add support for base64 encoded obfuscate pattern

sni · Sep 20, 2024 · f896eeb · f896eeb
1 parent 51cc4e2
commit f896eeb
Show file tree

Hide file tree

Showing 5 changed files with 105 additions and 6 deletions.
diff --git a/Changes b/Changes
@@ -3,6 +3,7 @@ This file documents the revision history for the Monitoring Webinterface Thruk.
 next:
           - show host attributes on grid/overview pages
           - make status badges toggle buttons
+          - add support for base64 encoded obfuscate pattern
           - Rest:
             - add support for host/service note commands
               ex.: /hosts/<name>/cmd/note

diff --git a/docs/documentation/configuration.asciidoc b/docs/documentation/configuration.asciidoc
@@ -1199,6 +1199,39 @@ ex.:
   commandline_obfuscate_pattern = /(check_.*\--pw )(\S+)/$1"***"/
   commandline_obfuscate_pattern = /(check_.*\"password\": )(\S+)/$1"***"/
 
+Another way is to create a `_OBFUSCATE_REGEXP` custom variable which will then be used
+for its host/service. The syntax is slightly different, you only set the regexp
+pattern which will be replaced:
+
+ex.:
+
+  define host {
+    host_name          test
+    _OBFUSCATE_REGEXP  pass\W+
+  }
+
+The password can be base64 encoded to mitigate escaping issues. Encode the regexp
+and add the `b64:` prefix.
+
+  %>echo -n "password" | base64
+  cGFzc3dvcmQ=
+
+then use this in your naemon configuration:
+
+  define host {
+    host_name          test
+    _OBFUSCATE_REGEXP  b64:cGFzc3dvcmQ=
+  }
+
+If regular expressions are not required, you can use the `_OBFUSCATE_STRING` custom
+variable. This is a simple text replacement with no regular expressions.
+
+ex.:
+
+  define host {
+    host_name          test
+    _OBFUSCATE_STRING  password
+  }
 
 
 === show_full_commandline_source

diff --git a/lib/Thruk/Backend/Manager.pm b/lib/Thruk/Backend/Manager.pm
@@ -4,6 +4,7 @@ use warnings;
 use strict;
 use Carp qw/confess croak/;
 use Data::Dumper qw/Dumper/;
+use MIME::Base64 ();
 use Scalar::Util qw/looks_like_number/;
 use Time::HiRes qw/gettimeofday tv_interval/;
 
@@ -1402,17 +1403,28 @@ sub _get_obfuscated_string {
         return $string;
     }
 
-    if (defined $macros->{'$_SERVICEOBFUSCATE_ME$'}) {
+    # regexp pattern
+    for my $m ($macros->{'$_SERVICEOBFUSCATE_ME$'}, $macros->{'$_HOSTOBFUSCATE_ME$'}, $macros->{'$_SERVICEOBFUSCATE_REGEXP$'}, $macros->{'$_HOSTOBFUSCATE_REGEXP$'}, $macros->{'$_SERVICEOBFUSCATE_REGEX$'}, $macros->{'$_HOSTOBFUSCATE_REGEX$'}) {
+        next unless defined $m;
+        if($m =~ m/^(b64|base64):(.*)$/gmx) {
+            $m = MIME::Base64::decode_base64($2);
+        }
         eval {
             ## no critic
-            $string =~ s/$macros->{'$_SERVICEOBFUSCATE_ME$'}/\*\*\*/g;
+            $string =~ s/$m/\*\*\*/g;
             ## use critic
         };
     }
-    if (defined $macros->{'$_HOSTOBFUSCATE_ME$'}) {
+
+    # string pattern
+    for my $m ($macros->{'$_SERVICEOBFUSCATE_STRING$'}, $macros->{'$_HOSTOBFUSCATE_STRING$'}, $macros->{'$_SERVICEOBFUSCATE_STR$'}, $macros->{'$_HOSTOBFUSCATE_STR$'}) {
+        next unless defined $m;
+        if($m =~ m/^(b64|base64):(.*)$/gmx) {
+            $m = MIME::Base64::decode_base64($2);
+        }
         eval {
             ## no critic
-            $string =~ s/$macros->{'$_HOSTOBFUSCATE_ME$'}/\*\*\*/g;
+            $string =~ s/\Q$m\E/\*\*\*/g;
             ## use critic
         };
     }

