From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 99D10F4E4 for ; Fri, 16 Dec 2022 11:32:04 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 755672088A for ; Fri, 16 Dec 2022 11:31:34 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS for ; Fri, 16 Dec 2022 11:31:33 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id D55E444757 for ; Fri, 16 Dec 2022 11:31:32 +0100 (CET) Message-ID: <5ff58ac5-f760-25b3-44ff-ae4f0946e2f9@proxmox.com> Date: Fri, 16 Dec 2022 11:31:31 +0100 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Thunderbird/109.0 Content-Language: en-GB To: Proxmox VE development discussion , Mira Limbeck References: <20221215165700.2061397-1-m.limbeck@proxmox.com> From: Thomas Lamprecht In-Reply-To: <20221215165700.2061397-1-m.limbeck@proxmox.com> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-SPAM-LEVEL: Spam detection results: 0 AWL -0.028 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment NICE_REPLY_A -0.001 Looks like a legit reply (A) SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [report.pm] Subject: Re: [pve-devel] [PATCH manager] report: filter comments in VM/CT configs X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 16 Dec 2022 10:32:04 -0000 On 15/12/2022 17:57, Mira Limbeck wrote: > Since some users keep their passwords in the VM/CT configs as comments > and those are most of the time unnecessary when looking through the > report, filter those. I'd rather have this optional, opt-out is fine, where the CLI gets a switch and the web interface gets a dialogue with a checkbox for filtering comments in guest configs. A lot of sane admins don't sprinkle plain text PWs into www-data readable plain text configs but possible relevant setup info. If you want to get this faster in it's fine to focus on CLI only for now, but I think some more options might be relevant for the report in the near term, be it filtering other stuff (e.g., public IP addresses) or also adding extra info (e.g., (parts of) journal/syslogs), so laying out a bit foundations for that now could be reused for that; but as said, no need to do all that now. Also please separate adding and using file2text and adding the filter part into two commits, those are different things. > > In addition to the comments, also filter the `cipassword` option > since it contains the hash of the password. > > To facilitate the filtering, a new sub 'file2text' is introduced that > can filter the file contents if required. > This sub replaces the 'cat ...' commands. > > Signed-off-by: Mira Limbeck > --- > I did not add print to STDERR in file2text for now since it got quite > chatty. > If this is wanted, I'll send a v2 adding it. But since file2text is also > called by dir2text the 'OK' at the end won't always align, especially > when dir2text is used. > > PVE/Report.pm | 48 +++++++++++++++++++++++++++++++++--------------- > 1 file changed, 33 insertions(+), 15 deletions(-) > > diff --git a/PVE/Report.pm b/PVE/Report.pm > index 90b7cb1c..7ebe98f7 100644 > --- a/PVE/Report.pm > +++ b/PVE/Report.pm > @@ -5,16 +5,34 @@ use warnings; > > use PVE::Tools; > > +my sub file2text { > + my ($file, $filter) = @_; > + my $text = "\n# cat $file\n"; I agree with the sentiment of Stefan's comment but comment something else that we do is IMO not ideal, tends to get out of date soon and might be hard to output a grep invocation that behaves really 1:1 as the code here does, or will do sometimes. So maybe just output something like: my $text = "\n# ". ($filter ? 'filtered' : '') ." cat $file\n"; > + > + my $contents = PVE::Tools::file_get_contents($file); > + if ($filter) { > + foreach my $line (split('\n', $contents)) { > + next if $line =~ m/^\s*#/; > + next if $line =~ m/^cipassword/; not sure if it's a good idea to just plainly filter, I mean only guest configs are setting $filter anyway, but IMO it's still a bid odd coupling; maybe switch to a $code-ref and calling that, with a filter_guest_config sub passed then on the call sites?