[foreman] Obfuscate http_proxy passwords. PR-3878 improvement #3881

Merged (1 commit), Dec 13, 2024

Conversation

pafernanr (Contributor)


Please place an 'X' inside each '[]' to confirm you adhere to our Contributor Guidelines

  • Is the commit message split over multiple lines and hard-wrapped at 72 characters?
  • Is the subject and message clear and concise?
  • Does the subject start with [plugin_name] if submitting a plugin patch or a [section_name] if part of the core sosreport code?
  • Does the commit contain a Signed-off-by: First Lastname [email protected]?
  • Are any related Issues or existing PRs properly referenced via a Closes (Issue) or Resolved (PR) line?
  • Are all passwords or private data gathered by this PR obfuscated?

Congratulations! One of the builds has completed. 🍾

You can install the built RPMs by following these steps:

  • sudo yum install -y dnf-plugins-core on RHEL 8
  • sudo dnf install -y dnf-plugins-core on Fedora
  • dnf copr enable packit/sosreport-sos-3881
  • And now you can install the packages.

Please note that the RPMs should be used only in a testing environment.

@jcastill (Member)

@pafernanr can you squash these two commits into one please?

@@ -328,16 +328,14 @@ def postproc(self):
r"((\:|\s*)(passw|cred|token|secret|key).*(\:\s|=))(.*)",
r'\1"********"')
# hide proxy credentials..
self.do_paths_http_sub([
'/var/log/foreman/production.log*',
])
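Review bot: with the `self.do_paths_http_sub(['/var/log/foreman/production.log*'])` call removed, the only masking rule still visible in this hunk is the keyword rule `((\:|\s*)(passw|cred|token|secret|key).*(\:\s|=))(.*)`, which cannot match a `http://user:pass@host` proxy URL that carries none of those keywords, so the replacement pattern in foreman.py that is meant to take over (outside this hunk) should be confirmed to mask every `user:pass@` occurrence on a line, since lines with two proxy URLs are the stated motivation. The keyword rule has the same one-per-line limitation: its greedy `.*` runs to the last `: ` or `=` on the line, so on a line holding two `key=value` pairs only the final value is replaced. A test line carrying two credentials would make both checks concrete.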
Member

Is it really necessary to remove this function? This obfuscates *_PROXY vars, and the change below doesn't do that, right?

Contributor Author

The do_paths_http_sub function replaces only one occurrence of r"(http(s)?://)\S+:\S+(@.*)", r"\1******:******\3".

In the foreman case there could be one or two occurrences on the same line. That's the reason to remove that function and improve the regex on foreman.py to capture one or multiple occurrences.

*_PROXY vars are being obfuscated at https://github.com/sosreport/sos/blob/main/sos/report/plugins/foreman.py#L299
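As an added illustration (not code from the sos project or from this PR), the single-occurrence behaviour described above reproduced in Python: the quoted pattern beside an alternative pattern that re.sub can apply to every credential on a line. The alternative pattern and the log line are constructions for this example, not sos's eventual implementation.

```python
import re

# Pattern quoted in the discussion above: the trailing (@.*) swallows the
# rest of the line, so one match consumes everything after the first "@"
# and a second URL on the same line is never reached by re.sub.
SINGLE_PATTERN = re.compile(r"(http(s)?://)\S+:\S+(@.*)")
SINGLE_REPL = r"\1******:******\3"

# Illustrative alternative (an assumption, not sos's real implementation):
# stop the match at the "@" that ends the credential, keep whitespace and
# "@" out of the user/password classes, and let re.sub walk the whole line.
MULTI_PATTERN = re.compile(r"(https?://)[^\s:@/]+:[^\s@]+@")
MULTI_REPL = r"\1******:******@"

# Constructed sample, modelled on a foreman production.log line that
# records two proxy URLs with credentials; not taken from a real system.
SAMPLE = (
    "2024-12-13T10:00:00 [I] http_proxy=http://alice:s3cret@proxy1.example:3128 "
    "https_proxy=https://bob:hunter2@proxy2.example:3128 ok"
)


def mask_single(line: str) -> str:
    """Apply the quoted pattern; re.sub is global but the pattern permits one match per line."""
    return SINGLE_PATTERN.sub(SINGLE_REPL, line)


def mask_multi(line: str) -> str:
    """Mask every user:pass@ credential on the line."""
    return MULTI_PATTERN.sub(MULTI_REPL, line)


def leaked_credentials(line: str) -> list:
    """Post-obfuscation check: credentials still in clear text on the line."""
    return [m.group(0) for m in MULTI_PATTERN.finditer(line)
            if "******" not in m.group(0)]


if __name__ == "__main__":
    print(mask_single(SAMPLE))                      # bob:hunter2 survives
    print(mask_multi(SAMPLE))                       # both credentials masked
    print(leaked_credentials(mask_single(SAMPLE)))  # ['https://bob:hunter2@']
```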

Contributor Author

hmmm. I think the description for do_paths_http_sub is not accurate:

  • Obfuscate credentials in *_PROXY variables...

Contributor

Yes, the description is a historic artifact from some first PR draft and should be updated.

Member

@pmoravec can you help with this?

Contributor

Indeed, the do_paths_http_sub can match just one instance on a given line - that is why my #3878 already obfuscates the logfile(s) twice. Which is ridiculous and this PR aims to improve it.

Contributor Author

If you agree, we might modify it to something like "Obfuscate BASIC_AUTH credentials in URLs for all files in the...".
But again that function suffers from the same issue. Only one match is being replaced /o\

Contributor

I created #3882 for that. Usually, there is just one password on a line, so usually the method is sufficient, I think.

Or are there instances where we need to obfuscate a secret on the same line multiple times? This is a generic question, not specific to the do_paths_http_sub method, as the method just calls something internal that is used everywhere, incl. by the do_path_regex_sub method.

(i.e. should we utilize the repeatedly option of do_path_regex_sub?)

@pmoravec pmoravec (Contributor) left a comment

Works well for me, tested against all instances of the original PR reproducer.

@jcastill jcastill added the labels Reviewed/Needs 2nd Ack and Status/Needs Review on Dec 13, 2024
@arif-ali arif-ali added the label Reviewed/Ready for Merge and removed Reviewed/Needs 2nd Ack on Dec 13, 2024
@pmoravec (Contributor)

Hold on merging this, @pafernanr should have an elegant improvement of do_paths_http_sub.

Improve `do_paths_http_sub` function to replace multiple BASIC_AUTH occurrences
on URLs

Related: SAT-30137
Closes: sosreport#3878

Signed-off-by: Pablo Fernández Rodríguez <[email protected]>
@pmoravec pmoravec (Contributor) left a comment

Cool! This makes my recent PR obsolete, I will drop it.

@arif-ali (Member)

Not for this PR, but would we benefit from a test for multiple items on one line? I know I have the apt example in stagetwo already, which is a http_sub test for one item.

@pmoravec (Contributor)

> not for this PR, would we benefit on a test for multiple items on one line.

Yeah we should add some test for either proxy credentials or for multiple passwords on a line.

> I know I have the apt example in stagetwo already, which is a http_sub test for one item?

I don't understand you here.

@arif-ali (Member)

> I know I have the apt example in stagetwo already, which is a http_sub test for one item?

> I don't understand you here.

i.e. there is a stagetwo test for apt, that checks for http obfuscation, but that just has single http credentials on one line :)

@arif-ali arif-ali merged commit 092de85 into sosreport:main Dec 13, 2024
33 checks passed