From 4b412ac926aaed11a9c335827d7c37d972399d0d Mon Sep 17 00:00:00 2001
From: Deepak Kodihalli
Date: Mon, 15 Oct 2018 12:45:18 -0500
Subject: LDAP config: don't log bind password
Add a way to prevent json body logging for routes with sensitive data such as passwords. This is basically done via a list of URLs. Add the LDAP create config URL to this list. Tested: Before: phosphor-gevent[1481]: user:root POST http://127.0.0.1:8081/xyz/openbmc_project/user/ldap/action/CreateConfig json:{u'data': [False, u'ldap:///', u'cn=Sivas,cn=Users,dc=Corp,dc=ibm,dc=com', u'cn=Users,dc=Corp,dc=ibm,dc=com', u'', u'xyz.openbmc_project.User.Ldap.Create.SearchScope.sub', u'xyz.openbmc_project.User.Ldap.Create.Type.ActiveDirectory']} 200 OK After: phosphor-gevent[1710]: user:root POST http://127.0.0.1:8081/xyz/openbmc_project/user/ldap/action/CreateConfig json:None 200 OK
Change-Id: I99979e5e373784c7eabb55861dae70bb283859a4
Signed-off-by: Deepak Kodihalli
---
 module/obmc/wsgi/apps/rest_dbus.py | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'module')
diff --git a/module/obmc/wsgi/apps/rest_dbus.py b/module/obmc/wsgi/apps/rest_dbus.py
index f52032a..bf7db41 100644
--- a/module/obmc/wsgi/apps/rest_dbus.py
+++ b/module/obmc/wsgi/apps/rest_dbus.py
@@ -1600,6 +1600,9 @@ class LoggingPlugin(object):
 self.logging_enabled = None
 self.bus = dbus.SystemBus()
 self.dbus_path = '/xyz/openbmc_project/logging/rest_api_logs'
+ self.no_json = [
+ '/xyz/openbmc_project/user/ldap/action/CreateConfig'
+ ]
 self.bus.add_signal_receiver(
 self.properties_changed_handler,
 dbus_interface=dbus.PROPERTIES_IFACE,
@@ -1616,6 +1619,8 @@ class LoggingPlugin(object):
 json = request.json
 if self.suppress_json_logging:
 json = None
+ elif any(substring in request.url for substring in self.no_json):
+ json = None
 session = self.app.session_handler.get_session_from_cookie()
 user = None
 if "/login" in request.url:
-- cgit v1.2.1
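Review bot: The new `self.no_json` list in the first hunk carries no comment saying what it is for or how its entries are matched, and a maintainer adding a route needs to know both. I would put `# URL paths whose JSON request bodies carry secrets (e.g. the LDAP bind password) and must never be logged.` above it and note that entries are compared as substrings of the request URL. Nothing in the visible lines mutates the list, so a tuple or a class-level constant would signal fixed configuration better than a per-instance list. The enclosing method starts and ends outside the hunk, so I cannot see whether other password-bearing routes are handled elsewhere; if they are not, they belong in this list as well.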
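Review bot: The added `elif` in the second hunk tests each entry as a substring of `request.url`, which is the whole URL rather than the routed path, so any request whose URL merely contains the CreateConfig string (for example in a query parameter) also has its body dropped from the REST audit log. Matching the path alone is tighter: `elif request.path in self.no_json:` (assuming `request` is the Bottle request object, which exposes `path`). Before switching to an exact match, confirm how the router treats trailing-slash or otherwise equivalent spellings of the route, because an under-match would put the bind password back in the log. The function continues past the `"/login"` check outside the hunk, so whether login bodies are redacted there is not visible from here.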