utilities/tools/collector/scripts/collect_mask_passwords

#! /bin/bash
#
# Copyright (c) 2017 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#

COLLECT_NAME_DIR=$1
EXTRA_DIR=$2

# Strip the passwords from assorted config files
for conffile in \
    ${COLLECT_NAME_DIR}/etc/aodh/aodh.conf \
    ${COLLECT_NAME_DIR}/etc/barbican/barbican.conf \
    ${COLLECT_NAME_DIR}/etc/ceilometer/ceilometer.conf \
    ${COLLECT_NAME_DIR}/etc/cinder/cinder.conf \
    ${COLLECT_NAME_DIR}/etc/fm/fm.conf \
    ${COLLECT_NAME_DIR}/etc/glance/glance-api.conf \
    ${COLLECT_NAME_DIR}/etc/glance/glance-registry.conf \
    ${COLLECT_NAME_DIR}/etc/heat/heat.conf \
    ${COLLECT_NAME_DIR}/etc/ironic/ironic.conf \
    ${COLLECT_NAME_DIR}/etc/keystone/keystone.conf \
    ${COLLECT_NAME_DIR}/etc/magnum/magnum.conf \
    ${COLLECT_NAME_DIR}/etc/murano/murano.conf \
    ${COLLECT_NAME_DIR}/etc/neutron/metadata_agent.ini \
    ${COLLECT_NAME_DIR}/etc/neutron/neutron.conf \
    ${COLLECT_NAME_DIR}/etc/nfv/nfv_plugins/nfvi_plugins/config.ini \
    ${COLLECT_NAME_DIR}/etc/nova/nova.conf \
    ${COLLECT_NAME_DIR}/etc/nslcd.conf \
    ${COLLECT_NAME_DIR}/etc/openldap/slapd.conf.backup \
    ${COLLECT_NAME_DIR}/etc/openstack-dashboard/local_settings \
    ${COLLECT_NAME_DIR}/etc/panko/panko.conf \
    ${COLLECT_NAME_DIR}/etc/patching/patching.conf \
    ${COLLECT_NAME_DIR}/etc/proxy/nova-api-proxy.conf \
    ${COLLECT_NAME_DIR}/etc/rabbitmq/murano-rabbitmq.config \
    ${COLLECT_NAME_DIR}/etc/rabbitmq/rabbitmq.config \
    ${COLLECT_NAME_DIR}/etc/sysinv/api-paste.ini \
    ${COLLECT_NAME_DIR}/etc/sysinv/sysinv.conf \
    ${COLLECT_NAME_DIR}/var/extra/platform/sysinv/*/sysinv.conf.default \
    ${COLLECT_NAME_DIR}/etc/mtc.ini

do
    if [ ! -f $conffile ]; then
        continue
    fi

    sed -i -r 's/^(admin_password) *=.*/\1 = xxxxxx/;
               s/^(auth_encryption_key) *=.*/\1 = xxxxxx/;
               s/^(bindpw) .*/\1 xxxxxx/;
               s/^(rootpw) .*/\1 xxxxxx/;
               s/^(connection) *=.*/\1 = xxxxxx/;
               s/^( *credentials) *=.*/\1 = xxxxxx/;
               s/^(metadata_proxy_shared_secret) *=.*/\1 = xxxxxx/;
               s/^(password) *=.*/\1 = xxxxxx/;
               s/^(rabbit_password) *=.*/\1 = xxxxxx/;
               s/^(sql_connection) *=.*/\1 = xxxxxx/;
               s/^(stack_domain_admin_password) *=.*/\1 = xxxxxx/;
               s/^(transport_url) *=.*/\1 = xxxxxx/;
               s/^(SECRET_KEY) *=.*/\1 = xxxxxx/;
               s/^(keystone_auth_pw) *=.*/\1 = xxxxxx/;
               s/\{default_pass, <<\".*\">>\}/\{default_pass, <<\"xxxxxx\">>\}/' $conffile
done

find ${COLLECT_NAME_DIR} -name server-cert.pem | xargs --no-run-if-empty rm -f
rm -rf ${COLLECT_NAME_DIR}/var/extra/platform/config/*/ssh_config
rm -f ${COLLECT_NAME_DIR}/var/extra/platform/puppet/*/hieradata/secure*.yaml
rm -f ${COLLECT_NAME_DIR}/etc/puppet/cache/hieradata/secure*.yaml

