mirror of
https://github.com/GAM-team/GAM.git
synced 2026-07-03 20:31:35 +00:00
config debug_redaction removes credentials in debug output
This commit is contained in:
@@ -49,7 +49,7 @@ from email.policy import SMTP as policySMTP
|
|||||||
import hashlib
|
import hashlib
|
||||||
from html.entities import name2codepoint
|
from html.entities import name2codepoint
|
||||||
from html.parser import HTMLParser
|
from html.parser import HTMLParser
|
||||||
import http.client as http_client
|
import http.client
|
||||||
import importlib
|
import importlib
|
||||||
from importlib.metadata import version as lib_version
|
from importlib.metadata import version as lib_version
|
||||||
import io
|
import io
|
||||||
@@ -375,6 +375,31 @@ YUBIKEY_VALUE_ERROR_RC = 85
|
|||||||
YUBIKEY_MULTIPLE_CONNECTED_RC = 86
|
YUBIKEY_MULTIPLE_CONNECTED_RC = 86
|
||||||
YUBIKEY_NOT_FOUND_RC = 87
|
YUBIKEY_NOT_FOUND_RC = 87
|
||||||
|
|
||||||
|
def redact_sensitive_google_text(text):
|
||||||
|
patterns = [
|
||||||
|
r'ya29.[0-9A-Za-z-_]+', # Access token
|
||||||
|
r'1/[0-9A-Za-z-]{43}|1/[0-9A-Za-z-]{64}', # Refresh token
|
||||||
|
r'4/[0-9A-Za-z-_]+', # Auth code
|
||||||
|
r'GOCSPX-[0-9a-zA-Z-_]{28}', # Client secret
|
||||||
|
r'AIza[0-9A-Za-z-_]{35}', # API key
|
||||||
|
]
|
||||||
|
for pattern in patterns:
|
||||||
|
text = re.sub(pattern, '****', text)
|
||||||
|
return text
|
||||||
|
|
||||||
|
def redactable_debug_print(*args):
|
||||||
|
processed_args = []
|
||||||
|
for arg in args:
|
||||||
|
if arg.startswith('b\''):
|
||||||
|
sbytes = arg[2:-1]
|
||||||
|
sbytes = bytes(sbytes, 'utf-8')
|
||||||
|
arg = sbytes.decode()
|
||||||
|
arg = arg.replace('\\r\\n', "\n ")
|
||||||
|
if GC.Values[GC.DEBUG_REDACTION]:
|
||||||
|
arg = redact_sensitive_google_text(arg)
|
||||||
|
processed_args.append(arg)
|
||||||
|
print(*processed_args)
|
||||||
|
|
||||||
# Multiprocessing lock
|
# Multiprocessing lock
|
||||||
mplock = None
|
mplock = None
|
||||||
|
|
||||||
@@ -4124,6 +4149,8 @@ def SetGlobalVariables():
|
|||||||
GM.Globals[GM.OAUTH2_TXT_LOCK] = f'{GC.Values[GC.OAUTH2_TXT]}.lock'
|
GM.Globals[GM.OAUTH2_TXT_LOCK] = f'{GC.Values[GC.OAUTH2_TXT]}.lock'
|
||||||
# Override httplib2 settings
|
# Override httplib2 settings
|
||||||
httplib2.debuglevel = GC.Values[GC.DEBUG_LEVEL]
|
httplib2.debuglevel = GC.Values[GC.DEBUG_LEVEL]
|
||||||
|
# Use our own print function for http.client so we can redact and cleanup
|
||||||
|
http.client.print = redactable_debug_print
|
||||||
# Reset global variables if required
|
# Reset global variables if required
|
||||||
if prevExtraArgsTxt != GC.Values[GC.EXTRA_ARGS]:
|
if prevExtraArgsTxt != GC.Values[GC.EXTRA_ARGS]:
|
||||||
GM.Globals[GM.EXTRA_ARGS_LIST] = [('prettyPrint', GC.Values[GC.DEBUG_LEVEL] > 0)]
|
GM.Globals[GM.EXTRA_ARGS_LIST] = [('prettyPrint', GC.Values[GC.DEBUG_LEVEL] > 0)]
|
||||||
@@ -4775,7 +4802,7 @@ def getService(api, httpObj):
|
|||||||
waitOnFailure(n, triesLimit, INVALID_JSON_RC, str(e))
|
