authorRob Crittenden <rcritten@redhat.com>2013-07-12 11:28:43 -0400
committerAlexander Bokovoy <abokovoy@redhat.com>2013-07-18 10:49:43 +0300
commit240b12169b9a52113426f6b7893ea9c6bfaf4ea4 (patch)
treedbb44e51bf2d45bde7a04497ec65290e269a5838
parent198d82d4cea94e401bffea1ebed9fd00d5fdd832 (diff)
Hide sensitive attributes in LDAP updater logging and output
The LDAP updater prints the initial and final states of an entry, as well as details on the changes made to attributes. This has the potential to expose sensitive values, so exclude those from logging. https://fedorahosted.org/freeipa/ticket/3782
-rw-r--r--ipaserver/install/ldapupdate.py66
1 files changed, 47 insertions, 19 deletions
diff --git a/ipaserver/install/ldapupdate.py b/ipaserver/install/ldapupdate.py
index 8f3e892..35191e7 100644
--- a/ipaserver/install/ldapupdate.py
+++ b/ipaserver/install/ldapupdate.py
@@ -58,6 +58,29 @@ class BadSyntax(installutils.ScriptError):
def __str__(self):
return repr(self.value)
+def safe_output(attr, values):
+ """
+ Sanitizes values we do not want logged, like passwords.
+
+ This should be called in all debug statements that output values.
+
+ This list does not necessarily need to be exhaustive given the limited
+ scope of types of values that the updater manages.
+
+ This only supports lists, tuples and strings. If you pass a dict you may
+ get a string back.
+ """
+ sensitive_attributes = ['krbmkey', 'userpassword', 'passwordhistory', 'krbprincipalkey', 'sambalmpassword', 'sambantpassword', 'ipanthash']
+
+ if attr.lower() in sensitive_attributes:
+ if type(values) in (tuple, list):
+ # try to still look a little like what is in LDAP
+ return ['XXXXXXX'] * len(values)
+ else:
+ return 'XXXXXXXX'
+ else:
+ return values
+
class LDAPUpdate:
action_keywords = ["default", "add", "remove", "only", "onlyifexist", "deleteentry", "replace", "addifnew", "addifexist"]
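Review bot: The type test in safe_output, `if type(values) in (tuple, list):`, rejects list/tuple subclasses and is the non-idiomatic form; `if isinstance(values, (list, tuple)):` keeps the same behaviour for plain lists and tuples and also masks subclass values instead of returning them verbatim. The two placeholder strings also differ in length (`'XXXXXXX'` for sequences, `'XXXXXXXX'` for scalars), which looks accidental rather than intentional — pick one. Since sensitive_attributes is rebuilt on every call, it would read better as a module-level `SENSITIVE_ATTRIBUTES = frozenset([...])` with the same members, which also gives later maintainers one obvious place to extend the list. Note that the match is an exact comparison of the lowercased name, so an attribute name carrying an LDAP option suffix (e.g. `userpassword;binary`) would not be masked; whether the updater ever sees such names is not visible here, but a comment stating that the check is exact-match would make the limitation explicit.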
@@ -572,51 +595,51 @@ class LDAPUpdate:
for update_value in update_values:
if action == 'remove':
- self.debug("remove: '%s' from %s, current value %s", update_value, attr, entry_values)
+ self.debug("remove: '%s' from %s, current value %s", safe_output(attr, update_value), attr, safe_output(attr,entry_values))
try:
entry_values.remove(update_value)
except ValueError:
self.warning("remove: '%s' not in %s", update_value, attr)
pass
entry[attr] = entry_values
- self.debug('remove: updated value %s', entry_values)
+ self.debug('remove: updated value %s', safe_output(attr, entry_values))
elif action == 'add':
- self.debug("add: '%s' to %s, current value %s", update_value, attr, entry_values)
+ self.debug("add: '%s' to %s, current value %s", safe_output(attr, update_value), attr, safe_output(attr, entry_values))
# Remove it, ignoring errors so we can blindly add it later
try:
entry_values.remove(update_value)
except ValueError:
pass
entry_values.append(update_value)
- self.debug('add: updated value %s', entry_values)
+ self.debug('add: updated value %s', safe_output(attr, entry_values))
entry[attr] = entry_values
elif action == 'addifnew':
- self.debug("addifnew: '%s' to %s, current value %s", update_value, attr, entry_values)
+ self.debug("addifnew: '%s' to %s, current value %s", safe_output(attr, update_value), attr, safe_output(attr, entry_values))
# Only add the attribute if it doesn't exist. Only works
# with single-value attributes.
if len(entry_values) == 0:
entry_values.append(update_value)
- self.debug('addifnew: set %s to %s', attr, entry_values)
+ self.debug('addifnew: set %s to %s', attr, safe_output(attr, entry_values))
entry[attr] = entry_values
elif action == 'addifexist':
- self.debug("addifexist: '%s' to %s, current value %s", update_value, attr, entry_values)
+ self.debug("addifexist: '%s' to %s, current value %s", safe_output(attr, update_value), attr, safe_output(attr, entry_values))
# Only add the attribute if the entry doesn't exist. We
# determine this based on whether it has an objectclass
if entry.get('objectclass'):
entry_values.append(update_value)
- self.debug('addifexist: set %s to %s', attr, entry_values)
+ self.debug('addifexist: set %s to %s', attr, safe_output(attr, entry_values))
entry[attr] = entry_values
elif action == 'only':
- self.debug("only: set %s to '%s', current value %s", attr, update_value, entry_values)
+ self.debug("only: set %s to '%s', current value %s", attr, safe_output(attr, update_value), safe_output(attr, entry_values))
if only.get(attr):
entry_values.append(update_value)
else:
entry_values = [update_value]
only[attr] = True
entry[attr] = entry_values
- self.debug('only: updated value %s', entry_values)
+ self.debug('only: updated value %s', safe_output(attr, entry_values))
elif action == 'onlyifexist':
- self.debug("onlyifexist: '%s' to %s, current value %s", update_value, attr, entry_values)
+ self.debug("onlyifexist: '%s' to %s, current value %s", safe_output(attr, update_value), attr, safe_output(attr, entry_values))
# Only set the attribute if the entry exist's. We
# determine this based on whether it has an objectclass
if entry.get('objectclass'):
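Review bot: The warning in the remove branch still logs the raw value: `self.warning("remove: '%s' not in %s", update_value, attr)` is not wrapped, so a sensitive update value is emitted at warning level — a level more likely to be enabled than the debug statements this commit sanitizes. It should become `self.warning("remove: '%s' not in %s", safe_output(attr, update_value), attr)`. As a style nit, the first changed debug call writes `safe_output(attr,entry_values)` without the space after the comma that every other call in the hunk uses. The enclosing method starts before this hunk and continues past it.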
@@ -625,7 +648,7 @@ class LDAPUpdate:
else:
entry_values = [update_value]
only[attr] = True
- self.debug('onlyifexist: set %s to %s', attr, entry_values)
+ self.debug('onlyifexist: set %s to %s', attr, safe_output(attr, entry_values))
entry[attr] = entry_values
elif action == 'deleteentry':
# skip this update type, it occurs in __delete_entries()
@@ -651,20 +674,22 @@ class LDAPUpdate:
# compare normalized values
replaced_values.append(schema_elem)
self.debug('replace: replace %s "%s" with "%s"',
- schema_elem_name, old, new)
+ schema_elem_name,
+ safe_output(attr, old),
+ safe_output(attr, new))
if not replaced_values:
self.debug('replace: no match for replaced %s "%s"',
- schema_elem_name, old)
+ schema_elem_name, safe_output(attr, old))
continue
for value in replaced_values:
entry_values.remove(value)
else:
entry_values.remove(old)
entry_values.append(new)
- self.debug('replace: updated value %s', entry_values)
+ self.debug('replace: updated value %s', safe_output(attr, entry_values))
entry[attr] = entry_values
except ValueError:
- self.debug('replace: %s not found, skipping', old)
+ self.debug('replace: %s not found, skipping', safe_output(attr, old))
return entry
@@ -678,9 +703,9 @@ class LDAPUpdate:
if isinstance(value, (list, tuple)):
self.debug('%s:', a)
for l in value:
- self.debug("\t%s", l)
+ self.debug("\t%s", safe_output(a, l))
else:
- self.debug('%s: %s', a, value)
+ self.debug('%s: %s', a, safe_output(a, value))
def is_schema_updated(self, s):
"""Compare the schema in 's' with the current schema in the DS to
@@ -794,7 +819,10 @@ class LDAPUpdate:
else:
if len(changes) >= 1:
updated = True
- self.debug("%s" % changes)
+ safe_changes = []
+ for (type, attr, values) in changes:
+ safe_changes.append((type, attr, safe_output(attr, values)))
+ self.debug("%s" % safe_changes)
self.debug("Live %d, updated %d" % (self.live_run, updated))
if self.live_run and updated:
self.conn.updateEntry(entry.dn, entry.origDataDict(), entry.toDict())
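Review bot: The new loop `for (type, attr, values) in changes:` binds the builtin name `type` as a loop variable; any later call to `type(...)` in this method would then fail, and since this code reads as Python 2 era (`"%s" % changes`, old-style `class LDAPUpdate:`) the loop variables `type` and `attr` would also leak past the loop, though what follows is outside the hunk. A comprehension with a non-shadowing name avoids both, `safe_changes = [(mod_type, attr, safe_output(attr, values)) for (mod_type, attr, values) in changes]`, followed by the existing `self.debug("%s" % safe_changes)`. The enclosing method starts before this hunk.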