integ/tools/collector/scripts/collect_mask_passwords
Eric MacDonald 81a1a248cb Change collect to use /etc/platform/openrc
The collect tool is failing to source the openrc file
needed to execute system commands to get inventory.

The openrc file has been moved to /etc/platform but
collect expects it to be in /etc/nova.

This update changes collect to source openrc from
/etc/platform in collect_utils and avoids needless
sourcing of that same file multiple times from the
other collect scripts. All collect scripts source
collect_utils.

The update also removes reference to the also recently
removed keyring which is also breaking collect in the
very same way.

Test Plan:
Run collect on individual hosts
Run collect all

Change-Id: I75ff6d3cb8f25a9d0dca182837c7d1b4854896d9
Closes-Bug: 1820421
Signed-off-by: Eric MacDonald <eric.macdonald@windriver.com>
2019-03-17 15:36:15 -04:00

124 lines
5.4 KiB
Bash

#! /bin/bash
#
# Copyright (c) 2017 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
COLLECT_NAME_DIR=$1
EXTRA_DIR=$2
# Strip the passwords from assorted config files
for conffile in \
${COLLECT_NAME_DIR}/etc/aodh/aodh.conf \
${COLLECT_NAME_DIR}/etc/barbican/barbican.conf \
${COLLECT_NAME_DIR}/etc/ceilometer/ceilometer.conf \
${COLLECT_NAME_DIR}/etc/cinder/cinder.conf \
${COLLECT_NAME_DIR}/etc/fm/fm.conf \
${COLLECT_NAME_DIR}/etc/glance/glance-api.conf \
${COLLECT_NAME_DIR}/etc/glance/glance-registry.conf \
${COLLECT_NAME_DIR}/etc/heat/heat.conf \
${COLLECT_NAME_DIR}/etc/ironic/ironic.conf \
${COLLECT_NAME_DIR}/etc/keystone/keystone.conf \
${COLLECT_NAME_DIR}/etc/magnum/magnum.conf \
${COLLECT_NAME_DIR}/etc/murano/murano.conf \
${COLLECT_NAME_DIR}/etc/neutron/metadata_agent.ini \
${COLLECT_NAME_DIR}/etc/neutron/neutron.conf \
${COLLECT_NAME_DIR}/etc/nfv/nfv_plugins/nfvi_plugins/config.ini \
${COLLECT_NAME_DIR}/etc/nova/nova.conf \
${COLLECT_NAME_DIR}/etc/nslcd.conf \
${COLLECT_NAME_DIR}/etc/openldap/slapd.conf.backup \
${COLLECT_NAME_DIR}/etc/openstack-dashboard/local_settings \
${COLLECT_NAME_DIR}/etc/panko/panko.conf \
${COLLECT_NAME_DIR}/etc/patching/patching.conf \
${COLLECT_NAME_DIR}/etc/proxy/nova-api-proxy.conf \
${COLLECT_NAME_DIR}/etc/rabbitmq/murano-rabbitmq.config \
${COLLECT_NAME_DIR}/etc/rabbitmq/rabbitmq.config \
${COLLECT_NAME_DIR}/etc/sysinv/api-paste.ini \
${COLLECT_NAME_DIR}/etc/sysinv/sysinv.conf \
${COLLECT_NAME_DIR}/var/extra/platform/sysinv/*/sysinv.conf.default \
${COLLECT_NAME_DIR}/etc/mtc.ini
do
if [ ! -f $conffile ]; then
continue
fi
sed -i -r 's/^(admin_password) *=.*/\1 = xxxxxx/;
s/^(auth_encryption_key) *=.*/\1 = xxxxxx/;
s/^(bindpw) .*/\1 xxxxxx/;
s/^(rootpw) .*/\1 xxxxxx/;
s/^(connection) *=.*/\1 = xxxxxx/;
s/^( *credentials) *=.*/\1 = xxxxxx/;
s/^(metadata_proxy_shared_secret) *=.*/\1 = xxxxxx/;
s/^(password) *=.*/\1 = xxxxxx/;
s/^(rabbit_password) *=.*/\1 = xxxxxx/;
s/^(sql_connection) *=.*/\1 = xxxxxx/;
s/^(stack_domain_admin_password) *=.*/\1 = xxxxxx/;
