Bug 1118354 - [RFE] Automated testing should prevent leaking sensitive data
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: RFEs
Version: ---
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ovirt-4.0.0-alpha
Target Release: 4.0.0
Assignee: Gil Klein
QA Contact: Gonza
URL: https://fedorahosted.org/ovirt/ticket...
Whiteboard:
Depends On:
Blocks:
Reported: 2014-07-10 13:48 UTC by Yedidyah Bar David
Modified: 2019-04-28 13:12 UTC

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-06-22 15:36:46 UTC
oVirt Team: Integration
Embargoed:
rule-engine: ovirt-4.0.0+
pnovotny: testing_plan_complete-
rule-engine: planning_ack+
rule-engine: devel_ack+
pstehlik: testing_ack+



Description Yedidyah Bar David 2014-07-10 13:48:18 UTC
We should have some automated testing (in Jenkins or whatever) that will alert if we leak secrets.

Such a test should:

1. Pick random secrets for whatever relevant slot
engine/dwh/reports db password, engine/reports admin password, other?

2. Generate an answer file and run setup

3. Optionally (?) do some actions
to make the system work, log stuff, etc

4. Create a temporary user with only default permissions

5. Search for these secrets in all of the hosts' disks using this user

6. Alert if any are found

Perhaps do more than that. E.g.:

7. Search for these using a privileged user (root, ovirt) and verify that all occurrences are expected
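
A sketch of the check proposed in the description above (steps 1 and 5 to 7) and of the grep suggested in comment 2, added here as an illustration; it is not part of the bug report or of oVirt's test suite. The slot names, file names and the `ENGINE_DB_PASSWORD` key are constructed placeholders, and the world-readable mode bit is used as an assumption standing in for "readable by a user with only default permissions".

```python
import os
import secrets
import stat
from pathlib import Path

def make_canaries(slots):
    """Step 1: one random high-entropy secret per slot, so any hit on disk is unambiguous."""
    return {slot: secrets.token_urlsafe(24) for slot in slots}

def scan_tree(root, canaries, expected=()):
    """Steps 5-7: return (slot, path, world_readable) for each file under root
    that contains a canary and is not in the allowlist of expected locations."""
    needles = {slot: value.encode() for slot, value in canaries.items()}
    expected = {Path(p).resolve() for p in expected}
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath, name)
            try:
                st = path.lstat()
                if not stat.S_ISREG(st.st_mode):
                    continue  # skip symlinks, sockets, devices
                data = path.read_bytes()
            except OSError:
                continue  # unreadable as the scanning user: not exposed to that user
            for slot, needle in needles.items():
                if needle in data and path.resolve() not in expected:
                    findings.append((slot, str(path), bool(st.st_mode & stat.S_IROTH)))
    return findings

def demo(tmp):
    """Constructed sample tree: an answer file (expected, 0600) and a log that leaked (0644)."""
    canaries = make_canaries(["engine_db_password", "admin_password"])
    answers = Path(tmp, "answers.conf")
    answers.write_text(f"ENGINE_DB_PASSWORD={canaries['engine_db_password']}\n")
    answers.chmod(0o600)
    log = Path(tmp, "setup.log")
    log.write_text(f"DEBUG connecting with password {canaries['admin_password']}\n")
    log.chmod(0o644)
    return canaries, scan_tree(tmp, canaries, expected=[answers])

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        _, hits = demo(tmp)
        for slot, path, world in hits:
            print(f"LEAK {slot} in {path} world_readable={world}")
```

Run as the temporary unprivileged user, every finding is a leak (step 6); run as root with the allowlist filled in, every finding is an unexpected occurrence (step 7).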

Comment 1 Yedidyah Bar David 2014-07-10 13:54:48 UTC
This should probably include verifying suitable access to secret SSL keys as well.

Comment 2 Yaniv Kaul 2015-11-22 15:56:31 UTC
Gil - assigning to you - I'm pretty sure it's an easy project to add to your tests - just grep for the password in the sosreport logs after collecting them.

Comment 3 Yaniv Lavi 2016-06-14 21:08:46 UTC
Nelly, did you say you want to move this to JIRA?
Why is this back on Gil?

Comment 4 Nelly Credi 2016-06-15 06:21:38 UTC
Gil will decide who is going to test it

