From 0ab1bf552d6c7c7f839917b77df6fb810a6ba2e4 Mon Sep 17 00:00:00 2001
From: "Crank, Daniel (dc6350)"
Date: Tue, 23 Apr 2019 16:15:13 -0500
Subject: [PATCH] Don't log OS_PASSWORD in auth.log

By default, all sudo commands are logged to auth.log with their full command line. Previously, Shipyard scripts called 'sudo docker' with -e OS_PASSWORD=foo, resulting in the password value appearing in auth.log in plaintext. This change adds -E to the sudo command to pass the user's environment through, and removes the value from -e OS_PASSWORD which tells Docker to use the environment value directly. This prevents the password value from being logged.

Change-Id: Ifcf7f6525876144a609ff42be42da57a3f7f6f60
---
 tools/run_shipyard.sh | 5 +++++
 tools/shipyard.sh | 8 ++++++--
 tools/shipyard_docker_base_command.sh | 4 ++--
 3 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/tools/run_shipyard.sh b/tools/run_shipyard.sh
index e2edb918..1647d4ce 100755
--- a/tools/run_shipyard.sh
+++ b/tools/run_shipyard.sh
@@ -34,6 +34,11 @@ set -e
 DIR="$(realpath $(dirname "${BASH_SOURCE}"))"
 source "${DIR}/shipyard_docker_base_command.sh"
 SHIPYARD_HOSTPATH=${SHIPYARD_HOSTPATH:-"/home/shipyard/host"}
+# set default value for OS_PASSWORD if it's not set
+# this doesn't actually get exported to environment
+# unless the script is sourced
+export OS_PASSWORD=${OS_PASSWORD:-password}
+
 # Execute Shipyard CLI
 #
 # NOTE: We will mount the current directory so that any directories
diff --git a/tools/shipyard.sh b/tools/shipyard.sh
index 36b1cb8b..9ed8e1f6 100755
--- a/tools/shipyard.sh
+++ b/tools/shipyard.sh
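Review bot: The comment added above `export OS_PASSWORD=${OS_PASSWORD:-password}` in tools/run_shipyard.sh says the value "doesn't actually get exported to environment unless the script is sourced", which reads as if the export had no effect. It does take effect for this script's own process and its children, and the patch depends on exactly that: `sudo -E docker run ... -e OS_PASSWORD` takes the value from the inherited environment. I would reword it to `# Default OS_PASSWORD and export it so 'sudo -E docker run -e OS_PASSWORD' can read it from the environment;` followed by `# the caller's shell is only affected if this script is sourced.` The identical comment in the tools/shipyard.sh hunk needs the same rewording. Since the fallback is the literal `password`, a one-line warning on stderr when OS_PASSWORD was unset would also make it visible that the default credential is in use.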
@@ -39,17 +39,21 @@ set -e
 SHIPYARD_HOSTPATH=${SHIPYARD_HOSTPATH:-"/target"}
 NAMESPACE="${NAMESPACE:-ucp}"
 SHIPYARD_IMAGE="${SHIPYARD_IMAGE:-quay.io/airshipit/shipyard:master}"
+# set default value for OS_PASSWORD if it's not set
+# this doesn't actually get exported to environment
+# unless the script is sourced
+export OS_PASSWORD=${OS_PASSWORD:-password}
 
 # Define Base Docker Command
 base_docker_command=$(cat << EndOfCommand
-sudo docker run -t --rm --net=host
+sudo -E docker run -t --rm --net=host
 -e http_proxy=${HTTP_PROXY}
 -e https_proxy=${HTTPS_PROXY}
 -e no_proxy=${NO_PROXY:-127.0.0.1,localhost,.svc.cluster.local}
 -e OS_AUTH_URL=${OS_AUTH_URL:-http://keystone.${NAMESPACE}.svc.cluster.local:80/v3}
 -e OS_USERNAME=${OS_USERNAME:-shipyard}
 -e OS_USER_DOMAIN_NAME=${OS_USER_DOMAIN_NAME:-default}
--e OS_PASSWORD=${OS_PASSWORD:-password}
+-e OS_PASSWORD
 -e OS_PROJECT_DOMAIN_NAME=${OS_PROJECT_DOMAIN_NAME:-default}
 -e OS_PROJECT_NAME=${OS_PROJECT_NAME:-service}
 EndOfCommand
diff --git a/tools/shipyard_docker_base_command.sh b/tools/shipyard_docker_base_command.sh
index 197e77c4..a5a9f0a1 100644
--- a/tools/shipyard_docker_base_command.sh
+++ b/tools/shipyard_docker_base_command.sh
@@ -23,14 +23,14 @@ SHIPYARD_IMAGE="${SHIPYARD_IMAGE:-quay.io/airshipit/shipyard:master}"
 
 # Define Base Docker Command
 base_docker_command=$(cat << EndOfCommand
-sudo docker run -t --rm --net=host
+sudo -E docker run -t --rm --net=host
 -e http_proxy=${HTTP_PROXY}
 -e https_proxy=${HTTPS_PROXY}
 -e no_proxy=${NO_PROXY}
 -e OS_AUTH_URL=${OS_AUTH_URL:-http://keystone.${NAMESPACE}.svc.cluster.local:80/v3}
 -e OS_USERNAME=${OS_USERNAME:-shipyard}
 -e OS_USER_DOMAIN_NAME=${OS_USER_DOMAIN_NAME:-default}
--e OS_PASSWORD=${OS_PASSWORD:-password}
+-e OS_PASSWORD
 -e OS_PROJECT_DOMAIN_NAME=${OS_PROJECT_DOMAIN_NAME:-default}
 -e OS_PROJECT_NAME=${OS_PROJECT_NAME:-service}
 EndOfCommand
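Review bot: `sudo -E` on the `docker run` line in tools/shipyard.sh passes the caller's entire environment to a command running as root, although only OS_PASSWORD has to cross that boundary. `sudo --preserve-env=OS_PASSWORD docker run -t --rm --net=host` keeps the value out of auth.log in the same way, because only the variable name appears on the command line, and forwards nothing else; the list form needs sudo 1.8.21 or newer. Both forms depend on the sudoers policy permitting the caller to preserve environment variables, so it is worth stating that requirement in the script's header comment. The same line in tools/shipyard_docker_base_command.sh should change with it.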
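Review bot: `-e OS_PASSWORD` in tools/shipyard_docker_base_command.sh no longer has a fallback of its own: the `:-password` default was removed here, and the matching `export` was added only to the scripts that use the command. Docker forwards a name-only `-e` only when the variable is set in its own environment, so any other script that sources this file without exporting OS_PASSWORD (none is visible in this patch) would start the container without it. Putting `export OS_PASSWORD=${OS_PASSWORD:-password}` in this file next to the SHIPYARD_IMAGE default would keep the base command self-contained. Separately, `-e http_proxy=${HTTP_PROXY}` and `-e https_proxy=${HTTPS_PROXY}` are still expanded onto the sudo command line, so a proxy URL that embeds credentials would still be written to auth.log.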