Let VMDBLogger.log_hashes filter out the sensitive value.

[lfu]

VMDBLogger.log_hashes would log the sensitive value as FILTERED.

Blocks #manageiq/pull/14878.

@miq-bot assign @gmcculloug
@miq-bot add_label fine/yes, enhancement

[gmcculloug]

@Fryguy @jrafanie @bdunne
Looking for feedback on the enhancements to this logging method as we are looking to use it in other areas. Initially in PR ManageIQ/manageiq#14878 but thinking this could also replace the dump_obj calls for most of the providers during provisioning. (The VMware provision has some specific logging requirements, but others could switch to use this common method.)

I think the biggest change here is that the password lines would still be logged, so you could see the key exists, but the value would be marked as "[FILTERED]". Additionally any encrypted values would also be filtered out.

[carbonin]

This looks like it is changing behavior in an interesting way.

Before this, the entire line which contained a key in options[:filter] was not logged, but now the line has to match a regex and the key name is logged. Why make that change in addition to the filtering for MiqPassword::REGEXP?

[carbonin]

Ah I see @gmcculloug mentioned this:

I think the biggest change here is that the password lines would still be logged, so you could see the key exists,

[carbonin]

Is there a reason this is "FILTERED" and the other is "[FILTERED]" (with square brackets)?

[gmcculloug]

The substitution here ends up looking like v2:{FILTERED} where the braces come from the encrypted string. Adding [...] into the mix seemed useless.

[carbonin]

Oh weird, so if we remove the capture groups from that regex then this will probably break. Couldn't we just not even print the v2 part? Is that really that important?

[gmcculloug]

This is based on an existing regex constant from MiqPassword. Would just need to create a new constant there that captures the entire string. Wasn't sure if it was worth it initially.

[carbonin]

I think this would still work with the existing regex:

irb(main):002:0> "stuff...v2:{asbvawerfab}..morestuff".gsub(MiqPassword::REGEXP, "[FILTERED]")
=> "stuff...[FILTERED]..morestuff"

[carbonin]

Instead of doing string manipulation here, why not just dup the hash passed in and alter the value before doing the YAML.dump? That seems like it would be much more reliable than this regex dance.

[carbonin]

Unless of course you're intentionally trying to match keys like "password-but-not-really-a-password"?

[gmcculloug]

The method was doing a YAML.dump before which means we do not have to be concerned with the depth of embedded objects.

If we stick with the YAML string I think we could do a gsub! for any filters over the whole string outside of the .each loop. Also, would .each_line work here instead of .split("\n")?

[carbonin]

So this would match password_for_important_things: s3cr3t, but not root_password: s3cr3t

If we want it to match both we should test for that.

EDIT:

Nevermind, just tested this:

irb(main):008:0> l = "root_password: s3cret"
=> "root_password: s3cret"
irb(main):009:0> l.gsub!(/password.*: (.+)/) { |m| m.gsub!($1, "[FILTERED]") }
=> "root_password: [FILTERED]"

[lfu]

@gmcculloug .each_line would preserve the \n at the end of each line which would print out an extra blank line for each message in the log.

#135 (comment)

[carbonin]

A few things after talking to @gmcculloug

[carbonin]

So this would match password_for_important_things: s3cr3t, but not root_password: s3cr3t

If we want it to match both we should test for that.

EDIT:

Nevermind, just tested this:

irb(main):008:0> l = "root_password: s3cret"
=> "root_password: s3cret"
irb(main):009:0> l.gsub!(/password.*: (.+)/) { |m| m.gsub!($1, "[FILTERED]") }
=> "root_password: [FILTERED]"

[carbonin]

Can we change these specs to all compare against the expected message value directly?

That would make what log_hashes is doing a whole lot more clear.

[bdunne]

I know this isn't changed in this PR, but what is the value of writing a bunch of individual log lines rather than a single multi-line message?

[Fryguy]

My concern is that previously, this was intentionally a pretty blunt object. We filtered line by line and did a line.include? with the filter key, so although you might get false positives, it would kill the line. Now, the regex introduces a potential for something to slip through. I'm wondering if it's cleaner to still just do a line.include?

[lfu]

@Fryguy Updated.

[Fryguy]

I'm good with this, but I don't know why the bot is not kicking a rubocop check here.

[Fryguy]

@lfu Can you fix the bot warning...to solve it, just use parens around your if conditional...

if (key = filter.detect { |f| l.include?(f) })

[miq-bot]

Checked commit lfu@d5ae4de with ruby 2.2.6, rubocop 0.47.1, and haml-lint 0.20.0
2 files checked, 0 offenses detected
Everything looks fine. ⭐

[simaishi]

Fine backport details:

$ git log -1
commit 8f6cd84d1290af555639ac279d408d9ca605b524
Author: Jason Frey <fryguy9@gmail.com>
Date:   Tue May 9 11:08:13 2017 -0400

    Merge pull request #135 from lfu/log_hashes
    
    Let VMDBLogger.log_hashes filter out the sensitive value.
    (cherry picked from commit 799ba5629dc9159a35e61f4d7730af704f874b03)
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1458434