core: Replace cloud-init password in debug logs

The password is currently replaced in meta data but it occurs in user data. Let’s replace it there too.
oVirt · Sep 22, 2022 · 7c086d6 · 7c086d6
1 parent d3c17fd
commit 7c086d6
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/...s/vdsbroker/src/main/java/org/ovirt/engine/core/vdsbroker/vdsbroker/CloudInitHandler.java b/...s/vdsbroker/src/main/java/org/ovirt/engine/core/vdsbroker/vdsbroker/CloudInitHandler.java
@@ -11,6 +11,8 @@
 import java.util.Map;
 import java.util.UUID;
 import java.util.function.Supplier;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
 
 import org.apache.commons.collections.MapUtils;
 import org.apache.commons.lang.StringUtils;
@@ -41,6 +43,7 @@ public class CloudInitHandler {
     private Map<String, Object> networkData;
 
     private final String passwordKey = "password";
+    private static final Pattern PASSWORD_PATTERN = Pattern.compile("(password: *)'.*'");
 
     public List<EngineMessage> validate(VmInit vmInit) {
         // validate only if 'Initial Run' parameters were specified
@@ -118,6 +121,10 @@ public Map<String, byte[]> getFileData()
             String newStr = String.format("\"%s\" : ***", passwordKey);
             metaDataStr = metaDataStr.replace(oldStr, newStr);
         }
+        if (userDataStr.contains(passwordKey)) {
+            Matcher matcher = PASSWORD_PATTERN.matcher(userDataStr);
+            userDataStr = matcher.replaceAll("$1'***'");
+        }
         log.debug("cloud-init meta-data:\n{}", metaDataStr);
         log.debug("cloud-init user-data:\n{}", userDataStr);
         return files;