Yedidyah Bar David has uploaded a new change for review.

Change subject: packaging: setup: hide passwords
......................................................................

packaging: setup: hide passwords

Filter in log

Change mode for conf files

Change-Id: I7faca5776b63859f0a391a68832443197e54cfc5
Signed-off-by: Yedidyah Bar David <d...@redhat.com>
---
M packaging/common_utils.py
M packaging/ovirt-engine-reports-setup.py
2 files changed, 54 insertions(+), 16 deletions(-)


  git pull ssh://gerrit.ovirt.org:29418/ovirt-reports refs/changes/53/27053/1

diff --git a/packaging/common_utils.py b/packaging/common_utils.py
index 49fe988..fdc4756 100755
--- a/packaging/common_utils.py
+++ b/packaging/common_utils.py
@@ -80,8 +80,9 @@
     in utils
     """
     maskedStr = string
-    for maskItem in maskList:
-        maskedStr = maskedStr.replace(maskItem, "*"*8)
+    if maskList:
+        for maskItem in maskList:
+            maskedStr = maskedStr.replace(maskItem, "*"*8)
 
     return maskedStr
 
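Review bot: The new guard handles `maskList=None` but not an empty string inside the list: `maskedStr.replace('', '*'*8)` inserts eight asterisks between every character, and a `None` item raises TypeError. This matters because a later hunk in this file passes `maskList=[password]` with whatever password the caller supplied. Skipping falsy items keeps the log line intact: `for maskItem in maskList or ():` followed by `if maskItem: maskedStr = maskedStr.replace(maskItem, "*"*8)`. The function's signature and the start of its docstring lie above this hunk.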
@@ -1102,10 +1103,16 @@
         stdOut=output,
     )
 
-def runPostgresSuQuery(query, database=None, failOnError=True):
+def runPostgresSuQuery(query, database=None, failOnError=True, maskList=None):
+    logged_query = _maskString(
+        '\n'.join(query)
+        if isinstance(query, list) or isinstance(query, tuple)
+        else query,
+        maskList
+    )
     logging.debug("starting runPostgresSuQuery database: %s query: %s" %
                   (database,
-                   query))
+                   logged_query))
     command = [
         EXEC_PSQL,
         '--pset=tuples_only=on',
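Review bot: `maskList` defaults to `None`, so masking in `runPostgresSuQuery` is opt-in: any caller that embeds a credential in `query` but omits the argument still gets the full text in the debug log. The function has no docstring stating that contract. I would add one such as `"""Run query through psql; every secret embedded in query must be listed in maskList so it stays out of the log."""`. The type test also reads more simply as `isinstance(query, (list, tuple))`. The rest of the function body is outside this hunk.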
@@ -1141,6 +1148,7 @@
         cmdList=cmd,
         failOnError=failOnError,
         stdIn=stdIn,
+        maskList=maskList,
     )
 
 _RE_POSTGRES_PGHBA_LOCAL = re.compile(
@@ -1228,7 +1236,8 @@
         ).format(
             user=user,
             password=password,
-        )
+        ),
+        maskList=[password],
     )
 
 
@@ -1299,16 +1308,14 @@
         ret += c
     return ret
 
-def storeConf(db_dict):
+def storeConf(db_dict, uid, gid, perms):
     if not os.path.exists(DIR_DATABASE_REPORTS_CONFIG):
         os.makedirs(DIR_DATABASE_REPORTS_CONFIG)
-    with open(
-        os.path.join(
-            DIR_DATABASE_REPORTS_CONFIG,
-            FILE_DATABASE_REPORTS_CONFIG
-        ),
-        'w'
-    ) as rf:
+    configFile = os.path.join(
+        DIR_DATABASE_REPORTS_CONFIG,
+        FILE_DATABASE_REPORTS_CONFIG
+    )
+    with open(configFile, 'w') as rf:
         rf.write(
             (
                 'REPORTS_DB_DATABASE={database}\n'
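Review bot: `open(configFile, 'w')` creates the file under the process umask, and the password is written before the `os.chown`/`os.chmod` that the next hunk adds after the `with` block. That leaves a window in which the credentials sit in a file with default (often world-readable) permissions, and a failure between the write and the chmod leaves it that way. Opening the descriptor with the restrictive mode and fixing owner and mode on it before writing closes the window, after which the trailing `os.chown`/`os.chmod` can go; `os.fchmod` is still needed because the mode given to `os.open` is filtered by the umask and ignored for an existing file. The same write-then-tighten order appears in the pairs added to ovirt-engine-reports-setup.py, where it depends on how the editors' `close()` writes the file, which is not visible here. `storeConf` continues past the end of this hunk.

```python
# … unchanged: makedirs check and configFile = os.path.join(...) …
fd = os.open(configFile, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, perms)
try:
    # Restrict owner and mode before any secret reaches the file.
    os.fchown(fd, uid, gid)
    os.fchmod(fd, perms)
except Exception:
    os.close(fd)
    raise
with os.fdopen(fd, 'w') as rf:
    # … unchanged: rf.write(...) of the REPORTS_DB_* settings …
```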
@@ -1320,7 +1327,8 @@
                 password=escape(db_dict['password'], '"\\$'),
             )
         )
-
+    os.chown(configFile, uid, gid)
+    os.chmod(configFile, perms)
 
 def userExists(user):
     sql_query = '"select 1 from pg_roles where rolname=\'{user}\';"'.format(
diff --git a/packaging/ovirt-engine-reports-setup.py 
b/packaging/ovirt-engine-reports-setup.py
index cc26a45..ec459ed 100755
--- a/packaging/ovirt-engine-reports-setup.py
+++ b/packaging/ovirt-engine-reports-setup.py
@@ -11,6 +11,8 @@
 import os
 import sys
 import traceback
+import pwd
+import grp
 import getpass
 import shutil
 import cracklib
@@ -43,6 +45,7 @@
 FILE_JS_SMTP="%s/WEB-INF/js.quartz.properties" % DIR_WAR
 FILE_APPLICATION_SECURITY_WEB="%s/WEB-INF/applicationContext-security-web.xml" 
% DIR_WAR
 FILE_JRS_DATASOURCES="%s/WEB-INF/js-jboss7-ds.xml" % DIR_WAR
+FILE_WAR_CONTEXT = '%s/META-INF/context.xml' % DIR_WAR
 JRS_INSTALL_SCRIPT="js-install-ce.sh"
 
 db_dict = None
@@ -55,6 +58,7 @@
 REPORTS_SERVER_BUILDOMATIC_DIR = "%s/buildomatic" % REPORTS_SERVER_DIR
 REPORTS_DB_UPGRADE_SCRIPTS_DIR = "%s/install_resources/sql/postgresql" % 
REPORTS_SERVER_BUILDOMATIC_DIR
 FILE_JASPER_DB_CONN = "%s/default_master.properties" % 
REPORTS_SERVER_BUILDOMATIC_DIR
+REPORTS_SERVER_BUILD_CONF_DIR = '%s/build_conf' % 
REPORTS_SERVER_BUILDOMATIC_DIR
 FILE_DATABASE_ENGINE_CONFIG = 
"/etc/ovirt-engine/engine.conf.d/10-setup-database.conf"
 FILE_DATABASE_DWH_CONFIG = 
"/etc/ovirt-engine-dwh/ovirt-engine-dwhd.conf.d/10-setup-database.conf"
 FILE_DATABASE_REPORTS_CONFIG = 
"/etc/ovirt-engine-reports/ovirt-engine-reports.conf.d/10-setup-database.conf"
@@ -93,6 +97,8 @@
 For other cases, please ask your DBA to remove the aforementioned DB."
 
 DIR_TEMP_SCHEDULE=tempfile.mkdtemp()
+OVIRT_UID = pwd.getpwnam('ovirt')[2]
+OVIRT_GID = grp.getgrnam('ovirt')[2]
 
 log_file = None
 
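Review bot: `pwd.getpwnam('ovirt')` and `grp.getgrnam('ovirt')` run at import time, so on a host where the account or group is missing the script stops with a bare KeyError, presumably before its logging is configured (`log_file = None` follows immediately). Resolving them inside the setup flow with an explicit error message would be easier to diagnose. `OVIRT_UID` also looks unused in this change: every `os.chown` added in the visible hunks passes uid `0`. The named fields read better than the index: `pwd.getpwnam('ovirt').pw_uid` and `grp.getgrnam('ovirt').gr_gid`.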
@@ -276,6 +282,8 @@
     file_handler.editParam("webAppNameCE", JRS_APP_NAME)
     file_handler.editParam("appServerDir", DIR_DEPLOY)
     file_handler.close()
+    os.chown(FILE_JASPER_DB_CONN, 0, OVIRT_GID)
+    os.chmod(FILE_JASPER_DB_CONN, 0o640)
 
 def setReportsDatasource(db_dict):
     logging.debug("editing reports datasource file %s", FILE_DB_DATA_SOURCE)
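Review bot: The pair `os.chown(path, 0, OVIRT_GID)` / `os.chmod(path, 0o640)` is repeated verbatim here and in the hunks for `setReportsDatasource`, `resetReportsDatasourcePassword`, the `xmlFile` editor and `FILE_JRS_DATASOURCES`. That makes it easy for the next credential-bearing file to be missed or to get a different mode. A small helper would keep the policy in one place, e.g. `def _restrictToOvirt(path, mode=0o640):` with body `os.chown(path, 0, OVIRT_GID)` and `os.chmod(path, mode)`, plus a comment that these files appear to hold database passwords and must not be world-readable. The function this hunk ends in starts above the hunk.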
@@ -285,6 +293,8 @@
     
xml_editor.editParams({'/jdbcDataSource/connectionUser':db_dict["dwh_db_user"]})
     
xml_editor.editParams({'/jdbcDataSource/connectionPassword':db_dict["dwh_db_password"]})
     xml_editor.close()
+    os.chown(FILE_DB_DATA_SOURCE, 0, OVIRT_GID)
+    os.chmod(FILE_DB_DATA_SOURCE, 0o640)
 
 def resetReportsDatasourcePassword():
     logging.debug("editing reports datasource file %s", FILE_DB_DATA_SOURCE)
@@ -292,6 +302,8 @@
     xml_editor.open()
     xml_editor.editParams({'/jdbcDataSource/connectionPassword':""})
     xml_editor.close()
+    os.chown(FILE_DB_DATA_SOURCE, 0, OVIRT_GID)
+    os.chmod(FILE_DB_DATA_SOURCE, 0o640)
 
 @transactionDisplay("Updating Redirect Servlet")
 def updateServletDbRecord(TEMP_PGPASS):
@@ -489,6 +501,8 @@
     node.setContent(password)
     logging.debug("closing file")
     xmlObj.close()
+    os.chown(xmlFile, 0, OVIRT_GID)
+    os.chmod(xmlFile, 0o640)
 
 @transactionDisplay("Customizing Server")
 def customizeJs():
@@ -854,6 +868,8 @@
         xml_editor.addNodes("/datasources", newDriver)
     logging.debug("closing file")
     xml_editor.close()
+    os.chown(FILE_JRS_DATASOURCES, 0, OVIRT_GID)
+    os.chmod(FILE_JRS_DATASOURCES, 0o640)
 
 def updateApplicationSecurity():
     """
@@ -1033,7 +1049,12 @@
                         )
                     )
                     utils.updateDbOwner(db_dict)
-                utils.storeConf(db_dict)
+                utils.storeConf(
+                    db_dict,
+                    uid=0,
+                    gid=OVIRT_GID,
+                    perms=0o640,
+                )
             else:
                 # remote
                 if hasData:
@@ -1183,6 +1204,10 @@
                 ):
                     if os.path.exists(path):
                         shutil.rmtree(path)
+                os.chown(REPORTS_SERVER_BUILD_CONF_DIR, 0, OVIRT_GID)
+                os.chmod(REPORTS_SERVER_BUILD_CONF_DIR, 0o750)
+                os.chown(FILE_WAR_CONTEXT, 0, OVIRT_GID)
+                os.chmod(FILE_WAR_CONTEXT, 0o640)
 
             # Restore previous version
             except:
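Review bot: The four added calls have no existence check, unlike the `if os.path.exists(path):` guard in the loop just above, and they sit inside the `try` whose bare `except:` is labelled "Restore previous version". If `REPORTS_SERVER_BUILD_CONF_DIR` or `FILE_WAR_CONTEXT` is absent, `os.chown` raises OSError and, as far as the hunk shows, the whole upgrade would be rolled back over a permissions step. Guarding each pair, e.g. `if os.path.exists(FILE_WAR_CONTEXT):`, or logging and skipping a missing path, avoids that. Note also that `0o750` on the directory is not recursive: it blocks traversal by other users but leaves the modes of the files inside unchanged. The enclosing `try` begins outside this hunk.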
@@ -1199,7 +1224,12 @@
 
             # Restart the httpd service
             utils.restartHttpd()
-            utils.storeConf(db_dict)
+            utils.storeConf(
+                db_dict,
+                uid=0,
+                gid=OVIRT_GID,
+                perms=0o640,
+            )
             print "Succesfully installed %s." % JRS_APP_NAME
             print "The installation log file is available at: %s" % log_file
 


-- 
To view, visit http://gerrit.ovirt.org/27053

Gerrit-MessageType: newchange
Gerrit-Change-Id: I7faca5776b63859f0a391a68832443197e54cfc5
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-reports
Gerrit-Branch: ovirt-3.3
Gerrit-Owner: Yedidyah Bar David <d...@redhat.com>