Bug 1118354

Summary: [RFE] Automated testing should prevent leaking sensitive data
Product: [oVirt] ovirt-engine
Component: RFEs
Version: ---
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Reporter: Yedidyah Bar David <didi>
Assignee: Gil Klein <gklein>
QA Contact: Gonza <grafuls>
CC: bugs, iheim, ncredi, pstehlik, rbalakri, sbonazzo, srevivo, wmealing, ylavi
Target Milestone: ovirt-4.0.0-alpha
Target Release: 4.0.0
Keywords: FutureFeature, TestCaseNeeded, TestOnly
Flags: rule-engine: ovirt-4.0.0+
       pnovotny: testing_plan_complete-
       rule-engine: planning_ack+
       rule-engine: devel_ack+
       pstehlik: testing_ack+
Hardware: Unspecified
OS: Unspecified
URL: https://fedorahosted.org/ovirt/ticket/227
Doc Type: Enhancement
Story Points: ---
Last Closed: 2016-06-22 15:36:46 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: Integration
Cloudforms Team: ---

Description Yedidyah Bar David 2014-07-10 13:48:18 UTC
We should have some automated testing (in jenkins or whatever) that will alert if we leak secrets.

Such a test should:

1. Pick random secrets for whatever relevant slot
engine/dwh/reports db password, engine/reports admin password, other?

2. Generate an answer file and run setup

3. Optionally (?) do some actions
to make the system work, log stuff, etc

4. Create a temporary user with only default permissions

5. Search for these secrets in all of the hosts' disk using this user

6. Alert if any are found

Perhaps do more than that. E.g.:

7. Search for these using a privileged user (root, ovirt) and verify that all occurrences are expected

Comment 1 Yedidyah Bar David 2014-07-10 13:54:48 UTC
This should probably include verifying suitable access to secret ssl keys as well.

Comment 2 Yaniv Kaul 2015-11-22 15:56:31 UTC
Gil - assigning to you - I'm pretty sure it's an easy project to add to your tests - just grep for the password in the sosreport logs after collecting them.
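The following is an added example, not oVirt code and not anything the reporter or commenters wrote: a minimal Python sketch of steps 1, 5, 6 and 7 of the description, plus the key-file permission check from comment 1, run over a constructed directory tree that stands in for a host filesystem or an unpacked sosreport (the grep comment 2 suggests). The slot names, the answer-file format, the allowlist and the file layout are all assumptions made for illustration; nothing here reproduces engine-setup's real option names or paths.

```python
import os
import secrets
import shutil
import stat
import tempfile

# Secret "slots" from the description; the names are illustrative, not engine-setup's options.
SECRET_SLOTS = ("engine_db_password", "dwh_db_password",
                "reports_db_password", "engine_admin_password")


def generate_secrets(slots=SECRET_SLOTS):
    """Step 1: one long random token per slot, so a hit on disk cannot be coincidental."""
    return {slot: secrets.token_urlsafe(24) for slot in slots}


def write_answer_file(path, secret_map):
    """Step 2 stand-in: a key=value answer file (hypothetical format, not engine-setup's)."""
    with open(path, "w") as f:
        for slot, value in secret_map.items():
            f.write(f"HYPOTHETICAL/{slot}=str:{value}\n")


def scan_tree(root, secret_map):
    """Steps 5-6: walk root and return the set of (path, slot) pairs whose file contains a
    secret value. Run this as the temporary unprivileged user: everything it can read and
    match is a leak; files it cannot open are collected in `unreadable` instead of failing."""
    found, unreadable = set(), set()
    needles = {slot: value.encode() for slot, value in secret_map.items()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    data = f.read()
            except (PermissionError, FileNotFoundError, IsADirectoryError):
                unreadable.add(path)
                continue
            for slot, needle in needles.items():
                if needle in data:
                    found.add((path, slot))
    return found, unreadable


def unexpected_occurrences(found, allowed):
    """Step 7: for a privileged (root) scan, every hit must sit in a location we expect for
    that slot; `allowed` maps slot -> set of paths. Anything else is reported."""
    return {hit for hit in found if hit[0] not in allowed.get(hit[1], set())}


def insecure_key_files(paths):
    """Comment 1: private key material must not be group- or world-accessible."""
    return [p for p in paths if os.stat(p).st_mode & (stat.S_IRWXG | stat.S_IRWXO)]


def demo():
    """Build a constructed fake host tree and run the checks end to end."""
    root = tempfile.mkdtemp(prefix="leakscan-")
    try:
        secret_map = generate_secrets()
        answer = os.path.join(root, "answers.conf")
        write_answer_file(answer, secret_map)
        os.chmod(answer, 0o600)
        logdir = os.path.join(root, "var", "log")
        os.makedirs(logdir)
        with open(os.path.join(logdir, "setup.log"), "w") as f:   # constructed leak
            f.write("DEBUG connecting as engine; password=%s\n" % secret_map["engine_db_password"])
        key = os.path.join(root, "engine.key")
        with open(key, "w") as f:
            f.write("-----BEGIN PLACEHOLDER KEY-----\n")   # constructed, not a real key
        os.chmod(key, 0o644)   # deliberately too permissive
        found, _unreadable = scan_tree(root, secret_map)
        allowed = {slot: {answer} for slot in secret_map}   # only the answer file may hold them
        leaks = unexpected_occurrences(found, allowed)
        bad_keys = insecure_key_files([key])
        return {
            "leaks": sorted((os.path.relpath(p, root), slot) for p, slot in leaks),
            "insecure_keys": [os.path.relpath(p, root) for p in bad_keys],
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

In a real job the same `scan_tree` would be invoked twice: once under the throwaway default-permission account (any hit at all fails the build) and once as root, where only hits outside the allowlist fail it. Because the secrets are generated fresh per run, a match in a rotated log or a core dump is unambiguous, which is the property plain grepping for a fixed test password lacks.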

Comment 3 Yaniv Lavi 2016-06-14 21:08:46 UTC
Nelly did you say you want to move this to JIRA? 
Why is this back on Gil?

Comment 4 Nelly Credi 2016-06-15 06:21:38 UTC
Gil will decide who is going to test it