|
 |
2ed6e8 |
From 94b9b90c818eb18f0ca8d78fe063dc5b0677c885 Mon Sep 17 00:00:00 2001
|
|
|
2ed6e8 |
From: Pavel Moravec <pmoravec@redhat.com>
|
|
|
2ed6e8 |
Date: Tue, 22 Jun 2021 12:58:03 +0200
|
|
|
2ed6e8 |
Subject: [PATCH] [rhui] add plugin to RHUI
|
|
|
2ed6e8 |
|
|
|
2ed6e8 |
Add a new/revoked plugin for RHUI (newly based on python3 and pulp-3).
|
|
|
2ed6e8 |
|
|
|
2ed6e8 |
Edditionally, collect /etc/pki/pulp certificates except for RSA keys.
|
|
|
2ed6e8 |
|
|
|
2ed6e8 |
Resolves: #2590
|
|
|
2ed6e8 |
|
|
|
2ed6e8 |
Signed-off-by: Pavel Moravec <pmoravec@redhat.com>
|
|
|
2ed6e8 |
---
|
|
|
2ed6e8 |
sos/report/plugins/pulpcore.py | 7 ++++-
|
|
|
2ed6e8 |
sos/report/plugins/rhui.py | 49 ++++++++++++++++++++++++++++++++++
|
|
|
2ed6e8 |
2 files changed, 55 insertions(+), 1 deletion(-)
|
|
|
2ed6e8 |
create mode 100644 sos/report/plugins/rhui.py
|
|
|
2ed6e8 |
|
|
|
2ed6e8 |
diff --git a/sos/report/plugins/pulpcore.py b/sos/report/plugins/pulpcore.py
|
|
|
2ed6e8 |
index ccaac3185..77ceacb92 100644
|
|
|
2ed6e8 |
--- a/sos/report/plugins/pulpcore.py
|
|
|
2ed6e8 |
+++ b/sos/report/plugins/pulpcore.py
|
|
|
2ed6e8 |
@@ -77,7 +77,12 @@ def separate_value(line, sep=':'):
|
|
|
2ed6e8 |
def setup(self):
|
|
|
2ed6e8 |
self.parse_settings_config()
|
|
|
2ed6e8 |
|
|
|
2ed6e8 |
- self.add_copy_spec("/etc/pulp/settings.py")
|
|
|
2ed6e8 |
+ self.add_copy_spec([
|
|
|
2ed6e8 |
+ "/etc/pulp/settings.py",
|
|
|
2ed6e8 |
+ "/etc/pki/pulp/*"
|
|
|
2ed6e8 |
+ ])
|
|
|
2ed6e8 |
+ # skip collecting certificate keys
|
|
|
2ed6e8 |
+ self.add_forbidden_path("/etc/pki/pulp/*.key")
|
|
|
2ed6e8 |
|
|
|
2ed6e8 |
self.add_cmd_output("rq info -u redis://localhost:6379/8",
|
|
|
2ed6e8 |
env={"LC_ALL": "en_US.UTF-8"},
|
|
|
2ed6e8 |
diff --git a/sos/report/plugins/rhui.py b/sos/report/plugins/rhui.py
|
|
|
2ed6e8 |
new file mode 100644
|
|
|
2ed6e8 |
index 000000000..7acd3f49e
|
|
|
2ed6e8 |
--- /dev/null
|
|
|
2ed6e8 |
+++ b/sos/report/plugins/rhui.py
|
|
|
2ed6e8 |
@@ -0,0 +1,49 @@
|
|
|
2ed6e8 |
+# Copyright (C) 2021 Red Hat, Inc., Pavel Moravec <pmoravec@redhat.com>
|
|
|
2ed6e8 |
+
|
|
|
2ed6e8 |
+# This file is part of the sos project: https://github.com/sosreport/sos
|
|
|
2ed6e8 |
+#
|
|
|
2ed6e8 |
+# This copyrighted material is made available to anyone wishing to use,
|
|
|
2ed6e8 |
+# modify, copy, or redistribute it subject to the terms and conditions of
|
|
|
2ed6e8 |
+# version 2 of the GNU General Public License.
