Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package yast2 for openSUSE:Factory checked in at 2021-04-29 22:44:34 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/yast2 (Old) and /work/SRC/openSUSE:Factory/.yast2.new.1947 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "yast2" Thu Apr 29 22:44:34 2021 rev:509 rq:888755 version:4.4.2 Changes: -------- --- /work/SRC/openSUSE:Factory/yast2/yast2.changes 2021-04-23 17:50:23.354769788 +0200 +++ /work/SRC/openSUSE:Factory/.yast2.new.1947/yast2.changes 2021-04-29 22:44:44.084209900 +0200 @@ -1,0 +2,13 @@ +Tue Apr 27 10:51:35 UTC 2021 - Josef Reidinger <jreidin...@suse.com> + +- Add to yast2 mixin Yast2::SecretAttributes for hiding sensitive + information (bsc#1141017) +- 4.4.2 + +------------------------------------------------------------------- +Thu Apr 22 06:35:11 UTC 2021 - Imobach Gonzalez Sosa <igonzalezs...@suse.com> + +- The location given to the Y2Issue::Issue constructor can be a + string or a location object. + +------------------------------------------------------------------- Old: ---- yast2-4.4.1.tar.bz2 New: ---- yast2-4.4.2.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ yast2.spec ++++++ --- /var/tmp/diff_new_pack.Zzjg6M/_old 2021-04-29 22:44:44.808206676 +0200 +++ /var/tmp/diff_new_pack.Zzjg6M/_new 2021-04-29 22:44:44.812206658 +0200 @@ -17,7 +17,7 @@ Name: yast2 -Version: 4.4.1 +Version: 4.4.2 Release: 0 Summary: YaST2 Main Package License: GPL-2.0-only ++++++ yast2-4.4.1.tar.bz2 -> yast2-4.4.2.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-4.4.1/library/general/src/lib/y2issues/issue.rb new/yast2-4.4.2/library/general/src/lib/y2issues/issue.rb --- old/yast2-4.4.1/library/general/src/lib/y2issues/issue.rb 2021-04-19 08:37:30.000000000 +0200 +++ new/yast2-4.4.2/library/general/src/lib/y2issues/issue.rb 2021-04-27 13:02:04.000000000 +0200 @@ -38,7 +38,7 @@ class Issue include Yast::I18n - # @return [String,nil] Where the error is located. + # @return [Location,nil] Where the error is located. attr_reader :location # @return [String] Error message attr_reader :message 
@@ -46,13 +46,13 @@ attr_reader :severity # @param message [String] User-oriented message describing the problem - # @param location [URI,String,nil] Where the error is located. Use a URI or + # @param location [String,nil] Where the error is located. Use a URI or # a string to represent the error location. Use 'nil' if it # does not exist an specific location. # @param severity [Symbol] warning (:warn) or fatal (:fatal) def initialize(message, location: nil, severity: :warn) @message = message - @location = Location.parse(location) if location + @location = location.is_a?(String) ? Location.parse(location) : location @severity = severity end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-4.4.1/library/general/src/lib/yast2/secret_attributes.rb new/yast2-4.4.2/library/general/src/lib/yast2/secret_attributes.rb --- old/yast2-4.4.1/library/general/src/lib/yast2/secret_attributes.rb 1970-01-01 01:00:00.000000000 +0100 +++ new/yast2-4.4.2/library/general/src/lib/yast2/secret_attributes.rb 2021-04-27 13:02:04.000000000 +0200 
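Review bot: The `@param location` tag now reads `[String,nil]`, but the new assignment in `initialize` stores any non-String argument unchanged, which is how a `Location` object gets through (the updated spec in issue_test.rb passes one). The tag should name both accepted types, e.g. `# @param location [String,Location,nil] Where the error is located; a String is parsed with Location.parse`. Because only `String` is parsed, a `URI` (listed in the removed tag) or any other object now lands in `@location` as is, while the `attr_reader` is documented as `[Location,nil]`. If that is not intended, a guard such as `raise ArgumentError, "location must be a String or Location" unless location.nil? || location.is_a?(String) || location.is_a?(Location)` would keep the documented contract. The class body continues outside the hunk.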
@@ -0,0 +1,85 @@
+# Copyright (c) [2017] SUSE LLC
+#
+# All Rights Reserved.
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of version 2 of the GNU General Public License as published
+# by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
+# more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, contact SUSE LLC.
+#
+# To contact SUSE LLC about this file by physical or electronic mail, you may
+# find current contact information at www.suse.com.
+
+module Yast2
+ # Mixin that enables a class to define attributes that are never exposed via
+ # #inspect, #to_s or similar methods, with the goal of preventing
+ # unintentional leaks of sensitive information in the application logs.
+ module SecretAttributes
+ # Inner class to store the value of the attribute without exposing it
+ # directly
+ class Attribute
+ attr_reader :value
+
+ def initialize(value)
+ @value = value
+ end
+
+ def to_s
+ value.nil? ? "" : "<secret>"
+ end
+
+ def inspect
+ value.nil? ?
"nil" : "<secret>" + end + + def instance_variables + # This adds even an extra barrier, just in case some formatter tries to + # use deep instrospection + [] + end + end + + # Class methods for the mixin + module ClassMethods + # Similar to .attr_accessor but with additional mechanisms to prevent + # exposing the internal value of the attribute + # + # @example + # class TheClass + # include Yast2::SecretAttributes + # + # attr_accessor :name + # secret_attr :password + # end + # + # one_object = TheClass.new + # one_object.name = "Aa" + # one_object.password = "42" + # + # one_object.password # => "42" + # one_object.inspect # => "#<TheClass:0x0f8 @password=<secret>, @name=\"Aa"\">" + def secret_attr(name) + define_method(:"#{name}") do + attribute = instance_variable_get(:"@#{name}") + attribute ? attribute.value : nil + end + + define_method(:"#{name}=") do |value| + instance_variable_set(:"@#{name}", Attribute.new(value)) + value + end + end + end + + def self.included(base) + base.extend(ClassMethods) + end + end +end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-4.4.1/library/general/test/y2issues/issue_test.rb new/yast2-4.4.2/library/general/test/y2issues/issue_test.rb --- old/yast2-4.4.1/library/general/test/y2issues/issue_test.rb 2021-04-19 08:37:30.000000000 +0200 +++ new/yast2-4.4.2/library/general/test/y2issues/issue_test.rb 2021-04-27 13:02:04.000000000 +0200 @@ -25,7 +25,9 @@ describe "#new" do subject(:issue) do described_class.new( - "Something went wrong", location: "file:/etc/hosts", severity: :fatal + "Something went wrong", + location: Y2Issues::Location.parse("file:/etc/hosts"), + severity: :fatal ) end 
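Review bot: The guarantee in the `SecretAttributes` module comment is narrower than it reads, because the masking lives in the `Attribute` wrapper and therefore only applies when the value was written through the setter generated by `secret_attr`. A class that assigns `@password = value` directly (for instance in its own `initialize`) stores the plain object, which then appears in `#inspect` and makes the generated getter fail on `.value`. The getter also returns the unwrapped value, so logging `obj.password` is not covered either. I would add to the `secret_attr` doc comment something like `# NOTE: always assign through the generated setter (self.password = x); the getter returns the plain value and must not be logged`. The `instance_variables` override hides `@value` only from callers that go through that method (`instance_variable_get(:@value)` and presumably `Marshal.dump` still reach it), and the `@example` output has a misplaced backslash: `@name=\"Aa"\"` should read `@name=\"Aa\"`.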
@@ -35,6 +37,19 @@ expect(issue.severity).to eq(:fatal) end + context "when location is given as a string" do + subject(:issue) do + described_class.new( + "Something went wrong", + location: "file:/etc/hosts" + ) + end + + it "parses the given location" do + expect(issue.location).to eq(Y2Issues::Location.parse("file:/etc/hosts")) + end + end + context "when a severity is not given" do subject(:issue) { described_class.new("Something went wrong") } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-4.4.1/library/general/test/yast2/secret_attributes_test.rb new/yast2-4.4.2/library/general/test/yast2/secret_attributes_test.rb --- old/yast2-4.4.1/library/general/test/yast2/secret_attributes_test.rb 1970-01-01 01:00:00.000000000 +0100 +++ new/yast2-4.4.2/library/general/test/yast2/secret_attributes_test.rb 2021-04-27 13:02:04.000000000 +0200 
@@ -0,0 +1,190 @@
+#!/usr/bin/env rspec
+# Copyright (c) [2017] SUSE LLC
+#
+# All Rights Reserved.
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of version 2 of the GNU General Public License as published
+# by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
+# more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, contact SUSE LLC.
+#
+# To contact SUSE LLC about this file by physical or electronic mail, you may
+# find current contact information at www.suse.com.
+
+require_relative "../test_helper"
+require "yast2/secret_attributes"
+require "pp"
+
+describe Yast2::SecretAttributes do
+ # Dummy test clase
+ class ClassWithPassword
+ include Yast2::SecretAttributes
+
+ attr_accessor :name
+ secret_attr :password
+ end
+
+ # Another dummy test clase
+ class ClassWithData
+ include Yast2::SecretAttributes
+
+ attr_accessor :name
+ secret_attr :data
+ end
+
+ # Hypothetical custom formatter that uses instrospection to directly query the
+ # internal state of the object, ignoring the uniform access principle.
+ def custom_formatter(object)
+ object.instance_variables.each_with_object("") do |var, result|
+ result << "@#{var}: #{object.instance_variable_get(var)};\n"
+ end
+ end
+
+ let(:with_password) { ClassWithPassword.new }
+ let(:with_password2) { ClassWithPassword.new }
+ let(:with_data) { ClassWithData.new }
+ let(:ultimate_hash) { { ultimate_question: 42 } }
+
+ describe ".secret_attr" do
+ it "provides a getter returning nil by default" do
+ expect(with_password.password).to be_nil
+ expect(with_data.data).to be_nil
+ expect(with_data.send(:data)).to be_nil
+ end
+
+ it "provides a setter" do
+ with_password.password = "super-secret"
+ expect(with_password.password).to eq "super-secret"
+ expect(with_password.send(:password)).to eq "super-secret"
+ end
+
+ it "only adds the setter and getter to the correct class" do
+ expect { with_password.data }.to raise_error NoMethodError
+ expect { with_data.password }.to raise_error NoMethodError
+ expect { with_password.data = 2 }.to raise_error NoMethodError
+ expect { with_data.password = "xx" }.to raise_error NoMethodError
+ end
+
+ it "does not mess attributes of different instances" do
+ with_password.password = "super-secret"
+ with_password2.password = "not so secret"
+ expect(with_password.password).to eq "super-secret"
+ expect(with_password2.password).to eq "not so secret"
+ end
+
+ it "does not modify #inspect for the attribute" do
+ expect(with_data.data.inspect).to eq "nil"
+
+ with_data.data = ultimate_hash
+
+ expect(with_data.data.inspect).to eq ultimate_hash.inspect
+ end
+
+ it "does not modify #to_s for the attribute" do
+ expect(with_data.data.to_s).to eq ""
+
+ with_data.data = ultimate_hash
+
+ expect(with_data.data.to_s).to eq ultimate_hash.to_s
+ expect(with_data.send(:data).to_s).to eq ultimate_hash.to_s
+ end
+
+ it "does not modify interpolation for the attribute" do
+ expect("String: #{with_data.data}").to eq "String: "
+
+ with_data.data = ultimate_hash
+
+ expect("String: #{with_data.data}").to eq "String: #{ultimate_hash}"
+ end
+
+ it "is copied in dup just like .attr_accessor" do
+ with_password.name = "data1"
+ with_password.password = "xxx"
+ duplicate = with_password.dup
+
+ expect(duplicate.name).to eq "data1"
+ expect(duplicate.password).to eq "xxx"
+
+ duplicate.password = "yyy"
+ expect(duplicate.password).to eq "yyy"
+ expect(with_password.password).to eq "xxx"
+
+ with_password2.name = "data2"
+ with_password2.password = "xx2"
+ duplicate2 = with_password2.dup
+ duplicate2.name.concat("X")
+ duplicate2.password.concat("X")
+
+ expect(with_password2.name).to eq "data2X"
+ expect(with_password2.password).to eq "xx2X"
+ end
+
+ context "when the attribute has never been set" do
+ it "is not displayed in #inspect (like .attr_accessor)" do
+ expect(with_password.inspect).to_not include "@name"
+ expect(with_password.inspect).to_not include "@password"
+ end
+
+ it "is not displayed by pp (like .attr_accessor)" do
+ expect(with_password.inspect).to_not include "@name"
+ expect(with_password.inspect).to_not include "@password"
+ end
+
+ it "is not exposed to formatters directly inspecting the internal state" do
+ expect(custom_formatter(with_password)).to_not include "@name:"
+ expect(custom_formatter(with_password)).to_not include "@password:"
+ end
+ end
+
+ context "when the attribute has been set to nil" do
+ before do
+ with_password.name = nil
+ with_password.password = nil
+ end
+
+ it "is displayed as nil in #inspect (like .attr_accessor)" do
+ expect(with_password.inspect).to include "@name=nil"
+ expect(with_password.inspect).to include "@password=nil"
+ end
+
+ it "is displayed as nil by pp (like .attr_accessor)" do
+ expect(with_password.inspect).to include "@name=nil"
+ expect(with_password.inspect).to include "@password=nil"
+ end
+
+ it "is reported as empty to formatters directly inspecting the internal state" do
+ expect(custom_formatter(with_password)).to include "@name:"
+ expect(custom_formatter(with_password)).to include "@password:"
+ end
+ end
+
+ context "when the attribute has a value" do
+ before do
+ with_password.name = "Skroob"
+ with_password.password = "12345"
+ end
+
+ it "is hidden in #inspect" do
+ expect(with_password.inspect).to include "@name=\"Skroob\""
+ expect(with_password.inspect).to include "@password=<secret>"
+ end
+
+ it "is hidden to pp" do
+ expect(with_password.inspect).to include "@name=\"Skroob\""
+ expect(with_password.inspect).to include "@password=<secret>"
+ end
+
+ it "is hidden from formatters directly inspecting the internal state" do
+ expect(custom_formatter(with_password)).to include "@name: Skroob;"
+ expect(custom_formatter(with_password)).to include "@password: <secret>;"
+ end
+ end
+ end
+end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-4.4.1/package/yast2.changes new/yast2-4.4.2/package/yast2.changes
--- old/yast2-4.4.1/package/yast2.changes 2021-04-19 08:37:30.000000000 +0200
+++ new/yast2-4.4.2/package/yast2.changes 2021-04-27 13:02:04.000000000 +0200
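Review bot: The three examples named for pp ("is not displayed by pp", "is displayed as nil by pp", "is hidden to pp") assert on `with_password.inspect`, so they repeat the `#inspect` examples and the `require "pp"` at the top is never exercised. If pp output is meant to be covered, the assertions should go through it, e.g. `expect(with_password.pretty_inspect).to include "@password=<secret>"`. The "has a value" examples also only check that the placeholder is present, never that the secret itself is absent. Adding `expect(with_password.inspect).to_not include "12345"` (and the same for `custom_formatter`) would pin the property the mixin exists to provide.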
@@ -1,4 +1,17 @@ ------------------------------------------------------------------- +Tue Apr 27 10:51:35 UTC 2021 - Josef Reidinger <jreidin...@suse.com> + +- Add to yast2 mixin Yast2::SecretAttributes for hiding sensitive + information (bsc#1141017) +- 4.4.2 + +------------------------------------------------------------------- +Thu Apr 22 06:35:11 UTC 2021 - Imobach Gonzalez Sosa <igonzalezs...@suse.com> + +- The location given to the Y2Issue::Issue constructor can be a + string or a location object. + +------------------------------------------------------------------- Fri Apr 16 12:03:50 UTC 2021 - Imobach Gonzalez Sosa <igonzalezs...@suse.com> - Add a mechanism to report issues to the user (related to diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-4.4.1/package/yast2.spec new/yast2-4.4.2/package/yast2.spec --- old/yast2-4.4.1/package/yast2.spec 2021-04-19 08:37:30.000000000 +0200 +++ new/yast2-4.4.2/package/yast2.spec 2021-04-27 13:02:04.000000000 +0200 @@ -17,7 +17,7 @@ Name: yast2 -Version: 4.4.1 +Version: 4.4.2 Release: 0 Summary: YaST2 Main Package License: GPL-2.0-only