From 5de122019fe14c6da5f37bad8115814d3e6b7888 Mon Sep 17 00:00:00 2001 From: Pavel Moravec Date: Thu, 8 Mar 2018 21:36:28 +0100 Subject: [openstack_*] obfuscate just passwords from connection URIs do not obfuscate whole connection URI but just the password there Resolves: #1246 Signed-off-by: Pavel Moravec --- sos/plugins/openstack_ceilometer.py | 24 ++++++++++++++++------- sos/plugins/openstack_cinder.py | 25 +++++++++++++++++------- sos/plugins/openstack_glance.py | 24 ++++++++++++++++------- sos/plugins/openstack_heat.py | 33 ++++++++++++++++++++----------- sos/plugins/openstack_ironic.py | 23 ++++++++++++++++------ sos/plugins/openstack_keystone.py | 23 ++++++++++++++++------ sos/plugins/openstack_manila.py | 24 ++++++++++++++++------- sos/plugins/openstack_neutron.py | 25 +++++++++++++++++------- sos/plugins/openstack_nova.py | 39 ++++++++++++++++++++++++------------- sos/plugins/openstack_sahara.py | 23 ++++++++++++++++------ sos/plugins/openstack_swift.py | 23 ++++++++++++++++------ sos/plugins/openstack_trove.py | 26 +++++++++++++++++-------- 12 files changed, 220 insertions(+), 92 deletions(-) diff --git a/sos/plugins/openstack_ceilometer.py b/sos/plugins/openstack_ceilometer.py index 1015a060..072b7202 100644 --- a/sos/plugins/openstack_ceilometer.py +++ b/sos/plugins/openstack_ceilometer.py 
@@ -49,20 +49,30 @@ class OpenStackCeilometer(Plugin): if self.get_option("verify"): self.add_cmd_output("rpm -V %s" % ' '.join(self.packages)) + def apply_regex_sub(self, regexp, subst): + self.do_path_regex_sub("/etc/ceilometer/*", regexp, subst) + self.do_path_regex_sub( + self.var_puppet_gen + "/etc/ceilometer/*", + regexp, subst + ) + def postproc(self): protect_keys = [ "admin_password", "connection_password", "host_password", "memcache_secret_key", "os_password", "password", "qpid_password", "rabbit_password", "readonly_user_password", "secret_key", - "ssl_key_password", "telemetry_secret", "connection", - "metering_secret" + "ssl_key_password", "telemetry_secret", "metering_secret" ] + connection_keys = ["connection"] - regexp = r"((?m)^\s*(%s)\s*=\s*)(.*)" % "|".join(protect_keys) - self.do_path_regex_sub("/etc/ceilometer/*", regexp, r"\1*********") - self.do_path_regex_sub( - self.var_puppet_gen + "/etc/ceilometer/*", - regexp, r"\1*********" + self.apply_regex_sub( + r"((?m)^\s*(%s)\s*=\s*)(.*)" % "|".join(protect_keys), + r"\1*********" + ) + self.apply_regex_sub( + r"((?m)^\s*(%s)\s*=\s*(.*)://(\w*):)(.*)(@(.*))" % + "|".join(connection_keys), + r"\1*********\6" ) diff --git a/sos/plugins/openstack_cinder.py b/sos/plugins/openstack_cinder.py index cc9181ef..70056708 100644 --- a/sos/plugins/openstack_cinder.py +++ b/sos/plugins/openstack_cinder.py @@ -88,6 +88,13 @@ class OpenStackCinder(Plugin): if self.get_option("verify"): self.add_cmd_output("rpm -V %s" % ' '.join(self.packages)) + def apply_regex_sub(self, regexp, subst): + self.do_path_regex_sub("/etc/cinder/*", regexp, subst) + self.do_path_regex_sub( + self.var_puppet_gen + "/etc/cinder/*", + regexp, subst + ) + def postproc(self): protect_keys = [ "admin_password", "backup_tsm_password", "chap_password", 
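Review bot: The new connection pattern in postproc fails open: `(\w*)` only accepts a user name made of word characters, so a line such as `connection = mysql://nova-api:secret@db/nova` (constructed example) does not match and reaches the report with its password intact, where the removed code masked the whole value. Widen the user part to `([^:@/\s]*)`, which keeps the group numbering so `\1*********\6` still applies. A fallback that masks the entire value of any `connection` line that contains `@` but was not rewritten would restore the old worst-case behaviour. The same pattern is added in the cinder, glance, heat, ironic, keystone, manila, neutron, nova, sahara, swift and trove hunks.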
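Review bot: `apply_regex_sub` in the cinder plugin is added without a docstring, and the same few lines are copied into every plugin touched by this commit with only the directory name changed. A one-line docstring such as `"""Apply regexp/subst to the cinder config files under /etc and the puppet-generated tree."""` would state which files the scrubbing covers. A single helper on the shared `Plugin` base that takes the config directory would also let a later correction to the path list land in one place. The enclosing class starts outside this hunk.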
@@ -98,15 +105,19 @@ class OpenStackCinder(Plugin): "netapp_password", "netapp_sa_password", "nexenta_password", "password", "qpid_password", "rabbit_password", "san_password", "ssl_key_password", "vmware_host_password", "zadara_password", - "zfssa_initiator_password", "connection", "zfssa_target_password", - "os_privileged_user_password", "hmac_keys" + "zfssa_initiator_password", "hmac_keys", "zfssa_target_password", + "os_privileged_user_password" ] + connection_keys = ["connection"] - regexp = r"((?m)^\s*(%s)\s*=\s*)(.*)" % "|".join(protect_keys) - self.do_path_regex_sub("/etc/cinder/*", regexp, r"\1*********") - self.do_path_regex_sub( - self.var_puppet_gen + "/etc/cinder/*", - regexp, r"\1*********" + self.apply_regex_sub( + r"((?m)^\s*(%s)\s*=\s*)(.*)" % "|".join(protect_keys), + r"\1*********" + ) + self.apply_regex_sub( + r"((?m)^\s*(%s)\s*=\s*(.*)://(\w*):)(.*)(@(.*))" % + "|".join(connection_keys), + r"\1*********\6" ) diff --git a/sos/plugins/openstack_glance.py b/sos/plugins/openstack_glance.py index d7588abe..d92ff6f2 100644 --- a/sos/plugins/openstack_glance.py +++ b/sos/plugins/openstack_glance.py 
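Review bot: Both patterns built in postproc put the inline flag `(?m)` inside the first group rather than at the start of the expression; Python has warned about that since 3.6 and `re` rejects it from 3.11 on. If the pattern fails to compile, the substitution presumably does not run and the secrets stay in the collected files; how `do_path_regex_sub` reports such a failure is not visible here. Move the flag to the front, `r"(?m)^(\s*(%s)\s*=\s*)(.*)"` and `r"(?m)^(\s*(%s)\s*=\s*(.*)://(\w*):)(.*)(@(.*))"`, which leaves the group numbers and both replacement strings unchanged. postproc begins in the previous hunk, and every other postproc hunk in this commit carries the same two patterns.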
@@ -93,18 +93,28 @@ class OpenStackGlance(Plugin): else: self.add_cmd_output("openstack image list --long") + def apply_regex_sub(self, regexp, subst): + self.do_path_regex_sub("/etc/glance/*", regexp, subst) + self.do_path_regex_sub( + self.var_puppet_gen + "/etc/glance/*", + regexp, subst + ) + def postproc(self): protect_keys = [ "admin_password", "password", "qpid_password", "rabbit_password", - "s3_store_secret_key", "ssl_key_password", "connection", - "vmware_server_password" + "s3_store_secret_key", "ssl_key_password", "vmware_server_password" ] + connection_keys = ["connection"] - regexp = r"((?m)^\s*(%s)\s*=\s*)(.*)" % "|".join(protect_keys) - self.do_path_regex_sub("/etc/glance/*", regexp, r"\1*********") - self.do_path_regex_sub( - self.var_puppet_gen + "/etc/glance/*", - regexp, r"\1*********" + self.apply_regex_sub( + r"((?m)^\s*(%s)\s*=\s*)(.*)" % "|".join(protect_keys), + r"\1*********" + ) + self.apply_regex_sub( + r"((?m)^\s*(%s)\s*=\s*(.*)://(\w*):)(.*)(@(.*))" % + "|".join(connection_keys), + r"\1*********\6" ) diff --git a/sos/plugins/openstack_heat.py b/sos/plugins/openstack_heat.py index 0cf7c859..d19274b4 100644 --- a/sos/plugins/openstack_heat.py +++ b/sos/plugins/openstack_heat.py 
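Review bot: In the connection pattern the scheme is matched with a greedy `(.*)` before `://`, so the match settles on the last `://` in the line rather than the first. For a value whose password itself contains `://` followed by word characters and a colon, only the tail after that colon is replaced and the leading part of the password stays readable in the report. A bounded scheme, `([^:/\s]*)://`, removes the ambiguity without changing group numbers. The other plugins' hunks add the same line.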
@@ -104,27 +104,38 @@ class OpenStackHeat(Plugin): if self.get_option("verify"): self.add_cmd_output("rpm -V %s" % ' '.join(self.packages)) - def postproc(self): - protect_keys = [ - "admin_password", "memcache_secret_key", "password", "connection", - "qpid_password", "rabbit_password", "stack_domain_admin_password", - ] - - regexp = r"((?m)^\s*(%s)\s*=\s*)(.*)" % "|".join(protect_keys) + def apply_regex_sub(self, regexp, subst): self.do_path_regex_sub( "/etc/heat/*", - regexp, r"\1*********") + regexp, subst) self.do_path_regex_sub( self.var_puppet_gen + "/etc/heat/*", - regexp, r"\1*********" + regexp, subst ) self.do_path_regex_sub( self.var_puppet_gen + "_api/etc/heat/*", - regexp, r"\1*********" + regexp, subst ) self.do_path_regex_sub( self.var_puppet_gen + "_api_cfn/etc/heat/*", - regexp, r"\1*********" + regexp, subst + ) + + def postproc(self): + protect_keys = [ + "admin_password", "memcache_secret_key", "password", + "qpid_password", "rabbit_password", "stack_domain_admin_password", + ] + connection_keys = ["connection"] + + self.apply_regex_sub( + r"((?m)^\s*(%s)\s*=\s*)(.*)" % "|".join(protect_keys), + r"\1*********" + ) + self.apply_regex_sub( + r"((?m)^\s*(%s)\s*=\s*(.*)://(\w*):)(.*)(@(.*))" % + "|".join(connection_keys), + r"\1*********\6" ) diff --git a/sos/plugins/openstack_ironic.py b/sos/plugins/openstack_ironic.py index ddb094e0..b732fe72 100644 --- a/sos/plugins/openstack_ironic.py +++ b/sos/plugins/openstack_ironic.py 
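Review bot: `apply_regex_sub` spells out four near-identical `do_path_regex_sub` calls that differ only in the suffix appended to `self.var_puppet_gen`, which makes it easy to miss a directory when a new container tree is added and leave its config files unscrubbed. A loop over the suffixes states the covered trees in one tuple. The helper in the nova hunk has the same shape with `_placement` and `_libvirt`. A possible form is below.

```python
    def apply_regex_sub(self, regexp, subst):
        self.do_path_regex_sub("/etc/heat/*", regexp, subst)
        # every puppet-generated tree that can hold heat config
        for suffix in ("", "_api", "_api_cfn"):
            self.do_path_regex_sub(
                self.var_puppet_gen + suffix + "/etc/heat/*",
                regexp, subst
            )
```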
@@ -88,16 +88,27 @@ class OpenStackIronic(Plugin): self.add_cmd_output("openstack baremetal port list --long") self.add_cmd_output("openstack baremetal port group list --long") + def apply_regex_sub(self, regexp, subst): + for conf in self.conf_list: + self.do_path_regex_sub(conf, regexp, subst) + def postproc(self): protect_keys = [ "dns_passkey", "memcache_secret_key", "rabbit_password", - "password", "qpid_password", "connection", "sql_connection", - "admin_password", "ssl_key_password", "os_password" + "password", "qpid_password", "admin_password", "ssl_key_password", + "os_password" ] - regexp = r"((?m)^\s*#*(%s)\s*=\s*)(.*)" % "|".join(protect_keys) - - for conf in self.conf_list: - self.do_path_regex_sub(conf, regexp, r"\1*********") + connection_keys = ["connection", "sql_connection"] + + self.apply_regex_sub( + r"((?m)^\s*(%s)\s*=\s*)(.*)" % "|".join(protect_keys), + r"\1*********" + ) + self.apply_regex_sub( + r"((?m)^\s*(%s)\s*=\s*(.*)://(\w*):)(.*)(@(.*))" % + "|".join(connection_keys), + r"\1*********\6" + ) class DebianIronic(OpenStackIronic, DebianPlugin, UbuntuPlugin): diff --git a/sos/plugins/openstack_keystone.py b/sos/plugins/openstack_keystone.py index bcbd01dc..953ba8c7 100644 --- a/sos/plugins/openstack_keystone.py +++ b/sos/plugins/openstack_keystone.py 
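Review bot: The password pattern in postproc loses the `#*` that the removed line had (`^\s*#*(%s)`), so commented-out settings such as `#password = ...` in the ironic config files are no longer masked, and the new connection pattern does not cover them either. Commented lines often still hold a previously used or default credential. Unless the narrowing is intended, keep the prefix in both patterns: `r"((?m)^\s*#*(%s)\s*=\s*)(.*)"` and `r"((?m)^\s*#*(%s)\s*=\s*(.*)://(\w*):)(.*)(@(.*))"`.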
@@ -84,18 +84,29 @@ class OpenStackKeystone(Plugin): self.add_cmd_output("openstack endpoint list") self.add_cmd_output("openstack catalog list") + def apply_regex_sub(self, regexp, subst): + self.do_path_regex_sub("/etc/keystone/*", regexp, subst) + self.do_path_regex_sub( + self.var_puppet_gen + "/etc/keystone/*", + regexp, subst + ) + def postproc(self): protect_keys = [ "password", "qpid_password", "rabbit_password", "ssl_key_password", "ldap_dns_password", "neutron_admin_password", "host_password", - "connection", "admin_password", "admin_token", "ca_password" + "admin_password", "admin_token", "ca_password" ] + connection_keys = ["connection"] - regexp = r"((?m)^\s*(%s)\s*=\s*)(.*)" % "|".join(protect_keys) - self.do_path_regex_sub("/etc/keystone/*", regexp, r"\1*********") - self.do_path_regex_sub( - self.var_puppet_gen + "/etc/keystone/*", - regexp, r"\1*********" + self.apply_regex_sub( + r"((?m)^\s*(%s)\s*=\s*)(.*)" % "|".join(protect_keys), + r"\1*********" + ) + self.apply_regex_sub( + r"((?m)^\s*(%s)\s*=\s*(.*)://(\w*):)(.*)(@(.*))" % + "|".join(connection_keys), + r"\1*********\6" ) # obfuscate LDAP plaintext passwords in domain config dir diff --git a/sos/plugins/openstack_manila.py b/sos/plugins/openstack_manila.py index e2985936..b55e6001 100644 --- a/sos/plugins/openstack_manila.py +++ b/sos/plugins/openstack_manila.py 
@@ -50,19 +50,29 @@ class OpenStackManila(Plugin): "/var/log/containers/httpd/manila-api/*log" ], sizelimit=self.limit) + def apply_regex_sub(self, regexp, subst): + self.do_path_regex_sub("/etc/manila/*", regexp, subst) + self.do_path_regex_sub( + self.var_puppet_gen + "/etc/manila/*", + regexp, subst + ) + def postproc(self): protect_keys = [ "nova_admin_password", "rabbit_password", "qpid_password", "password", "netapp_nas_password", "cinder_admin_password", - "neutron_admin_password", "service_instance_password", - "connection", "sql_connection" + "neutron_admin_password", "service_instance_password" ] + connection_keys = ["connection", "sql_connection"] - regexp = r"((?m)^\s*(%s)\s*=\s*)(.*)" % "|".join(protect_keys) - self.do_path_regex_sub("/etc/manila/*", regexp, r"\1*********") - self.do_path_regex_sub( - self.var_puppet_gen + "/etc/manila/*", - regexp, r"\1*********" + self.apply_regex_sub( + r"((?m)^\s*(%s)\s*=\s*)(.*)" % "|".join(protect_keys), + r"\1*********" + ) + self.apply_regex_sub( + r"((?m)^\s*(%s)\s*=\s*(.*)://(\w*):)(.*)(@(.*))" % + "|".join(connection_keys), + r"\1*********\6" ) diff --git a/sos/plugins/openstack_neutron.py b/sos/plugins/openstack_neutron.py index 52268660..06093bd7 100644 --- a/sos/plugins/openstack_neutron.py +++ b/sos/plugins/openstack_neutron.py 
@@ -73,22 +73,33 @@ class OpenStackNeutron(Plugin): self.add_cmd_output("openstack floating ip list") self.add_cmd_output("openstack security group list") + def apply_regex_sub(self, regexp, subst): + self.do_path_regex_sub("/etc/neutron/*", regexp, subst) + self.do_path_regex_sub( + self.var_puppet_gen + "/etc/neutron/*", + regexp, subst + ) + def postproc(self): protect_keys = [ "rabbit_password", "qpid_password", "nova_admin_password", - "xenapi_connection_password", "password", "connection", + "xenapi_connection_password", "password", "server_auth", "admin_password", "metadata_proxy_shared_secret", "eapi_password", "crd_password", "primary_l3_host_password", "serverauth", "ucsm_password", "ha_vrrp_auth_password", "ssl_key_password", "nsx_password", "vcenter_password", "edge_appliance_password", - "tenant_admin_password", "apic_password", "server_auth" + "tenant_admin_password", "apic_password" ] - regexp = r"((?m)^\s*(%s)\s*=\s*)(.*)" % "|".join(protect_keys) + connection_keys = ["connection"] - self.do_path_regex_sub("/etc/neutron/*", regexp, r"\1*********") - self.do_path_regex_sub( - self.var_puppet_gen + "/etc/neutron/*", - regexp, r"\1*********" + self.apply_regex_sub( + r"((?m)^\s*(%s)\s*=\s*)(.*)" % "|".join(protect_keys), + r"\1*********" + ) + self.apply_regex_sub( + r"((?m)^\s*(%s)\s*=\s*(.*)://(\w*):)(.*)(@(.*))" % + "|".join(connection_keys), + r"\1*********\6" ) diff --git a/sos/plugins/openstack_nova.py b/sos/plugins/openstack_nova.py index e262ad1c..dcba18ba 100644 --- a/sos/plugins/openstack_nova.py +++ b/sos/plugins/openstack_nova.py 
@@ -138,29 +138,40 @@ class OpenStackNova(Plugin): if self.get_option("verify"): self.add_cmd_output("rpm -V %s" % ' '.join(self.packages)) + def apply_regex_sub(self, regexp, subst): + self.do_path_regex_sub("/etc/nova/*", regexp, subst) + self.do_path_regex_sub( + self.var_puppet_gen + "/etc/nova/*", + regexp, subst + ) + self.do_path_regex_sub( + self.var_puppet_gen + "_placement/etc/nova/*", + regexp, subst + ) + self.do_path_regex_sub( + self.var_puppet_gen + "_libvirt/etc/nova/*", + regexp, subst + ) + def postproc(self): protect_keys = [ "ldap_dns_password", "neutron_admin_password", "rabbit_password", "qpid_password", "powervm_mgr_passwd", "virtual_power_host_pass", "xenapi_connection_password", "password", "host_password", - "vnc_password", "connection", "sql_connection", "admin_password", - "connection_password", "memcache_secret_key", "s3_secret_key", + "vnc_password", "admin_password", "connection_password", + "memcache_secret_key", "s3_secret_key", "metadata_proxy_shared_secret", "fixed_key" ] + connection_keys = ["connection", "sql_connection"] - regexp = r"((?m)^\s*(%s)\s*=\s*)(.*)" % "|".join(protect_keys) - self.do_path_regex_sub("/etc/nova/*", regexp, r"\1*********") - self.do_path_regex_sub( - self.var_puppet_gen + "/etc/nova/*", - regexp, r"\1*********" - ) - self.do_path_regex_sub( - self.var_puppet_gen + "_placement/etc/nova/*", - regexp, r"\1*********" + self.apply_regex_sub( + r"((?m)^\s*(%s)\s*=\s*)(.*)" % "|".join(protect_keys), + r"\1*********" ) - self.do_path_regex_sub( - self.var_puppet_gen + "_libvirt/etc/nova/*", - regexp, r"\1*********" + self.apply_regex_sub( + r"((?m)^\s*(%s)\s*=\s*(.*)://(\w*):)(.*)(@(.*))" % + "|".join(connection_keys), + r"\1*********\6" ) diff --git a/sos/plugins/openstack_sahara.py b/sos/plugins/openstack_sahara.py index 68cf0b38..0f103187 100644 --- a/sos/plugins/openstack_sahara.py +++ b/sos/plugins/openstack_sahara.py 
@@ -49,18 +49,29 @@ class OpenStackSahara(Plugin): if self.get_option("verify"): self.add_cmd_output("rpm -V %s" % ' '.join(self.packages)) + def apply_regex_sub(self, regexp, subst): + self.do_path_regex_sub("/etc/sahara/*", regexp, subst) + self.do_path_regex_sub( + self.var_puppet_gen + "/etc/sahara/*", + regexp, subst + ) + def postproc(self): protect_keys = [ "admin_password", "memcache_secret_key", "password", "qpid_password", "rabbit_password", "ssl_key_password", - "xenapi_connection_password", "connection" + "xenapi_connection_password" ] + connection_keys = ["connection"] - regexp = r"((?m)^\s*(%s)\s*=\s*)(.*)" % "|".join(protect_keys) - self.do_path_regex_sub("/etc/sahara/*", regexp, r"\1*********") - self.do_path_regex_sub( - self.var_puppet_gen + "/etc/sahara/*", - regexp, r"\1*********" + self.apply_regex_sub( + r"((?m)^\s*(%s)\s*=\s*)(.*)" % "|".join(protect_keys), + r"\1*********" + ) + self.apply_regex_sub( + r"((?m)^\s*(%s)\s*=\s*(.*)://(\w*):)(.*)(@(.*))" % + "|".join(connection_keys), + r"\1*********\6" ) diff --git a/sos/plugins/openstack_swift.py b/sos/plugins/openstack_swift.py index 1688112f..6f6a3905 100644 --- a/sos/plugins/openstack_swift.py +++ b/sos/plugins/openstack_swift.py 
@@ -56,19 +56,30 @@ class OpenStackSwift(Plugin): if self.get_option("verify"): self.add_cmd_output("rpm -V %s" % ' '.join(self.packages)) + def apply_regex_sub(self, regexp, subst): + self.do_path_regex_sub("/etc/swift/.*\.conf.*", regexp, subst) + self.do_path_regex_sub( + self.var_puppet_gen + "/swift/etc/swift/.*\.conf.*", + regexp, subst + ) + def postproc(self): protect_keys = [ "ldap_dns_password", "neutron_admin_password", "rabbit_password", "qpid_password", "powervm_mgr_passwd", "virtual_power_host_pass", "xenapi_connection_password", "password", "host_password", - "vnc_password", "connection", "sql_connection", "admin_password" + "vnc_password", "admin_password" ] + connection_keys = ["connection", "sql_connection"] - regexp = r"((?m)^\s*(%s)\s*=\s*)(.*)" % "|".join(protect_keys) - self.do_path_regex_sub("/etc/swift/.*\.conf.*", regexp, r"\1*********") - self.do_path_regex_sub( - self.var_puppet_gen + "/swift/etc/swift/.*\.conf.*", - regexp, r"\1*********" + self.apply_regex_sub( + r"((?m)^\s*(%s)\s*=\s*)(.*)" % "|".join(protect_keys), + r"\1*********" + ) + self.apply_regex_sub( + r"((?m)^\s*(%s)\s*=\s*(.*)://(\w*):)(.*)(@(.*))" % + "|".join(connection_keys), + r"\1*********\6" ) diff --git a/sos/plugins/openstack_trove.py b/sos/plugins/openstack_trove.py index 093e5d58..714f542e 100644 --- a/sos/plugins/openstack_trove.py +++ b/sos/plugins/openstack_trove.py 
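Review bot: The path expressions in `apply_regex_sub` are ordinary string literals containing `\.`, an invalid escape sequence that Python warns about and documents as a future syntax error. They were moved here unchanged from postproc, so this is the place to write them as raw strings: `r"/etc/swift/.*\.conf.*"` and `self.var_puppet_gen + r"/swift/etc/swift/.*\.conf.*"`. The scrubbing for swift depends on these expressions selecting the right files, so they should not rely on lenient escape handling.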
@@ -50,19 +50,29 @@ class OpenStackTrove(Plugin): if self.get_option("verify"): self.add_cmd_output("rpm -V %s" % ' '.join(self.packages)) - def postproc(self): + def apply_regex_sub(self, regexp, subst): + self.do_path_regex_sub("/etc/trove/*", regexp, subst) + self.do_path_regex_sub( + self.var_puppet_gen + "/etc/trove/*", + regexp, subst + ) + def postproc(self): protect_keys = [ "default_password_length", "notifier_queue_password", - "rabbit_password", "replication_password", "connection", - "admin_password", "dns_passkey" + "rabbit_password", "replication_password", "admin_password", + "dns_passkey" ] + connection_keys = ["connection"] - regexp = r"((?m)^\s*(%s)\s*=\s*)(.*)" % "|".join(protect_keys) - self.do_path_regex_sub("/etc/trove/*", regexp, r"\1*********") - self.do_path_regex_sub( - self.var_puppet_gen + "/etc/trove/*", - regexp, r"\1*********" + self.apply_regex_sub( + r"((?m)^\s*(%s)\s*=\s*)(.*)" % "|".join(protect_keys), + r"\1*********" + ) + self.apply_regex_sub( + r"((?m)^\s*(%s)\s*=\s*(.*)://(\w*):)(.*)(@(.*))" % + "|".join(connection_keys), + r"\1*********\6" ) -- cgit