|
|
|
2ed6e8 |
+#
|
|
|
2ed6e8 |
+# See the LICENSE file in the source distribution for further information.
|
|
|
2ed6e8 |
+
|
|
|
2ed6e8 |
+from sos.report.plugins import Plugin, RedHatPlugin
|
|
|
2ed6e8 |
+
|
|
|
2ed6e8 |
+
|
|
|
2ed6e8 |
+class Rhui(Plugin, RedHatPlugin):
|
|
|
2ed6e8 |
+
|
|
|
2ed6e8 |
+ short_desc = 'Red Hat Update Infrastructure'
|
|
|
2ed6e8 |
+
|
|
|
2ed6e8 |
+ plugin_name = "rhui"
|
|
|
2ed6e8 |
+ commands = ("rhui-manager",)
|
|
|
2ed6e8 |
+ files = ("/etc/ansible/facts.d/rhui_auth.fact", "/usr/lib/rhui/cds.py")
|
|
|
2ed6e8 |
+
|
|
|
2ed6e8 |
+ def setup(self):
|
|
|
2ed6e8 |
+ self.add_copy_spec([
|
|
|
2ed6e8 |
+ "/etc/rhui/rhui-tools.conf",
|
|
|
2ed6e8 |
+ "/etc/rhui/registered_subscriptions.conf",
|
|
|
2ed6e8 |
+ "/etc/pki/rhui/*",
|
|
|
2ed6e8 |
+ "/var/log/rhui-subscription-sync.log",
|
|
|
2ed6e8 |
+ "/var/cache/rhui/*",
|
|
|
2ed6e8 |
+ "/root/.rhui/*",
|
|
|
2ed6e8 |
+ ])
|
|
|
2ed6e8 |
+ # skip collecting certificate keys
|
|
|
2ed6e8 |
+ self.add_forbidden_path("/etc/pki/rhui/*.key")
|
|
|
2ed6e8 |
+
|
|
|
2ed6e8 |
+ self.add_cmd_output([
|
|
|
2ed6e8 |
+ "rhui-manager status",
|
|
|
2ed6e8 |
+ "rhui-manager cert info",
|
|
|
2ed6e8 |
+ "ls -lR /var/lib/rhui/remote_share",
|
|
|
2ed6e8 |
+ ])
|
|
|
2ed6e8 |
+
|
|
|
2ed6e8 |
+ def postproc(self):
|
|
|
2ed6e8 |
+ # obfuscate admin_pw and secret_key values
|
|
|
2ed6e8 |
+ for prop in ["admin_pw", "secret_key"]:
|
|
|
2ed6e8 |
+ self.do_path_regex_sub(
|
|
|
2ed6e8 |
+ "/etc/ansible/facts.d/rhui_auth.fact",
|
|
|
2ed6e8 |
+ r"(%s\s*=\s*)(.*)" % prop,
|
|
|
2ed6e8 |
+ r"\1********")
|
|
|
2ed6e8 |
+
|
|
|
2ed6e8 |
+
|
|
|
2ed6e8 |
+# vim: set et ts=4 sw=4 :
|
|
|
2ed6e8 |
From bd15dc764c9d4554d8e8f08163228d65ca099985 Mon Sep 17 00:00:00 2001
|
|
|
2ed6e8 |
From: Pavel Moravec <pmoravec@redhat.com>
|
|
|
2ed6e8 |
Date: Thu, 24 Jun 2021 17:53:27 +0200
|
|
|
2ed6e8 |
Subject: [PATCH 1/4] [plugins] Allow add_forbidden_path to apply glob
|
|
|
2ed6e8 |
recursively
|
|
|
2ed6e8 |
|
|
|
2ed6e8 |
Add option to apply glob.glob to forbidden path recursively.