# dir /etc/kubernetes/pki was etc.excluded
if [ -d "/etc/kubernetes/pki" ] ; then
    # grab the public certificates if /etc/kubernetes/pki exists
    mkdir -p ${COLLECT_NAME_DIR}/etc/kubernetes/pki
    cp -a /etc/kubernetes/pki/*.crt ${COLLECT_NAME_DIR}/etc/kubernetes/pki 2>/dev/null 1>/dev/null
fi

# Mask user passwords in sysinv db dump
if [ -f ${COLLECT_NAME_DIR}/var/extra/database/sysinv.db.sql.txt ]; then
    sed -i -r '/COPY i_user/, /^--/ s/^(([^\t]*\t){10})[^\t]*(\t.*)/\1xxxxxx\3/;
               /COPY i_community/, /^--/ s/^(([^\t]*\t){5})[^\t]*(\t.*)/\1xxxxxx\3/;
               /COPY i_trap_destination/, /^--/ s/^(([^\t]*\t){6})[^\t]*(\t.*)/\1xxxxxx\3/;
               s/(identity\t[^\t]*\tpassword\t)[^\t]*/\1xxxxxx/' \
        ${COLLECT_NAME_DIR}/var/extra/database/sysinv.db.sql.txt
fi

# Mask passwords in host profiles
grep -rl '\"name\": \"password\"' ${COLLECT_NAME_DIR}/var/extra/platform/sysinv/ \
    | xargs --no-run-if-empty perl -i -e '
        $prev="";
        while (<>)
        {
            if (/\"name\": \"password\"/)
            {
                $prev =~ s/\"value\": \".*\"/\"value\": \"xxxxxx\"/;
            }
            print $prev;
            $prev=$_;
        }
        print $prev;'

# Cleanup snmp
sed -i -r 's/(rocommunity[^ ]*).*/\1 xxxxxx/' ${COLLECT_NAME_DIR}/var/extra/platform/config/*/snmp/*
sed -i -r 's/(trap2sink  *[^ ]*).*/\1 xxxxxx/' ${COLLECT_NAME_DIR}/var/extra/platform/config/*/snmp/*

# Mask passwords in bash.log and history logs
USER_HISTORY_FILES=$(find ${COLLECT_NAME_DIR} -type f -name .bash_history 2>/dev/null)
sed -i -r 's/(snmp-comm-(delete|show))  *((\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*) *){1,}/\1 xxxxxx/;
           s/(snmp.*)  *(--community|-c)  *(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1 \2 xxxxxx/;
           s/(-password)=(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1=xxxxxx/;
           s/(-password) (\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1 xxxxxx/g;
           s/(password)'\'': (\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1'\':' xxxxxx/g;
           s/(password):(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)'\''/\1:xxxxxx'\''/g;
           s/(openstack.*) *(--password) *(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1 \2 xxxxxx/;
           s/(ldapmodifyuser.*userPassword  *)(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1 xxxxxx/' \
    ${USER_HISTORY_FILES} \
    ${COLLECT_NAME_DIR}/var/extra/history.info \
    ${COLLECT_NAME_DIR}/var/log/bash.log \
    ${COLLECT_NAME_DIR}/var/log/auth.log \
    ${COLLECT_NAME_DIR}/var/log/user.log \
    ${COLLECT_NAME_DIR}/var/log/ldapscripts.log

for f in ${COLLECT_NAME_DIR}/var/log/bash.log.*.gz \
         ${COLLECT_NAME_DIR}/var/log/auth.log.*.gz \
         ${COLLECT_NAME_DIR}/var/log/user.log.*.gz \
         ${COLLECT_NAME_DIR}/var/log/ldapscripts.log.*.gz
do
    zgrep -q -E 'snmp|password' $f || continue
    gunzip $f
    unzipped=${f%%.gz}
    sed -i -r 's/(snmp-comm-(delete|show))  *((\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*) *){1,}/\1 xxxxxx/;
               s/(snmp.*)  *(--community|-c)  *(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1 \2 xxxxxx/;
               s/(-password)=(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1=xxxxxx/;
               s/(-password) (\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1 xxxxxx/g;
               s/(password)'\'': (\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1'\':' xxxxxx/g;
               s/(password):(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)'\''/\1:xxxxxx'\''/g;
               s/(openstack.*) *(--password) *(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1 \2 xxxxxx/;
               s/(ldapmodifyuser.*userPassword  *)(\"[^\"]*\"|'\''[^'"'"']*'"'"'|[^ ]*)/\1 xxxxxx/' $unzipped
    gzip $unzipped
done