50c17f8e57
Add explicit collect of certificates files for the platform.
Delete all crt, pem and key files in collect before including those
files explicitly listed in certs.include file. Use openssl command to
omit all but certificate information from the files.
Test Plan:
PASS AIO-SX, AIO-DX+, DC with AIO-SX subcloud
PASS options --skip-mask, --omit-certs, --subcloud
PASS bashate
PASS unit test for collect_certificates
PASS collect output contains no crt, pem and key files except those
listed in certs.include
PASS If a file listed in certs.include does not exist on the filesystem
then the absence is ignored - it is ok for a specified file not to
exist.
PASS file with key omits key - only certs are copied
PASS manual verify of file paths (including those on DC subcloud)
Closes-Bug: 2029302
Change-Id: I9fafe5fde39a1a7de9a887424f274986b13e053a
Signed-off-by: Michel Thebeau <Michel.Thebeau@windriver.com>
135 lines
6.2 KiB
Bash
135 lines
6.2 KiB
Bash
#! /bin/bash
|
|
#
|
|
# Copyright (c) 2017 Wind River Systems, Inc.
|
|
#
|
|
# SPDX-License-Identifier: Apache-2.0
|
|
#
|
|
|
|
COLLECT_NAME_DIR=$1
|
|
EXTRA_DIR=$2
|
|
|
|
# Strip the passwords from assorted config files
|
|
for conffile in \
|
|
${COLLECT_NAME_DIR}/etc/aodh/aodh.conf \
|
|
${COLLECT_NAME_DIR}/etc/barbican/barbican.conf \
|
|
${COLLECT_NAME_DIR}/etc/ceilometer/ceilometer.conf \
|
|
${COLLECT_NAME_DIR}/etc/cinder/cinder.conf \
|
|
${COLLECT_NAME_DIR}/etc/fm/fm.conf \
|
|
${COLLECT_NAME_DIR}/etc/glance/glance-api.conf \
|
|
${COLLECT_NAME_DIR}/etc/glance/glance-registry.conf \
|
|
${COLLECT_NAME_DIR}/etc/heat/heat.conf \
|
|
${COLLECT_NAME_DIR}/etc/ironic/ironic.conf \
|
|
${COLLECT_NAME_DIR}/etc/keystone/keystone.conf \
|
|
${COLLECT_NAME_DIR}/etc/magnum/magnum.conf \
|
|
${COLLECT_NAME_DIR}/etc/murano/murano.conf \
|
|
${COLLECT_NAME_DIR}/etc/neutron/metadata_agent.ini \
|
|
${COLLECT_NAME_DIR}/etc/neutron/neutron.conf \
|
|
${COLLECT_NAME_DIR}/etc/nfv/nfv_plugins/nfvi_plugins/config.ini \
|
|
${COLLECT_NAME_DIR}/etc/nova/nova.conf \
|
|
${COLLECT_NAME_DIR}/etc/openldap/slapd.conf.backup \
|
|
${COLLECT_NAME_DIR}/etc/openstack-dashboard/local_settings \
|
|
${COLLECT_NAME_DIR}/etc/panko/panko.conf \
|
|
${COLLECT_NAME_DIR}/etc/patching/patching.conf \
|
|
${COLLECT_NAME_DIR}/etc/proxy/nova-api-proxy.conf \
|
|
${COLLECT_NAME_DIR}/etc/rabbitmq/murano-rabbitmq.config \
|
|
${COLLECT_NAME_DIR}/etc/rabbitmq/rabbitmq.config \
|
|
${COLLECT_NAME_DIR}/etc/sysinv/api-paste.ini \
|
|
${COLLECT_NAME_DIR}/etc/sysinv/sysinv.conf \
|
|
${COLLECT_NAME_DIR}/var/extra/platform/sysinv/*/sysinv.conf.default \
|
|
${COLLECT_NAME_DIR}/etc/mtc.ini
|
|
|
|
do
|
|
if [ ! -f $conffile ]; then
|
|
continue
|
|
fi
|
|
|
|
sed -i -r 's/^(admin_password) *=.*/\1 = xxxxxx/;
|
|
s/^(auth_encryption_key) *=.*/\1 = xxxxxx/;
|
|
s/^(bindpw) .*/\1 xxxxxx/;
|
|
s/^(rootpw) .*/\1 xxxxxx/;
|
|
s/^(connection) *=.*/\1 = xxxxxx/;
|
|
s/^( *credentials) *=.*/\1 = xxxxxx/;
|
|
s/^(metadata_proxy_shared_secret) *=.*/\1 = xxxxxx/;
|
|
s/^(password) *=.*/\1 = xxxxxx/;
|
|
s/^(rabbit_password) *=.*/\1 = xxxxxx/;
|
|
s/^(sql_connection) *=.*/\1 = xxxxxx/;
|
|
s/^(stack_domain_admin_password) *=.*/\1 = xxxxxx/;
|
|
s/^(transport_url) *=.*/\1 = xxxxxx/;
|
|
s/^(SECRET_KEY) *=.*/\1 = xxxxxx/;
|
|
s/^(keystone_auth_pw) *=.*/\1 = xxxxxx/;
