Bug 1352929

Summary: QCI 1.2 displays password in plaintext
Product: Red Hat Quickstart Cloud Installer Reporter: Thom Carlin <tcarlin>
Component: WebUIAssignee: Derek Whatley <dwhatley>
Status: CLOSED WONTFIX QA Contact: Dave Johnson <dajohnso>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 1.0CC: jmatthew, tcarlin
Target Milestone: ---Keywords: Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-01-19 14:42:10 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1354526    
Bug Blocks:    

Description Thom Carlin 2016-07-05 14:07:03 UTC 
Description of problem:

During Deployment, error in downloading manifest shows password in plaintext

Version-Release number of selected component (if applicable):

QCI 1.2

How reproducible:

100% with error

Steps to Reproduce:
1. Install QCI 1.2
2. Log into run launch-fusor-installer
3. Deploy a provider, with errors on CDN side

Actual results:

Password displayed

Expected results:

Password removed/covered/obscured

Additional info:

Error occurred in "Actions::Fusor::Subscription::DownloadManifest
Input:"
Password appeared in Errors tab for task, Input parameters
Comment 1 Derek Whatley 2016-07-07 18:35:42 UTC 
Hi Thom,

Do you remember exactly where the password is being displayed? Is it in the DynFlow console, in a deployment log, or perhaps in development.log?

Additionally, can you clarify instructions for replication of "errors on CDN side"?

Thanks!
Comment 2 Thom Carlin 2016-07-07 19:06:09 UTC 
The password is displayed in the Dynflow console "Password appeared in Errors tab for task, Input parameters"

As I recall, the "errors on CDN side" referred to problems connecting to Customer Portal.
Comment 3 Derek Whatley 2016-07-11 13:52:12 UTC 
Contacted Ivan Necas from Satellite team to see about adding password filtering support to DynFlow. 

Ivan responded quickly and opened up two pull requests.
https://github.com/theforeman/foreman-tasks/pull/192
https://github.com/Dynflow/dynflow/pull/190

Erik Nelson assisted by testing PR set in a sandbox environment and gain a reasonable certainty that they will suit our needs.

Blocking BZ filed against Satellite 6.2 to get Ivan's PRs downstreamed for future use by QCI. See BZ 1354526.

This BZ is blocked until Satellite team downstreams changes.
Comment 5 John Matthews 2016-07-11 15:43:53 UTC 
We are removing this from GA as we require a RFE to be added to Sat which we don't expect to make it into Sat 6.2