|
|
|
2ed6e8 |
|
|
|
2ed6e8 |
Signed-off-by: Pavel Moravec <pmoravec@redhat.com>
|
|
|
2ed6e8 |
---
|
|
|
2ed6e8 |
sos/report/plugins/__init__.py | 6 ++++--
|
|
|
2ed6e8 |
1 file changed, 4 insertions(+), 2 deletions(-)
|
|
|
2ed6e8 |
|
|
|
2ed6e8 |
diff --git a/sos/report/plugins/__init__.py b/sos/report/plugins/__init__.py
|
|
|
2ed6e8 |
index 06923300..6fd1a3b2 100644
|
|
|
2ed6e8 |
--- a/sos/report/plugins/__init__.py
|
|
|
2ed6e8 |
+++ b/sos/report/plugins/__init__.py
|
|
|
2ed6e8 |
@@ -1187,12 +1187,14 @@ class Plugin(object):
|
|
|
2ed6e8 |
'symlink': "no"
|
|
|
2ed6e8 |
})
|
|
|
2ed6e8 |
|
|
|
2ed6e8 |
- def add_forbidden_path(self, forbidden):
|
|
|
2ed6e8 |
+ def add_forbidden_path(self, forbidden, recursive=False):
|
|
|
2ed6e8 |
"""Specify a path, or list of paths, to not copy, even if it's part of
|
|
|
2ed6e8 |
an ``add_copy_spec()`` call
|
|
|
2ed6e8 |
|
|
|
2ed6e8 |
:param forbidden: A filepath to forbid collection from
|
|
|
2ed6e8 |
:type forbidden: ``str`` or a ``list`` of strings
|
|
|
2ed6e8 |
+
|
|
|
2ed6e8 |
+ :param recursive: Should forbidden glob be applied recursively
|
|
|
2ed6e8 |
"""
|
|
|
2ed6e8 |
if isinstance(forbidden, str):
|
|
|
2ed6e8 |
forbidden = [forbidden]
|
|
|
2ed6e8 |
@@ -1202,7 +1204,7 @@ class Plugin(object):
|
|
|
2ed6e8 |
|
|
|
2ed6e8 |
for forbid in forbidden:
|
|
|
2ed6e8 |
self._log_info("adding forbidden path '%s'" % forbid)
|
|
|
2ed6e8 |
- for path in glob.glob(forbid):
|
|
|
2ed6e8 |
+ for path in glob.glob(forbid, recursive=recursive):
|
|
|
2ed6e8 |
self.forbidden_paths.append(path)
|
|
|
2ed6e8 |
|
|
|
2ed6e8 |
def get_all_options(self):
|
|
|
2ed6e8 |
--
|
|
|
2ed6e8 |
2.31.1
|
|
|
2ed6e8 |
|
|
|
2ed6e8 |
|
|
|
2ed6e8 |
From b695201baeb629a6543445d98dbb04f357670621 Mon Sep 17 00:00:00 2001
|
|
|
2ed6e8 |
From: Pavel Moravec <pmoravec@redhat.com>
|
|
|
2ed6e8 |
Date: Thu, 24 Jun 2021 17:57:48 +0200
|
|
|
2ed6e8 |
Subject: [PATCH 2/4] [pulpcore] improve settings.py parsing
|
|
|
2ed6e8 |
|
|
|
2ed6e8 |
- deal with /etc/pulp/settings.py as a one-line string
|
|
|
2ed6e8 |
- parse dbname from it as well
|
|
|
2ed6e8 |
- dont collect any *.key file from whole /etc/pki/pulp dir
|
|
|
2ed6e8 |
|
|
|
2ed6e8 |
Related: #2593
|
|
|
2ed6e8 |
|
|
|
2ed6e8 |
Signed-off-by: Pavel Moravec <pmoravec@redhat.com>
|
|
