From c445c39081df2a0218d5cbc48b45232f0286b761 Mon Sep 17 00:00:00 2001 From: Yedidyah Bar David Date: Thu, 26 May 2022 16:43:21 +0300 Subject: [PATCH] [ovirt] answer files: Filter out all password keys Instead of hard-coding specific keys and having to maintain them over time, replace the values of all keys that have 'password' in their name. I think this covers all our current and hopefully future keys. It might add "false positives" - keys that are not passwords but have 'password' in their name - and I think that's a risk worth taking. Sadly, the engine admin password prompt's name is 'OVESETUP_CONFIG_ADMIN_SETUP', which does not include 'password', so has to be listed specifically. A partial list of keys added since the replaced code was written: - grafana-related stuff - keycloak-related stuff - otopi-style answer files Signed-off-by: Yedidyah Bar David Change-Id: I416c6e4078e7c3638493eb271d08d73a0c22b5ba --- sos/report/plugins/ovirt.py | 24 ++++++++++++++---------- 1 file changed, 14 insertions(+), 10 deletions(-) diff --git a/sos/report/plugins/ovirt.py b/sos/report/plugins/ovirt.py index 09647bf148..99c86a8ffc 100644 --- a/sos/report/plugins/ovirt.py +++ b/sos/report/plugins/ovirt.py @@ -241,19 +241,23 @@ def postproc(self): r'{key}=********'.format(key=key) ) - # Answer files contain passwords - for key in ( - 'OVESETUP_CONFIG/adminPassword', - 'OVESETUP_CONFIG/remoteEngineHostRootPassword', - 'OVESETUP_DWH_DB/password', - 'OVESETUP_DB/password', - 'OVESETUP_REPORTS_CONFIG/adminPassword', - 'OVESETUP_REPORTS_DB/password', + + # Answer files contain passwords. + # Replace all keys that have 'password' in them, instead of hard-coding + # here the list of keys, which changes between versions. + # Sadly, the engine admin password prompt name does not contain + # 'password'... so neither does the env key. + for item in ( + 'password', + 'OVESETUP_CONFIG_ADMIN_SETUP', ): self.do_path_regex_sub( r'/var/lib/ovirt-engine/setup/answers/.*', - r'{key}=(.*)'.format(key=key), - r'{key}=********'.format(key=key) + re.compile( + r'(?P[^=]*{item}[^=]*)=.*'.format(item=item), + flags=re.IGNORECASE + ) + r'\g=********' ) # aaa profiles contain passwords