diff --git a/plugins/plugins-available/node-control/lib/Thruk/Utils/CLI/Nodecontrol.pm b/plugins/plugins-available/node-control/lib/Thruk/Utils/CLI/Nodecontrol.pm
@@ -114,7 +114,12 @@ sub cmd {
                 }
             }
             if(!$facts || $facts->{'last_error'} || $facts->{'last_facts_error'}) {
-                _error("%s updating %s failed: %s\n", $peer->{'name'}, $mode, ($facts->{'last_facts_error'}//$facts->{'last_error'}//'unknown error'));
+                my $err = sprintf("%s updating %s failed: %s\n", $peer->{'name'}, $mode, ($facts->{'last_facts_error'}//$facts->{'last_error'}//'unknown error'));
+                if($ENV{'THRUK_CRON'}) {
+                    _warn($err); # don't fill the log with errors from cronjobs
+                } else {
+                    _error($err);
+                }
             } else {
                 _info("%s updated %s sucessfully: OK\n", $peer->{'name'}, $mode);
             }

diff --git a/t/100-model_Thruk.t b/t/100-model_Thruk.t
@@ -9,7 +9,7 @@ use Thruk::Utils ();
 BEGIN {
     plan skip_all => 'internal test only' if defined $ENV{'PLACK_TEST_EXTERNALSERVER_URI'};
     plan skip_all => 'backends required' if(!-s 'thruk_local.conf' and !defined $ENV{'PLACK_TEST_EXTERNALSERVER_URI'});
-    plan tests => 42;
+    plan tests => 46;
 }
 
 BEGIN {
@@ -210,6 +210,54 @@ $cmd = $b->expand_command(
 );
 is($cmd->{'line_expanded'}, '/tmp/check_test -H '.$hosts->[0]->{'name'}.' -p "***"', 'expanded command: '.$cmd->{'line_expanded'});
 
+################################################################################
+# test obfuscation (from host macro)
+$c->{'config'}->{'expand_user_macros'} = ["ALL"];
+$cmd = $b->expand_command(
+    'host'    => {(%{$hosts->[0]}, ('custom_variable_names' => ['OBFUSCATE_REGEXP'], 'custom_variable_values' => ['pa.*ord']))},
+    'command' => {
+        'name' => 'check_test',
+        'line' => '$USER1$/check_test -H $HOSTNAME$ -p "password"',
+    },
+);
+is($cmd->{'line_expanded'}, '/tmp/check_test -H '.$hosts->[0]->{'name'}.' -p "***"', 'expanded command: '.$cmd->{'line_expanded'});
+
+################################################################################
+# test obfuscation (from host macro)
+$c->{'config'}->{'expand_user_macros'} = ["ALL"];
+$cmd = $b->expand_command(
+    'host'    => {(%{$hosts->[0]}, ('custom_variable_names' => ['OBFUSCATE_STRING'], 'custom_variable_values' => ['*as+w$r/']))},
+    'command' => {
+        'name' => 'check_test',
+        'line' => '$USER1$/check_test -H $HOSTNAME$ -p "*as+w$r/"',
+    },
+);
+is($cmd->{'line_expanded'}, '/tmp/check_test -H '.$hosts->[0]->{'name'}.' -p "***"', 'expanded command: '.$cmd->{'line_expanded'});
+
+################################################################################
+# test base64 obfuscation (from host macro)
+$c->{'config'}->{'expand_user_macros'} = ["ALL"];
+$cmd = $b->expand_command(
+    'host'    => {(%{$hosts->[0]}, ('custom_variable_names' => ['OBFUSCATE_ME'], 'custom_variable_values' => ['b64:cGFzc3dvcmQ=']))},
+    'command' => {
+        'name' => 'check_test',
+        'line' => '$USER1$/check_test -H $HOSTNAME$ -p "password"',
+    },
+);
+is($cmd->{'line_expanded'}, '/tmp/check_test -H '.$hosts->[0]->{'name'}.' -p "***"', 'expanded command: '.$cmd->{'line_expanded'});
+
+################################################################################
+# test base64 obfuscation (from host macro)
+$c->{'config'}->{'expand_user_macros'} = ["ALL"];
+$cmd = $b->expand_command(
+    'host'    => {(%{$hosts->[0]}, ('custom_variable_names' => ['OBFUSCATE_STR'], 'custom_variable_values' => ['b64:cGFzc3dvcmQ=']))},
+    'command' => {
+        'name' => 'check_test',
+        'line' => '$USER1$/check_test -H $HOSTNAME$ -p "password"',
+    },
+);
+is($cmd->{'line_expanded'}, '/tmp/check_test -H '.$hosts->[0]->{'name'}.' -p "***"', 'expanded command: '.$cmd->{'line_expanded'});
+
 ################################################################################
 # test obfuscation (from global config)
 $c->{'config'}->{'expand_user_macros'}            = ["ALL"];