waitOnFailure(n, triesLimit, INVALID_JSON_RC, str(e))
|
||||||
continue
|
continue
|
||||||
systemErrorExit(INVALID_JSON_RC, str(e))
|
systemErrorExit(INVALID_JSON_RC, str(e))
|
||||||
except (http_client.ResponseNotReady, OSError, googleapiclient.errors.HttpError) as e:
|
except (http.client.ResponseNotReady, OSError, googleapiclient.errors.HttpError) as e:
|
||||||
errMsg = f'Connection error: {str(e) or repr(e)}'
|
errMsg = f'Connection error: {str(e) or repr(e)}'
|
||||||
if n != triesLimit:
|
if n != triesLimit:
|
||||||
waitOnFailure(n, triesLimit, SOCKET_ERROR_RC, errMsg)
|
waitOnFailure(n, triesLimit, SOCKET_ERROR_RC, errMsg)
|
||||||
@@ -5088,7 +5115,7 @@ def callGData(service, function,
|
|||||||
e = e.args[0]
|
e = e.args[0]
|
||||||
handleOAuthTokenError(e, GDATA.SERVICE_NOT_APPLICABLE in throwErrors)
|
handleOAuthTokenError(e, GDATA.SERVICE_NOT_APPLICABLE in throwErrors)
|
||||||
raise GDATA.ERROR_CODE_EXCEPTION_MAP[GDATA.SERVICE_NOT_APPLICABLE](str(e))
|
raise GDATA.ERROR_CODE_EXCEPTION_MAP[GDATA.SERVICE_NOT_APPLICABLE](str(e))
|
||||||
except (http_client.ResponseNotReady, OSError) as e:
|
except (http.client.ResponseNotReady, OSError) as e:
|
||||||
errMsg = f'Connection error: {str(e) or repr(e)}'
|
errMsg = f'Connection error: {str(e) or repr(e)}'
|
||||||
if n != triesLimit:
|
if n != triesLimit:
|
||||||
waitOnFailure(n, triesLimit, SOCKET_ERROR_RC, errMsg)
|
waitOnFailure(n, triesLimit, SOCKET_ERROR_RC, errMsg)
|
||||||
@@ -5398,7 +5425,7 @@ def callGAPI(service, function,
|
|||||||
e = e.args[0]
|
e = e.args[0]
|
||||||
handleOAuthTokenError(e, GAPI.SERVICE_NOT_AVAILABLE in throwReasons)
|
handleOAuthTokenError(e, GAPI.SERVICE_NOT_AVAILABLE in throwReasons)
|
||||||
raise GAPI.REASON_EXCEPTION_MAP[GAPI.SERVICE_NOT_AVAILABLE](str(e))
|
raise GAPI.REASON_EXCEPTION_MAP[GAPI.SERVICE_NOT_AVAILABLE](str(e))
|
||||||
except (http_client.ResponseNotReady, OSError) as e:
|
except (http.client.ResponseNotReady, OSError) as e:
|
||||||
errMsg = f'Connection error: {str(e) or repr(e)}'
|
errMsg = f'Connection error: {str(e) or repr(e)}'
|
||||||
if n != triesLimit:
|
if n != triesLimit:
|
||||||
waitOnFailure(n, triesLimit, SOCKET_ERROR_RC, errMsg)
|
waitOnFailure(n, triesLimit, SOCKET_ERROR_RC, errMsg)
|
||||||
|
|||||||
@@ -149,6 +149,8 @@ CSV_OUTPUT_USERS_AUDIT = 'csv_output_users_audit'
|
|||||||
CUSTOMER_ID = 'customer_id'
|
CUSTOMER_ID = 'customer_id'
|
||||||
# If debug_level > 0: extra_args['prettyPrint'] = True, httplib2.debuglevel = gam_debug_level, appsObj.debug = True
|
# If debug_level > 0: extra_args['prettyPrint'] = True, httplib2.debuglevel = gam_debug_level, appsObj.debug = True
|
||||||
DEBUG_LEVEL = 'debug_level'
|
DEBUG_LEVEL = 'debug_level'
|
||||||
|
# redact sensitive credentials from debug output
|
||||||
|
DEBUG_REDACTION = 'debug_redaction'
|
||||||
# Developer Preview API Key
|
# Developer Preview API Key
|
||||||
DEVELOPER_PREVIEW_API_KEY = 'developer_preview_api_key'
|
DEVELOPER_PREVIEW_API_KEY = 'developer_preview_api_key'
