This is an automated email from the ASF dual-hosted git repository.
dahn pushed a commit to branch 4.20
in repository https://gitbox.apache.org/repos/asf/cloudstack.git
The following commit(s) were added to refs/heads/4.20 by this push:
new 42f1e19362a Mask vncPasswd being logged in agent.log (#12404)
42f1e19362a is described below
commit 42f1e19362ab9030117dc3808dbf3854b6a9f92d
Author: Manoj Kumar <[email protected]>
AuthorDate: Mon Jan 19 18:50:18 2026 +0530
Mask vncPasswd being logged in agent.log (#12404)
---
.../wrapper/LibvirtMigrateCommandWrapper.java | 24 +++++++++++---------
.../wrapper/LibvirtStartCommandWrapper.java | 5 +++--
.../wrapper/LibvirtMigrateCommandWrapperTest.java | 26 +++++++++++++++++++++-
3 files changed, 42 insertions(+), 13 deletions(-)
diff --git
a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtMigrateCommandWrapper.java
b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtMigrateCommandWrapper.java
index 32f2a4b122c..1f14402c85e 100644
---
a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtMigrateCommandWrapper.java
+++
b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtMigrateCommandWrapper.java
@@ -158,7 +158,7 @@ public final class LibvirtMigrateCommandWrapper extends
CommandWrapper<MigrateCo
final String target = command.getDestinationIp();
xmlDesc = dm.getXMLDesc(xmlFlag);
if (logger.isDebugEnabled()) {
- logger.debug(String.format("VM [%s] with XML configuration
[%s] will be migrated to host [%s].", vmName, xmlDesc, target));
+ logger.debug("VM {} with XML configuration {} will be migrated
to host {}.", vmName, maskSensitiveInfoInXML(xmlDesc), target);
}
// Limit the VNC password in case the length is greater than 8
characters
@@ -173,7 +173,7 @@ public final class LibvirtMigrateCommandWrapper extends
CommandWrapper<MigrateCo
logger.debug(String.format("Editing mount path of ISO from %s
to %s", oldIsoVolumePath, newIsoVolumePath));
xmlDesc = replaceDiskSourceFile(xmlDesc, newIsoVolumePath,
vmName);
if (logger.isDebugEnabled()) {
- logger.debug(String.format("Replaced disk mount point [%s]
with [%s] in Instance [%s] XML configuration. New XML configuration is [%s].",
oldIsoVolumePath, newIsoVolumePath, vmName, xmlDesc));
+ logger.debug("Replaced disk mount point {} with {} in
Instance {} XML configuration. New XML configuration is {}.", oldIsoVolumePath,
newIsoVolumePath, vmName, maskSensitiveInfoInXML(xmlDesc));
}
}
@@ -204,11 +204,11 @@ public final class LibvirtMigrateCommandWrapper extends
CommandWrapper<MigrateCo
if (migrateStorage) {
if (logger.isDebugEnabled()) {
- logger.debug(String.format("Changing VM [%s] volumes
during migration to host: [%s].", vmName, target));
+ logger.debug("Changing VM {} volumes during migration to
host: {}.", vmName, target);
}
xmlDesc = replaceStorage(xmlDesc, mapMigrateStorage,
migrateStorageManaged);
if (logger.isDebugEnabled()) {
- logger.debug(String.format("Changed VM [%s] XML
configuration of used storage. New XML configuration is [%s].", vmName,
xmlDesc));
+ logger.debug("Changed VM {} XML configuration of used
storage. New XML configuration is {}.", vmName,
maskSensitiveInfoInXML(xmlDesc));
}
migrateDiskLabels = getMigrateStorageDeviceLabels(disks,
mapMigrateStorage);
}
@@ -216,11 +216,11 @@ public final class LibvirtMigrateCommandWrapper extends
CommandWrapper<MigrateCo
Map<String, DpdkTO> dpdkPortsMapping =
command.getDpdkInterfaceMapping();
if (MapUtils.isNotEmpty(dpdkPortsMapping)) {
if (logger.isTraceEnabled()) {
- logger.trace(String.format("Changing VM [%s] DPDK
interfaces during migration to host: [%s].", vmName, target));
+ logger.trace("Changing VM {} DPDK interfaces during
migration to host: {}.", vmName, target);
}
xmlDesc = replaceDpdkInterfaces(xmlDesc, dpdkPortsMapping);
if (logger.isDebugEnabled()) {
- logger.debug(String.format("Changed VM [%s] XML
configuration of DPDK interfaces. New XML configuration is [%s].", vmName,
xmlDesc));
+ logger.debug("Changed VM {} XML configuration of DPDK
interfaces. New XML configuration is {}.", vmName,
maskSensitiveInfoInXML(xmlDesc));
}
}
@@ -233,7 +233,7 @@ public final class LibvirtMigrateCommandWrapper extends
CommandWrapper<MigrateCo
}
//run migration in thread so we can monitor it
- logger.info(String.format("Starting live migration of instance
[%s] to destination host [%s] having the final XML configuration: [%s].",
vmName, dconn.getURI(), xmlDesc));
+ logger.info("Starting live migration of instance {} to destination
host {} having the final XML configuration: {}.", vmName, dconn.getURI(),
maskSensitiveInfoInXML(xmlDesc));
final ExecutorService executor = Executors.newFixedThreadPool(1);
boolean migrateNonSharedInc = command.isMigrateNonSharedInc() &&
!migrateStorageManaged;
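Review bot: The `logger.info` call added here writes the complete domain XML at INFO level on every live migration, so unlike the guarded debug lines it is where any gap in `maskSensitiveInfoInXML` is most likely to reach agent.log (assuming INFO is enabled for the agent, which is not visible here). The helper only rewrites the `passwd` attribute of VNC `<graphics>` elements, so everything else in the XML is still logged as is. Consider keeping the INFO line to the identifiers, `logger.info("Starting live migration of instance {} to destination host {}.", vmName, dconn.getURI());`, and moving the masked XML to a guarded debug call. The enclosing method starts and ends outside the hunk.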
@@ -575,9 +575,7 @@ public final class LibvirtMigrateCommandWrapper extends
CommandWrapper<MigrateCo
graphElem = graphElem.replaceAll("passwd='([^\\s]+)'",
"passwd='" + vncPassword + "'");
}
xmlDesc = xmlDesc.replaceAll(GRAPHICS_ELEM_START +
CONTENTS_WILDCARD + GRAPHICS_ELEM_END, graphElem);
- if (logger.isDebugEnabled()) {
- logger.debug(String.format("Replaced the VNC IP address
[%s] with [%s] in VM [%s].", originalGraphElem, graphElem, vmName));
- }
+ logger.debug("Replaced the VNC IP address {} with {} in VM
{}.", maskSensitiveInfoInXML(originalGraphElem),
maskSensitiveInfoInXML(graphElem), vmName);
}
}
return xmlDesc;
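Review bot: Dropping the `isDebugEnabled()` guard means both `maskSensitiveInfoInXML(...)` arguments are evaluated on every call, even with debug logging off, because parameterized logging defers only the message formatting and not the argument expressions. The other hunks in this file keep the guard around their masked XML, and this one should as well: `if (logger.isDebugEnabled()) { logger.debug(...); }`. The message still says "VNC IP address" although it prints whole `<graphics>` elements, which is worth rewording while the line is being touched. The method body starts outside the hunk.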
@@ -910,4 +908,10 @@ public final class LibvirtMigrateCommandWrapper extends
CommandWrapper<MigrateCo
}
return false;
}
+
+ public static String maskSensitiveInfoInXML(String xmlDesc) {
+ if (xmlDesc == null) return null;
+ return
xmlDesc.replaceAll("(graphics\\s+[^>]*type=['\"]vnc['\"][^>]*passwd=['\"])([^'\"]*)(['\"])",
+ "$1*****$3");
+ }
}
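Review bot: The pattern in `maskSensitiveInfoInXML` masks the password only when `type=` appears before `passwd=` inside the tag, and its value group `([^'\"]*)` stops at the first quote of either kind, so a single-quoted value containing `"` would be masked only up to that character and the remainder logged. Whether either shape reaches this method depends on how libvirt and the `vm.toString()` serializer order and escape attributes, which is not visible here, but a log redactor should not rely on it. The name also promises more than the method does: only VNC graphics passwords are covered (the new test pins that a SPICE `passwd` is left unchanged), and that scope belongs in a Javadoc. Finally, `String.replaceAll` recompiles the regex on every call and the `if` is unbraced; a precompiled `static final Pattern` (requires `java.util.regex.Pattern` in scope) addresses both while keeping the behaviour the new tests expect.

```java
// … unchanged: preceding method ending in `return false;` …

/** VNC {@code <graphics>} start tag carrying a {@code passwd} attribute, in any attribute order and either quote style. */
private static final Pattern VNC_GRAPHICS_PASSWD = Pattern.compile(
        "(<graphics\\b(?=[^>]*\\btype=['\"]vnc['\"])[^>]*?\\bpasswd=)(['\"])(?:(?!\\2).)*\\2",
        Pattern.DOTALL);

/**
 * Returns {@code xmlDesc} with the {@code passwd} value of every VNC {@code <graphics>} element replaced by
 * {@code *****}. Intended for log output only; other graphics types and all other elements are returned unchanged.
 *
 * @param xmlDesc domain XML or a fragment of it, may be {@code null}
 * @return the masked copy, or {@code null} when {@code xmlDesc} is {@code null}
 */
public static String maskSensitiveInfoInXML(String xmlDesc) {
    if (xmlDesc == null) {
        return null;
    }
    // The value is matched up to the same quote character that opened it, so the other quote kind inside it is masked too.
    return VNC_GRAPHICS_PASSWD.matcher(xmlDesc).replaceAll("$1$2*****$2");
}
```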
diff --git
a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtStartCommandWrapper.java
b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtStartCommandWrapper.java
index a174c9a6f14..6e978715755 100644
---
a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtStartCommandWrapper.java
+++
b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtStartCommandWrapper.java
@@ -80,8 +80,9 @@ public final class LibvirtStartCommandWrapper extends
CommandWrapper<StartComman
}
libvirtComputingResource.createVifs(vmSpec, vm);
-
- logger.debug("starting " + vmName + ": " + vm.toString());
+ if (logger.isDebugEnabled()) {
+ logger.debug("Starting {} : {}", vmName,
LibvirtMigrateCommandWrapper.maskSensitiveInfoInXML(vm.toString()));
+ }
String vmInitialSpecification = vm.toString();
String vmFinalSpecification =
performXmlTransformHook(vmInitialSpecification, libvirtComputingResource);
libvirtComputingResource.startVM(conn, vmName,
vmFinalSpecification);
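Review bot: `vm.toString()` is now serialized twice, once for the debug line and again on the next line for `vmInitialSpecification`; assigning first and logging the masked copy of that variable avoids the duplicate work and guarantees the log describes the same string that is processed, i.e. `logger.debug("Starting {} : {}", vmName, LibvirtMigrateCommandWrapper.maskSensitiveInfoInXML(vmInitialSpecification));` placed after the assignment and inside the existing guard. The XML actually handed to `startVM` is `vmFinalSpecification`, produced by `performXmlTransformHook`; whether that hook or `startVM` logs it unmasked is not visible in this hunk and is worth checking. Calling a public static on `LibvirtMigrateCommandWrapper` from the start wrapper also couples two otherwise unrelated command wrappers, so a shared utility class would be a better home for the helper. The method starts and ends outside the hunk.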
diff --git
a/plugins/hypervisors/kvm/src/test/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtMigrateCommandWrapperTest.java
b/plugins/hypervisors/kvm/src/test/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtMigrateCommandWrapperTest.java
index 3c5e54e2ba8..05d89cc3d97 100644
---
a/plugins/hypervisors/kvm/src/test/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtMigrateCommandWrapperTest.java
+++
b/plugins/hypervisors/kvm/src/test/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtMigrateCommandWrapperTest.java
@@ -589,7 +589,7 @@ public class LibvirtMigrateCommandWrapperTest {
@Test
public void testReplaceIpForVNCInDescFile() {
final String targetIp = "192.168.22.21";
- final String result =
libvirtMigrateCmdWrapper.replaceIpForVNCInDescFileAndNormalizePassword(fullfile,
targetIp, null, "");
+ final String result =
libvirtMigrateCmdWrapper.replaceIpForVNCInDescFileAndNormalizePassword(fullfile,
targetIp, "vncSecretPwd", "");
assertEquals("transformation does not live up to expectation:\n" +
result, targetfile, result);
}
@@ -1019,4 +1019,28 @@ public class LibvirtMigrateCommandWrapperTest {
Assert.assertTrue(finalXml.contains(newIsoVolumePath));
}
+
+ @Test
+ public void testMaskVncPwdDomain() {
+ // Test case 1: Single quotes
+ String xml1 = "<graphics type='vnc' port='5900' passwd='secret123'/>";
+ String expected1 = "<graphics type='vnc' port='5900' passwd='*****'/>";
+ assertEquals(expected1,
LibvirtMigrateCommandWrapper.maskSensitiveInfoInXML(xml1));
+
+ // Test case 2: Double quotes
+ String xml2 = "<graphics type=\"vnc\" port=\"5901\"
passwd=\"mypassword\"/>";
+ String expected2 = "<graphics type=\"vnc\" port=\"5901\"
passwd=\"*****\"/>";
+ assertEquals(expected2,
LibvirtMigrateCommandWrapper.maskSensitiveInfoInXML(xml2));
+
+ // Test case 3: Non-VNC graphics (should remain unchanged)
+ String xml3 = "<graphics type='spice' port='5902' passwd='notvnc'/>";
+ assertEquals(xml3,
LibvirtMigrateCommandWrapper.maskSensitiveInfoInXML(xml3));
+
+ // Test case 4: Multiple VNC entries in one string
+ String xml4 = "<graphics type='vnc' port='5900' passwd='a'/>\n" +
+ "<graphics type='vnc' port='5901' passwd='b'/>";
+ String expected4 = "<graphics type='vnc' port='5900'
passwd='*****'/>\n" +
+ "<graphics type='vnc' port='5901' passwd='*****'/>";
+ assertEquals(expected4,
LibvirtMigrateCommandWrapper.maskSensitiveInfoInXML(xml4));
+ }
}
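Review bot: The new test only covers inputs where `type` precedes `passwd` and the password contains no quote character, so it does not pin the cases where the masking regex is weakest. Add cases for `passwd` placed before `type`, a value containing the opposite quote character, a `null` input, and a full multi-line domain XML with a nested `<listen>` child, each as its own `@Test` so a failure names the case. Case 3 asserts that a SPICE `passwd` stays in clear text; if that is intentional, a comment such as `// SPICE passwords are out of scope for this helper` should say so.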