Stop logging sensitive data in cell_v2 provider

Parses the nova cell_v2 transport_uri/database_connection and rebuilds with the password hidden in is_to_s and should_to_s (used for logging the changes). Change-Id: I6523ed70536e438d38d9165e31d5d4d214bbc62c
2018-07-31 21:44:35 +01:00 · 2018-07-31 21:44:35 +01:00 · 6938710091
commit 6938710091
parent dc503260b0
2 changed files with 177 additions and 0 deletions
--- a/lib/puppet/type/nova_cell_v2.rb
+++ b/lib/puppet/type/nova_cell_v2.rb
@ -1,3 +1,35 @@
+require 'uri/generic'
+
+def sanitize_uri(sensitive_uri)
+  begin
+    uri = URI.parse(sensitive_uri)
+  rescue URI::InvalidURIError
+    return '<Invalid URI>'
+  end
+
+  sanitized_userinfo = nil
+  unless uri.userinfo.nil?
+    user, password = uri.userinfo.split(':', 2)
+    unless user.nil?
+      sanitized_userinfo = user
+      unless password.nil?
+        sanitized_userinfo << ':****'
+      end
+    end
+  end
+  return URI::Generic.new(
+    uri.scheme,
+    sanitized_userinfo,
+    uri.host,
+    uri.port,
+    uri.registry,
+    uri.path,
+    uri.opaque,
+    uri.query,
+    uri.fragment
+  ).to_s
+end
+
 Puppet::Type.newtype(:nova_cell_v2) do
  ensurable

@ -10,10 +42,44 @@ Puppet::Type.newtype(:nova_cell_v2) do

  newproperty(:transport_url) do
    defaultto 'default'
+
+    def is_to_s( currentvalue )
+      if currentvalue == 'default'
+        return currentvalue
+      else
+        return sanitize_uri(currentvalue)
+      end
+    end
+
+    def should_to_s( newvalue )
+      if newvalue == 'default'
+        return newvalue
+      else
+        return sanitize_uri(newvalue)
+      end
+    end
+
  end

  newproperty(:database_connection) do
    defaultto 'default'
+
+    def is_to_s( currentvalue )
+      if currentvalue == 'default'
+        return currentvalue
+      else
+        return sanitize_uri(currentvalue)
+      end
+    end
+
+    def should_to_s( newvalue )
+      if newvalue == 'default'
+        return newvalue
+      else
+        return sanitize_uri(newvalue)
+      end
+    end
+
  end

