WIP -- How would we hide the display on /tests/$id#settings pages? --…

… Add support for configurable secrets variables Related progress issue: https://progress.opensuse.org/issues/162086
os-autoinst · Jun 11, 2024 · 3b7630f · 3b7630f
1 parent 4c94cca
commit 3b7630f
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 1 deletion.
diff --git a/lib/OpenQA/Log.pm b/lib/OpenQA/Log.pm
@@ -208,8 +208,13 @@ sub setup_log ($app, $logfile = undef, $logdir = undef, $level = undef) {
     OpenQA::App->set_singleton($app);
 }
 
+# same approach as in os-autoinst bmwqemu.pm
 sub redact_settings ($vars) {
-    return {map { $_ !~ qr/(^_SECRET_|_PASSWORD)/ ? ($_ => $vars->{$_}) : ($_ => '[redacted]') } keys %$vars};
+    my $hide_re = '^_SECRET_|_PASSWORD';
+    my $custom_hide_re = eval { qr/$vars->{_HIDE_SECRETS_REGEX}/ } if $vars->{_HIDE_SECRETS_REGEX};
+    $vars->{_HIDE_SECRETS_REGEX} = "(invalid regex specified: $@)" if $@;
+    $hide_re .= "|$custom_hide_re" if $custom_hide_re;
+    return {map { /($hide_re)/ ? ($_ => '[redacted]') : ($_ => $vars->{$_}) } keys %$vars};
 }
 
 sub redact_settings_in_file ($file) {

diff --git a/t/28-logging.t b/t/28-logging.t
@@ -14,6 +14,7 @@ use OpenQA::Worker::App;
 use File::Path qw(make_path remove_tree);
 use Test::MockModule qw(strict);
 use Test::Output qw(stdout_like stderr_like stdout_from stderr_from);
+use Test::Fatal;
 use Sys::Hostname;
 use File::Spec::Functions 'catfile';
 use FindBin;
@@ -579,6 +580,12 @@ subtest 'Formatting settings' => sub {
     like $log, qr/FOO=bar.*THE_PASSWORD.*_SECRET_TOKEN/s, 'all keys and normal values present';
     unlike $log, qr/token/, 'secret token not present';
     unlike $log, qr/123/, 'password not present';
+    $log
+      = format_settings {FOO => 'bar', SNEAKY_TEXT => 'secret', _HIDE_SECRETS_REGEX => 'SNEAK', _SECRET_KEY => 'foo'};
+    like $log, qr/FOO=bar.*SNEAKY.*HIDE.*_SECRET_KEY/s, 'keys and normal values present with customized hiding';
+    unlike $log, qr/secret/, 'value of custom secret key not present';
+    $log = format_settings {_HIDE_SECRETS_REGEX => '['};
+    like $log, qr/invalid regex.*Unmatched \[/, 'invalid hide regex yields non-critical error information';
 };
 
 ok get_channel_handle, 'get_channel_handle returns valid handle from app';