[ovirt] answer files: Filter out all password keys

Instead of hard-coding specific keys and having to maintain them over time, replace the values of all keys that have 'password' in their name. I think this covers all our current and hopefully future keys. It might add "false positives" - keys that are not passwords but have 'password' in their name - and I think that's a risk worth taking. Sadly, the engine admin password prompt's name is 'OVESETUP_CONFIG_ADMIN_SETUP', which does not include 'password', so has to be listed specifically. A partial list of keys added since the replaced code was written: - grafana-related stuff - keycloak-related stuff - otopi-style answer files Signed-off-by: Yedidyah Bar David <didi@redhat.com> Change-Id: I416c6e4078e7c3638493eb271d08d73a0c22b5ba
sosreport · May 30, 2022 · 0b60273 · 0b60273
1 parent fe81417
commit 0b60273
Showing 1 changed file with 14 additions and 10 deletions.
diff --git a/sos/report/plugins/ovirt.py b/sos/report/plugins/ovirt.py
@@ -241,19 +241,23 @@ def postproc(self):
                 r'{key}=********'.format(key=key)
             )
 
-        # Answer files contain passwords
-        for key in (
-            'OVESETUP_CONFIG/adminPassword',
-            'OVESETUP_CONFIG/remoteEngineHostRootPassword',
-            'OVESETUP_DWH_DB/password',
-            'OVESETUP_DB/password',
-            'OVESETUP_REPORTS_CONFIG/adminPassword',
-            'OVESETUP_REPORTS_DB/password',
+
+        # Answer files contain passwords.
+        # Replace all keys that have 'password' in them, instead of hard-coding
+        # here the list of keys, which changes between versions.
+        # Sadly, the engine admin password prompt name does not contain
+        # 'password'... so neither does the env key.
+        for item in (
+            'password',
+            'OVESETUP_CONFIG_ADMIN_SETUP',
         ):
             self.do_path_regex_sub(
                 r'/var/lib/ovirt-engine/setup/answers/.*',
-                r'{key}=(.*)'.format(key=key),
-                r'{key}=********'.format(key=key)
+                re.compile(
+                    r'(?P<key>[^=]*{item}[^=]*)=.*'.format(item=item),
+                    flags=re.IGNORECASE
+                ),
+                r'\g<key>=********'
             )
 
         # aaa profiles contain passwords