|
2ed6e8 |
---
|
|
|
2ed6e8 |
sos/report/plugins/pulpcore.py | 23 +++++++++++++++--------
|
|
|
2ed6e8 |
1 file changed, 15 insertions(+), 8 deletions(-)
|
|
|
2ed6e8 |
|
|
|
2ed6e8 |
diff --git a/sos/report/plugins/pulpcore.py b/sos/report/plugins/pulpcore.py
|
|
|
2ed6e8 |
index 77ceacb9..be526035 100644
|
|
|
2ed6e8 |
--- a/sos/report/plugins/pulpcore.py
|
|
|
2ed6e8 |
+++ b/sos/report/plugins/pulpcore.py
|
|
|
2ed6e8 |
@@ -28,9 +28,10 @@ class PulpCore(Plugin, IndependentPlugin):
|
|
|
2ed6e8 |
databases_scope = False
|
|
|
2ed6e8 |
self.dbhost = "localhost"
|
|
|
2ed6e8 |
self.dbport = 5432
|
|
|
2ed6e8 |
+ self.dbname = "pulpcore"
|
|
|
2ed6e8 |
self.dbpasswd = ""
|
|
|
2ed6e8 |
# TODO: read also redis config (we dont expect much customisations)
|
|
|
2ed6e8 |
- # TODO: read also db user (pulp) and database name (pulpcore)
|
|
|
2ed6e8 |
+ # TODO: read also db user (pulp)
|
|
|
2ed6e8 |
self.staticroot = "/var/lib/pulp/assets"
|
|
|
2ed6e8 |
self.uploaddir = "/var/lib/pulp/media/upload"
|
|
|
2ed6e8 |
|
|
|
2ed6e8 |
@@ -44,7 +45,10 @@ class PulpCore(Plugin, IndependentPlugin):
|
|
|
2ed6e8 |
return val
|
|
|
2ed6e8 |
|
|
|
2ed6e8 |
try:
|
|
|
2ed6e8 |
- for line in open("/etc/pulp/settings.py").read().splitlines():
|
|
|
2ed6e8 |
+ # split the lines to "one option per line" format
|
|
|
2ed6e8 |
+ for line in open("/etc/pulp/settings.py").read() \
|
|
|
2ed6e8 |
+ .replace(',', ',\n').replace('{', '{\n') \
|
|
|
2ed6e8 |
+ .replace('}', '\n}').splitlines():
|
|
|
2ed6e8 |
# skip empty lines and lines with comments
|
|
|
2ed6e8 |
if not line or line[0] == '#':
|
|
|
2ed6e8 |
continue
|
|
|
2ed6e8 |
@@ -53,11 +57,14 @@ class PulpCore(Plugin, IndependentPlugin):
|
|
|
2ed6e8 |
continue
|
|
|
2ed6e8 |
# example HOST line to parse:
|
|
|
2ed6e8 |
# 'HOST': 'localhost',
|
|
|
2ed6e8 |
- if databases_scope and match(r"\s+'HOST'\s*:\s+\S+", line):
|
|
|
2ed6e8 |
+ pattern = r"\s*['|\"]%s['|\"]\s*:\s*\S+"
|
|
|
2ed6e8 |
+ if databases_scope and match(pattern % 'HOST', line):
|
|
|
2ed6e8 |
self.dbhost = separate_value(line)
|
|
|
2ed6e8 |
- if databases_scope and match(r"\s+'PORT'\s*:\s+\S+", line):
|
|
|
2ed6e8 |
+ if databases_scope and match(pattern % 'PORT', line):
|
|
|
2ed6e8 |
self.dbport = separate_value(line)
|
|
|
2ed6e8 |
