Hello community,

here is the log from the commit of package crmsh for openSUSE:Factory checked 
in at 2020-10-10 00:29:36
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/crmsh (Old)
 and      /work/SRC/openSUSE:Factory/.crmsh.new.4249 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "crmsh"

Sat Oct 10 00:29:36 2020 rev:194 rq:840390 version:4.2.0+git.1602225426.5f84efb5

Changes:
--------
--- /work/SRC/openSUSE:Factory/crmsh/crmsh.changes      2020-09-22 
21:13:29.928051062 +0200
+++ /work/SRC/openSUSE:Factory/.crmsh.new.4249/crmsh.changes    2020-10-10 
00:29:37.737161270 +0200
@@ -1,0 +2,15 @@
+Fri Oct 09 06:53:46 UTC 2020 - xli...@suse.com
+
+- Update to version 4.2.0+git.1602225426.5f84efb5:
+  * Dev: unittest: unit test for hb_report sanitize
+  * Dev: behave: functional test for hb_report sanitize
+  * Fix: hb_report: fix sanitize functionality(bsc#1163581)
+
+-------------------------------------------------------------------
+Thu Sep 24 02:53:05 UTC 2020 - xli...@suse.com
+
+- Update to version 4.2.0+git.1600915005.e8089225:
+  * FIx start_delay with start-delay
+  * fix on_fail should be on-fail
+
+-------------------------------------------------------------------

Old:
----
  crmsh-4.2.0+git.1600742357.6be225e5.tar.bz2

New:
----
  crmsh-4.2.0+git.1602225426.5f84efb5.tar.bz2

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ crmsh.spec ++++++
--- /var/tmp/diff_new_pack.IbnFoH/_old  2020-10-10 00:29:38.373161585 +0200
+++ /var/tmp/diff_new_pack.IbnFoH/_new  2020-10-10 00:29:38.373161585 +0200
@@ -36,7 +36,7 @@
 Summary:        High Availability cluster command-line interface
 License:        GPL-2.0-or-later
 Group:          %{pkg_group}
-Version:        4.2.0+git.1600742357.6be225e5
+Version:        4.2.0+git.1602225426.5f84efb5
 Release:        0
 Url:            http://crmsh.github.io
 Source0:        %{name}-%{version}.tar.bz2

++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.IbnFoH/_old  2020-10-10 00:29:38.417161607 +0200
+++ /var/tmp/diff_new_pack.IbnFoH/_new  2020-10-10 00:29:38.417161607 +0200
@@ -5,4 +5,4 @@
                 <param 
name="url">https://github.com/liangxin1300/crmsh.git</param>
               <param 
name="changesrevision">d8dc51b4cb34964aa72e918999ebc7f03b48f3c9</param></service><service
 name="tar_scm">
                 <param 
name="url">https://github.com/ClusterLabs/crmsh.git</param>
-              <param 
name="changesrevision">6be225e5a9e397eaab21e063693d87a854d1d170</param></service></servicedata>
\ No newline at end of file
+              <param 
name="changesrevision">5f84efb5767a54c50095ce297864035a3fbeef6e</param></service></servicedata>
\ No newline at end of file

++++++ crmsh-4.2.0+git.1600742357.6be225e5.tar.bz2 -> 
crmsh-4.2.0+git.1602225426.5f84efb5.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/crmsh-4.2.0+git.1600742357.6be225e5/.travis.yml 
new/crmsh-4.2.0+git.1602225426.5f84efb5/.travis.yml
--- old/crmsh-4.2.0+git.1600742357.6be225e5/.travis.yml 2020-09-22 
04:39:17.000000000 +0200
+++ new/crmsh-4.2.0+git.1602225426.5f84efb5/.travis.yml 2020-10-09 
08:37:06.000000000 +0200
@@ -24,7 +24,7 @@
       script:
         - docker run -t -v "$(pwd):/app" $IMAGE /bin/sh -c "cd /app; 
TOXENV=py38-codeclimate; tox"
 
-    - name: "functional test for hb_report"
+    - name: "functional test for hb_report bugs"
       before_install:
         - $FUNCTIONAL_TEST hb_report before_install
       script:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/crmsh-4.2.0+git.1600742357.6be225e5/crm.conf.in 
new/crmsh-4.2.0+git.1602225426.5f84efb5/crm.conf.in
--- old/crmsh-4.2.0+git.1600742357.6be225e5/crm.conf.in 2020-09-22 
04:39:17.000000000 +0200
+++ new/crmsh-4.2.0+git.1602225426.5f84efb5/crm.conf.in 2020-10-09 
08:37:06.000000000 +0200
@@ -75,3 +75,42 @@
 ; collect_extra_logs = /var/log/messages /var/log/pacemaker.log
 ; remove_exist_dest = no
 ; single_node = no
+;
+;   sanitize_rule = sanitize_pattern[:options] ...
+;
+; This defines the way to hide sensitive data generated by hb_report.
+;
+; 'sanitize_pattern' is a RegEx string, which is used to matches 'name'
+; field of CIB params. The sanitize process will hide 'value' of those
+; matched 'name:value' pairs in CIB, PE, pacemaker.log.
+;
+; 'options' is the predefined, and 'raw' is the only one defined
+; currently. With ':raw" option, the sanitize process will fetch
+; 'value' results out of CIB 'name:value' pairs, and use them to
+; hide all clear text occurence from all files hb_report collected.
+;
+; Example 1:
+;   sanitize_rule = passw.*
+;
+; This is the default. It will hide password nam:value pairs.
+; The result of hb_report clould be like
+;     name="password", value=******
+;     @name=password @value=******
+;     passwd=******
+;
+;
+; Example 2:
+;   sanitize_rule = ip.*:raw
+;
+; This will only hide ip addresses. Example, the sanitize process will fetch
+; ip=10.10.10.10 and replace all clear text occurrence of "10.10.10.10"
+;
+;
+; Example 3:
+;   sanitize_rule = passw.*|ip.*:raw
+;
+; This is useful for the higher security concern.
+; The sanitize process will hide all "name:value" pair for password like in
+; example 1, and all clear text ip addresses like in example 2 above.
+;
+; sanitize_rule = passw.*
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/crmsh-4.2.0+git.1600742357.6be225e5/crmsh/config.py 
new/crmsh-4.2.0+git.1602225426.5f84efb5/crmsh/config.py
--- old/crmsh-4.2.0+git.1600742357.6be225e5/crmsh/config.py     2020-09-22 
04:39:17.000000000 +0200
+++ new/crmsh-4.2.0+git.1602225426.5f84efb5/crmsh/config.py     2020-10-09 
08:37:06.000000000 +0200
@@ -280,7 +280,8 @@
         'speed_up': opt_boolean('no'),
         'collect_extra_logs': opt_string('/var/log/messages 
/var/log/pacemaker/pacemaker.log /var/log/pacemaker.log 
/var/log/crmsh/ha-cluster-bootstrap.log'),
         'remove_exist_dest': opt_boolean('no'),
-        'single_node': opt_boolean('no')
+        'single_node': opt_boolean('no'),
+        'sanitize_rule': opt_string('passw.*')
     }
 }
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/crmsh-4.2.0+git.1600742357.6be225e5/hb_report/constants.py 
new/crmsh-4.2.0+git.1602225426.5f84efb5/hb_report/constants.py
--- old/crmsh-4.2.0+git.1600742357.6be225e5/hb_report/constants.py      
2020-09-22 04:39:17.000000000 +0200
+++ new/crmsh-4.2.0+git.1602225426.5f84efb5/hb_report/constants.py      
2020-10-09 08:37:06.000000000 +0200
@@ -17,7 +17,12 @@
 CTS = ""
 DEST = ""
 DESTDIR = ""
-DO_SANITIZE = 0
+DO_SANITIZE = False
+SANITIZE_RULE = "passw.*"
+SANITIZE_RULE_DICT = dict()
+SANITIZE_VALUE_CIB = []
+SANITIZE_KEY_CIB = []
+SANITIZE_VALUE_RAW = []
 EXTRA_LOGS = config.report.collect_extra_logs
 FORCE_REMOVE_DEST = config.report.remove_exist_dest
 FROM_TIME = ""
@@ -40,7 +45,6 @@
 PCMK_LOG = "/var/log/pacemaker/pacemaker.log /var/log/pacemaker.log"
 PE_STATE_DIR = None
 PTEST = "crm_simulate"
-SANITIZE = "passw.*"
 SKIP_LVL = config.report.speed_up
 SLAVE = 0
 SLAVEPIDS = None
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/crmsh-4.2.0+git.1600742357.6be225e5/hb_report/hb_report.in 
new/crmsh-4.2.0+git.1602225426.5f84efb5/hb_report/hb_report.in
--- old/crmsh-4.2.0+git.1600742357.6be225e5/hb_report/hb_report.in      
2020-09-22 04:39:17.000000000 +0200
+++ new/crmsh-4.2.0+git.1602225426.5f84efb5/hb_report/hb_report.in      
2020-10-09 08:37:06.000000000 +0200
@@ -42,8 +42,8 @@
     env_dict["NODES"] = constants.NODES
     env_dict["HA_LOG"] = constants.HA_LOG
     # env_dict["UNIQUE_MSG"] = constants.UNIQUE_MSG
-    env_dict["SANITIZE"] = constants.SANITIZE
-    env_dict["DO_SANITIZE"] = int(constants.DO_SANITIZE)
+    env_dict["SANITIZE_RULE_DICT"] = constants.SANITIZE_RULE_DICT
+    env_dict["DO_SANITIZE"] = constants.DO_SANITIZE
     env_dict["SKIP_LVL"] = constants.SKIP_LVL
     env_dict["EXTRA_LOGS"] = constants.EXTRA_LOGS
     env_dict["PCMK_LOG"] = constants.PCMK_LOG
@@ -120,8 +120,8 @@
     constants.NODES = env_dict["NODES"]
     constants.HA_LOG = env_dict["HA_LOG"]
     # constants.UNIQUE_MSG = env_dict["UNIQUE_MSG"]
-    constants.SANITIZE = env_dict["SANITIZE"]
-    constants.DO_SANITIZE = int(env_dict["DO_SANITIZE"])
+    constants.SANITIZE_RULE_DICT = env_dict["SANITIZE_RULE_DICT"]
+    constants.DO_SANITIZE = env_dict["DO_SANITIZE"]
     constants.SKIP_LVL = utillib.str_to_bool(env_dict["SKIP_LVL"])
     constants.EXTRA_LOGS = env_dict["EXTRA_LOGS"]
     constants.PCMK_LOG = env_dict["PCMK_LOG"]
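Review bot: On the load side, `constants.DO_SANITIZE = env_dict["DO_SANITIZE"]` and `constants.SANITIZE_RULE_DICT = env_dict["SANITIZE_RULE_DICT"]` are taken as-is, while `SKIP_LVL` two lines below still goes through `utillib.str_to_bool(...)`. If env_dict values can arrive as strings (the `str_to_bool` call and the removed `int(...)` suggest they might, though the transport is not visible here), the string `"False"` would be truthy and a stringified dict would break the later `SANITIZE_RULE_DICT.items()` loop. A comment stating the contract, e.g. `# env_dict keeps native types (bool/dict) end to end`, or an explicit conversion would make this checkable. The enclosing function starts and ends outside this hunk.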
@@ -164,9 +164,9 @@
         if args == "-e":
             constants.EDITOR = option
         if args == "-p":
-            constants.SANITIZE += " %s" % option
+            constants.SANITIZE_RULE += " %s" % option
         if args == "-s":
-            constants.DO_SANITIZE = 1
+            constants.DO_SANITIZE = True
         if args == "-Q":
             constants.SKIP_LVL = True
         if args == "-L":
@@ -186,6 +186,13 @@
         if args == '-d':
             constants.COMPRESS = False
 
+    if config.report.sanitize_rule:
+        constants.DO_SANITIZE = True
+        temp_pattern_set = set()
+        temp_pattern_set |= set(re.split('\s*\|\s*|\s+', 
config.report.sanitize_rule.strip('|')))
+        constants.SANITIZE_RULE += " {}".format(' '.join(temp_pattern_set))
+    utillib.parse_sanitize_rule(constants.SANITIZE_RULE)
+
     if not constants.FROM_TIME:
         from_time = config.report.from_time
         if re.search("^-[1-9][0-9]*[YmdHM]$", from_time):
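Review bot: The split pattern `'\s*\|\s*|\s+'` is an ordinary string literal, so `\s` and `\|` are invalid escape sequences that newer Python versions warn about; it should be written `re.split(r'\s*\|\s*|\s+', ...)`. Because the configured rule is split on `|` and whitespace before it is parsed, a single pattern cannot contain alternation or spaces, which deserves a one-line comment next to the split. The enclosing function begins and ends outside this hunk.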
@@ -297,6 +304,9 @@
         for p in p_list:
             p.join()
 
+        if not constants.SKIP_LVL:
+            utillib.sanitize()
+
         if constants.COMPRESS:
             utillib.pick_compress()
             cmd = r"(cd %s/.. && tar cf - %s)|%s > %s/%s.tar%s" % (
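Review bot: `utillib.sanitize()` is still guarded by `if not constants.SKIP_LVL:`, so a run with speed-up enabled (`-Q` sets `SKIP_LVL = True` earlier in this file) builds the tarball without masking and without the "possibly sensitive data" warning, even when `-s` or a `sanitize_rule` is set. Consider keying the call on the sanitize setting as well, e.g. `if constants.DO_SANITIZE or not constants.SKIP_LVL:`, or at least log that masking was skipped. The surrounding function continues outside the hunk.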
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/crmsh-4.2.0+git.1600742357.6be225e5/hb_report/utillib.py 
new/crmsh-4.2.0+git.1602225426.5f84efb5/hb_report/utillib.py
--- old/crmsh-4.2.0+git.1600742357.6be225e5/hb_report/utillib.py        
2020-09-22 04:39:17.000000000 +0200
+++ new/crmsh-4.2.0+git.1602225426.5f84efb5/hb_report/utillib.py        
2020-10-09 08:37:06.000000000 +0200
@@ -311,8 +311,6 @@
 
     for p in process_list:
         p.join()
-    if not constants.SKIP_LVL:
-        sanitize()
 
     for l in constants.EXTRA_LOGS.split():
         if not os.path.isfile(l):
@@ -1407,48 +1405,48 @@
     """
     replace sensitive info with '****'
     """
-    workdir = constants.WORKDIR
-    conf = os.path.join(workdir, constants.B_CONF)
-    if os.path.isfile(conf):
-        sanitize_one(conf)
-    cib_f = os.path.join(workdir, constants.CIB_F)
-    rc = 0
-    for f in [cib_f] + glob.glob(os.path.join(workdir, "pengine", "*")):
-        if os.path.isfile(f):
-            if constants.DO_SANITIZE == 1:
-                sanitize_one(f)
-            else:
-                rc = sanitize_one(f, "test")
-    if rc != 0:
-        log_warning("some PE or CIB files contain possibly sensitive data")
-        log_warning("you may not want to send this report to a public mailing 
list")
+    log_debug("Check or replace sensitive info from cib, pe and log files")
 
+    get_sensitive_key_value_list()
 
-def sanitize_one(in_file, mode=None):
-    open_ = None
-    if re.search("gz$", in_file):
-        open_ = gzip.open
-    elif re.search("bz2$", in_file):
-        open_ = bz2.BZ2File
-    else:
-        open_ = open
-    with open_(in_file, 'r') as f:
-        data = f.read()
+    work_dir = constants.WORKDIR
+    file_list = []
+    for (dirpath, dirnames, filenames) in os.walk(work_dir):
+        for _file in filenames:
+            file_list.append(os.path.join(dirpath, _file))
 
-    if mode == "test":
-        if sub_string_test(data):
-            return 1
-        else:
-            return 0
+    for f in [item for item in file_list if os.path.isfile(item)]:
+        rc = sanitize_one(f)
+        if rc == 1:
+            log_warning("Some PE/CIB/log files contain possibly sensitive 
data")
+            log_warning("Using \"-s\" option can replace sensitive data")
+            break
 
-    ref = create_tempfile()
-    add_tempfiles(ref)
-    touch_r(in_file, ref)
 
-    with open_(in_file, 'w') as f:
-        f.write(sub_string(data))
+def sanitize_one(in_file):
+    """
+    Open the file, replace sensitive string and write back
+    """
+    data = read_from_file(in_file)
+    if not data:
+        return
+    if not include_sensitive_data(data):
+        return
+    if not constants.DO_SANITIZE:
+        return 1
+    log_debug("Replace sensitive info for {}".format(in_file))
+    write_to_file(in_file, sub_sensitive_string(data))
+
 
-    touch_r(ref, in_file)
+def parse_sanitize_rule(rule_string):
+    for rule in rule_string.split():
+        if ':' in rule:
+            key, value = rule.split(':')
+            if value != "raw":
+                log_fatal("For sanitize_pattern {}, option should be 
\"raw\"".format(key))
+            constants.SANITIZE_RULE_DICT[key] = value
+        else:
+            constants.SANITIZE_RULE_DICT[rule] = None
 
 
 def say_ssh_user():
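Review bot: In `parse_sanitize_rule`, `key, value = rule.split(':')` raises an unhandled ValueError for any rule containing more than one colon, instead of reaching the `log_fatal` message meant for bad options. `key, _, value = rule.rpartition(':')` treats the last field as the option and lets the existing `value != "raw"` check report the problem. The function also lacks a docstring; one line such as `"""Fill SANITIZE_RULE_DICT from a space-separated list of pattern[:option] rules"""` would match its neighbours.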
@@ -1554,28 +1552,6 @@
     return v.lower() in ["true"]
 
 
-def sub_string(in_string,
-               pattern=constants.SANITIZE,
-               sub_pattern=' value=".*" ',
-               repl=' value="******" '):
-    res_string = ""
-    pattern_string = re.sub(" ", "|", pattern)
-    for line in in_string.split('\n')[:-1]:
-        if re.search('name="%s"' % pattern_string, line):
-            res_string += re.sub(sub_pattern, repl, line) + '\n'
-        else:
-            res_string += line + '\n'
-    return res_string
-
-
-def sub_string_test(in_string, pattern=constants.SANITIZE):
-    pattern_string = re.sub(" ", "|", pattern)
-    for line in crmutils.to_ascii(in_string).split('\n'):
-        if re.search('name="%s"' % pattern_string, line):
-            return True
-    return False
-
-
 def sys_info():
     """
     some basic system info and stats
@@ -1786,4 +1762,60 @@
             f.write(data)
         else:
             f.write(data.encode('utf-8'))
+
+
+def get_sensitive_key_value_list():
+    """
+    For each defined sanitize rule, get the sensitive value or key list
+    """
+    for key, value in constants.SANITIZE_RULE_DICT.items():
+        try:
+            if value == "raw":
+                constants.SANITIZE_VALUE_RAW += 
extract_sensitive_value_list(key)
+            else:
+                constants.SANITIZE_VALUE_CIB += 
extract_sensitive_value_list(key)
+                constants.SANITIZE_KEY_CIB.append(key.strip('.*?')+'.*?')
+        except (FileNotFoundError, EOFError) as e:
+            log_warning(e)
+
+
+def extract_sensitive_value_list(rule):
+    """
+    Extract sensitive value from cib.xml
+    """
+    cib_file = os.path.join(constants.WORKDIR, constants.WE, constants.CIB_F)
+    if not os.path.exists(cib_file):
+        raise FileNotFoundError("File {} was not 
collected".format(constants.CIB_F))
+
+    with open(cib_file) as fd:
+        data = fd.read()
+    if not data:
+        raise EOFError("File {} is empty".format(cib_file))
+
+    value_list = re.findall(r'name="({})" 
value="(.*?)"'.format(rule.strip('?')+'?'), data)
+    return [value[1] for value in value_list]
+
+
+def include_sensitive_data(data):
+    """
+    Check whether contain sensitive data
+    """
+    if constants.SANITIZE_VALUE_RAW or constants.SANITIZE_VALUE_CIB:
+        return True
+    return False
+
+
+def sub_sensitive_string(data):
+    """
+    Do the replace job
+
+    For the raw sanitize_pattern option, replace exactly the value
+    For the key:value nvpair sanitize_pattern, replace the value in which line 
contain the key
+    """
+    result = data
+    if constants.SANITIZE_VALUE_RAW:
+        result = 
re.sub(r'\b({})\b'.format('|'.join(constants.SANITIZE_VALUE_RAW)), "******", 
data)
+    if constants.SANITIZE_VALUE_CIB:
+        result = 
re.sub('({})({})'.format('|'.join(constants.SANITIZE_KEY_CIB), 
'|'.join(constants.SANITIZE_VALUE_CIB)), '\\1******', result)
+    return result
 # vim:ts=4:sw=4:et:
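Review bot: `sub_sensitive_string` joins the values read from cib.xml straight into a regular expression, so a password containing characters such as `(`, `[`, `+` or `\` either raises `re.error` or fails to match and stays in the report in clear text. An empty `value=""` also adds an empty alternative that matches everywhere. The values should go through `re.escape`, with empty ones dropped, before both patterns are built, as sketched below. Separately, `include_sensitive_data(data)` never looks at `data`, so once any value has been collected every file is reported as sensitive or rewritten.

```python
def sub_sensitive_string(data):
    # … unchanged: docstring …
    result = data
    # Values come from the CIB: treat them as literals, and drop empty
    # values, which would otherwise match at every position.
    raw_values = [re.escape(v) for v in constants.SANITIZE_VALUE_RAW if v]
    cib_values = [re.escape(v) for v in constants.SANITIZE_VALUE_CIB if v]
    if raw_values:
        # NOTE: \b still requires the value to start and end with a word character
        result = re.sub(r'\b({})\b'.format('|'.join(raw_values)), "******", result)
    if cib_values:
        result = re.sub('({})({})'.format('|'.join(constants.SANITIZE_KEY_CIB), '|'.join(cib_values)), '\\1******', result)
    return result
```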
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/crmsh-4.2.0+git.1600742357.6be225e5/scripts/lvm/main.yml 
new/crmsh-4.2.0+git.1602225426.5f84efb5/scripts/lvm/main.yml
--- old/crmsh-4.2.0+git.1600742357.6be225e5/scripts/lvm/main.yml        
2020-09-22 04:39:17.000000000 +0200
+++ new/crmsh-4.2.0+git.1602225426.5f84efb5/scripts/lvm/main.yml        
2020-10-09 08:37:06.000000000 +0200
@@ -18,4 +18,4 @@
         type: string
     ops: |
       op monitor interval=130s timeout=130s
-      op stop timeout=130s on_fail=fence
+      op stop timeout=130s on-fail=fence
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/crmsh-4.2.0+git.1600742357.6be225e5/scripts/raid1/main.yml 
new/crmsh-4.2.0+git.1602225426.5f84efb5/scripts/raid1/main.yml
--- old/crmsh-4.2.0+git.1600742357.6be225e5/scripts/raid1/main.yml      
2020-09-22 04:39:17.000000000 +0200
+++ new/crmsh-4.2.0+git.1602225426.5f84efb5/scripts/raid1/main.yml      
2020-10-09 08:37:06.000000000 +0200
@@ -14,4 +14,4 @@
         required: true
         type: string
     ops: |
-      op monitor interval=60s timeout=130s on_fail=fence
+      op monitor interval=60s timeout=130s on-fail=fence
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/crmsh-4.2.0+git.1600742357.6be225e5/scripts/sapdb/main.yml 
new/crmsh-4.2.0+git.1602225426.5f84efb5/scripts/sapdb/main.yml
--- old/crmsh-4.2.0+git.1600742357.6be225e5/scripts/sapdb/main.yml      
2020-09-22 04:39:17.000000000 +0200
+++ new/crmsh-4.2.0+git.1602225426.5f84efb5/scripts/sapdb/main.yml      
2020-10-09 08:37:06.000000000 +0200
@@ -27,6 +27,6 @@
   - cib: |
       primitive {{id}} ocf:heartbeat:SAPDatabase
         params SID="{{SID}}" DBTYPE="{{DBTYPE}}"
-        op monitor interval="120" timeout="60" start_delay="180"
+        op monitor interval="120" timeout="60" start-delay="180"
         op start timeout="1800"
         op stop timeout="1800"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/crmsh-4.2.0+git.1600742357.6be225e5/scripts/sapinstance/main.yml 
new/crmsh-4.2.0+git.1602225426.5f84efb5/scripts/sapinstance/main.yml
--- old/crmsh-4.2.0+git.1600742357.6be225e5/scripts/sapinstance/main.yml        
2020-09-22 04:39:17.000000000 +0200
+++ new/crmsh-4.2.0+git.1602225426.5f84efb5/scripts/sapinstance/main.yml        
2020-10-09 08:37:06.000000000 +0200
@@ -43,6 +43,6 @@
           InstanceName="{{InstanceName}}"
           AUTOMATIC_RECOVER="{{AUTOMATIC_RECOVER}}"
           START_PROFILE="{{START_PROFILE}}"
-        op monitor interval="180" timeout="60" start_delay="240"
+        op monitor interval="180" timeout="60" start-delay="240"
         op start timeout="240"
-        op stop timeout="240" on_fail="block"
+        op stop timeout="240" on-fail="block"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/crmsh-4.2.0+git.1600742357.6be225e5/test/features/hb_report_bugs.feature 
new/crmsh-4.2.0+git.1602225426.5f84efb5/test/features/hb_report_bugs.feature
--- 
old/crmsh-4.2.0+git.1600742357.6be225e5/test/features/hb_report_bugs.feature    
    2020-09-22 04:39:17.000000000 +0200
+++ 
new/crmsh-4.2.0+git.1602225426.5f84efb5/test/features/hb_report_bugs.feature    
    2020-10-09 08:37:06.000000000 +0200
@@ -1,24 +1,21 @@
 @hb_report
-Feature: hb_report functional test
+Feature: hb_report functional test for verifying bugs
 
   Tag @clean means need to stop cluster service if the service is available
 
-  @clean
-  Scenario: Verify hb_report options
+  Background: Setup a two nodes cluster
     Given   Cluster service is "stopped" on "hanode1"
     And     Cluster service is "stopped" on "hanode2"
     When    Run "crm cluster init -y" on "hanode1"
     Then    Cluster service is "started" on "hanode1"
+    And     Show cluster status on "hanode1"
     When    Run "crm cluster join -c hanode1 -y" on "hanode2"
     Then    Cluster service is "started" on "hanode2"
     And     Online nodes are "hanode1 hanode2"
+    And     Show cluster status on "hanode1"
 
-    When    Run "hb_report" on "hanode1"
-    Then    Default hb_report tar file created
-    When    Remove default hb_report tar file
-
-    @clean
-    Scenario: Include archived logs(bsc#1148873)
+  @clean
+  Scenario: Include archived logs(bsc#1148873)
     When    Write multi lines to file "/var/log/log1"
       """
       Sep 08 08:36:34 node1 log message line1
@@ -44,3 +41,48 @@
       Sep 08 09:37:12 node1 log message line5
       """
     When    Run "rm -rf report1.tar.gz report1" on "hanode1"
+
+  @clean
+  Scenario: Replace sensitive data(bsc#1163581)
+    # Set sensitive data TEL and password
+    When    Run "crm node utilization hanode1 set TEL 13356789876" on "hanode1"
+    When    Run "crm node utilization hanode1 set password qwertyui" on 
"hanode1"
+    When    Run "hb_report report" on "hanode1"
+    When    Run "tar jxf report.tar.bz2" on "hanode1"
+    And     Try "grep -R "qwertyui" report"
+    # hb_report mask passw.* by default
+    # No password here
+    Then    Expected return code is "1"
+    When    Run "rm -rf report.tar.bz2 report" on "hanode1"
+
+    # mask password and ip address by using crm.conf
+    When    Run "crm configure primitive ip2 IPaddr2 params ip=10.10.10.124" 
on "hanode1"
+    And     Run "sed -i 's/; \[report\]/[report]/' /etc/crm/crm.conf" on 
"hanode1"
+    And     Run "sed -i 's/; sanitize_rule = .*$/sanitize_rule = 
passw.*|ip.*:raw/g' /etc/crm/crm.conf" on "hanode1"
+    And     Run "hb_report report" on "hanode1"
+    And     Run "tar jxf report.tar.bz2" on "hanode1"
+    And     Try "grep -R -E "10.10.10.124|qwertyui" report"
+    # No password here
+    Then    Expected return code is "1"
+    When    Run "rm -rf report.tar.bz2 report" on "hanode1"
+
+    # Do sanitize job, also for TEL
+    When    Run "hb_report -s -p TEL report" on "hanode1"
+    When    Run "tar jxf report.tar.bz2" on "hanode1"
+    And     Try "grep -R "qwertyui" report"
+    # No password here
+    Then    Expected return code is "1"
+    When    Try "grep -R "13356789876" report"
+    # No TEL number here
+    Then    Expected return code is "1"
+    When    Run "rm -rf report.tar.bz2 report" on "hanode1"
+
+    # disable sanitize
+    When    Run "sed -i 's/; \[report\]/[report]/' /etc/crm/crm.conf" on 
"hanode1"
+    And     Run "sed -i 's/sanitize_rule = .*$/sanitize_rule = /g' 
/etc/crm/crm.conf" on "hanode1"
+    When    Run "hb_report report" on "hanode1"
+    When    Run "tar jxf report.tar.bz2" on "hanode1"
+    And     Try "grep -R "qwertyui" report"
+    # found password
+    Then    Expected return code is "0"
+    When    Run "rm -rf report.tar.bz2 report" on "hanode1"
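Review bot: The last block of this scenario rewrites /etc/crm/crm.conf to `sanitize_rule = ` and nothing restores it, so any later scenario on hanode1 would run with masking disabled unless the environment is rebuilt (the feature text describes `@clean` only as stopping the cluster service). A closing step that puts the default back, for example another `sed -i` run setting `sanitize_rule = passw.*`, would keep the scenarios independent. The `-s -p TEL` block also runs with the `passw.*|ip.*:raw` rule still in crm.conf, so it does not show what `-s` does on its own.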
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/crmsh-4.2.0+git.1600742357.6be225e5/test/unittests/test_report.py 
new/crmsh-4.2.0+git.1602225426.5f84efb5/test/unittests/test_report.py
--- old/crmsh-4.2.0+git.1600742357.6be225e5/test/unittests/test_report.py       
2020-09-22 04:39:17.000000000 +0200
+++ new/crmsh-4.2.0+git.1602225426.5f84efb5/test/unittests/test_report.py       
2020-10-09 08:37:06.000000000 +0200
@@ -5,7 +5,7 @@
 from unittest import mock
 
 sys.path.append('../..')
-from hb_report.utillib import which, ts_to_dt, sub_string, random_string,\
+from hb_report.utillib import which, ts_to_dt, random_string,\
                               head, create_tempfile, tail, grep,\
                               get_stamp_rfc5424, get_stamp_syslog,\
                               find_getstampproc_raw, find_getstampproc,\
@@ -13,7 +13,8 @@
                               add_tempfiles, make_temp_dir,\
                               find_decompressor, find_files, filter_lines,\
                               findln_by_time, get_conf_var, is_conf_set,\
-                              line_time, get_command_info, Tempfile
+                              line_time, get_command_info, Tempfile, 
sub_sensitive_string,\
+                              extract_sensitive_value_list
 from hb_report import constants
 import hb_report
 import crmsh.utils
@@ -302,24 +303,6 @@
     assert len(random_string(8)) == 8
 
 
-def test_sub_string():
-    in_string = """
-some text some text
-I like name="OSS" value="redhat" target="mememe".
-I like name="password" value="123456" some="more".
-some number some number
-"""
-
-    out_string = """
-some text some text
-I like name="OSS" value="******" target="mememe".
-I like name="password" value="******" some="more".
-some number some number
-"""
-    pattern = "passw.* OSS"
-    assert sub_string(in_string, pattern) == out_string
-
-
 def test_tail():
     temp_file = create_tempfile()
     with open(temp_file, 'w') as f:
@@ -377,3 +360,96 @@
         mock.call("cat /proc/10002/comm"),
         mock.call("cat /proc/10002/stack")
         ])
+
+@mock.patch('hb_report.utillib.constants')
+def test_sub_sensitive_string(mock_const):
+    data = """
+node 1084783193: node2 \
+        utilization passwd=1234567890
+node 1084783297: node1 \
+        utilization password=qwertyu12345
+        utilization TEL=0987654321
+
+10.10.10.1
+
+<nvpair name="password" value="qwertyu12345" 
id="nodes-1084783297-utilization-password"/>
+<nvpair name="passwd" value="1234567890" 
id="nodes-1084783193-utilization-passwd"/>
+<nvpair name="TEL" value="0987654321" 
id="nodes-1084783193-utilization-passwd"/>
+<nvpair name="ip" value="10.10.10.1" id="nodes-1084783193-utilization-passwd"/>
+
+1234567890
+qwertyu12345
+
+Sep 27 16:53:12 node1 pacemaker-based     [20562] (cib_perform_op)      info: 
+  
/cib/configuration/nodes/node[@id='1084783297']/utilization[@id='nodes-1084783297-utilization']/nvpair[@id='nodes-1084783297-utilization-password']:
  @value=qwertyu12345
+    """
+
+    expected = """
+node 1084783193: node2 \
+        utilization passwd=******
+node 1084783297: node1 \
+        utilization password=******
+        utilization TEL=******
+
+******
+
+<nvpair name="password" value="******" 
id="nodes-1084783297-utilization-password"/>
+<nvpair name="passwd" value="******" id="nodes-1084783193-utilization-passwd"/>
+<nvpair name="TEL" value="******" id="nodes-1084783193-utilization-passwd"/>
+<nvpair name="ip" value="******" id="nodes-1084783193-utilization-passwd"/>
+
+1234567890
+qwertyu12345
+
+Sep 27 16:53:12 node1 pacemaker-based     [20562] (cib_perform_op)      info: 
+  
/cib/configuration/nodes/node[@id='1084783297']/utilization[@id='nodes-1084783297-utilization']/nvpair[@id='nodes-1084783297-utilization-password']:
  @value=******
+    """
+    mock_const.SANITIZE_VALUE_RAW = ["10.10.10.1"]
+    mock_const.SANITIZE_VALUE_CIB = ["1234567890", "qwertyu12345", 
"0987654321"]
+    mock_const.SANITIZE_KEY_CIB = ["passw.*?", "TEL.*?"]
+
+    res = sub_sensitive_string(data)
+    assert res == expected
+
+
+cib_data = """
+<nodes>
+      <node id="1084783297" uname="node1">
+        <utilization id="nodes-1084783297-utilization">
+          <nvpair name="password" value="qwertyu12345" 
id="nodes-1084783297-utilization-password"/>
+          <nvpair id="nodes-1084783297-utilization-TEL" name="TEL" 
value="13356789876"/>
+        </utilization>
+      </node>
+      <node id="1084783193" uname="node2">
+        <utilization id="nodes-1084783193-utilization">
+          <nvpair name="passwd" value="1234567890" 
id="nodes-1084783193-utilization-passwd"/>
+        </utilization>
+      </node>
+    </nodes>
+    <resources>
+      <primitive id="ip2" class="ocf" provider="heartbeat" type="IPaddr2">
+        <instance_attributes id="ip2-instance_attributes">
+          <nvpair name="ip" value="10.10.10.158" 
id="ip2-instance_attributes-ip"/>
+        </instance_attributes>
+        <operations>
+          <op name="monitor" timeout="20s" interval="10s" 
id="ip2-monitor-10s"/>
+        </operations>
+      </primitive>
+      <primitive id="ip1" class="ocf" provider="heartbeat" type="IPaddr2">
+        <instance_attributes id="ip1-instance_attributes">
+          <nvpair name="ip" value="10.10.10.157" 
id="ip1-instance_attributes-ip"/>
+"""
+
+@mock.patch("builtins.open", new_callable=mock.mock_open, read_data=cib_data)
+@mock.patch('os.path.exists')
+@mock.patch('hb_report.utillib.constants')
+@mock.patch('os.path.join')
+def test_extract_sensitive_value_list(mock_join, mock_const, mock_exists, 
mock_open):
+    mock_const.WORKDIR = "/tmp"
+    mock_const.WE = "node1"
+    mock_const.CIB_F = "cib.xml"
+    mock_join.return_value = "/tmp/node1/cib.xml"
+    mock_exists.return_value = True
+
+    res = extract_sensitive_value_list("passw.*")
+    assert res == ['qwertyu12345', '1234567890']
+    res = extract_sensitive_value_list("ip.*")
+    assert res == ['10.10.10.158', '10.10.10.157']
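Review bot: `test_sub_sensitive_string` only uses alphanumeric values and a dotted IP, so it would not notice a value containing regex metacharacters (for instance a constructed password like `p(ss+w[rd`) being left unmasked or raising `re.error`. Adding one such value to `SANITIZE_VALUE_CIB` and to the sample data would pin that behaviour. The expected output also keeps the bare `1234567890` and `qwertyu12345` lines in clear text; a short comment saying this is intended for non-raw rules would help the next reader.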

