#include <cc/data.h>
#include <cc/command_interpreter.h>
#include <testutils/user_context_utils.h>
+#include <process/redact_config.h>
#include <process/testutils/d_test_stubs.h>
#include <agent/ca_cfg_mgr.h>
#include <agent/parser_context.h>
// update authentication directory
dirReplacer(ca);
+ // redact passwords
+ ca = redactConfig(ca, { "*" }, "-----");
+
// try AGENT configure
ConstElementPtr status;
try {
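Review bot: The new comment `// redact passwords` understates what the call does: redactConfig rewrites every key ending in `password` or `secret` under `ca` (the matching rule is visible in the redact hunk later in this diff) and leaves `user-context` subtrees untouched, so a credential placed inside a user context would survive the pass. A comment stating the intent would help the next reader, e.g. `// replace all *password/*secret values by "-----" so the expected output below does not depend on the sample credentials` (presumably the `"-----"` in the expected JSON further down is what this feeds). The enclosing test body continues past the hunk.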
"authentication": {
"clients": [
{
- "password": "1234",
+ "password": "-----",
"user": "admin",
"user-context": {
"comment": "admin is authorized"
" \"clients\": [ {"
" \"comment\": \"admin is authorized\","
" \"user\": \"admin\","
- " \"password\": \"1234\""
+ " \"password\": \"foobar\""
" } ]"
" }"
"}"
" \"clients\": [ {"
" \"comment\": \"admin is authorized\","
" \"user\": \"admin\","
- " \"password\": \"1234\""
+ " \"password\": \"foobar\""
" } ]"
" }"
" }"
ASSERT_TRUE(client->get("user"));
ASSERT_EQ("\"admin\"", client->get("user")->str());
ASSERT_TRUE(client->get("password"));
- ASSERT_EQ("\"1234\"", client->get("password")->str());
+ ASSERT_EQ("\"foobar\"", client->get("password")->str());
ConstElementPtr ctx_client = client->get("user-context");
ASSERT_TRUE(ctx_client);
ASSERT_EQ(1, ctx_client->size());
#include <dhcpsrv/lease_mgr_factory.h>
#include <dhcpsrv/utils.h>
#include <dhcpsrv/host_mgr.h>
+#include <process/redact_config.h>
#include <stats/stats_mgr.h>
#include <testutils/gtest_utils.h>
#include <util/encode/encode.h>
using namespace isc::db;
using namespace isc::dhcp;
using namespace isc::dhcp::test;
+using namespace isc::process;
using namespace isc::util;
using namespace std;
mutable_config->set(string("hooks-libraries"), Element::createList());
// Remove TLS parameters
ConstElementPtr hosts = dhcp4->get("hosts-database");
- removeTlsParameters(hosts);
+ if (hosts) {
+ removeTlsParameters(hosts);
+ hosts = redactConfig(hosts, { "*" }, "keatest");
+ mutable_config->set("hosts-database", hosts);
+ }
hosts = dhcp4->get("hosts-databases");
if (hosts) {
for (auto const& host : hosts->listValue()) {
removeTlsParameters(host);
}
+ hosts = redactConfig(hosts, { "*" }, "keatest");
+ mutable_config->set("hosts-databases", hosts);
}
// Remove authentication clients using files.
ConstElementPtr control_sockets = dhcp4->get("control-socket");
if (control_sockets) {
removeAuthFiles(control_sockets);
+ control_sockets = redactConfig(control_sockets, { "*" }, "-----");
+ mutable_config->set("control-socket", control_sockets);
}
control_sockets = dhcp4->get("control-sockets");
if (control_sockets) {
for (int i = 0; i < control_sockets->size(); ++i) {
removeAuthFiles(control_sockets->get(i));
}
+ control_sockets = redactConfig(control_sockets, { "*" }, "-----");
+ mutable_config->set("control-sockets", control_sockets);
}
ASSERT_NO_THROW(Dhcpv4SrvTest::configure(dhcp4->str(), true, true, true, true));
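Review bot: The two `redactConfig(hosts, { "*" }, "keatest")` calls rewrite only keys ending in `password` or `secret` (redact's rule, visible later in this diff), so `user`, `host`, `name` and any other connection parameter stay whatever the sample config says; if a sample uses a different user than the test database account, the login still fails after this rewrite, so the assumption deserves a comment such as `// sample configs are assumed to use the test DB user; only *password/*secret keys are set to "keatest"`. The added `if (hosts)` guard is required rather than cosmetic, because redactConfig throws BadValue on a null pointer (see the redact hunk). The literals `"keatest"` and `"-----"` each appear twice here and again in the DHCPv6 twin of this code; a file-level constant would keep the two tests from drifting. The enclosing test function starts and ends outside the hunk.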
" \"authentication\": {\n"
" \"clients\": [\n"
" {\n"
-" \"password\": \"1234\",\n"
+" \"password\": \"foobar\",\n"
" \"user\": \"admin\",\n"
" \"user-context\": {\n"
" \"comment\": \"admin is authorized\"\n"
" \"authentication\": {\n"
" \"clients\": [\n"
" {\n"
-" \"password\": \"1234\",\n"
+" \"password\": \"foobar\",\n"
" \"user\": \"admin\",\n"
" \"user-context\": {\n"
" \"comment\": \"admin is authorized\"\n"
" \"clients\": [ {"
" \"comment\": \"admin is authorized\","
" \"user\": \"admin\","
- " \"password\": \"1234\""
+ " \"password\": \"foobar\""
" } ]"
" }"
" }"
ASSERT_TRUE(client->get("user"));
ASSERT_EQ("\"admin\"", client->get("user")->str());
ASSERT_TRUE(client->get("password"));
- ASSERT_EQ("\"1234\"", client->get("password")->str());
+ ASSERT_EQ("\"foobar\"", client->get("password")->str());
ConstElementPtr ctx_client = client->get("user-context");
ASSERT_TRUE(ctx_client);
ASSERT_EQ(1, ctx_client->size());
#include <dhcpsrv/lease_mgr_factory.h>
#include <dhcpsrv/host_mgr.h>
#include <dhcpsrv/utils.h>
+#include <process/redact_config.h>
#include <stats/stats_mgr.h>
#include <testutils/gtest_utils.h>
#include <util/buffer.h>
using namespace isc::db;
using namespace isc::dhcp;
using namespace isc::dhcp::test;
+using namespace isc::process;
using namespace isc::util;
using namespace std;
mutable_config->set(string("hooks-libraries"), Element::createList());
// Remove TLS parameters
ConstElementPtr hosts = dhcp6->get("hosts-database");
- removeTlsParameters(hosts);
+ if (hosts) {
+ removeTlsParameters(hosts);
+ hosts = redactConfig(hosts, { "*" }, "keatest");
+ mutable_config->set("hosts-database", hosts);
+ }
hosts = dhcp6->get("hosts-databases");
if (hosts) {
for (auto const& host : hosts->listValue()) {
removeTlsParameters(host);
}
+ hosts = redactConfig(hosts, { "*" }, "keatest");
+ mutable_config->set("hosts-databases", hosts);
}
// Remove authentication clients using files.
ConstElementPtr control_sockets = dhcp6->get("control-socket");
if (control_sockets) {
removeAuthFiles(control_sockets);
+ control_sockets = redactConfig(control_sockets, { "*" }, "-----");
+ mutable_config->set("control-socket", control_sockets);
}
control_sockets = dhcp6->get("control-sockets");
if (control_sockets) {
for (int i = 0; i < control_sockets->size(); ++i) {
removeAuthFiles(control_sockets->get(i));
}
+ control_sockets = redactConfig(control_sockets, { "*" }, "-----");
+ mutable_config->set("control-sockets", control_sockets);
}
ASSERT_NO_THROW(Dhcpv6SrvTest::configure(dhcp6->str(), true, true, true, true));
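Review bot: The hosts-database and control-socket sanitizing added here is line-for-line the DHCPv4 version earlier in this diff, including the `"keatest"` and `"-----"` literals and the four `mutable_config->set(...)` write-backs, so any later fix (for example handling a key that is not a plain password) has to be made twice. A shared helper in the test utilities, taking the server config as `ConstElementPtr const&` and returning the sanitized copy, would remove the duplication; at minimum the two literals should be named constants so the expected passwords in the v4 and v6 tests cannot diverge. The enclosing test function starts and ends outside the hunk.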
" \"authentication\": {\n"
" \"clients\": [\n"
" {\n"
-" \"password\": \"1234\",\n"
+" \"password\": \"foobar\",\n"
" \"user\": \"admin\",\n"
" \"user-context\": {\n"
" \"comment\": \"admin is authorized\"\n"
" \"authentication\": {\n"
" \"clients\": [\n"
" {\n"
-" \"password\": \"1234\",\n"
+" \"password\": \"foobar\",\n"
" \"user\": \"admin\",\n"
" \"user-context\": {\n"
" \"comment\": \"admin is authorized\"\n"
template <typename ElementPtrType>
ElementPtrType
-redact(ElementPtrType const& element, list<string> json_path) {
+redact(ElementPtrType const& element, list<string> json_path, string obscure) {
if (!element) {
isc_throw(BadValue, "redact() got a null pointer");
}
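Review bot: `obscure` is taken by value on the new signature and forwarded unchanged to every recursive call (the list and map branches later in this diff), so each level of the configuration tree copies the string. `json_path` is by value because it is `pop_front`-ed, but `obscure` is never modified, so `string const& obscure` is sufficient and matches how `element` is passed. The function body continues past the hunk.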
// Then redact all children.
result = Element::createList();
for (ElementPtr const& child : element->listValue()) {
- result->add(redact(child, json_path));
+ result->add(redact(child, json_path, obscure));
}
return result;
}
if (boost::algorithm::ends_with(key, "password") ||
boost::algorithm::ends_with(key, "secret")) {
// Sensitive data
- result->set(key, Element::create(string("*****")));
+ result->set(key, Element::create(obscure));
} else if (key == "user-context") {
// Skip user contexts.
result->set(key, value);
result->set(key, value);
} else {
// We are looking for anything '*' so redact further.
- result->set(key, redact(value, json_path));
+ result->set(key, redact(value, json_path, obscure));
}
}
}
if (child) {
result = isc::data::copy(element, 1);
json_path.pop_front();
- result->set(next_key, redact(child, json_path));
+ result->set(next_key, redact(child, json_path, obscure));
return result;
}
}
namespace process {
ConstElementPtr
-redactConfig(ConstElementPtr const& element, list<string> const& json_path) {
- return redact(element, json_path);
+redactConfig(ConstElementPtr const& element, list<string> const& json_path,
+ string obscure) {
+ return redact(element, json_path, obscure);
}
} // namespace process
///
/// This method walks on the configuration tree:
/// - it copies only subtrees where a change was done.
-/// - it replaces passwords and secrets by asterisks.
+/// - it replaces passwords and secrets by obscure argument
+/// (default 5 asterisks).
/// - it skips user context.
/// - if a not empty list of keywords is given it follows only them.
///
/// @param element initially the Element tree structure that describe the
/// configuration and smaller subtrees in recursive calls.
/// @param json_path JSON path to redact
+/// @param obscure new value of secrets / passwords
///
/// @return a copy of the config where passwords and secrets were replaced by
/// asterisks so it can be safely logged to an unprivileged place.
isc::data::ConstElementPtr
redactConfig(isc::data::ConstElementPtr const& element,
- std::list<std::string> const& json_path = {"*"});
+ std::list<std::string> const& json_path = {"*"},
+ std::string obscure = "*****");
} // namespace process
} // namespace isc
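Review bot: The `@return` paragraph still promises that secrets are "replaced by asterisks", which stops being true once a caller passes `obscure`; it should read `/// @return a copy of the config where passwords and secrets were replaced by the obscure value, so it can be safely logged to an unprivileged place.` and the new bullet should say `by the obscure argument`. Since the unit tests in this diff pass a real test-database password (`"keatest"`) as `obscure`, the "safely logged" claim only holds when the replacement is not itself sensitive; a line such as `/// @note the result is only safe to log when @c obscure is not itself a secret.` would record that. The default parameter would conventionally be `std::string const& obscure = "*****"` to avoid a copy per call, in which case the definition in the .cc must be changed to match.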