- if databases_scope and match(r"\s+'PASSWORD'\s*:\s+\S+", line):
|
|
|
2ed6e8 |
+ if databases_scope and match(pattern % 'NAME', line):
|
|
|
2ed6e8 |
+ self.dbname = separate_value(line)
|
|
|
2ed6e8 |
+ if databases_scope and match(pattern % 'PASSWORD', line):
|
|
|
2ed6e8 |
self.dbpasswd = separate_value(line)
|
|
|
2ed6e8 |
# if line contains closing '}' database_scope end
|
|
|
2ed6e8 |
if databases_scope and '}' in line:
|
|
|
2ed6e8 |
@@ -82,7 +89,7 @@ class PulpCore(Plugin, IndependentPlugin):
|
|
|
2ed6e8 |
"/etc/pki/pulp/*"
|
|
|
2ed6e8 |
])
|
|
|
2ed6e8 |
# skip collecting certificate keys
|
|
|
2ed6e8 |
- self.add_forbidden_path("/etc/pki/pulp/*.key")
|
|
|
2ed6e8 |
+ self.add_forbidden_path("/etc/pki/pulp/**/*.key", recursive=True)
|
|
|
2ed6e8 |
|
|
|
2ed6e8 |
self.add_cmd_output("rq info -u redis://localhost:6379/8",
|
|
|
2ed6e8 |
env={"LC_ALL": "en_US.UTF-8"},
|
|
|
2ed6e8 |
@@ -104,8 +111,8 @@ class PulpCore(Plugin, IndependentPlugin):
|
|
|
2ed6e8 |
_query = "select * from %s where pulp_last_updated > NOW() - " \
|
|
|
2ed6e8 |
"interval '%s days' order by pulp_last_updated" % \
|
|
|
2ed6e8 |
(table, task_days)
|
|
|
2ed6e8 |
- _cmd = "psql -h %s -p %s -U pulp -d pulpcore -c %s" % \
|
|
|
2ed6e8 |
- (self.dbhost, self.dbport, quote(_query))
|
|
|
2ed6e8 |
+ _cmd = "psql -h %s -p %s -U pulp -d %s -c %s" % \
|
|
|
2ed6e8 |
+ (self.dbhost, self.dbport, self.dbname, quote(_query))
|
|
|
2ed6e8 |
self.add_cmd_output(_cmd, env=self.env, suggest_filename=table)
|
|
|
2ed6e8 |
|
|
|
2ed6e8 |
def postproc(self):
|
|
|
2ed6e8 |
--
|
|
|
2ed6e8 |
2.31.1
|
|
|
2ed6e8 |
|
|
|
2ed6e8 |
|
|
|
2ed6e8 |
From 0286034da44bce43ab368dfc6815da7d74d60719 Mon Sep 17 00:00:00 2001
|
|
|
2ed6e8 |
From: Pavel Moravec <pmoravec@redhat.com>
|
|
|
2ed6e8 |
Date: Thu, 24 Jun 2021 17:59:36 +0200
|
|
|
2ed6e8 |
Subject: [PATCH 3/4] [rhui] call rhui-* commands with proper env and timeout
|
|
|
2ed6e8 |
|
|
|
2ed6e8 |
rhui-manager commands timeout when not being logged in, which
|
|
|
2ed6e8 |
should be reacted by adding proper cmd timeout.
|
|
|
2ed6e8 |
|
|
|
2ed6e8 |
Adding the env.variable ensures potentially unaswered "RHUI Username:"
|
|
|
2ed6e8 |
is also printed/colected.
|
|
|
2ed6e8 |
|
|
|
2ed6e8 |
Further, prevent collecting any *.key file from the whole /etc/pki/rhui
|
|
|
2ed6e8 |
dir.
