From: Thomas Markwalder <tmark@isc.org>
Date: Mon, 15 Sep 2025 13:03:00 +0000 (-0400)
Subject: [#4086] Addressed review comments
X-Git-Tag: Kea-3.1.2~20
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9b637a4fa8a74c36b17f878a47656ec2a8047ddc;p=thirdparty%2Fkea.git

[#4086] Addressed review comments

modified:   changelog_unreleased/4086-password-leaked-to-logs
modified:   src/lib/asiolink/process_spawn.cc
modified:   src/lib/asiolink/tests/process_spawn_unittest.cc
modified:   src/lib/mysql/mysql_connection.cc
modified:   src/lib/pgsql/pgsql_connection.cc
---

diff --git a/changelog_unreleased/4086-password-leaked-to-logs b/changelog_unreleased/4086-password-leaked-to-logs
index 386a631dd2..b015deec3a 100644
--- a/changelog_unreleased/4086-password-leaked-to-logs
+++ b/changelog_unreleased/4086-password-leaked-to-logs
@@ -1,5 +1,5 @@
 [sec]		tmark
 	Removed logging of database password as clear
-	text when kea-dhcp4 or kea-dhcp6 initialize
+	text when kea-dhcp4 or kea-dhcp6 initializes
 	the schema.
 	(Gitlab #4086)
diff --git a/src/lib/asiolink/process_spawn.cc b/src/lib/asiolink/process_spawn.cc
index 5bc868d01e..51cf1f0c3b 100644
--- a/src/lib/asiolink/process_spawn.cc
+++ b/src/lib/asiolink/process_spawn.cc
@@ -93,6 +93,7 @@ public:
     ~ProcessSpawnImpl();
 
     /// @brief Returns full command line, including arguments, for the process.
+    ///
     /// @param redact_args list of arguments to redact.
     std::string getCommandLine(std::unordered_set<std::string> redact_args = {}) const;
 
diff --git a/src/lib/asiolink/tests/process_spawn_unittest.cc b/src/lib/asiolink/tests/process_spawn_unittest.cc
index 10a898c21b..365a51bed7 100644
--- a/src/lib/asiolink/tests/process_spawn_unittest.cc
+++ b/src/lib/asiolink/tests/process_spawn_unittest.cc
@@ -582,27 +582,25 @@ TEST_F(ProcessSpawnTest, inheritEnvWithParentVarSync) {
 // This test verifies that the full command line for the process is
 // returned with specific arguments redacted.
 TEST_F(ProcessSpawnTest, getCommandLineRedacted) {
-    {
-        // Case 1: arguments present.
-        ProcessArgs args;
-        args.push_back("db-init");
-        args.push_back("mysql");
-        args.push_back("--host");
-        args.push_back("example.com");
-        args.push_back("--user");
-        args.push_back("someone");
-        args.push_back("--password");
-        args.push_back("sesame");
-        args.push_back("--other");
-        args.push_back("stuff");
-        args.push_back("foo");
+    // Case 1: arguments present.
+    ProcessArgs args;
+    args.push_back("db-init");
+    args.push_back("mysql");
+    args.push_back("--host");
+    args.push_back("example.com");
+    args.push_back("--user");
+    args.push_back("someone");
+    args.push_back("--password");
+    args.push_back("sesame");
+    args.push_back("--other");
+    args.push_back("stuff");
+    args.push_back("foo");
 
-        ProcessSpawn process(ProcessSpawn::ASYNC, TEST_SCRIPT_SH, args);
-        std::string expected = TEST_SCRIPT_SH;
-        expected += " db-init mysql --host example.com --user ***** --password ***** --other stuff foo";
-        std::unordered_set<std::string> redact_args = { "--user", "--password", "--not-there" };
-        EXPECT_EQ(expected, process.getCommandLine(redact_args));
-    }
+    ProcessSpawn process(ProcessSpawn::ASYNC, TEST_SCRIPT_SH, args);
+    std::string expected = TEST_SCRIPT_SH;
+    expected += " db-init mysql --host example.com --user ***** --password ***** --other stuff foo";
+    std::unordered_set<std::string> redact_args = { "--user", "--password", "--not-there" };
+    EXPECT_EQ(expected, process.getCommandLine(redact_args));
 }
 
 } // end of anonymous namespace
diff --git a/src/lib/mysql/mysql_connection.cc b/src/lib/mysql/mysql_connection.cc
index 8dc0c315a3..8874f9503c 100644
--- a/src/lib/mysql/mysql_connection.cc
+++ b/src/lib/mysql/mysql_connection.cc
@@ -478,7 +478,7 @@ MySqlConnection::initializeSchema(const ParameterMap& parameters) {
     ProcessSpawn kea_admin(ProcessSpawn::SYNC, KEA_ADMIN_, kea_admin_parameters, vars,
                            /* inherit_env = */ true);
     DB_LOG_INFO(MYSQL_INITIALIZE_SCHEMA)
-        .arg(kea_admin.getCommandLine(std::unordered_set<std::string>{"--user", "--password"}));
+        .arg(kea_admin.getCommandLine(std::unordered_set<std::string>{"--password"}));
     pid_t const pid(kea_admin.spawn());
     if (kea_admin.isRunning(pid)) {
         isc_throw(SchemaInitializationFailed, "kea-admin still running");
diff --git a/src/lib/pgsql/pgsql_connection.cc b/src/lib/pgsql/pgsql_connection.cc
index cf8d82410e..b8146f708b 100644
--- a/src/lib/pgsql/pgsql_connection.cc
+++ b/src/lib/pgsql/pgsql_connection.cc
@@ -234,7 +234,7 @@ PgSqlConnection::initializeSchema(const ParameterMap& parameters) {
     ProcessSpawn kea_admin(ProcessSpawn::SYNC, KEA_ADMIN_, kea_admin_parameters, vars,
                            /* inherit_env = */ true);
     DB_LOG_INFO(PGSQL_INITIALIZE_SCHEMA)
-        .arg(kea_admin.getCommandLine(std::unordered_set<std::string>{"--user", "--password"}));
+        .arg(kea_admin.getCommandLine(std::unordered_set<std::string>{"--password"}));
     pid_t const pid(kea_admin.spawn());
     if (kea_admin.isRunning(pid)) {
         isc_throw(SchemaInitializationFailed, "kea-admin still running");