Re: [PATCH master 13/15] luxid: give stern warnings about debug mode

Thu, 06 Feb 2014 05:55:36 -0800 

diff --git a/src/Ganeti/Constants.hs b/src/Ganeti/Constants.hs
index 4072df4..35bb3c6 100644
--- a/src/Ganeti/Constants.hs
+++ b/src/Ganeti/Constants.hs
@@ -4766,6 +4766,6 @@ privateParametersBlacklist = [ "osparams_private"

 -- | Warn the user that the logging level is too low for production use.
 debugModeConfidentialityWarning :: String
-debugModeConfidentialityWarning = "ALERT: %s started in debug mode.\n\
-                                  \ Private and secret parameters WILL\
-                                  \ be logged!\n"
+debugModeConfidentialityWarning =
+  "ALERT: %s started in debug mode.\n\
+  \ Private and secret parameters WILL be logged!\n"
diff --git a/lib/daemon.py b/lib/daemon.py
index efe22bf..b6e2915 100644
--- a/lib/daemon.py
+++ b/lib/daemon.py
@@ -671,7 +671,7 @@ def GenericMain(daemon_name, optionparser,
                 check_fn, prepare_fn, exec_fn,
                 multithreaded=False, console_logging=False,
                 default_ssl_cert=None, default_ssl_key=None,
-                warn_about_private_values_and_debug_mode=False):
+                warn_breach=False):
   """Shared main function for daemons.

   @type daemon_name: string
@@ -698,10 +698,10 @@ def GenericMain(daemon_name, optionparser,
   @param default_ssl_cert: Default SSL certificate path
   @type default_ssl_key: string
   @param default_ssl_key: Default SSL key path
-  @type warn_about_private_values_and_debug_mode: bool
-  @param warn_about_private_values_and_debug_mode: issue a warning at daemon
-      launch time, before daemonizing, about the possibility of breaking
-      parameter privacy invariants through otherwise helpful debug logging.
+  @type warn_breach: bool
+  @param warn_breach: issue a warning at daemon launch time, before
+      daemonizing, about the possibility of breaking parameter privacy
+      invariants through otherwise helpful debug logging.

   """
   optionparser.add_option("-f", "--foreground", dest="fork",
@@ -806,7 +806,7 @@ def GenericMain(daemon_name, optionparser,
   log_filename = constants.DAEMONS_LOGFILES[daemon_name]

   # node-deamon logging in lib/http/server.py, _HandleServerRequestInner
-  if options.debug and warn_about_private_values_and_debug_mode:
+  if options.debug and warn_breach:
     sys.stderr.write(constants.DEBUG_MODE_CONFIDENTIALITY_WARNING %
daemon_name)
--- a/lib/server/noded.py
+++ b/lib/server/noded.py
@@ -1298,4 +1298,4 @@ def Main():
                      default_ssl_cert=pathutils.NODED_CERT_FILE,
                      default_ssl_key=pathutils.NODED_CERT_FILE,
                      console_logging=True,
-                     warn_about_private_values_and_debug_mode=True)
+                     warn_breach=True)
diff --git a/src/Ganeti/UDSServer.hs b/src/Ganeti/UDSServer.hs
index 4fd4c78..42dc42c 100644
--- a/src/Ganeti/UDSServer.hs
+++ b/src/Ganeti/UDSServer.hs
@@ -58,14 +58,14 @@ module Ganeti.UDSServer
 import Control.Applicative
 import Control.Concurrent (forkIO)
 import Control.Exception (catch)
-import Data.IORef
-import Data.List
+import Control.Monad
 import qualified Data.ByteString as B
 import qualified Data.ByteString.Lazy as BL
 import qualified Data.ByteString.UTF8 as UTF8
 import qualified Data.ByteString.Lazy.UTF8 as UTF8L
+import Data.IORef
+import Data.List
 import Data.Word (Word8)
-import Control.Monad
 import qualified Network.Socket as S
 import System.Directory (removeFile)
 import System.IO (hClose, hFlush, hWaitForInput, Handle, IOMode(..))
diff --git a/src/Ganeti/Logging.hs b/src/Ganeti/Logging.hs
index abb8d46..4cc5c62 100644
--- a/src/Ganeti/Logging.hs
+++ b/src/Ganeti/Logging.hs
@@ -50,6 +50,7 @@ module Ganeti.Logging
   , isDebugMode
   ) where

+import Control.Applicative ((<$>))
 import Control.Monad
 import Control.Monad.Error (Error(..), MonadError(..), catchError)
 import Control.Monad.Reader
@@ -179,9 +180,7 @@ logEmergency = logAt EMERGENCY
 -- | Check if the logging is at DEBUG level.
 -- DEBUG logging is unacceptable for production.
 isDebugMode :: IO Bool
-isDebugMode = do
-  logger <- getRootLogger
-  return $ getLevel logger == Just DEBUG
+isDebugMode = (Just DEBUG ==) . getLevel <$> getRootLogger

 -- * Logging in an error monad with rethrowing errors
diff --git a/src/Ganeti/UDSServer.hs b/src/Ganeti/UDSServer.hs
index 42dc42c..a1622d1 100644
--- a/src/Ganeti/UDSServer.hs
+++ b/src/Ganeti/UDSServer.hs
@@ -351,6 +351,11 @@ handleRawMessage handler payload =
         let (status, response) = prepareMsg call_result_json
         return (close, buildResponse status response)

+isRisky :: RecvResult -> Bool
+isRisky msg = case msg of
+  RecvOk payload -> any (`isInfixOf` payload) privateParametersBlacklist
+  _ -> False
+
 -- | Reads a request, passes it to a handler and sends a response back to the
 -- client.
 handleClient
@@ -378,10 +383,6 @@ handleClient handler client = do
       sendMsg client outMsg
       return close

-isRisky :: RecvResult -> Bool
-isRisky msg = case msg of
-  RecvOk payload -> any (`isInfixOf` payload) privateParametersBlacklist
-  _ -> False

 -- | Main client loop: runs one loop of 'handleClient', and if that
 -- doesn't report a finished (closed) connection, restarts itself.



-- 
Raffa Santi
Google Germany GmbH
Dienerstr. 12
80331 München


Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores

Reply via email to