[ovirt] answer files: Filter out all password keys

Instead of hard-coding specific keys and having to maintain them over time, replace the values of all keys that have 'password' in their name. I think this covers all our current and hopefully future keys. It might add "false positives" - keys that are not passwords but have 'password' in their name - and I think that's a risk worth taking. A partial list of keys added since the replaced code was written: - grafana-related stuff - keycloak-related stuff - otopi-style answer files
sosreport · May 26, 2022 · f9b8ae7 · f9b8ae7
1 parent fe81417
commit f9b8ae7
Showing 1 changed file with 11 additions and 14 deletions.
diff --git a/sos/report/plugins/ovirt.py b/sos/report/plugins/ovirt.py
@@ -241,20 +241,17 @@ def postproc(self):
                 r'{key}=********'.format(key=key)
             )
 
-        # Answer files contain passwords
-        for key in (
-            'OVESETUP_CONFIG/adminPassword',
-            'OVESETUP_CONFIG/remoteEngineHostRootPassword',
-            'OVESETUP_DWH_DB/password',
-            'OVESETUP_DB/password',
-            'OVESETUP_REPORTS_CONFIG/adminPassword',
-            'OVESETUP_REPORTS_DB/password',
-        ):
-            self.do_path_regex_sub(
-                r'/var/lib/ovirt-engine/setup/answers/.*',
-                r'{key}=(.*)'.format(key=key),
-                r'{key}=********'.format(key=key)
-            )
+        # Answer files contain passwords.
+        # Replace all keys that have 'password' in them, instead of hard-coding
+        # here the list of keys, which changes between versions.
+        self.do_path_regex_sub(
+            r'/var/lib/ovirt-engine/setup/answers/.*',
+            re.compile(
+                r'(?P<key>[^=]*password[^=]*)=.*',
+                flags=re.IGNORECASE
+            ),
+            r'\g<key>=********'
+        )
 
         # aaa profiles contain passwords
         protect_keys = [