|
|
|
2ed6e8 |
|
|
|
2ed6e8 |
Related: #2593
|
|
|
2ed6e8 |
|
|
|
2ed6e8 |
Signed-off-by: Pavel Moravec <pmoravec@redhat.com>
|
|
|
2ed6e8 |
---
|
|
|
2ed6e8 |
sos/report/plugins/rhui.py | 7 +++++--
|
|
|
2ed6e8 |
1 file changed, 5 insertions(+), 2 deletions(-)
|
|
|
2ed6e8 |
|
|
|
2ed6e8 |
diff --git a/sos/report/plugins/rhui.py b/sos/report/plugins/rhui.py
|
|
|
2ed6e8 |
index 7acd3f49..5a152427 100644
|
|
|
2ed6e8 |
--- a/sos/report/plugins/rhui.py
|
|
|
2ed6e8 |
+++ b/sos/report/plugins/rhui.py
|
|
|
2ed6e8 |
@@ -29,13 +29,16 @@ class Rhui(Plugin, RedHatPlugin):
|
|
|
2ed6e8 |
"/root/.rhui/*",
|
|
|
2ed6e8 |
])
|
|
|
2ed6e8 |
# skip collecting certificate keys
|
|
|
2ed6e8 |
- self.add_forbidden_path("/etc/pki/rhui/*.key")
|
|
|
2ed6e8 |
+ self.add_forbidden_path("/etc/pki/rhui/**/*.key", recursive=True)
|
|
|
2ed6e8 |
|
|
|
2ed6e8 |
+ # call rhui-manager commands with 1m timeout and
|
|
|
2ed6e8 |
+ # with an env. variable ensuring that "RHUI Username:"
|
|
|
2ed6e8 |
+ # even unanswered prompt gets collected
|
|
|
2ed6e8 |
self.add_cmd_output([
|
|
|
2ed6e8 |
"rhui-manager status",
|
|
|
2ed6e8 |
"rhui-manager cert info",
|
|
|
2ed6e8 |
"ls -lR /var/lib/rhui/remote_share",
|
|
|
2ed6e8 |
- ])
|
|
|
2ed6e8 |
+ ], timeout=60, env={'PYTHONUNBUFFERED': '1'})
|
|
|
2ed6e8 |
|
|
|
2ed6e8 |
def postproc(self):
|
|
|
2ed6e8 |
# obfuscate admin_pw and secret_key values
|
|
|
2ed6e8 |
--
|
|
|
2ed6e8 |
2.31.1
|
|
|
2ed6e8 |
|
|
|
2ed6e8 |
|
|
|
2ed6e8 |
From a656bd239ab86dfd8973f733ae2c0fbd0c57d416 Mon Sep 17 00:00:00 2001
|
|
|
2ed6e8 |
From: Pavel Moravec <pmoravec@redhat.com>
|
|
|
2ed6e8 |
Date: Thu, 24 Jun 2021 18:01:14 +0200
|
|
|
2ed6e8 |
Subject: [PATCH 4/4] [rhui] fix broken obfuscation
|
|
|
2ed6e8 |
|
|
|
2ed6e8 |
- /etc/ansible/facts.d/rhui_*.fact must be collected by
|
|
|
2ed6e8 |
rhui plugin to let some file to be obfuscated there
|
|
|
2ed6e8 |
- obfuscate also cookies values that can grant login access
|
|
|
2ed6e8 |
|
|
|
2ed6e8 |
Resolves: #2593
|
|
|
2ed6e8 |
|
|
|
2ed6e8 |
Signed-off-by: Pavel Moravec <pmoravec@redhat.com>
|
|
|
2ed6e8 |
---
|
|
|
2ed6e8 |
sos/report/plugins/ansible.py | 3 +++
|
|
|
2ed6e8 |
sos/report/plugins/rhui.py | 7 +++++++
|
|
|
2ed6e8 |
2 files changed, 10 insertions(+)
|
|
|
2ed6e8 |
|
|
|
2ed6e8 |
