 9b0d339
1 parent 310ea27
commit 9b0d339
Show file tree

Hide file tree

Showing 2 changed files with 61 additions and 0 deletions.
diff --git a/app/models/host.rb b/app/models/host.rb
@@ -613,6 +613,8 @@ def verify_credentials_task(userid, auth_type = nil, options = {})
       :userid => userid
     }
 
+    encrypt_verify_credential_params!(options)
+
     queue_opts = {
       :args        => [auth_type, options],
       :class_name  => self.class.name,
@@ -1427,4 +1429,34 @@ def verbose_supports?(feature, description = nil)
       end
     end
   end
+
+  private
+
+  # Ensure that any passwords are encrypted before putting them onto the queue for any
+  # DDF fields which are a password type
+  def encrypt_verify_credential_params!(options)
+    # NOTE the API always symbolizes the username/password keys so it is safe
+    # to assume the keys will be symbols until we move to passing the DDF payload in
+    encrypted_columns = Authentication.encrypted_columns.map(&:to_sym)
+
+    traverse_hash(options) do |value, key_path|
+      value.slice(*encrypted_columns).each do |key, val|
+        options.store_path(key_path + [key], ManageIQ::Password.try_encrypt(val))
+      end
+    end
+  end
+
+  def traverse_hash(hash, path = [], &block)
+    hash.each do |key, val|
+      key_path = path << key
+
+      if val.kind_of?(Array)
+        val.each { |v| traverse_hash(v, key_path, &block)}
+      elsif val.kind_of?(Hash)
+        yield val, key_path
+
+        traverse_hash(val, key_path, &block)
+      end
+    end
+  end
 end
diff --git a/spec/models/host_spec.rb b/spec/models/host_spec.rb
@@ -244,6 +244,35 @@
           :queue_name  => @ems.queue_name_for_ems_operations
         )
       end
+
+      it "encryptes the password before putting it on the queue" do
+        credentials = {
+          "default" => {
+            :userid   => "root",
+            :auth_key => "SECRET"
+          },
+          "ws"      => {
+            :userid   => "root",
+            :password => "ALSO_SECRET"
+          }
+        }
+
+        expected_credentials = credentials.dup
+        expected_credentials["default"][:auth_key] = ManageIQ::Password.encrypt(credentials.dig("default", :auth_key))
+        expected_credentials["ws"][:password]      = ManageIQ::Password.encrypt(credentials.dig("ws", :password))
+
+        @host.verify_credentials_task(FactoryBot.create(:user).userid, :default, :credentials => credentials)
+
+        expect(MiqQueue.last).to have_attributes(
+          :args        => [:default, {:credentials => expected_credentials}],
+          :method_name => "verify_credentials?",
+          :instance_id => @host.id,
+          :class_name  => @host.class.name,
+          :role        => "ems_operations",
+          :zone        => @ems.zone.name,
+          :queue_name  => @ems.queue_name_for_ems_operations
+        )
+      end
     end
 
     context "default credentials" do