Don't log host passwords when they are set/modified

The host password was defined as a Str type so would be
logged in cleartext in the Apache log.

A new class, HostPassword, was defined to only override
safe_value() so it always returns an obfuscated value.

The Password class cannot be used because it has special treatment
in the frontend to manage prompting and specifically doesn't
allow a value to be passed into it. This breaks backwards
compatibility with older clients. Since this class is derived
from Str old clients treat it as a plain string value.

This also removes the search option from passwords.

https://pagure.io/freeipa/issue/8017

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
This commit is contained in:
Rob Crittenden
2019-09-17 17:24:12 -04:00
parent e5e0693aa2
commit 48a3f4af46
2 changed files with 20 additions and 8 deletions

@@ -254,6 +254,18 @@ def validate_ipaddr(ugettext, ipaddr):
return None
class HostPassword(Str):
"""
A data type for host passwords to not log password values
The Password type cannot be used because it disallows
setting a password on the command-line which would break
backwards compatibility.
"""
def safe_value(self, value):
return u'********'
@register()
class host(LDAPObject):
"""
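Review bot: `safe_value()` in `HostPassword` ignores its `value` argument and returns `u'********'` unconditionally, so if it is ever called with `None` or an empty string the log will show a mask for a password that was never supplied. If audit readers need to tell "password set" from "no password given", return the mask only when `value` is not `None`; otherwise say in the docstring that masking is unconditional by design. The fixed-width mask is a good choice since it does not reveal the password length. Minor style point on the docstring: the summary line has no closing period and runs straight into "The Password type cannot be used", so end it with a period and leave a blank line before the explanation.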
@@ -470,10 +482,11 @@ class host(LDAPObject):
label=_('Operating system'),
doc=_('Host operating system and version (e.g. "Fedora 9")'),
),
Str('userpassword?',
cli_name='password',
label=_('User password'),
doc=_('Password used in bulk enrollment'),
HostPassword('userpassword?',
cli_name='password',
label=_('User password'),
doc=_('Password used in bulk enrollment'),
flags=('no_search',),
),
Flag('random?',
doc=_('Generate a random password to be used in bulk enrollment'),
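Review bot: `flags=('no_search',)` on `userpassword` is a second, user-visible change bundled into the logging fix, since it drops the password as a search criterion for hosts. The commit message rules out the `Password` type to keep older clients working, and the same compatibility question applies to any caller that searches on this attribute today, so it deserves either its own commit or an explicit line in the docs or release notes saying the search option is gone and why. A short comment next to the flag explaining that searching on a secret is intentionally disabled would also help the next reader.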