diff --git a/sos/report/plugins/ansible.py b/sos/report/plugins/ansible.py
|
|
|
2ed6e8 |
index 3e5d3d37..5991b786 100644
|
|
|
2ed6e8 |
--- a/sos/report/plugins/ansible.py
|
|
|
2ed6e8 |
+++ b/sos/report/plugins/ansible.py
|
|
|
2ed6e8 |
@@ -29,4 +29,7 @@ class Ansible(Plugin, RedHatPlugin, UbuntuPlugin):
|
|
|
2ed6e8 |
"ansible --version"
|
|
|
2ed6e8 |
])
|
|
|
2ed6e8 |
|
|
|
2ed6e8 |
+ # let rhui plugin collects the RHUI specific files
|
|
|
2ed6e8 |
+ self.add_forbidden_path("/etc/ansible/facts.d/rhui_*.fact")
|
|
|
2ed6e8 |
+
|
|
|
2ed6e8 |
# vim: set et ts=4 sw=4 :
|
|
|
2ed6e8 |
diff --git a/sos/report/plugins/rhui.py b/sos/report/plugins/rhui.py
|
|
|
2ed6e8 |
index 5a152427..1d479f85 100644
|
|
|
2ed6e8 |
--- a/sos/report/plugins/rhui.py
|
|
|
2ed6e8 |
+++ b/sos/report/plugins/rhui.py
|
|
|
2ed6e8 |
@@ -27,6 +27,7 @@ class Rhui(Plugin, RedHatPlugin):
|
|
|
2ed6e8 |
"/var/log/rhui-subscription-sync.log",
|
|
|
2ed6e8 |
"/var/cache/rhui/*",
|
|
|
2ed6e8 |
"/root/.rhui/*",
|
|
|
2ed6e8 |
+ "/etc/ansible/facts.d/rhui_*.fact",
|
|
|
2ed6e8 |
])
|
|
|
2ed6e8 |
# skip collecting certificate keys
|
|
|
2ed6e8 |
self.add_forbidden_path("/etc/pki/rhui/**/*.key", recursive=True)
|
|
|
2ed6e8 |
@@ -47,6 +48,12 @@ class Rhui(Plugin, RedHatPlugin):
|
|
|
2ed6e8 |
"/etc/ansible/facts.d/rhui_auth.fact",
|
|
|
2ed6e8 |
r"(%s\s*=\s*)(.*)" % prop,
|
|
|
2ed6e8 |
r"\1********")
|
|
|
2ed6e8 |
+ # obfuscate twoo cookies for login session
|
|
|
2ed6e8 |
+ for cookie in ["csrftoken", "sessionid"]:
|
|
|
2ed6e8 |
+ self.do_path_regex_sub(
|
|
|
2ed6e8 |
+ r"/root/\.rhui/.*/cookies.txt",
|
|
|
2ed6e8 |
+ r"(%s\s+)(\S+)" % cookie,
|
|
|
2ed6e8 |
+ r"\1********")
|
|
|
2ed6e8 |
|
|
|
2ed6e8 |
|
|
|
2ed6e8 |
# vim: set et ts=4 sw=4 :
|
|
|
2ed6e8 |
--
|
|
|
2ed6e8 |
2.31.1
|
|
|
2ed6e8 |
|
|
|
2ed6e8 |
From 4e5bebffca9936bcdf4d38aad9989970a15dd72b Mon Sep 17 00:00:00 2001
|
|
|
2ed6e8 |
From: Pavel Moravec <pmoravec@redhat.com>
|
|
|
2ed6e8 |
Date: Tue, 3 Aug 2021 21:54:33 +0200
|
|
|
2ed6e8 |
Subject: [PATCH] [rhui] Update the plugin on several places
|
|
|
2ed6e8 |
|
|
|
2ed6e8 |
- obfuscate "rhui_manager_password: xxx" in /root/.rhui/answers.yaml*
|
|
|
2ed6e8 |
- no need to collect or obfuscate anything from /etc/ansible/facts.d
|
|
|
2ed6e8 |
- newly detect the plugin via /etc/rhui/rhui-tools.conf file or rhui-manager
