Don't log host passwords when they are set/modified

The host password was defined as a Str type, so it would be
logged in cleartext in the Apache log.

A new class, HostPassword, was defined to only override
safe_value() so it always returns an obfuscated value.

The Password class cannot be used because it has special treatment
in the frontend to manage prompting and specifically doesn't
allow a value to be passed into it. This breaks backwards
compatibility with older clients. Since this class is derived
from Str old clients treat it as a plain string value.

This also removes the search option from passwords.

https://pagure.io/freeipa/issue/8017

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Rob Crittenden 2019-09-17 17:24:12 -04:00
parent e5e0693aa2
commit 48a3f4af46
2 changed files with 20 additions and 8 deletions


@ -2455,7 +2455,7 @@ option: Flag('raw', autofill=True, cli_name='raw', default=False)
option: Str('setattr*', cli_name='setattr') option: Str('setattr*', cli_name='setattr')
option: Certificate('usercertificate*', cli_name='certificate') option: Certificate('usercertificate*', cli_name='certificate')
option: Str('userclass*', cli_name='class') option: Str('userclass*', cli_name='class')
option: Str('userpassword?', cli_name='password') option: HostPassword('userpassword?', cli_name='password')
option: Str('version?') option: Str('version?')
output: Entry('result') output: Entry('result')
output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>]) output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
@ -2566,7 +2566,7 @@ output: Output('completed', type=[<type 'int'>])
output: Output('failed', type=[<type 'dict'>]) output: Output('failed', type=[<type 'dict'>])
output: Entry('result') output: Entry('result')
command: host_find/1 command: host_find/1
args: 1,35,4 args: 1,34,4
arg: Str('criteria?') arg: Str('criteria?')
option: Flag('all', autofill=True, cli_name='all', default=False) option: Flag('all', autofill=True, cli_name='all', default=False)
option: Str('description?', autofill=False, cli_name='desc') option: Str('description?', autofill=False, cli_name='desc')
@ -2601,7 +2601,6 @@ option: Int('sizelimit?', autofill=False)
option: Int('timelimit?', autofill=False) option: Int('timelimit?', autofill=False)
option: Certificate('usercertificate*', autofill=False, cli_name='certificate') option: Certificate('usercertificate*', autofill=False, cli_name='certificate')
option: Str('userclass*', autofill=False, cli_name='class') option: Str('userclass*', autofill=False, cli_name='class')
option: Str('userpassword?', autofill=False, cli_name='password')
option: Str('version?') option: Str('version?')
output: Output('count', type=[<type 'int'>]) output: Output('count', type=[<type 'int'>])
output: ListOfEntries('result') output: ListOfEntries('result')
@ -2634,7 +2633,7 @@ option: Str('setattr*', cli_name='setattr')
option: Flag('updatedns?', autofill=True, default=False) option: Flag('updatedns?', autofill=True, default=False)
option: Certificate('usercertificate*', autofill=False, cli_name='certificate') option: Certificate('usercertificate*', autofill=False, cli_name='certificate')
option: Str('userclass*', autofill=False, cli_name='class') option: Str('userclass*', autofill=False, cli_name='class')
option: Str('userpassword?', autofill=False, cli_name='password') option: HostPassword('userpassword?', autofill=False, cli_name='password')
option: Str('version?') option: Str('version?')
output: Entry('result') output: Entry('result')
output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>]) output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])


@ -254,6 +254,18 @@ def validate_ipaddr(ugettext, ipaddr):
return None return None
class HostPassword(Str):
"""
A data type for host passwords to not log password values
The Password type cannot be used because it disallows
setting a password on the command-line which would break
backwards compatibility.
"""
def safe_value(self, value):
return u'********'
@register() @register()
class host(LDAPObject): class host(LDAPObject):
""" """
@ -470,10 +482,11 @@ class host(LDAPObject):
label=_('Operating system'), label=_('Operating system'),
doc=_('Host operating system and version (e.g. "Fedora 9")'), doc=_('Host operating system and version (e.g. "Fedora 9")'),
), ),
Str('userpassword?', HostPassword('userpassword?',
cli_name='password', cli_name='password',
label=_('User password'), label=_('User password'),
doc=_('Password used in bulk enrollment'), doc=_('Password used in bulk enrollment'),
flags=('no_search',),
), ),
Flag('random?', Flag('random?',
doc=_('Generate a random password to be used in bulk enrollment'), doc=_('Generate a random password to be used in bulk enrollment'),
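Review bot: `HostPassword.safe_value()` in the first hunk masks only values that reach the log through this one parameter, while the API listing in this same commit still shows `setattr*` as a plain `Str` option on the host commands, so a password supplied as a `userpassword=...` attribute assignment would presumably still be logged in cleartext; this should be confirmed and either masked or recorded as a known gap. The override also returns the mask when `value` is None, so the log cannot tell an unset password from a set one; `return u'********' if value is not None else value` would keep that distinction. The class docstring's first sentence lacks a full stop, and `safe_value` should get a one-line docstring such as `"""Return a fixed mask so the password is never written to the request log."""`. The parameter tuple edited in the second hunk starts and ends outside it, so how the other parameters are logged is not visible here.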