From c3ef170b88fa467463559d5262bfef6c3e025dce Mon Sep 17 00:00:00 2001
From: "Bryn M. Reeves" <bmr@redhat.com>
Date: Tue, 3 Jun 2014 19:23:46 +0100
Subject: [PATCH 77/77] Elide passwords in grub2 plugin

Remove both plaintext and pbkdf2 passwords from grub configuration
files and command output. Since grub does not mandate any
particular location for its authentication data we have to apply
these liberaly (to all grub*.cfg as well as to all /etc/grub.d
fragments and the output of grub2-mkconfig).

Signed-off-by: Bryn M. Reeves <bmr@redhat.com>
---
 sos/plugins/grub2.py | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/sos/plugins/grub2.py b/sos/plugins/grub2.py
index 95c1218..5f74981 100644
--- a/sos/plugins/grub2.py
+++ b/sos/plugins/grub2.py
@@ -34,4 +34,35 @@ class Grub2(Plugin, RedHatPlugin, DebianPlugin, UbuntuPlugin):
         self.add_cmd_output("ls -lanR /boot")
         self.add_cmd_output("grub2-mkconfig")
 
+    def postproc(self):
+        # the trailing space is required; python treats '_' as whitespace
+        # causing the passwd_exp to match pbkdf2 passwords and mangle them.
+        passwd_exp        = r"(password )\s*(\S*)\s*(\S*)"
+        passwd_pbkdf2_exp = r"(password_pbkdf2)\s*(\S*)\s*(\S*)"
+        passwd_sub        = r"\1 \2 ********"
+        passwd_pbkdf2_sub = r"\1 \2 grub.pbkdf2.********"
+
+        self.do_cmd_output_sub(
+            "grub2-mkconfig",
+            passwd_pbkdf2_exp,
+            passwd_pbkdf2_sub
+        )
+        self.do_cmd_output_sub(
+            "grub2-mkconfig",
+            passwd_exp,
+            passwd_sub
+        )
+
+        self.do_path_regex_sub(
+            r".*\/grub\.",
+            passwd_exp,
+            passwd_sub
+        )
+
+        self.do_path_regex_sub(
+            r".*\/grub\.",
+            passwd_pbkdf2_exp,
+            passwd_pbkdf2_sub
+        )
+
 # vim: et ts=4 sw=4
-- 
1.9.3