Striping Pre-Shared keys from AWS configs. (#196)

netconan/sensitive_item_removal.py

@@ -65,6 +65,11 @@
 _PASSWORD_ENCLOSING_HEAD_TEXT = _PASSWORD_ENCLOSING_TEXT + ["[", "{"]
 _PASSWORD_ENCLOSING_TAIL_TEXT = _PASSWORD_ENCLOSING_TEXT + ["]", "}", ";", ","]
 
+aws_regexes = [
+    [(r"(?<=\<pre_shared_key\>).{32}(?=\<\/pre_shared_key)", 0)],
+    [(r"(?<=PreSharedKey\": \").{32}", 0)],
+]
+
 # These are extra regexes to find lines that seem like they might contain
 # sensitive info (these are not already caught by RANCID default regexes)
 extra_password_regexes = [
@@ -326,7 +331,10 @@ def _extract_enclosing_text(in_val, head="", tail=""):
 def generate_default_sensitive_item_regexes():
     """Compile and return the default password and community line regexes."""
     combined_regexes = (
-        default_pwd_line_regexes + default_com_line_regexes + extra_password_regexes
+        aws_regexes
+        + default_pwd_line_regexes
+        + default_com_line_regexes
+        + extra_password_regexes
     )
     return [
         [(re.compile(_ALLOWED_REGEX_PREFIX + regex_), num) for regex_, num in group]

tests/unit/test_sensitive_item_removal.py

@@ -196,6 +196,11 @@
     ("hello-authentication-key {}", "$9$i.m5OBEevLz3RSevx7-VwgZj5TFCA0Tz9p"),
 ]
 
+aws_lines = [
+    ("<pre_shared_key>{}</pre_shared_key>", "cRr9m5bWF4D1P7EsGw53WWzWMO_xcvnY"),
+    ('"PreSharedKey": "{}",', "OzWcYvwcG19WW5bMr5mEn3DF7sRWPx_4"),
+]
+
 misc_password_lines = [
     ("my password is ", "$1$salt$abcdefghijklmnopqrs"),
     ("set community {} trailing text", "RemoveMe"),
@@ -210,6 +215,7 @@
     + fortinet_password_lines
     + juniper_password_lines
     + misc_password_lines
+    + aws_lines
 )
 
 sensitive_items_and_formats = [