|
|
|
2ed6e8 |
command (only)
|
|
|
2ed6e8 |
|
|
|
2ed6e8 |
Resolves: #2637
|
|
|
2ed6e8 |
|
|
|
2ed6e8 |
Signed-off-by: Pavel Moravec <pmoravec@redhat.com>
|
|
|
2ed6e8 |
---
|
|
|
2ed6e8 |
sos/report/plugins/rhui.py | 14 ++++++--------
|
|
|
2ed6e8 |
1 file changed, 6 insertions(+), 8 deletions(-)
|
|
|
2ed6e8 |
|
|
|
2ed6e8 |
diff --git a/sos/report/plugins/rhui.py b/sos/report/plugins/rhui.py
|
|
|
2ed6e8 |
index 1d479f85..52065fb4 100644
|
|
|
2ed6e8 |
--- a/sos/report/plugins/rhui.py
|
|
|
2ed6e8 |
+++ b/sos/report/plugins/rhui.py
|
|
|
2ed6e8 |
@@ -16,8 +16,8 @@ class Rhui(Plugin, RedHatPlugin):
|
|
|
2ed6e8 |
short_desc = 'Red Hat Update Infrastructure'
|
|
|
2ed6e8 |
|
|
|
2ed6e8 |
plugin_name = "rhui"
|
|
|
2ed6e8 |
- commands = ("rhui-manager",)
|
|
|
2ed6e8 |
- files = ("/etc/ansible/facts.d/rhui_auth.fact", "/usr/lib/rhui/cds.py")
|
|
|
2ed6e8 |
+ commands = ("rhui-manager", )
|
|
|
2ed6e8 |
+ files = ("/etc/rhui/rhui-tools.conf", )
|
|
|
2ed6e8 |
|
|
|
2ed6e8 |
def setup(self):
|
|
|
2ed6e8 |
self.add_copy_spec([
|
|
|
2ed6e8 |
@@ -27,7 +27,6 @@ class Rhui(Plugin, RedHatPlugin):
|
|
|
2ed6e8 |
"/var/log/rhui-subscription-sync.log",
|
|
|
2ed6e8 |
"/var/cache/rhui/*",
|
|
|
2ed6e8 |
"/root/.rhui/*",
|
|
|
2ed6e8 |
- "/etc/ansible/facts.d/rhui_*.fact",
|
|
|
2ed6e8 |
])
|
|
|
2ed6e8 |
# skip collecting certificate keys
|
|
|
2ed6e8 |
self.add_forbidden_path("/etc/pki/rhui/**/*.key", recursive=True)
|
|
|
2ed6e8 |
@@ -42,11 +41,10 @@ class Rhui(Plugin, RedHatPlugin):
|
|
|
2ed6e8 |
], timeout=60, env={'PYTHONUNBUFFERED': '1'})
|
|
|
2ed6e8 |
|
|
|
2ed6e8 |
def postproc(self):
|
|
|
2ed6e8 |
- # obfuscate admin_pw and secret_key values
|
|
|
2ed6e8 |
- for prop in ["admin_pw", "secret_key"]:
|
|
|
2ed6e8 |
- self.do_path_regex_sub(
|
|
|
2ed6e8 |
- "/etc/ansible/facts.d/rhui_auth.fact",
|
|
|
2ed6e8 |
- r"(%s\s*=\s*)(.*)" % prop,
|
|
|
2ed6e8 |
+ # hide rhui_manager_password value in (also rotated) answers file
|
|
|
2ed6e8 |
+ self.do_path_regex_sub(
|
|
|
2ed6e8 |
+ r"/root/\.rhui/answers.yaml.*",
|
|
|
2ed6e8 |
+ r"(\s*rhui_manager_password\s*:)\s*(\S+)",
|
|
|
2ed6e8 |
r"\1********")
|
|
|
2ed6e8 |
# obfuscate twoo cookies for login session
|
|
|
2ed6e8 |
for cookie in ["csrftoken", "sessionid"]:
|
|
|
2ed6e8 |
--
|
|
|
2ed6e8 |
2.31.1
|
|
|
2ed6e8 |
|