From 3f8ad27ee7284cb1d6a998f7327805eb17464389 Mon Sep 17 00:00:00 2001
From: Ken Gaillot
Date: Tue, 19 Sep 2017 13:40:21 -0500
Subject: [pacemaker] Improve Pacemaker password scrubbing
Scrub the crm shell output as well as the pcs output, and use an equivalent scrub pattern in all places.
Resolves: #1106
Signed-off-by: Ken Gaillot
Signed-off-by: Bryn M. Reeves
---
 sos/plugins/pacemaker.py | 26 +++++++++++++++++++-------
 1 file changed, 19 insertions(+), 7 deletions(-)
diff --git a/sos/plugins/pacemaker.py b/sos/plugins/pacemaker.py
index 9576db54..fb511bc1 100644
--- a/sos/plugins/pacemaker.py
+++ b/sos/plugins/pacemaker.py
@@ -34,6 +34,20 @@ class Pacemaker(Plugin, DebianPlugin, UbuntuPlugin):
 ("crm_scrub", "enable password scrubbing for crm_report", "", True),
 ]
+ def postproc_crm_shell(self):
+ self.do_cmd_output_sub(
+ "crm configure show",
+ r"passw(\S*)=\S+",
+ r"passw\1=********"
+ )
+
+ def postproc_pcs(self):
+ self.do_cmd_output_sub(
+ "pcs config",
+ r"passw(\S*)=\S+",
+ r"passw\1=********"
+ )
+
 def setup(self):
 self.add_copy_spec([
 # Pacemaker cluster configuration file
@@ -73,8 +87,9 @@ class Pacemaker(Plugin, DebianPlugin, UbuntuPlugin):
 "default" % self.get_option("crm_from"))
 crm_dest = self.get_cmd_output_path(name="crm_report", make=False)
- crm_scrub = '-p "passw.*"'
- if not self.get_option("crm_scrub"):
+ if self.get_option("crm_scrub"):
+ crm_scrub = '-p "passw.*"'
+ else:
 crm_scrub = ""
 self._log_warn("scrubbing of crm passwords has been disabled:")
 self._log_warn("data collected by crm_report may contain"
@@ -100,11 +115,8 @@ class Pacemaker(Plugin, DebianPlugin, UbuntuPlugin):
 self.add_copy_spec(logfile)
 def postproc(self):
- self.do_cmd_output_sub(
- "pcs config",
- r"(passwd=|incoming_password=)\S+",
- r"\1********"
- )
+ self.postproc_crm_shell()
+ self.postproc_pcs()
 class RedHatPacemaker(Pacemaker, RedHatPlugin):
-- cgit
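Review bot: In the added `postproc_crm_shell` and `postproc_pcs`, the key-suffix group `(\S*)` is greedy and may itself consume an `=`, so when a secret contains `=` the match runs to the last `=` and the part before it is copied back into the report. For a constructed example, `password=abc=def` is rewritten to `password=abc=********`. Excluding `=` from the suffix closes this in both calls: `r"passw([^\s=]*)=\S+"`. Separately, the value side `\S+` stops at the first whitespace, so a quoted value containing a space would presumably be scrubbed only up to that space; this is worth confirming against real `crm configure show` and `pcs config` output.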