|
||||||
# When retrieving lists of ChromeOS devices from API, how many should be retrieved in each chunk
|
# When retrieving lists of ChromeOS devices from API, how many should be retrieved in each chunk
|
||||||
@@ -378,6 +380,7 @@ Defaults = {
|
|||||||
CSV_OUTPUT_USERS_AUDIT: FALSE,
|
CSV_OUTPUT_USERS_AUDIT: FALSE,
|
||||||
CUSTOMER_ID: MY_CUSTOMER,
|
CUSTOMER_ID: MY_CUSTOMER,
|
||||||
DEBUG_LEVEL: '0',
|
DEBUG_LEVEL: '0',
|
||||||
|
DEBUG_REDACTION: True,
|
||||||
DEVELOPER_PREVIEW_API_KEY: '',
|
DEVELOPER_PREVIEW_API_KEY: '',
|
||||||
DEVICE_MAX_RESULTS: '200',
|
DEVICE_MAX_RESULTS: '200',
|
||||||
DOMAIN: '',
|
DOMAIN: '',
|
||||||
@@ -547,6 +550,7 @@ VAR_INFO = {
|
|||||||
CSV_OUTPUT_USERS_AUDIT: {VAR_TYPE: TYPE_BOOLEAN},
|
CSV_OUTPUT_USERS_AUDIT: {VAR_TYPE: TYPE_BOOLEAN},
|
||||||
CUSTOMER_ID: {VAR_TYPE: TYPE_STRING, VAR_ENVVAR: 'CUSTOMER_ID', VAR_LIMITS: (0, None)},
|
CUSTOMER_ID: {VAR_TYPE: TYPE_STRING, VAR_ENVVAR: 'CUSTOMER_ID', VAR_LIMITS: (0, None)},
|
||||||
DEBUG_LEVEL: {VAR_TYPE: TYPE_INTEGER, VAR_SIGFILE: 'debug.gam', VAR_LIMITS: (0, None), VAR_SFFT: ('0', '4')},
|
DEBUG_LEVEL: {VAR_TYPE: TYPE_INTEGER, VAR_SIGFILE: 'debug.gam', VAR_LIMITS: (0, None), VAR_SFFT: ('0', '4')},
|
||||||
|
DEBUG_REDACTION: {VAR_TYPE: TYPE_BOOLEAN},
|
||||||
DEVELOPER_PREVIEW_API_KEY: {VAR_TYPE: TYPE_STRING, VAR_LIMITS: (0, None)},
|
DEVELOPER_PREVIEW_API_KEY: {VAR_TYPE: TYPE_STRING, VAR_LIMITS: (0, None)},
|
||||||
DEVICE_MAX_RESULTS: {VAR_TYPE: TYPE_INTEGER, VAR_LIMITS: (1, 200)},
|
DEVICE_MAX_RESULTS: {VAR_TYPE: TYPE_INTEGER, VAR_LIMITS: (1, 200)},
|
||||||
DOMAIN: {VAR_TYPE: TYPE_STRING, VAR_ENVVAR: 'GA_DOMAIN', VAR_LIMITS: (0, None)},
|
DOMAIN: {VAR_TYPE: TYPE_STRING, VAR_ENVVAR: 'GA_DOMAIN', VAR_LIMITS: (0, None)},
|
||||||
|
|||||||
@@ -107,6 +107,8 @@ CURRENT_SVCACCT_USER = 'csa'
|
|||||||
DATETIME_NOW = 'dtno'
|
DATETIME_NOW = 'dtno'
|
||||||
# If debug_level > 0: extra_args['prettyPrint'] = True, httplib2.debuglevel = gam_debug_level, appsObj.debug = True
|
# If debug_level > 0: extra_args['prettyPrint'] = True, httplib2.debuglevel = gam_debug_level, appsObj.debug = True
|
||||||
DEBUG_LEVEL = 'dbgl'
|
DEBUG_LEVEL = 'dbgl'
|
||||||
|
# Whether debug output should redact sensitive credentials
|
||||||
|
DEBUG_REDACTION = 'dbrd'
|
||||||
# Decoded ID token
|
# Decoded ID token
|
||||||
DECODED_ID_TOKEN = 'didt'
|
DECODED_ID_TOKEN = 'didt'
|
||||||
# Index of start of <UserTypeEntity> in command line
|
# Index of start of <UserTypeEntity> in command line
|
||||||
@@ -263,6 +265,7 @@ Globals = {
|
|||||||
CURRENT_SVCACCT_USER: None,
|
CURRENT_SVCACCT_USER: None,
|
||||||
DATETIME_NOW: None,
|
DATETIME_NOW: None,
|
||||||
DEBUG_LEVEL: 0,
|
DEBUG_LEVEL: 0,
|
||||||
|
DEBUG_REDACTION: True,
|
||||||
DECODED_ID_TOKEN: None,
|
DECODED_ID_TOKEN: None,
|
||||||
ENTITY_CL_DELAY_START: 1,
|
ENTITY_CL_DELAY_START: 1,
|
||||||
ENTITY_CL_START: 1,
|
ENTITY_CL_START: 1,
|
||||||
|
|||||||
Reference in New Issue
Block a user