IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Provide mechanism in ipautil.run() to not log all arguments.

Browse Source 
This is primarily designed to not log passwords but it could have other
uses.

567867
This commit is contained in:
Rob Crittenden 2010-03-15 17:06:24 -04:00 committed by Jason Gerard DeRose
parent a887922fa9
commit 99da0d88f0
2 changed files with 44 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
ipapython/ipautil.py
View File

@ -89,7 +89,32 @@ def write_tmp_file(txt):
return fd return fd
def run(args, stdin=None, raiseonerr=True): def run(args, stdin=None, raiseonerr=True, nolog=()):
"""
Execute a command and return stdin, stdout and the process return code.
args is a list of arguments for the command
stdin is used if you want to pass input to the command
raiseonerr raises an exception if the return code is not zero
nolog is a tuple of tuple values that describes things in the argument
list that shouldn't be logged, like passwords. Each tuple consists of
a value to search for in the argument list and an offset from this
location to set to XXX.
For example, the command ['/usr/bin/setpasswd', '--password', 'Secret123', 'someuser']
We don't want to log the password so nolog would be set to:
(('--password', 1),)
The resulting log output would be:
/usr/bin/setpasswd --password XXXXXXXX someuser
If an argument isn't found in the list it is silently ignored.
"""
if stdin: if stdin:
p = subprocess.Popen(args, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE, close_fds=True) p = subprocess.Popen(args, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE, close_fds=True)
stdout,stderr = p.communicate(stdin) stdout,stderr = p.communicate(stdin)
@ -97,6 +122,14 @@ def run(args, stdin=None, raiseonerr=True):
p = subprocess.Popen(args, stdout=subprocess.PIPE, stderr=subprocess.PIPE, close_fds=True) p = subprocess.Popen(args, stdout=subprocess.PIPE, stderr=subprocess.PIPE, close_fds=True)
stdout,stderr = p.communicate() stdout,stderr = p.communicate()
# The command may include passwords that we don't want to log. Run through
# the nolog items
for (item, offset) in nolog:
try:
item_offset = args.index(item) + offset
args[item_offset] = 'XXXXXXXX'
except ValueError:
pass
logging.info('args=%s' % ' '.join(args)) logging.info('args=%s' % ' '.join(args))
logging.info('stdout=%s' % stdout) logging.info('stdout=%s' % stdout)
logging.info('stderr=%s' % stderr) logging.info('stderr=%s' % stderr)

11
ipaserver/install/cainstance.py
View File

@ -614,8 +614,17 @@ class CAInstance(service.Service):
args.append("-clone") args.append("-clone")
args.append("false") args.append("false")
# Define the things we don't want logged
nolog = (('-client_certdb_pwd', 1),
('-admin_password', 1),
('-bind_password', 1),
('-backup_pwd', 1),
('-clone_p12_password', 1),
('-sd_admin_password', 1),
)
logging.debug(args) logging.debug(args)
ipautil.run(args) ipautil.run(args, nolog=nolog)
if self.external == 1: if self.external == 1:
print "The next step is to get %s signed by your CA and re-run ipa-server-install as:" % self.csr_file print "The next step is to get %s signed by your CA and re-run ipa-server-install as:" % self.csr_file