Remove sensitive information from logs
When -w/--password option is passed to ipa-replica-install it is printed to ipareplica-install.log. Make sure that the value of this option is hidden. https://fedorahosted.org/freeipa/ticket/1378
parent
0cb65fd9f6
commit
02520ab98c
@ -210,8 +210,6 @@ def run(args, stdin=None, raiseonerr=True,
|
|||||||
if capture_output:
|
if capture_output:
|
||||||
p_out = subprocess.PIPE
|
p_out = subprocess.PIPE
|
||||||
p_err = subprocess.PIPE
|
p_err = subprocess.PIPE
|
||||||
elif len(nolog):
|
|
||||||
raise RuntimeError("Can't use nolog if output is not captured")
|
|
||||||
|
|
||||||
p = subprocess.Popen(args, stdin=p_in, stdout=p_out, stderr=p_err,
|
p = subprocess.Popen(args, stdin=p_in, stdout=p_out, stderr=p_err,
|
||||||
close_fds=True, env=env)
|
close_fds=True, env=env)
|
||||||
@ -224,13 +222,14 @@ def run(args, stdin=None, raiseonerr=True,
|
|||||||
for value in nolog:
|
for value in nolog:
|
||||||
if not isinstance(value, basestring):
|
if not isinstance(value, basestring):
|
||||||
continue
|
continue
|
||||||
args = args.replace(value, 'XXXXXXXX')
|
|
||||||
stdout = stdout.replace(value, 'XXXXXXXX')
|
|
||||||
stderr = stderr.replace(value, 'XXXXXXXX')
|
|
||||||
quoted = urllib2.quote(value)
|
quoted = urllib2.quote(value)
|
||||||
args = args.replace(quoted, 'XXXXXXXX')
|
for nolog_value in (value, quoted):
|
||||||
stdout = stdout.replace(quoted, 'XXXXXXXX')
|
if capture_output:
|
||||||
stderr = stderr.replace(quoted, 'XXXXXXXX')
|
stdout = stdout.replace(nolog_value, 'XXXXXXXX')
|
||||||
|
stderr = stderr.replace(nolog_value, 'XXXXXXXX')
|
||||||
|
args = args.replace(nolog_value, 'XXXXXXXX')
|
||||||
|
|
||||||
logging.debug('args=%s' % args)
|
logging.debug('args=%s' % args)
|
||||||
if capture_output:
|
if capture_output:
|
||||||
logging.debug('stdout=%s' % stdout)
|
logging.debug('stdout=%s' % stdout)
|
||||||
|
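Review bot: With the `elif len(nolog)` guard removed, a caller that passes `nolog` together with `capture_output=False` gets masking only for the `args=` debug line; `p_out`/`p_err` are set to `subprocess.PIPE` only under `if capture_output:` (their defaults are outside the hunk), so anything the child itself prints cannot be redacted by run(). That limit should be stated where callers will see it, for example a comment above the loop: `# nolog masks only what run() logs; output of an uncaptured child is not filtered`. Separately, the loop skips non-strings but not empty strings, and `args.replace('', 'XXXXXXXX')` would insert the mask between every character of the logged line; `if not isinstance(value, basestring) or not value:` avoids that. The body of run() begins and ends outside these hunks.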
@ -55,15 +55,16 @@ def replica_conn_check(master_host, host_name, realm, check_ca,
|
|||||||
"--auto-master-check", "--realm", realm,
|
"--auto-master-check", "--realm", realm,
|
||||||
"--principal", "admin",
|
"--principal", "admin",
|
||||||
"--hostname", host_name]
|
"--hostname", host_name]
|
||||||
|
nolog=tuple()
|
||||||
|
|
||||||
if admin_password:
|
if admin_password:
|
||||||
args.extend(["--password", admin_password])
|
args.extend(["--password", admin_password])
|
||||||
|
nolog=(admin_password,)
|
||||||
|
|
||||||
if check_ca:
|
if check_ca:
|
||||||
args.append('--check-ca')
|
args.append('--check-ca')
|
||||||
logging.debug("Running ipa-replica-conncheck with following arguments: %s" %
|
(stdin, stderr, returncode) = ipautil.run(args,raiseonerr=False,capture_output=False,
|
||||||
" ".join(args))
|
nolog=nolog)
|
||||||
(stdin, stderr, returncode) = ipautil.run(args,raiseonerr=False, capture_output=False)
|
|
||||||
|
|
||||||
if returncode != 0:
|
if returncode != 0:
|
||||||
sys.exit("Connection check failed!" +
|
sys.exit("Connection check failed!" +
|
||||||
|
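Review bot: The password is still appended to `args` as `--password <value>`, so the `nolog` masking keeps it out of ipareplica-install.log but not out of the child's command line, which other local users can typically read from the process table while ipa-replica-conncheck runs. If the conncheck tool can accept the secret another way (stdin or a file; not visible on this page), that would be the more complete fix; otherwise a comment at the `args.extend` line such as `# NOTE: password remains visible in argv; nolog only hides it from our log` records the remaining exposure. Minor: the first element of the tuple returned by `ipautil.run` is bound to a variable named `stdin`, though it is presumably the child's stdout. replica_conn_check starts and ends outside the hunk.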