[foreman] Obfuscate http_proxy passwords. PR-3878 improvement #3881
Conversation
|
Congratulations! One of the builds has completed. 🍾 You can install the built RPMs by following these steps:
Please note that the RPMs should be used only in a testing environment. |
|
@pafernanr can you squash these two commits into one please? |
| @@ -328,16 +328,14 @@ def postproc(self): | |||
| r"((\:|\s*)(passw|cred|token|secret|key).*(\:\s|=))(.*)", | |||
| r'\1"********"') | |||
| # hide proxy credentials.. | |||
| self.do_paths_http_sub([ | |||
| '/var/log/foreman/production.log*', | |||
| ]) | |||
There was a problem hiding this comment.
Is is really necessary to remove this function? This obfuscates *_PROXY vars, and the change below doesn't do that, right?
There was a problem hiding this comment.
do_paths_http_sub function replaces only one occurrence of r"(http(s)?://)\S+:\S+(@.*)", r"\1******:******\3").
In the foreman case there could be one or two occurrences on the same line. That's the reason to remove that function and improve the regex on foreman.py to capture one or multiple occurrences.
*_PROXY vars are being obfuscated at https://github.com/sosreport/sos/blob/main/sos/report/plugins/foreman.py#L299
There was a problem hiding this comment.
hmmm. I think the description for do_paths_http_sub is not accurate:
- Obfuscate credentials in *_PROXY variables...
There was a problem hiding this comment.
Yes, the description is a historic artifact from some first PR draft and should be updated.
There was a problem hiding this comment.
@pmoravec can you help with this?
There was a problem hiding this comment.
Indeed, the do_paths_http_sub can match just one instance on a given line - that is why my #3878 already obfuscates the logfile(s) twice. Which is ridiculous and this PR aims to improve it.
There was a problem hiding this comment.
If you agree, we might modify it to something like "Obfuscate BASIC_AUTH credentials in URLs for all files in the...".
But again that function suffer the same issue. Only one match is being replaced /o\
There was a problem hiding this comment.
I created #3882 for that. Usually, there is just one password on a line, so usually the method is sufficient, I think.
Or are there instances where we need to obfuscate a secret on the same line multiple times? This is generic question, not specific to the do_paths_http_sub method. As the method just calls something internal that is used everywhere, incl. by do_path_regex_sub method.
(i.e. should we utilize repeatedly option of do_path_regex_sub?)
jcastill
added
Reviewed/Needs 2nd Ack
arif-ali
added
Reviewed/Ready for Merge
|
Hold on merging this, @pafernanr should have an elegant improvement of |
Improve `do_paths_http_sub` function to replace multiple BASIC_AUTH occurrences on URLs Related: SAT-30137 Closes: sosreport#3878 Signed-off-by: Pablo Fernández Rodríguez <[email protected]>
|
not for this PR, would we benefit on a test for multiple items on one line. I know I have the apt example in stagetwo already, which is a http_sub test for one item? |
Yeah we should add some test for either proxy credentials or for multiple passwords on a line.
I dont understand you here. |
i.e. there is a stagetwo test for apt, that checks for http obfuscation, but that just has single http credentials on one line :) |
Please place an 'X' inside each '[]' to confirm you adhere to our Contributor Guidelines