authorStanislav Laznicka <slaznick@redhat.com>2016-11-10 14:24:26 +0100
committerMartin Babinsky <mbabinsk@redhat.com>2016-11-25 09:13:56 +0100
commite617f895e70e6812836870f504af6e22a5dc7def (patch)
tree2c8e1541506a5ac4156a864fb2ac93cdaa642073
parentc223130d5f429278202aaf8bf87af53911a3b448 (diff)
Do not log DM password in ca/kra installation logs
https://fedorahosted.org/freeipa/ticket/6461 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
-rw-r--r--ipaserver/install/cainstance.py5
-rw-r--r--ipaserver/install/dogtaginstance.py12
-rw-r--r--ipaserver/install/krainstance.py5
3 files changed, 11 insertions, 11 deletions
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 26755ee28..1aa6b8d4e 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -602,7 +602,10 @@ class CAInstance(DogtagInstance):
self.backup_state('installed', True)
try:
- DogtagInstance.spawn_instance(self, cfg_file)
+ DogtagInstance.spawn_instance(
+ self, cfg_file,
+ nolog_list=(self.dm_password, self.admin_password)
+ )
finally:
os.remove(cfg_file)
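Review bot: The list of values to mask is assembled by hand at this call site and again, identically, in the `spawn_instance` call in krainstance.py, so it protects the log only as long as it names every secret written into `cfg_file`. The code that fills the config file is outside this hunk, so whether other secret values end up there cannot be confirmed from here. I would add a comment above the call such as `# nolog_list must name every secret written to cfg_file`, or build the tuple in one helper on `DogtagInstance` that both subclasses use. The enclosing method starts and ends outside the hunk.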
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index 2cc62dc13..fb18ee18e 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -152,19 +152,13 @@ class DogtagInstance(service.Service):
return os.path.exists(os.path.join(
paths.VAR_LIB_PKI_TOMCAT_DIR, self.subsystem.lower()))
- def spawn_instance(self, cfg_file, nolog_list=None):
+ def spawn_instance(self, cfg_file, nolog_list=()):
"""
Create and configure a new Dogtag instance using pkispawn.
Passes in a configuration file with IPA-specific
parameters.
"""
subsystem = self.subsystem
-
- # Define the things we don't want logged
- if nolog_list is None:
- nolog_list = []
- nolog = tuple(nolog_list) + (self.admin_password,)
-
args = [paths.PKISPAWN,
"-s", subsystem,
"-f", cfg_file]
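Review bot: With the default changed to `nolog_list=()` and the line `nolog = tuple(nolog_list) + (self.admin_password,)` removed, a call to `spawn_instance` that omits the argument now runs with no masking at all, where it previously still masked the admin password. Both callers touched by this commit pass the two passwords, but any caller outside this diff would fail open in the debug dump and in the `ipautil.run` call of the next hunk. Keeping a floor inside the method, `nolog_list = tuple(nolog_list) + (self.admin_password,)`, makes the safe behaviour the default. The docstring should also say that `nolog_list` holds the secret values to be replaced in log output.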
@@ -172,10 +166,10 @@ class DogtagInstance(service.Service):
with open(cfg_file) as f:
self.log.debug(
'Contents of pkispawn configuration file (%s):\n%s',
- cfg_file, ipautil.nolog_replace(f.read(), nolog))
+ cfg_file, ipautil.nolog_replace(f.read(), nolog_list))
try:
- ipautil.run(args, nolog=nolog)
+ ipautil.run(args, nolog=nolog_list)
except ipautil.CalledProcessError as e:
self.handle_setup_error(e)
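Review bot: The debug message still writes the whole pkispawn configuration file to the log, and the only protection is `ipautil.nolog_replace` matching the exact strings in `nolog_list`. A secret that the caller did not list, or that appears in the file in a different form than the one passed in, is logged in clear. How `nolog_replace` treats `None` or empty entries is not visible here either. Consider dropping unusable entries first, `nolog_list = tuple(v for v in nolog_list if v)`, and masking the file dump by option name rather than by value. The enclosing `spawn_instance` body begins in the previous hunk.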
diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py
index 38245847c..554811c6c 100644
--- a/ipaserver/install/krainstance.py
+++ b/ipaserver/install/krainstance.py
@@ -263,7 +263,10 @@ class KRAInstance(DogtagInstance):
config.write(f)
try:
- DogtagInstance.spawn_instance(self, cfg_file)
+ DogtagInstance.spawn_instance(
+ self, cfg_file,
+ nolog_list=(self.dm_password, self.admin_password)
+ )
finally:
os.remove(p12_tmpfile_name)
os.remove(cfg_file)