
Fixed return and logging of password-like props in clear text #1093

Merged
merged 1 commit into from
Nov 29, 2024

Conversation

andy-maier
Member

@andy-maier andy-maier commented Nov 28, 2024

For details, see the commit message.

End2end tests:

  • Tested on A224 with a playbook with log_file enabled that creates an LDAP server definition with bind password - checked the module output and the log file - passed
  • Ran TESTCASES=test_zhmc_ldap_server_definition.py make end2end on A224 - passed
  • Ran TESTCASES=test_zhmc_user.py make end2end on A224 - passed
  • Ran TESTCASES=test_zhmc_partition.py make end2end on A224 - passed
  • Tested that the updated end2end testcases from this PR with the collection code from the master branch fail due to the password-like properties in the module output, with TESTCASES=test_zhmc_ldap_server_definition.py make end2end on A224 - passed

Note: test_zhmc_lpar.py was not run.

@coveralls

coveralls commented Nov 28, 2024

Coverage Status

coverage: 43.057% (+0.08%) from 42.98%
when pulling 08b4ceb on andy/fix-password-logging
into 052cfd8 on master.

@andy-maier andy-maier force-pushed the andy/fix-password-logging branch 4 times, most recently from 92b218a to 20e4c1b on November 29, 2024 06:22
Details:

* Increased minimum version of zhmcclient to 1.8.2 to pick up fixes for no
  longer logging password-like properties in clear-text.

* Fixed that all password-like input parameters that were written in clear text
  to the module entry log are now blanked out. This affected the following
  modules: zhmc_ldap_server_definition, zhmc_lpar, zhmc_partition, zhmc_user.

* Fixed that all password-like input parameters that were added to the
  module return value in clear text for 'state' values that created or updated
  the resource are now removed from the return value. This affected the
  following modules: zhmc_ldap_server_definition, zhmc_lpar, zhmc_partition.

* The 'hmc_auth' input parameter is no longer completely removed from the
  module entry log, but instead its sensitive items 'password' and 'session_id'
  are now blanked out.

* In support of the above, added common functions blanked_params(),
  blanked_dict() and removed_dict(). Added unit tests for these new functions.

* Improved the end2end tests for the affected modules to check that the module
  output does not contain the password-like properties.

Signed-off-by: Andreas Maier <[email protected]>
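As an added example of the blanking and removal the commit message describes (this is not the collection's own code): the three function names follow the commit message, but their signatures, the set of password-like keys, and the entry-log line format are assumptions.

```python
import copy
import logging

# Constructed set of password-like key names; the collection's real list is
# an assumption here. 'password' and 'session_id' are the hmc_auth items
# named in the commit message, 'bind-password' the LDAP server definition one.
SENSITIVE_KEYS = frozenset({"password", "session_id", "bind-password"})
BLANKED = "********"


def blanked_dict(d, keys=SENSITIVE_KEYS):
    """Deep copy of d with the values of sensitive keys, at any nesting
    level, replaced by a fixed marker. Keys are kept and a None value stays
    None, so the log still shows which parameters were supplied."""
    def _walk(obj):
        if isinstance(obj, dict):
            return {k: (BLANKED if k in keys and v is not None else _walk(v))
                    for k, v in obj.items()}
        if isinstance(obj, list):
            return [_walk(i) for i in obj]
        return copy.deepcopy(obj)
    return _walk(d)


def removed_dict(d, keys=SENSITIVE_KEYS):
    """Deep copy of d with sensitive keys dropped at any nesting level, for
    a module return value that must not carry the secret at all."""
    def _walk(obj):
        if isinstance(obj, dict):
            return {k: _walk(v) for k, v in obj.items() if k not in keys}
        if isinstance(obj, list):
            return [_walk(i) for i in obj]
        return copy.deepcopy(obj)
    return _walk(d)


def blanked_params(params):
    """Module parameters as they may be written to the entry log: the
    'hmc_auth' dict stays visible, only its sensitive items are blanked."""
    return blanked_dict(params)


def log_module_entry(module_name, params, logger=None):
    """Write the module entry log line (format assumed) and return it."""
    logger = logger or logging.getLogger(__name__)
    line = "Entry: module=%s, params=%r" % (module_name, blanked_params(params))
    logger.debug(line)
    return line
```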
@andy-maier andy-maier merged commit 848d51f into master Nov 29, 2024
16 checks passed
@andy-maier andy-maier deleted the andy/fix-password-logging branch November 29, 2024 09:25
3 participants