|
|
s/\{default_pass, <<\".*\">>\}/\{default_pass, <<\"xxxxxx\">>\}/' $conffile
|
|
done
|
|
|
|
# Remove all certificate and key files. Certificates without secrets
|
|
# will be added to collect by collect_certificates.
|
|
find ${COLLECT_NAME_DIR} -name "*.pem" -o -name "*.crt" -o -name "*.key" \
|
|
| xargs --no-run-if-empty rm -f
|
|
# Remove ssh config and platform secrets files
|
|
rm -rf ${COLLECT_NAME_DIR}/var/extra/platform/config/*/ssh_config
|
|
rm -f ${COLLECT_NAME_DIR}/var/extra/platform/puppet/*/hieradata/secure*.yaml
|
|
rm -f ${COLLECT_NAME_DIR}/etc/puppet/cache/hieradata/secure*.yaml
|
|
|
|
# Mask user passwords in sysinv db dump
|
|
if [ -f ${COLLECT_NAME_DIR}/var/extra/database/sysinv.db.sql.txt ]; then
|
|
sed -i -r '/COPY i_user/, /^--/ s/^(([^\t]*\t){10})[^\t]*(\t.*)/\1xxxxxx\3/;
|
|
/COPY i_community/, /^--/ s/^(([^\t]*\t){5})[^\t]*(\t.*)/\1xxxxxx\3/;
|
|
/COPY i_trap_destination/, /^--/ s/^(([^\t]*\t){6})[^\t]*(\t.*)/\1xxxxxx\3/;
|
|
s/(identity\t[^\t]*\tpassword\t)[^\t]*/\1xxxxxx/' \
|
|
${COLLECT_NAME_DIR}/var/extra/database/sysinv.db.sql.txt
|
|
fi
|
|
|
|
# Mask passwords in host profiles
|
|
grep -rl '\"name\": \"password\"' ${COLLECT_NAME_DIR}/var/extra/platform/sysinv/ \
|
|
| xargs --no-run-if-empty perl -i -e '
|
|
$prev="";
|
|
while (<>)
|
|
{
|
|
if (/\"name\": \"password\"/)
|
|
{
|
|
$prev =~ s/\"value\": \".*\"/\"value\": \"xxxxxx\"/;
|
|
}
|
|
print $prev;
|
|
$prev=$_;
|
|
}
|
|
print $prev;'
|
|
|
|
# Cleanup snmp
|
|
sed -i -r 's/(rocommunity[^ ]*).*/\1 xxxxxx/' ${COLLECT_NAME_DIR}/var/extra/platform/config/*/snmp/*
|
|
sed -i -r 's/(trap2sink *[^ ]*).*/\1 xxxxxx/' ${COLLECT_NAME_DIR}/var/extra/platform/config/*/snmp/*
|
|
|
|
# Mask passwords in bash.log and history logs
|
|
USER_HISTORY_FILES=$(find ${COLLECT_NAME_DIR} -type f -name .bash_history 2>/dev/null)
|
|
sed -i -r 's/(snmp-comm-(delete|show)) *((\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*) *){1,}/\1 xxxxxx/;
|
|
s/(snmp.*) *(--community|-c) *(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1 \2 xxxxxx/;
|
|
s/(-password)=(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1=xxxxxx/;
|
|
s/(-password) (\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1 xxxxxx/g;
|
|
s/(password)'\'': (\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1'\':' xxxxxx/g;
|
|
s/(password):(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)'\''/\1:xxxxxx'\''/g;
|
|
s/(openstack.*) *(--password) *(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1 \2 xxxxxx/;
|
|
s/(ldapmodifyuser.*userPassword *)(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1 xxxxxx/' \
|
|
${USER_HISTORY_FILES} \
|
|
${COLLECT_NAME_DIR}/var/extra/history.info \
|
|
${COLLECT_NAME_DIR}/var/log/bash.log \
|
|
${COLLECT_NAME_DIR}/var/log/auth.log \
|
|
${COLLECT_NAME_DIR}/var/log/user.log \
|
|
${COLLECT_NAME_DIR}/var/log/ldapscripts.log
|
|
|
|
for f in ${COLLECT_NAME_DIR}/var/log/bash.log.*.gz \
|
|
${COLLECT_NAME_DIR}/var/log/auth.log.*.gz \
|
|
${COLLECT_NAME_DIR}/var/log/user.log.*.gz \
|
|
${COLLECT_NAME_DIR}/var/log/ldapscripts.log.*.gz
|
|
do
|
|
zgrep -q -E 'snmp|password' $f || continue
|
|
gunzip $f
|
|
unzipped=${f%%.gz}
|
|
sed -i -r 's/(snmp-comm-(delete|show)) *((\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*) *){1,}/\1 xxxxxx/;
|
|
s/(snmp.*) *(--community|-c) *(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1 \2 xxxxxx/;
|
|
s/(-password)=(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1=xxxxxx/;
|
|
s/(-password) (\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1 xxxxxx/g;
|
|
s/(password)'\'': (\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1'\':' xxxxxx/g;
|
|
s/(password):(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)'\''/\1:xxxxxx'\''/g;
|
|
s/(openstack.*) *(--password) *(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1 \2 xxxxxx/;
|
|
s/(ldapmodifyuser.*userPassword *)(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1 xxxxxx/' $unzipped
|
|
gzip $unzipped
|
|
done
|