From 48a3f4af46517c7dbaddad7e2c5d4e82a6ef2f33 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Tue, 17 Sep 2019 17:24:12 -0400 Subject: [PATCH] Don't log host passwords when they are set/modified The host password was defined as a Str type so would be logged in cleartext in the Apache log. A new class, HostPassword, was defined to only override safe_value() so it always returns an obfuscated value. The Password class cannot be used because it has special treatment in the frontend to manage prompting and specifically doesn't allow a value to be passed into it. This breaks backwards compatibility with older clients. Since this class is derived from Str old clients treat it as a plain string value. This also removes the search option from passwords. https://pagure.io/freeipa/issue/8017 Signed-off-by: Rob Crittenden Reviewed-By: Florence Blanc-Renaud
---
 API.txt | 7 +++----
 ipaserver/plugins/host.py | 21 +++++++++++++++++----
 2 files changed, 20 insertions(+), 8 deletions(-)
diff --git a/API.txt b/API.txt
index 7607b6230..9ba175c04 100644
--- a/API.txt
+++ b/API.txt
@@ -2455,7 +2455,7 @@ option: Flag('raw', autofill=True, cli_name='raw', default=False)
 option: Str('setattr*', cli_name='setattr')
 option: Certificate('usercertificate*', cli_name='certificate')
 option: Str('userclass*', cli_name='class')
-option: Str('userpassword?', cli_name='password')
+option: HostPassword('userpassword?', cli_name='password')
 option: Str('version?')
 output: Entry('result')
 output: Output('summary', type=[, ])
@@ -2566,7 +2566,7 @@ output: Output('completed', type=[])
 output: Output('failed', type=[])
 output: Entry('result')
 command: host_find/1
-args: 1,35,4
+args: 1,34,4
 arg: Str('criteria?')
 option: Flag('all', autofill=True, cli_name='all', default=False)
 option: Str('description?', autofill=False, cli_name='desc')
@@ -2601,7 +2601,6 @@ option: Int('sizelimit?', autofill=False)
 option: Int('timelimit?', autofill=False)
 option: Certificate('usercertificate*', autofill=False, cli_name='certificate')
 option: Str('userclass*', autofill=False, cli_name='class')
-option: Str('userpassword?', autofill=False, cli_name='password')
 option: Str('version?')
 output: Output('count', type=[])
 output: ListOfEntries('result')
@@ -2634,7 +2633,7 @@ option: Str('setattr*', cli_name='setattr')
 option: Flag('updatedns?', autofill=True, default=False)
 option: Certificate('usercertificate*', autofill=False, cli_name='certificate')
 option: Str('userclass*', autofill=False, cli_name='class')
-option: Str('userpassword?', autofill=False, cli_name='password')
+option: HostPassword('userpassword?', autofill=False, cli_name='password')
 option: Str('version?')
 output: Entry('result')
 output: Output('summary', type=[, ])
diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py
index 065eb3152..d7dae570f 100644
--- a/ipaserver/plugins/host.py
+++ b/ipaserver/plugins/host.py
@@ -254,6 +254,18 @@ def validate_ipaddr(ugettext, ipaddr):
 return None
+class HostPassword(Str):
+ """
+ A data type for host passwords to not log password values
+
+ The Password type cannot be used because it disallows
+ setting a password on the command-line which would break
+ backwards compatibility.
+ """
+ def safe_value(self, value):
+ return u'********'
+
+
 @register()
 class host(LDAPObject):
 """
@@ -470,10 +482,11 @@ class host(LDAPObject):
 label=_('Operating system'),
 doc=_('Host operating system and version (e.g. "Fedora 9")'),
 ),
- Str('userpassword?',
- cli_name='password',
- label=_('User password'),
- doc=_('Password used in bulk enrollment'),
+ HostPassword('userpassword?',
+ cli_name='password',
+ label=_('User password'),
+ doc=_('Password used in bulk enrollment'),
+ flags=('no_search',),
 ),
 Flag('random?',
 doc=_('Generate a random password to be used in bulk enrollment'),
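Review bot: `HostPassword.safe_value` in the `@@ -254,6 +254,18 @@` hunk masks unconditionally, so an absent value (`None`) would also be rendered as `********` and the log could no longer show whether a password was actually supplied on a host-add or host-mod call. If the base `safe_value` in ipalib leaves `None` unmasked (it is not part of this diff, so please check), mirror that with `return u'********' if value is not None else value`. The method would also benefit from a one-line docstring such as `"""Return a constant mask so the value never reaches the request log."""`, and a unit test asserting the masked output would keep this fix from regressing.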
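Review bot: Masking is attached only to the `userpassword` parameter in the `@@ -470,10 +482,11 @@` hunk, but the API.txt hunks show the same commands still accept `Str('setattr*', cli_name='setattr')`, and a password supplied through that generic attribute option would presumably still be logged as a plain `Str`. Please confirm whether setattr-style values reach the log, and if they do, either mask assignments that name `userpassword` or state the gap in the `HostPassword` docstring so operators know the log may still need scrubbing. The new `flags=('no_search',)` line also deserves a short comment, e.g. `# no_search: a password must not be usable as a host-find criterion`, because the reason is currently only in the commit message. The enclosing `takes_params` tuple starts and ends outside the hunk.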