authorRob Crittenden <rcritten@redhat.com>2010-03-15 17:06:24 -0400
committerJason Gerard DeRose <jderose@redhat.com>2010-03-19 07:59:24 -0600
commit99da0d88f066826fc33562045d47f6cc760633b5 (patch)
tree94e5637b8a5eb2aa2838c0220e85a3ae05de710a /ipapython
parenta887922fa97a43c31139dcd4159dfbee0f9c2093 (diff)
Provide mechanism in ipautil.run() to not log all arguments.
This is primarily designed to not log passwords but it could have other uses. 567867
Diffstat (limited to 'ipapython')
-rw-r--r--ipapython/ipautil.py35
1 files changed, 34 insertions, 1 deletions
diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index 7c41d787..efc7e028 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -89,7 +89,32 @@ def write_tmp_file(txt):
return fd
-def run(args, stdin=None, raiseonerr=True):
+def run(args, stdin=None, raiseonerr=True, nolog=()):
+ """
+ Execute a command and return stdin, stdout and the process return code.
+
+ args is a list of arguments for the command
+
+ stdin is used if you want to pass input to the command
+
+ raiseonerr raises an exception if the return code is not zero
+
+ nolog is a tuple of tuple values that describes things in the argument
+ list that shouldn't be logged, like passwords. Each tuple consists of
+ a value to search for in the argument list and an offset from this
+ location to set to XXX.
+
+ For example, the command ['/usr/bin/setpasswd', '--password', 'Secret123', 'someuser']
+
+ We don't want to log the password so nolog would be set to:
+ (('--password', 1),)
+
+ The resulting log output would be:
+
+ /usr/bin/setpasswd --password XXXXXXXX someuser
+
+ If an argument isn't found in the list it is silently ignored.
+ """
if stdin:
p = subprocess.Popen(args, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE, close_fds=True)
stdout,stderr = p.communicate(stdin)
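Review bot: The first docstring line says run() returns "stdin, stdout and the process return code", but the visible body only produces `stdout,stderr` from `p.communicate()`, so this is presumably meant to read `Execute a command and return stdout, stderr and the process return code.` (the return statement is outside the hunk, so confirm). The nolog paragraph says the value is set to "XXX", while the example output shows `XXXXXXXX`. The docstring should also state that only the first occurrence of each search value is masked and that an argument written as `--password=Secret123` is not matched. It is worth adding that nolog affects the log line only: the secret is still passed on the command line, where other local users can see it in the process list, so stdin remains the safer channel for passwords.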
@@ -97,6 +122,14 @@ def run(args, stdin=None, raiseonerr=True):
p = subprocess.Popen(args, stdout=subprocess.PIPE, stderr=subprocess.PIPE, close_fds=True)
stdout,stderr = p.communicate()
+ # The command may include passwords that we don't want to log. Run through
+ # the nolog items
+ for (item, offset) in nolog:
+ try:
+ item_offset = args.index(item) + offset
+ args[item_offset] = 'XXXXXXXX'
+ except ValueError:
+ pass
logging.info('args=%s' % ' '.join(args))
logging.info('stdout=%s' % stdout)
logging.info('stderr=%s' % stderr)
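Review bot: The masking loop writes into `args` itself, which causes three problems. The caller's list is altered once the command has run, a tuple passed as `args` raises TypeError on the assignment, and an offset that lands past the end of the list raises an IndexError that `except ValueError` does not catch (a negative result silently overwrites an argument counted from the end). Masking a copy of the list with a bounds check, as sketched below, avoids all three. The rest of run() is outside the hunk; if later code puts `args` into an exception message, it should use the masked copy as well. Separately, `stdout` and `stderr` are still logged in full, so a command that echoes the secret back will leak it regardless of nolog.

```python
# Mask a copy so the caller's argument list is left untouched
logged_args = list(args)
for (item, offset) in nolog:
    try:
        item_offset = logged_args.index(item) + offset
    except ValueError:
        continue
    # Ignore offsets that fall outside the argument list
    if 0 <= item_offset < len(logged_args):
        logged_args[item_offset] = 'XXXXXXXX'
logging.info('args=%s' % ' '.join(logged_args))
# … unchanged: stdout/stderr logging …
```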