[enh] Redact secrets from logs #742
Note: when working on this, I realized that the "python argument" case is already covered, cf. these:
So here's an attempt to redact at least most of the sensitive / secret data in the logs. So far I was able to cover :
The last item is the least easy and least "clean" one. It's all built on the way bash logs information or not ... So for example, we are somewhat lucky that this line only results in showing the secret for the first time as:
(and there's no weird intermediate output already showing the secret). Otherwise, it would be much more difficult to catch and we might end up having to rewrite already written stuff in the file, which would complicate stuff (though not impossible, but ugh)
So the current mechanism relies on catching matches for this regex :
So for example :
and therefore covers mysql and postgresql dbs created with the standard helpers. This also covers getting passwords from the setting file, as done with e.g.
Hopefully that's a relatively understandable explanation
Tested on the app install of my_webapp on my side ... seems to be kinda working
How to test
Run some app install (and also remove, upgrade, ... any special case that could show a password or other info we would want to redact)
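The mechanism described above (catch the line where bash first logs a secret, then mask that value everywhere it is logged afterwards) can be sketched as follows. This is an added example, not code from this PR: the `ASSIGNMENT` pattern, the `SecretRedactor` class and the sample xtrace lines are all hypothetical, and the PR's actual regex is not reproduced here.

```python
import re

# Hypothetical pattern (not the PR's regex): a bash xtrace line assigning a
# variable whose name ends in pwd / password / passphrase / secret / key.
ASSIGNMENT = re.compile(
    r"^\+* ?(?:local |export )?\w*(?:pwd|password|passphrase|secret|key)=(\S+)",
    re.IGNORECASE,
)
MIN_LEN = 4  # shorter values would mask unrelated text all over the log


class SecretRedactor:
    """Learns secrets from assignment lines, then masks them in every line."""

    def __init__(self, mask="**********"):
        self.mask = mask
        self.secrets = set()

    def learn(self, line):
        m = ASSIGNMENT.match(line.strip())
        if m:
            value = m.group(1).strip("'\"")
            if len(value) >= MIN_LEN:
                self.secrets.add(value)

    def redact(self, line):
        self.learn(line)  # learn first so the assignment line itself is masked
        # Longest first, so a secret that contains another one is masked whole.
        for secret in sorted(self.secrets, key=len, reverse=True):
            line = line.replace(secret, self.mask)
        return line


def redact_lines(lines):
    redactor = SecretRedactor()
    return [redactor.redact(line) for line in lines]


# Constructed sample of bash xtrace output (not taken from a real install log).
SAMPLE = [
    "+ db_name=my_webapp",
    "+ db_pwd=s3cr3tPassw0rd",
    "+ mysql -u my_webapp --password=s3cr3tPassw0rd -e 'SELECT 1'",
    "+ echo done",
]

if __name__ == "__main__":
    print("\n".join(redact_lines(SAMPLE)))
```

Redaction here is strictly forward-only: a secret that reaches the log before its assignment line is seen stays in the lines already written, which is the limitation discussed above.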
Yea sorry about that... In the end of the meeting it wasn't so clear who was taking care of it and I already had many ideas in mind ... But clearly should have focused on other todo's. We'll try to be more careful next time :/
Thanks for speaking out
Jul 2, 2019
Well, for the yunohost-cli and yunohost-api, what would be the solution? Will we need to make another PR? I started some work which also fixes that. Is this work still useful?