
[subscription_manager] Obfuscate proxy password from curl cmdline #3880


pmoravec
Contributor

Curl to https://subscription.rhsm.redhat.com contains the proxy password in plaintext. That is visible in the process listing, stored in the cmd output filename and kept in a few other places (manifest, sos.log, ..).

When proxy password is set, use an auxiliary curl config file to store the password.

Resolves: #3880


Please place an 'X' inside each '[]' to confirm you adhere to our Contributor Guidelines

  • Is the commit message split over multiple lines and hard-wrapped at 72 characters?
  • Is the subject and message clear and concise?
  • Does the subject start with [plugin_name] if submitting a plugin patch or a [section_name] if part of the core sosreport code?
  • Does the commit contain a Signed-off-by: First Lastname [email protected]?
  • Are any related Issues or existing PRs properly referenced via a Closes (Issue) or Resolved (PR) line?
  • Are all passwords or private data gathered by this PR obfuscated?


Congratulations! One of the builds has completed. 🍾

You can install the built RPMs by following these steps:

  • sudo yum install -y dnf-plugins-core on RHEL 8
  • sudo dnf install -y dnf-plugins-core on Fedora
  • dnf copr enable packit/sosreport-sos-3880
  • And now you can install the packages.

Please note that the RPMs should be used only in a testing environment.

@pmoravec
Contributor Author

Reproducer:

# grep ^proxy /etc/rhsm/rhsm.conf
proxy_hostname = localhost
proxy_scheme = http
proxy_port = 3128
proxy_user = USER
proxy_password = SECRETPASSWORD
#

Then sos report -o subscription_manager contains the password in various places:

# grep -r SECRET .  # inside the sos build dir
./sos_logs/sos.log:2024-12-13 09:27:55,115 INFO: [plugin:subscription_manager] added cmd output 'curl -vv https://subscription.rhsm.redhat.com:443/subscription --cacert /etc/rhsm/ca/redhat-uep.pem --proxy http://localhost:3128 --proxy-user USER:SECRETPASSWORD'
./sos_logs/sos.log:2024-12-13 09:27:55,127 INFO: [plugin:subscription_manager] collecting output of 'curl -vv https://subscription.rhsm.redhat.com:443/subscription --cacert /etc/rhsm/ca/redhat-uep.pem --proxy http://localhost:3128 --proxy-user USER:SECRETPASSWORD'
./sos_reports/sos.txt:  * curl -vv https://subscription.rhsm.redhat.com:443/subscription --cacert /etc/rhsm/ca/redhat-uep.pem --proxy http://localhost:3128 --proxy-user USER:SECRETPASSWORD
./sos_reports/sos.json:                    "name": "curl -vv https://subscription.rhsm.redhat.com:443/subscription --cacert /etc/rhsm/ca/redhat-uep.pem --proxy http://localhost:3128 --proxy-user USER:SECRETPASSWORD",
./sos_reports/sos.json:                    "href": "../sos_commands/subscription_manager/curl_-vv_https_..subscription.rhsm.redhat.com_443.subscription_--cacert_.etc.rhsm.ca.redhat-uep.pem_--proxy_http_..localhost_3128_--proxy-user_USER_SECRETPASSWORD"
./sos_reports/sos.html:<li><a href="../sos_commands/subscription_manager/curl_-vv_https_..subscription.rhsm.redhat.com_443.subscription_--cacert_.etc.rhsm.ca.redhat-uep.pem_--proxy_http_..localhost_3128_--proxy-user_USER_SECRETPASSWORD">curl -vv https://subscription.rhsm.redhat.com:443/subscription --cacert /etc/rhsm/ca/redhat-uep.pem --proxy http://localhost:3128 --proxy-user USER:SECRETPASSWORD</a></li>
./sos_reports/manifest.json:                                "USER:SECRETPASSWORD"
./sos_reports/manifest.json:                            "exec": "curl -vv https://subscription.rhsm.redhat.com:443/subscription --cacert /etc/rhsm/ca/redhat-uep.pem --proxy http://localhost:3128 --proxy-user USER:SECRETPASSWORD",
./sos_reports/manifest.json:                            "filepath": "sos_commands/subscription_manager/curl_-vv_https_..subscription.rhsm.redhat.com_443.subscription_--cacert_.etc.rhsm.ca.redhat-uep.pem_--proxy_http_..localhost_3128_--proxy-user_USER_SECRETPASSWORD",

Now we call something like curl -vv https://subscription.rhsm.redhat.com:443/subscription --cacert /etc/rhsm/ca/redhat-uep.pem --proxy http://localhost:3128 --config /var/tmp/sos.nywwnci0/sosreport-pmoravec-rhel9-8675309-2024-12-13-tvggopn/rhsm_curl_cfg (and delete the rhsm_curl_cfg file afterwards).

I would prefer to have the rhsm_curl_cfg file outside the sosreport directory (in /var/tmp/sos.nywwnci0/) to really ensure we won't collect it, but the sos.archive class does not support access to _tmp_dir /o.
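The approach the PR takes, written up as an added example in Python (this is not sos's own plugin code): the proxy settings from rhsm.conf are parsed, the proxy URL stays on the command line, and the user:password pair is written to a mode-0600 curl config file that is passed via --config and deleted afterwards. The rhsm_curl_cfg file name comes from the comment above; the sample config text, the parse_proxy/build_curl/demo helpers and the 0600 mode are assumptions made for the example.

```python
import configparser
import os
import tempfile
# Constructed sample of the [server] proxy keys shown in the reproducer above.
SAMPLE_RHSM_CONF = """[server]
proxy_hostname = localhost
proxy_scheme = http
proxy_port = 3128
proxy_user = USER
proxy_password = SECRETPASSWORD
"""
RHSM_URL = "https://subscription.rhsm.redhat.com:443/subscription"
CACERT = "/etc/rhsm/ca/redhat-uep.pem"
KEYS = ("proxy_hostname", "proxy_scheme", "proxy_port", "proxy_user", "proxy_password")

def parse_proxy(conf_text):
    # proxy_* keys of [server]; missing keys come back as ''
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    return {k: cp["server"].get(k, "") for k in KEYS}

def curl_config_text(user, password):
    # curl config syntax: long option without dashes, double-quoted value; escape \ and " inside
    esc = password.replace("\\", "\\\\").replace('"', '\\"')
    return f'proxy-user = "{user}:{esc}"\n'

def build_curl(proxy, cfg_dir):
    # argv never carries the secret; it lands only in a mode-0600 file under cfg_dir
    cmd = ["curl", "-vv", RHSM_URL, "--cacert", CACERT]
    cfg_path = None
    if proxy["proxy_hostname"]:
        scheme = proxy["proxy_scheme"] or "http"
        cmd += ["--proxy", f"{scheme}://{proxy['proxy_hostname']}:{proxy['proxy_port']}"]
        if proxy["proxy_password"]:
            cfg_path = os.path.join(cfg_dir, "rhsm_curl_cfg")  # file name taken from the PR
            fd = os.open(cfg_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
            with os.fdopen(fd, "w") as f:
                f.write(curl_config_text(proxy["proxy_user"], proxy["proxy_password"]))
            cmd += ["--config", cfg_path]
    return cmd, cfg_path

def demo(conf_text=SAMPLE_RHSM_CONF):
    # build in a scratch dir, record what ended up where, then delete the config file
    with tempfile.TemporaryDirectory() as d:
        cmd, cfg = build_curl(parse_proxy(conf_text), d)
        with open(cfg) as f:
            body = f.read()
        mode = os.stat(cfg).st_mode & 0o777
        os.unlink(cfg)  # as the PR does once curl has returned
        return {"argv": cmd, "cfg_body": body, "mode": mode, "cfg_left": os.path.exists(cfg)}
```

Because the secret never appears in argv, nothing derived from the command string (the sos_commands file name, sos.log, manifest.json) can carry it; only the config file does, and it is unlinked before the archive is built.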

@arif-ali
Member

One thing here is that we're changing something in the OS; would this one item be excluded because we're creating/removing from the archive directory? The key ethos being that we don't change anything on the FS.

i.e. do we want this as allow system changes?

@pmoravec
Contributor Author

(I am checking the failed tests)

One thing here is that we're changing something in the OS; would this one item be excluded because we're creating/removing from the archive directory? The key ethos being that we don't change anything on the FS.

i.e. do we want this as allow system changes?

What are we changing in the OS? The plugin just creates a file (inside the sosreport build directory, which is not optimal - how to create it one dir above?), uses the file as curl config and deletes the file - nothing else.

Or am I missing some side effect?

@arif-ali
Member

What are we changing in the OS? The plugin just creates a file (inside the sosreport build directory, which is not optimal - how to create it one dir above?), uses the file as curl config and deletes the file - nothing else.

Or am I missing some side effect?

Cool, sounds good to me

pmoravec added a commit to pmoravec/sos that referenced this pull request Dec 13, 2024
Curl to https://subscription.rhsm.redhat.com contains the proxy password in
plaintext. That is visible in the process listing, stored in the cmd output
filename and kept in a few other places (manifest, sos.log, ..).

When proxy password is set, use an auxiliary curl config file to store
the password.

Resolves: sosreport#3880

Signed-off-by: Pavel Moravec <[email protected]>
@pmoravec pmoravec force-pushed the sos-pmoravec-rhsm-hide-proxy-password-from-curl branch from 259fc34 to c75f4e2 December 13, 2024 10:35
pmoravec added a commit to pmoravec/sos that referenced this pull request Dec 13, 2024
@pmoravec pmoravec force-pushed the sos-pmoravec-rhsm-hide-proxy-password-from-curl branch from c75f4e2 to f4d1977 December 13, 2024 10:57
@arif-ali arif-ali added Reviewed/Ready for Merge Has been reviewed, ready for merge and removed Reviewed/Ready for Merge Has been reviewed, ready for merge labels Dec 13, 2024
@pmoravec pmoravec force-pushed the sos-pmoravec-rhsm-hide-proxy-password-from-curl branch from f4d1977 to f26cb40 December 13, 2024 11:54
@arif-ali arif-ali added the Reviewed/Ready for Merge Has been reviewed, ready for merge label Dec 13, 2024
@arif-ali arif-ali merged commit a28a26e into sosreport:main Dec 13, 2024
33 checks passed