s/^(transport_url) *=.*/\1 = xxxxxx/;
s/^(SECRET_KEY) *=.*/\1 = xxxxxx/;
s/^(keystone_auth_pw) *=.*/\1 = xxxxxx/;
s/\{default_pass, <<\".*\">>\}/\{default_pass, <<\"xxxxxx\">>\}/' $conffile
done
find ${COLLECT_NAME_DIR} -name server-cert.pem | xargs --no-run-if-empty rm -f
rm -rf ${COLLECT_NAME_DIR}/var/extra/platform/config/*/ssh_config
rm -f ${COLLECT_NAME_DIR}/var/extra/platform/puppet/*/hieradata/secure*.yaml
# Mask user passwords in sysinv db dump
if [ -f ${COLLECT_NAME_DIR}/var/extra/database/sysinv.db.sql.txt ]; then
sed -i -r '/COPY i_user/, /^--/ s/^(([^\t]*\t){10})[^\t]*(\t.*)/\1xxxxxx\3/;
/COPY i_community/, /^--/ s/^(([^\t]*\t){5})[^\t]*(\t.*)/\1xxxxxx\3/;
/COPY i_trap_destination/, /^--/ s/^(([^\t]*\t){6})[^\t]*(\t.*)/\1xxxxxx\3/;
s/(identity\t[^\t]*\tpassword\t)[^\t]*/\1xxxxxx/' \
${COLLECT_NAME_DIR}/var/extra/database/sysinv.db.sql.txt
fi
# Mask passwords in host profiles
grep -rl '\"name\": \"password\"' ${COLLECT_NAME_DIR}/var/extra/platform/sysinv/ \
| xargs --no-run-if-empty perl -i -e '
$prev="";
while (<>)
{
if (/\"name\": \"password\"/)
{
$prev =~ s/\"value\": \".*\"/\"value\": \"xxxxxx\"/;
}
print $prev;
$prev=$_;
}
print $prev;'
# Cleanup snmp
sed -i -r 's/(rocommunity[^ ]*).*/\1 xxxxxx/' ${COLLECT_NAME_DIR}/var/extra/platform/config/*/snmp/*
sed -i -r 's/(trap2sink *[^ ]*).*/\1 xxxxxx/' ${COLLECT_NAME_DIR}/var/extra/platform/config/*/snmp/*
# Mask passwords in bash.log and history logs
USER_HISTORY_FILES=$(find ${COLLECT_NAME_DIR} -type f -name .bash_history 2>/dev/null)
sed -i -r 's/(snmp-comm-(delete|show)) *((\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*) *){1,}/\1 xxxxxx/;
s/(snmp.*) *(--community|-c) *(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1 \2 xxxxxx/;
s/(password)=(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1=xxxxxx/;
s/(openstack.*) *(--password) *(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1 \2 xxxxxx/;
s/(ldapmodifyuser.*userPassword *)(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1 xxxxxx/' \
${USER_HISTORY_FILES} \
${COLLECT_NAME_DIR}/var/extra/history.info \
${COLLECT_NAME_DIR}/var/log/bash.log \
${COLLECT_NAME_DIR}/var/log/auth.log \
${COLLECT_NAME_DIR}/var/log/ldapscripts.log
for f in ${COLLECT_NAME_DIR}/var/log/bash.log.*.gz \
${COLLECT_NAME_DIR}/var/log/auth.log.*.gz \
${COLLECT_NAME_DIR}/var/log/ldapscripts.log.*.gz
do
zgrep -q 'snmp|password' $f || continue
gunzip $f
unzipped=${f%%.gz}
sed -i -r 's/(snmp-comm-(delete|show)) *((\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*) *){1,}/\1 xxxxxx/;
s/(snmp.*) *(--community|-c) *(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1 \2 xxxxxx/;
s/(password)=(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1=xxxxxx/;
s/(openstack.*) *(--password) *(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1 \2 xxxxxx/;
s/(ldapmodifyuser.*userPassword *)(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1 xxxxxx/' $unzipped
gzip $unzipped
done