From 7175a057339d9eea5d560e4fa9cdd6aa1c83b9b9 Mon Sep 17 00:00:00 2001 From: Sunil Mohan Adapa Date: Sun, 4 Aug 2024 11:17:09 -0700 Subject: [PATCH] backups: Mark secret strings in privileged actions Tests: - Run affected privileged actions through UI and notice that secret strings are not logged (except initializing init/info a new SSH repository). Signed-off-by: Sunil Mohan Adapa Reviewed-by: James Valleroy --- plinth/modules/backups/privileged.py | 25 ++++++++++++++----------- 1 file changed, 14 insertions(+), 11 deletions(-) diff --git a/plinth/modules/backups/privileged.py b/plinth/modules/backups/privileged.py index 33d477246..aa2f3298e 100644 --- a/plinth/modules/backups/privileged.py +++ b/plinth/modules/backups/privileged.py @@ -8,7 +8,7 @@ import re import subprocess import tarfile -from plinth.actions import privileged +from plinth.actions import privileged, secret_str from plinth.utils import Version TIMEOUT = 30 @@ -22,7 +22,7 @@ class AlreadyMountedError(Exception): @privileged def mount(mountpoint: str, remote_path: str, ssh_keyfile: str | None = None, - password: str | None = None, + password: secret_str | None = None, user_known_hosts_file: str = '/dev/null'): """Mount a remote ssh path via sshfs.""" try: @@ -120,13 +120,14 @@ def _init_repository(path: str, encryption: str, @privileged -def init(path: str, encryption: str, encryption_passphrase: str | None = None): +def init(path: str, encryption: str, + encryption_passphrase: secret_str | None = None): """Initialize the borg repository.""" _init_repository(path, encryption, encryption_passphrase) @privileged -def info(path: str, encryption_passphrase: str | None = None) -> dict: +def info(path: str, encryption_passphrase: secret_str | None = None) -> dict: """Show repository information.""" process = _run(['borg', 'info', '--json', path], encryption_passphrase, stdout=subprocess.PIPE) @@ -134,7 +135,8 @@ def info(path: str, encryption_passphrase: str | None = None) -> dict: @privileged -def list_repo(path: str, encryption_passphrase: str | None = None) -> dict: +def list_repo(path: str, + encryption_passphrase: secret_str | None = None) -> dict: """List repository contents.""" process = _run(['borg', 'list', '--json', '--format="{comment}"', path], encryption_passphrase, stdout=subprocess.PIPE) @@ -149,7 +151,7 @@ def _get_borg_version(): @privileged def create_archive(path: str, paths: list[str], comment: str | None = None, - encryption_passphrase: str | None = None): + encryption_passphrase: secret_str | None = None): """Create archive.""" existing_paths = filter(os.path.exists, paths) command = ['borg', 'create', '--json'] @@ -167,7 +169,7 @@ def create_archive(path: str, paths: list[str], comment: str | None = None, @privileged -def delete_archive(path: str, encryption_passphrase: str | None = None): +def delete_archive(path: str, encryption_passphrase: secret_str | None = None): """Delete archive.""" _run(['borg', 'delete', path], encryption_passphrase) @@ -197,7 +199,7 @@ def _extract(archive_path, destination, encryption_passphrase, locations=None): @privileged -def export_tar(path: str, encryption_passphrase: str | None = None): +def export_tar(path: str, encryption_passphrase: secret_str | None = None): """Export archive contents as tar stream on stdout.""" _run(['borg', 'export-tar', path, '-', '--tar-filter=gzip'], encryption_passphrase) @@ -211,8 +213,9 @@ def _read_archive_file(archive, filepath, encryption_passphrase): @privileged -def get_archive_apps(path: str, - encryption_passphrase: str | None = None) -> list[str]: +def get_archive_apps( + path: str, + encryption_passphrase: secret_str | None = None) -> list[str]: """Get list of apps included in archive.""" manifest_folder = os.path.relpath(MANIFESTS_FOLDER, '/') borg_call = [ @@ -284,7 +287,7 @@ def get_exported_archive_apps(path: str) -> list[str]: @privileged def restore_archive(archive_path: str, destination: str, directories: list[str], files: list[str], - encryption_passphrase: str | None = None): + encryption_passphrase: secret_str | None = None): """Restore files from an archive.""" locations_all = directories + files locations_all = [