sts-sponsors team mailing list archive

[Bug 1874526] Re: [landscape] Substitute oidc conf in service file

 

[VERIFICATION GROOVY]

Tested in groovy/20.10 with sosreport version "3.9-1ubuntu3"

I confirmed both "oidc-client-secret" & "oidc-client-id", if found in
"service.conf" & "service.conf.old", are obfuscated as follows:

::::::::::::::
etc/landscape/service.conf
::::::::::::::
oidc-client-secret = [********]
oidc-client-id = [********]

::::::::::::::
etc/landscape/service.conf.old
::::::::::::::
oidc-client-secret = [********]
oidc-client-id = [********]

** Description changed:

  [Impact]
  
  Landscape has added the ability to connect to OIDC.
  
  The plugin should be updated to obfuscate the sensitive information.
  
  https://docs.ubuntu.com/landscape/en/onprem-auth#openid-connect-support
  
  [Test Case]
  
  * Install sosreport
  * Run sosreport in a Landscape environment (client and server)
  * Extract archive and look at the content of sos_commands/landscape and most importantly make sure both "oidc-client-id" & "oidc-client-secret" are subsitute in files "/etc/landscape/service.conf" & "/etc/landscape/service.conf.old" as it should (if present).
+ 
+ Expected result:
+ oidc-client-secret = [********]
+ oidc-client-id = [********]
  
  Extra testing:
  * Look under "sos_reports" for full report.
  * Look under "sos_logs" for warnings/errors.
    $ grep -v "INFO:" sos_logs/sos.log
  * Run "simple.sh": A quick port of the travis tests to bash. Generating various type of sosreports collection.
  https://raw.githubusercontent.com/sosreport/sos/master
  
  [Regression]
  
  No regression expected, we don't change/impact core functionnalities nor
  affect other plugins. If something happens it will be isolate to the
  landscape plugin itself only.
  
  Worse case the OID substitution won't work as expected (corner case) and
  will reveal OID sensible information, but it is very unlikely to happen
  as it will be intensively tested during the testing phase, and the
  substitute mechanism in place has been proven to work for the same
  configuration files in the landscape plugin already.
  
  [Other Informations]
  
  Upstream bug:
  https://github.com/sosreport/sos/issues/2023
  
  Upstream PR:
  https://github.com/sosreport/sos/pull/2025
  
  Upstream commit:
  https://github.com/sosreport/sos/pull/2025/commits/0c4d821e26e1206a0b99f427b572931ba2fd9bb5

-- 
You received this bug notification because you are a member of STS
Sponsors, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1874526

Title:
  [landscape] Substitute oidc conf in service file

Status in sosreport package in Ubuntu:
  Fix Released
Status in sosreport source package in Xenial:
  In Progress
Status in sosreport source package in Bionic:
  In Progress
Status in sosreport source package in Eoan:
  In Progress
Status in sosreport source package in Focal:
  In Progress
Status in sosreport source package in Groovy:
  Fix Released

Bug description:
  [Impact]

  Landscape has added the ability to connect to OIDC.

  The plugin should be updated to obfuscate the sensitive information.

  https://docs.ubuntu.com/landscape/en/onprem-auth#openid-connect-support

  [Test Case]

  * Install sosreport
  * Run sosreport in a Landscape environment (client and server)
  * Extract archive and look at the content of sos_commands/landscape and most importantly make sure both "oidc-client-id" & "oidc-client-secret" are substituted in files "/etc/landscape/service.conf" & "/etc/landscape/service.conf.old" as they should be (if present).

  Expected result:
  oidc-client-secret = [********]
  oidc-client-id = [********]

  Extra testing:
  * Look under "sos_reports" for full report.
  * Look under "sos_logs" for warnings/errors.
    $ grep -v "INFO:" sos_logs/sos.log
  * Run "simple.sh": A quick port of the travis tests to bash. Generating various types of sosreport collections.
  https://raw.githubusercontent.com/sosreport/sos/master

  [Regression]

  No regression expected, we don't change/impact core functionalities
  nor affect other plugins. If something happens it will be isolated to
  the landscape plugin itself only.

  Worst case the OID substitution won't work as expected (corner case)
  and will reveal OID sensitive information, but it is very unlikely to
  happen as it will be intensively tested during the testing phase, and
  the substitute mechanism in place has been proven to work for the same
  configuration files in the landscape plugin already.

  [Other Information]

  Upstream bug:
  https://github.com/sosreport/sos/issues/2023

  Upstream PR:
  https://github.com/sosreport/sos/pull/2025

  Upstream commit:
  https://github.com/sosreport/sos/pull/2025/commits/0c4d821e26e1206a0b99f427b572931ba2fd9bb5

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sosreport/+bug/1874526/+subscriptions
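
The [Test Case] check described in this notification can be scripted. The following is an added example, not part of the bug report or of the sos project's code: it scans the two Landscape files in an extracted sosreport and reports any "oidc-client-id" / "oidc-client-secret" line whose value is not the mask shown above. The function names, the `key = value` parsing and the choice to flag commented-out lines are assumptions of this example.

```python
import re
from pathlib import Path

MASK = "[********]"                       # mask shown in the verification output
SENSITIVE_KEYS = ("oidc-client-secret", "oidc-client-id")
CONF_FILES = ("etc/landscape/service.conf", "etc/landscape/service.conf.old")

# "key = value" lines; an optional leading "#" or ";" is accepted so that a
# commented-out secret is reported as well (assumption of this example).
_LINE = re.compile(r"^\s*[#;]?\s*(?P<key>[\w-]+)\s*[=:]\s*(?P<value>.*?)\s*$")


def find_unmasked(text):
    """Return [(line_number, key)] for sensitive keys whose value is not MASK."""
    leaks = []
    for number, line in enumerate(text.splitlines(), 1):
        match = _LINE.match(line)
        if match and match["key"] in SENSITIVE_KEYS and match["value"] != MASK:
            leaks.append((number, match["key"]))
    return leaks


def check_archive(root):
    """Check both Landscape config files under an extracted sosreport tree.

    Files that are absent are skipped, matching the "(if present)" wording
    of the test case. Returns {relative_path: [(line_number, key), ...]}.
    """
    results = {}
    for relative in CONF_FILES:
        path = Path(root) / relative
        if path.is_file():
            results[relative] = find_unmasked(path.read_text(errors="replace"))
    return results


# Constructed sample input (not taken from a real system).
SAMPLE = """[landscape]
oidc-issuer = https://idp.example
oidc-client-id = [********]
oidc-client-secret = not-masked-value
"""

if __name__ == "__main__":
    for line_number, key in find_unmasked(SAMPLE):
        print(f"line {line_number}: {key} is not obfuscated")
```

Point `check_archive()` at the directory the sosreport tarball was extracted into; an empty list for each file means both keys were obfuscated.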