URL: https://github.com/freeipa/freeipa/pull/3688
Author: rcritten
Title: #3688: [Backport][ipa-4-7] Don't log host passwords when they are set/modified
Action: opened

PR body:
"""
This PR was opened automatically because PR #3677 was pushed to master and 
backport to ipa-4-7 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/3688/head:pr3688
git checkout pr3688
From 491f8e2070f4e6c17318beeeec1cfa177958664a Mon Sep 17 00:00:00 2001
From: Rob Crittenden <[email protected]>
Date: Tue, 17 Sep 2019 17:24:12 -0400
Subject: [PATCH] Don't log host passwords when they are set/modified

The host password was defined as a Str type so would be
logged in cleartext in the Apache log.

A new class, HostPassword, was defined to only override
safe_value() so it always returns an obfuscated value.

The Password class cannot be used because it has special treatment
in the frontend to manage prompting and specifically doesn't
allow a value to be passed into it. This breaks backwards
compatibility with older clients. Since this class is derived
from Str old clients treat it as a plain string value.

This also removes the search option from passwords.

https://pagure.io/freeipa/issue/8017

Signed-off-by: Rob Crittenden <[email protected]>
---
 API.txt                   |  7 +++----
 ipaserver/plugins/host.py | 21 +++++++++++++++++----
 2 files changed, 20 insertions(+), 8 deletions(-)

diff --git a/API.txt b/API.txt
index 599cfa7e91..424f6291d5 100644
--- a/API.txt
+++ b/API.txt
@@ -2455,7 +2455,7 @@ option: Flag('raw', autofill=True, cli_name='raw', default=False)
 option: Str('setattr*', cli_name='setattr')
 option: Certificate('usercertificate*', cli_name='certificate')
 option: Str('userclass*', cli_name='class')
-option: Str('userpassword?', cli_name='password')
+option: HostPassword('userpassword?', cli_name='password')
 option: Str('version?')
 output: Entry('result')
 output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
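Review bot: the declared type of userpassword changes from Str to HostPassword here (and again in the hunk at 2634), but the diffstat lists only API.txt and ipaserver/plugins/host.py, so no API version change accompanies the new API.txt. If this branch expects a version bump for any API.txt change, add it to the backport; if it is deliberately skipped for ipa-4-7, say so in the commit message.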
@@ -2566,7 +2566,7 @@ output: Output('completed', type=[<type 'int'>])
 output: Output('failed', type=[<type 'dict'>])
 output: Entry('result')
 command: host_find/1
-args: 1,35,4
+args: 1,34,4
 arg: Str('criteria?')
 option: Flag('all', autofill=True, cli_name='all', default=False)
 option: Str('description?', autofill=False, cli_name='desc')
@@ -2601,7 +2601,6 @@ option: Int('sizelimit?', autofill=False)
 option: Int('timelimit?', autofill=False)
 option: Certificate('usercertificate*', autofill=False, cli_name='certificate')
 option: Str('userclass*', autofill=False, cli_name='class')
-option: Str('userpassword?', autofill=False, cli_name='password')
 option: Str('version?')
 output: Output('count', type=[<type 'int'>])
 output: ListOfEntries('result')
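Review bot: dropping userpassword from host_find (this line, together with the args count going from 35 to 34 in the previous hunk) is a caller-visible change that the commit message covers only with "This also removes the search option from passwords". Please state the reason in the commit message and note that scripts or older clients still passing the password option to host_find will no longer match the declared options, so the behaviour change on a stable branch is on record.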
@@ -2634,7 +2633,7 @@ option: Str('setattr*', cli_name='setattr')
 option: Flag('updatedns?', autofill=True, default=False)
 option: Certificate('usercertificate*', autofill=False, cli_name='certificate')
 option: Str('userclass*', autofill=False, cli_name='class')
-option: Str('userpassword?', autofill=False, cli_name='password')
+option: HostPassword('userpassword?', autofill=False, cli_name='password')
 option: Str('version?')
 output: Entry('result')
 output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py
index c0c4f7060b..796617d91f 100644
--- a/ipaserver/plugins/host.py
+++ b/ipaserver/plugins/host.py
@@ -254,6 +254,18 @@ def validate_ipaddr(ugettext, ipaddr):
     return None
 
 
+class HostPassword(Str):
+    """
+    A data type for host passwords to not log password values
+
+    The Password type cannot be used because it disallows
+    setting a password on the command-line which would break
+    backwards compatibility.
+    """
+    def safe_value(self, value):
+        return u'********'
+
+
 @register()
 class host(LDAPObject):
     """
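Review bot: HostPassword.safe_value() arrives without a test (the diffstat lists only API.txt and ipaserver/plugins/host.py), so nothing guards against userpassword later being turned back into a plain Str and the cleartext returning to the Apache log. A small unit test asserting that safe_value() returns u'********' for a non-empty value would pin this down. The override also masks unconditionally, so an unset value is logged the same as a set one; if that is intended, a sentence in the docstring would make it explicit.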
@@ -470,10 +482,11 @@ class host(LDAPObject):
             label=_('Operating system'),
             doc=_('Host operating system and version (e.g. "Fedora 9")'),
         ),
-        Str('userpassword?',
-            cli_name='password',
-            label=_('User password'),
-            doc=_('Password used in bulk enrollment'),
+        HostPassword('userpassword?',
+                     cli_name='password',
+                     label=_('User password'),
+                     doc=_('Password used in bulk enrollment'),
+                     flags=('no_search',),
         ),
         Flag('random?',
             doc=_('Generate a random password to be used in bulk enrollment'),
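Review bot: flags=('no_search',) on userpassword has no comment, yet it is the line behind host_find losing the option in API.txt. A one-line comment above it saying that searching hosts by password is intentionally unsupported would keep a later cleanup from removing the flag as if it were incidental.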