From de5e07bbf1afa2ff33296379becfdbad35525dc8 Mon Sep 17 00:00:00 2001
From: "Bryn M. Reeves" <bmr@redhat.com>
Date: Mon, 23 Jun 2014 15:47:17 +0100
Subject: [PATCH 09/13] [bootloader] elide bootloader password

Backport of the following commits to rhel-6:

commit 6501013bb780161e941f5e078a6ed7052f670a51
Author: Bryn M. Reeves <bmr@redhat.com>
Date:   Mon Jun 2 15:27:10 2014 +0100

    Make sure grub password regex handles all cases

    The regex to match passwords in grub.conf needs to handle both
    the --md5 and non-md5 cases and to apply the substitution only
    to the secret part (password or password hash).

    This needs to deal with the fact that python will return 'None'
    for unmatched pattern groups leading to an exception in re.subn()
    if not all referenced groups match for a given string (in contrast
    to e.g. the perl approach of treating these groups as the empty
    string).

    Make this explicit by using an empty alternate in the possibly
    unmatched '--md5' group:

                r"(password\s*)(--md5\s*|\s*)(.*)",
                r"\1\2********"

    Signed-off-by: Bryn M. Reeves <bmr@redhat.com>

commit 23182c4f13fbadc9b7c2ab75c1ca249d5ba987d1
Author: Bryn M. Reeves <bmr@redhat.com>
Date:   Mon Jun 2 14:55:03 2014 +0100

    Elide bootloader password in grub plugin

    The grub.conf configuration file collected by the grub plugin may
    contain a plaintext or md5 hashed bootloader password. Add a regex
    substitution for all files matching '.*\/grub\.conf' and replace
    the password with '*'s.

    Signed-off-by: Bryn M. Reeves <bmr@redhat.com>
---
 sos/plugins/bootloader.py | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/sos/plugins/bootloader.py b/sos/plugins/bootloader.py
index e9bcea7..dd67c47 100644
--- a/sos/plugins/bootloader.py
+++ b/sos/plugins/bootloader.py
@@ -32,3 +32,10 @@ class bootloader(sos.plugintools.PluginBase):
         self.collectExtOutput("/bin/ls -laR /boot")
         return
 
+    def postproc(self):
+        self.doPathRegexSub(
+            r".*\/grub.conf",
+            r"(password\s*)(--md5\s*|\s*)(.*)",
+            r"\1\2********"
+        )
+
-- 
1.9.3