 end
--- a/spec/unit/type/nova_cell_v2.rb
+++ b/spec/unit/type/nova_cell_v2.rb
@ -0,0 +1,111 @@
+require 'spec_helper'
+require 'puppet'
+require 'puppet/type/nova_cell_v2'
+
+describe 'Puppet::Type.type(:nova_cell_v2)' do
+
+  before :each do
+    Puppet::Type.rmtype(:nova_cell_v2)
+  end
+
+  it 'should sanitize transport_url in logs' do
+    nova_cell_v2 = Puppet::Type.type(:nova_cell_v2).new(:title => 'foo')
+    expect(
+      nova_cell_v2.property('transport_url').change_to_s('default', 'foo://bar:secret@example.com')
+    ).to_not include('secret')
+    expect(
+      nova_cell_v2.property('transport_url').change_to_s('foo://bar:secret@example.com', 'default')
+    ).to_not include('secret')
+  end
+
+  it 'should sanitize database_connection in logs' do
+    nova_cell_v2 = Puppet::Type.type(:nova_cell_v2).new(:title => 'foo')
+    expect(
+      nova_cell_v2.property('database_connection').change_to_s('default', 'foo://bar:secret@example.com')
+    ).to_not include('secret')
+    expect(
+      nova_cell_v2.property('database_connection').change_to_s('foo://bar:secret@example.com', 'default')
+    ).to_not include('secret')
+  end
+
+  it 'should not alter transport_url \'default\' in is_to_s/should_to_s' do
+    nova_cell_v2 = Puppet::Type.type(:nova_cell_v2).new(:title => 'foo')
+    expect(
+      nova_cell_v2.property('transport_url').is_to_s('default')
+    ).to eq('default')
+    expect(
+      nova_cell_v2.property('transport_url').should_to_s('default')
+    ).to eq('default')
+  end
+
+  it 'should not alter database_connection \'default\' in is_to_s/should_to_s' do
+    nova_cell_v2 = Puppet::Type.type(:nova_cell_v2).new(:title => 'foo')
+    expect(
+      nova_cell_v2.property('database_connection').is_to_s('default')
+    ).to eq('default')
+    expect(
+      nova_cell_v2.property('database_connection').should_to_s('default')
+    ).to eq('default')
+  end
+
+  it 'should not alter transport_url with no password in is_to_s/should_to_s' do
+    nova_cell_v2 = Puppet::Type.type(:nova_cell_v2).new(:title => 'foo')
+    expect(
+      nova_cell_v2.property('transport_url').is_to_s('foo://bar@example.com')
+    ).to eq('foo://bar@example.com')
+    expect(
+      nova_cell_v2.property('transport_url').should_to_s('foo://bar@example.com')
+    ).to eq('foo://bar@example.com')
+  end
+
+  it 'should not alter database_connection with no password in is_to_s/should_to_s' do
+    nova_cell_v2 = Puppet::Type.type(:nova_cell_v2).new(:title => 'foo')
+    expect(
+      nova_cell_v2.property('database_connection').is_to_s('foo://bar@example.com')
+    ).to eq('foo://bar@example.com')
+    expect(
+      nova_cell_v2.property('database_connection').should_to_s('foo://bar@example.com')
+    ).to eq('foo://bar@example.com')
+  end
+
+  it 'should not alter transport_url with no creds in is_to_s/should_to_s' do
+    nova_cell_v2 = Puppet::Type.type(:nova_cell_v2).new(:title => 'foo')
+    expect(
+      nova_cell_v2.property('transport_url').is_to_s('foo://example.com')
+    ).to eq('foo://example.com')
+    expect(
+      nova_cell_v2.property('transport_url').should_to_s('foo://example.com')
+    ).to eq('foo://example.com')
+  end
+
+  it 'should not alter database_connection with no creds in is_to_s/should_to_s' do
+    nova_cell_v2 = Puppet::Type.type(:nova_cell_v2).new(:title => 'foo')
+    expect(
+      nova_cell_v2.property('database_connection').is_to_s('foo://example.com')
+    ).to eq('foo://example.com')
+    expect(
+      nova_cell_v2.property('database_connection').should_to_s('foo://example.com')
+    ).to eq('foo://example.com')
+  end
+
+  it 'should mask transport_url password in is_to_s/should_to_s' do
+    nova_cell_v2 = Puppet::Type.type(:nova_cell_v2).new(:title => 'foo')
+    expect(
+      nova_cell_v2.property('transport_url').is_to_s('foo://bar:secret@example.com')
+    ).to eq('foo://bar:****@example.com')
+    expect(
+      nova_cell_v2.property('transport_url').should_to_s('foo://bar:secret@example.com')
+    ).to eq('foo://bar:****@example.com')
+  end
+
+  it 'should mask database_connection password in is_to_s/should_to_s' do
+    nova_cell_v2 = Puppet::Type.type(:nova_cell_v2).new(:title => 'foo')
+    expect(
+      nova_cell_v2.property('database_connection').is_to_s('foo://bar:secret@example.com')
+    ).to eq('foo://bar:****@example.com')
+    expect(
+      nova_cell_v2.property('database_connection').should_to_s('foo://bar:secret@example.com')
+    ).to eq('foo://bar:****@example.com')
+  end
+
+end