LDAP config: don't log bind password
Add a way to prevent json body logging for routes with sensitive data
such as passwords.
This is basically done via a list of URLs. Add the LDAP create config
URL to this list.
Tested:
Before:
phosphor-gevent[1481]: <BMC IP> user:root POST
http://127.0.0.1:8081/xyz/openbmc_project/user/ldap/action/CreateConfig
json:{u'data': [False, u'ldap://<LDAP server IP>/',
u'cn=Sivas,cn=Users,dc=Corp,dc=ibm,dc=com',
u'cn=Users,dc=Corp,dc=ibm,dc=com', u'<password>',
u'xyz.openbmc_project.User.Ldap.Create.SearchScope.sub',
u'xyz.openbmc_project.User.Ldap.Create.Type.ActiveDirectory']} 200 OK
After:
phosphor-gevent[1710]: <BMC IP> user:root POST
http://127.0.0.1:8081/xyz/openbmc_project/user/ldap/action/CreateConfig
json:None 200 OK
Change-Id: I99979e5e373784c7eabb55861dae70bb283859a4
Signed-off-by: Deepak Kodihalli <dkodihal@in.ibm.com>
diff --git a/module/obmc/wsgi/apps/rest_dbus.py b/module/obmc/wsgi/apps/rest_dbus.py
index f52032a..bf7db41 100644
--- a/module/obmc/wsgi/apps/rest_dbus.py
+++ b/module/obmc/wsgi/apps/rest_dbus.py
@@ -1600,6 +1600,9 @@
self.logging_enabled = None
self.bus = dbus.SystemBus()
self.dbus_path = '/xyz/openbmc_project/logging/rest_api_logs'
+ self.no_json = [
+ '/xyz/openbmc_project/user/ldap/action/CreateConfig'
+ ]
self.bus.add_signal_receiver(
self.properties_changed_handler,
dbus_interface=dbus.PROPERTIES_IFACE,
@@ -1616,6 +1619,8 @@
json = request.json
if self.suppress_json_logging:
json = None
+ elif any(substring in request.url for substring in self.no_json):
+ json = None
session = self.app.session_handler.get_session_from_cookie()
user = None
if "/login" in request.url: