Hide secrets in all log_call invocations #2002
Codecov Report
@@ Coverage Diff @@
## master #2002 +/- ##
==========================================
+ Coverage 77.50% 77.52% +0.01%
==========================================
Files 70 70
Lines 7261 7262 +1
==========================================
+ Hits 5628 5630 +2
+ Misses 1633 1632 -1
Continue to review full report at Codecov.
Great PR! Please pay attention to the following items before merging: Files matching
This is an automatically generated QA checklist based on modified files |
Maybe "hide" would be a better word than "stash" here?
LGTM, also I am closing my version which was trying to achieve the same. Nice work Yannis!
The `log_call` here looks duplicated as it is called again when it is inside the os-autoinst/consoles/serial_screen.pm. Thus this is unneeded, and removing it can clean up the os-autoinst.txt logs.
Signed-off-by: ybonatakis <ybonatakis@suse.com>
I removed the |
Better rephrase the "Hide" commit message as "Hide secrets in all log_call invocations"
and please wrap your git commit messages consistently at 80 characters per line.
@okurz @Martchus @asmorodskyi changes are made. But I can't comment on the conversations anymore, for some reason. I guess also that the recommendation from the bot is not needed, right?
I am not sure what your intention with the tests is but it should be obvious that we won't merge your PR as long as you have disabled a big chunk of tests with comments :)
Well, if the only real change is that the string output in log messages changes then the API version does not need to be bumped.
@b10n1k please only push updates if you actually address the review comments. I was getting notified multiple times but have seen the changes not implemented.
sub log_call_test_secret { | ||
bmwqemu::log_call(text => "passwd\n", secret => 1); | ||
} | ||
stderr_like(\&log_call_test_secret, qr{\Q<<< main::log_call_test_secret(text="[masked]", secret=1)}, 'log_call hides sensitive info'); |
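Review bot: the `stderr_like` assertion on `log_call_test_secret` only proves that `text="[masked]"` is printed; it would still pass if the raw `passwd` value also reached stderr somewhere else in the captured output. Consider adding a matching `stderr_unlike` check for `passwd`, plus a second case without `secret => 1` to show that ordinary text is still logged unmasked.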
sub log_call_test_secret { | |
bmwqemu::log_call(text => "passwd\n", secret => 1); | |
} | |
stderr_like(\&log_call_test_secret, qr{\Q<<< main::log_call_test_secret(text="[masked]", secret=1)}, 'log_call hides sensitive info'); | |
sub log_call_test_secret { | |
bmwqemu::log_call(text => "passwd\n", secret => 1); | |
} | |
stderr_like { bmwqemu::log_call(text => "passwd\n", secret => 1) } qr{\Q<<< main::log_call_test_secret(text="[masked]", secret=1)}, 'log_call hides sensitive info'; |
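Review bot: in the suggested version the last line calls `bmwqemu::log_call` directly inside the `stderr_like { ... }` block, yet the pattern still expects the name `main::log_call_test_secret`, and the `sub log_call_test_secret` kept above it is no longer called by anything. Either call `log_call_test_secret()` inside the block, or drop the sub and adjust the expected function name to what the log prints for a call made from the block.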
My first idea was to encrypt the text and then decrypt it when it is needed for the call. However the concern was about the logs and I found that the only thing that needs to be done is to update the log_call, because this is what is called from all the backends. In this way nothing else seems to need to change (in the sense of manipulating the _text_ before passing it to log_call) in testapi or anywhere else. So I have removed the condition in testapi, but the question is whether you need the `log_call` there. Seems like an extra line in os-autoinst
```
[2022-03-28T12:34:13.170200+02:00] [debug] tests/console/aaa_base.pm:31 called opensusebasetest::select_serial_terminal -> lib/opensusebasetest.pm:1288 called testapi::select_console -> lib/susedistribution.pm:754 called serial_terminal::login -> lib/serial_terminal.pm:142 called testapi::type_password
[2022-03-28T12:34:13.170414+02:00] [debug] <<< testapi::type_string(text="*****", secret=1, max_interval=100)
[2022-03-28T12:34:13.171423+02:00] [debug] <<< consoles::serial_screen::type_string(max_interval=100, cmd="backend_type_string", text="*****", secret=1, json_cmd_token="nJFsVgxh")
```
Signed-off-by: ybonatakis <ybonatakis@suse.com>
This breaks the use of With this change, Maybe we should recover I created this ticket https://progress.opensuse.org/issues/111010
Background: os-autoinst#2002 This PR is printing $string on the logs regardless if it's a secret or not.
My first idea was to encrypt the text and then decrypt it when it is needed for the call.
However the concern was about the logs and I found that the only thing that needs to be done
is to update the log_call, because this is what is called from all the backends. In this way nothing
else seems to need to change in testapi or anywhere else.
Signed-off-by: ybonatakis <ybonatakis@suse.com>
http://aquarius.suse.cz/tests/9012/logfile?filename=autoinst-log.txt
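
The approach described above, masking once in the shared log helper rather than at every call site, as an added Perl example that is not part of the original PR or the os-autoinst code. `mask_args`, `demo_log_call` and the two calling subs are hypothetical names and the secret value is constructed; only the `text`/`secret` argument convention and the `[masked]` marker come from the page.

```perl
#!/usr/bin/perl
# Added illustration, not os-autoinst code: all sub names here are hypothetical.
use strict;
use warnings;

# Build the printable argument list. `text` is replaced only in this copy of
# the arguments, so the real value still reaches the backend unchanged.
sub mask_args {
    my (%args) = @_;
    $args{text} = '[masked]' if $args{secret} && defined $args{text};
    my @parts;
    for my $key (sort keys %args) {    # sorted for deterministic log output
        my $value = $args{$key} // 'undef';
        $value =~ s/\n/\\n/g;          # keep each log entry on one line
        $value = qq{"$value"} unless $value =~ /\A-?\d+\z/;
        push @parts, "$key=$value";
    }
    return join ', ', @parts;
}

# The single helper every caller goes through; masking here covers them all.
sub demo_log_call {
    my (%args) = @_;
    my $caller = (caller(1))[3] // 'main';    # name of the sub that called us
    my $line   = "<<< $caller(" . mask_args(%args) . ")";
    print STDERR "[debug] $line\n";
    return $line;
}

# Two constructed call sites: one secret, one ordinary.
sub type_password { return demo_log_call(text => "s3cr3t\n", secret => 1) }
sub type_string   { return demo_log_call(text => "ls -l\n", max_interval => 100) }

my $secret_line = type_password();
my $plain_line  = type_string();

# Check both directions: the marker is present AND the raw value is absent,
# and text without the secret flag is still logged as typed.
die "secret leaked into log line\n" if $secret_line =~ /s3cr3t/;
die "mask marker missing\n"         unless $secret_line =~ /text="\[masked\]"/;
die "non-secret text was masked\n"  unless $plain_line =~ /text="ls -l\\n"/;
print "ok: $secret_line\n";
```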