[apt] Obfuscate passwords for configs/sources

The configuration of apt was not being obfuscated if any of the URLs had a password; one example was the proxy. There is also a new format for the deb sources, so ensuring that would be obfuscated in the same way. Add some tests to ensure that this is always being obfuscated. Resolves: SET-732 Signed-off-by: Arif Ali <[email protected]>
jcastill · Jun 6, 2024 · 91c7c54 · 91c7c54
1 parent 6a2845a
commit 91c7c54
Show file tree

Hide file tree

Showing 5 changed files with 65 additions and 8 deletions.
diff --git a/sos/report/plugins/apt.py b/sos/report/plugins/apt.py
@@ -47,16 +47,20 @@ def setup(self):
 
     def postproc(self):
         super().postproc()
-        self.do_file_sub(
+
+        common_regex = r"(http(s)?://)\S+:\S+(@.*)"
+        common_replace = r"\1******:******\3"
+
+        files_to_sub = [
             "/etc/apt/sources.list",
-            r"(deb\shttp(s)?://)\S+:\S+(@.*)",
-            r"\1******:******\3"
-        )
-        self.do_path_regex_sub(
             "/etc/apt/sources.list.d/",
-            r"(deb\shttp(s)?://)\S+:\S+(@.*)",
-            r"\1******:******\3"
-        )
+            "/etc/apt/apt.conf",
+            "/etc/apt/apt.conf.d/",
+        ]
 
+        for file in files_to_sub:
+            self.do_path_regex_sub(
+                file, common_regex, common_replace
+            )
 
 # vim: set et ts=4 sw=4 :
diff --git a/tests/report_tests/plugin_tests/apt/apt-proxy.conf b/tests/report_tests/plugin_tests/apt/apt-proxy.conf
@@ -0,0 +1,3 @@
+Acquire::http::proxy "http://username:[email protected]:80";
+Acquire::https::proxy "http://username:[email protected]:80";
+Acquire::ftp::proxy "http://username:[email protected]:80";
diff --git a/tests/report_tests/plugin_tests/apt/apt-sources.list b/tests/report_tests/plugin_tests/apt/apt-sources.list
@@ -0,0 +1 @@
+deb http://username:[email protected]/ubuntu jammy main
diff --git a/tests/report_tests/plugin_tests/apt/apt-sources.sources b/tests/report_tests/plugin_tests/apt/apt-sources.sources
@@ -0,0 +1,4 @@
+Types: deb
+URIs: http://username:[email protected]/ubuntu
+Suites: jammy
+Components: main
diff --git a/tests/report_tests/plugin_tests/apt/apt.py b/tests/report_tests/plugin_tests/apt/apt.py
@@ -0,0 +1,45 @@
+# Copyright (C) 2024 Canonical Ltd., Arif Ali <[email protected]>
+#
+# This file is part of the sos project: https://github.com/sosreport/sos
+#
+# This copyrighted material is made available to anyone wishing to use,
+# modify, copy, or redistribute it subject to the terms and conditions of
+# version 2 of the GNU General Public License.
+#
+# See the LICENSE file in the source distribution for further information.
+
+from sos_tests import StageTwoReportTest
+
+
+class AptConfScrubTest(StageTwoReportTest):
+    """Ensure that sources.list and apt conf are picked up and properly
+    scrubbed
+
+    :avocado: tags=stagetwo
+    """
+
+    sos_cmd = '-o apt'
+    ubuntu_only = True
+    files = [
+        ('apt-proxy.conf', '/etc/apt/apt.conf.d/50-apt-proxy'),
+        ('apt-sources.list', '/etc/apt/sources.list'),
+        ('apt-sources.sources', '/etc/apt/sources.list.d/ubuntu.sources'),
+    ]
+
+    def test_apt_sources_and_apt_confs_collected(self):
+        self.assertFileCollected('/etc/apt/apt.conf.d/50-apt-proxy')
+        self.assertFileCollected('/etc/apt/sources.list')
+        self.assertFileCollected('/etc/apt/ubuntu.sources')
+
+    def test_apt_sources_and_proxy_scrubbed(self):
+        # Ensure that we scrubbed all passwords
+        files_to_check = [
+            '/etc/apt/apt.conf.d/50-apt-proxy',
+            '/etc/apt/sources.list',
+            '/etc/apt/sources.list.d/ubuntu.sources',
+        ]
+        password = 'somesecretpassword'
+        for file in files_to_check:
+            self.assertFileNotHasContent(file, password)
+
+# vim: set et ts=4 sw=4 :