[open-ils-commits] [GIT] Evergreen ILS branch rel_2_2 updated. 8dfb887686cb7a81a09b46c9d917c150bdd14d7a
Evergreen Git
git at git.evergreen-ils.org
Thu Nov 8 13:02:22 EST 2012
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "Evergreen ILS".
The branch, rel_2_2 has been updated
via 8dfb887686cb7a81a09b46c9d917c150bdd14d7a (commit)
via 65e0a6d715f87b487233f5eea15371404662ebe1 (commit)
via 08b92941797c63e90cc7f3963da2ea106e33e865 (commit)
from 92f9a371dffad6a741dd5e6abc6ab8ba65a82713 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 8dfb887686cb7a81a09b46c9d917c150bdd14d7a
Author: Bill Erickson <berick at esilibrary.com>
Date: Fri Nov 2 15:28:27 2012 -0400
CStoreEditor auto-activity log redaction
CStoreEditor logs all update calls to the activity log as key/value
pairs on the updated object. Avoid loging key/value pairs for objects
when the API call being relayed by CStoreEditor is on the list of
log-protect API calls. Instead, log "**DETAILS REDACTED**".
Signed-off-by: Bill Erickson <berick at esilibrary.com>
Signed-off-by: Dan Scott <dscott at laurentian.ca>
diff --git a/Open-ILS/src/perlmods/lib/OpenILS/Utils/CStoreEditor.pm b/Open-ILS/src/perlmods/lib/OpenILS/Utils/CStoreEditor.pm
index d41e435..70553b7 100644
--- a/Open-ILS/src/perlmods/lib/OpenILS/Utils/CStoreEditor.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/Utils/CStoreEditor.pm
@@ -1,6 +1,7 @@
use strict; use warnings;
package OpenILS::Utils::CStoreEditor;
use OpenILS::Application::AppUtils;
+use OpenSRF::Application;
use OpenSRF::AppSession;
use OpenSRF::EX qw(:try);
use OpenILS::Utils::Fieldmapper;
@@ -624,9 +625,25 @@ sub _checkperm {
# Logs update actions to the activity log
# -----------------------------------------------------------------------------
sub log_activity {
- my( $self, $type, $action, $arg ) = @_;
+ my( $self, $method, $type, $action, $arg ) = @_;
my $str = "$type.$action";
- $str .= _prop_string($arg);
+
+ if ($arg) {
+
+ my $redact = $OpenSRF::Application::shared_conf->shared->log_protect;
+ if (ref($redact) eq 'ARRAY' and grep { $method =~ /^$_/ } @{$redact}) {
+
+ # when API calls are marked as log-protect, avoid
+ # dumping the param object to the activity log.
+ $str .= " **DETAILS REDACTED**";
+
+ } else {
+
+ $str .= _prop_string($arg);
+ }
+ }
+
+
$self->log(A, $str);
}
@@ -747,7 +764,7 @@ sub runmethod {
$logger->error("Attempt to update DB while not in a transaction : $method");
throw OpenSRF::EX::ERROR ("Attempt to update DB while not in a transaction : $method");
}
- $self->log_activity($type, $action, $arg);
+ $self->log_activity($method, $type, $action, $arg);
}
if($$options{checkperm}) {
commit 65e0a6d715f87b487233f5eea15371404662ebe1
Author: Bill Erickson <berick at esilibrary.com>
Date: Wed Oct 31 09:00:19 2012 -0400
Add sample log redaction config to EG opensrf_core
Redact parameter logging for the following API calls:
Login:
open-ils.auth.authenticate.verify
open-ils.auth.authenticate.complete
open-ils.auth_proxy.login
User updates:
open-ils.actor.user.password
open-ils.actor.user.username
open-ils.actor.user.email
open-ils.actor.patron.update
open-ils.cstore.direct.actor.user.create
open-ils.cstore.direct.actor.user.update
open-ils.cstore.direct.actor.user.delete
Signed-off-by: Bill Erickson <berick at esilibrary.com>
Signed-off-by: Dan Scott <dscott at laurentian.ca>
diff --git a/Open-ILS/examples/opensrf_core.xml.example b/Open-ILS/examples/opensrf_core.xml.example
index 440bd8b..7bc022f 100644
--- a/Open-ILS/examples/opensrf_core.xml.example
+++ b/Open-ILS/examples/opensrf_core.xml.example
@@ -170,4 +170,22 @@ Example OpenSRF bootstrap configuration file for Evergreen
</router>
</routers>
<!-- ======================================================================================== -->
+
+ <!-- Any methods which match any of these match_string node values will
+ have their params redacted from lower-level input logging.
+ Adjust these examples as needed. -->
+ <shared>
+ <log_protect>
+ <match_string>open-ils.auth.authenticate.verify</match_string>
+ <match_string>open-ils.auth.authenticate.complete</match_string>
+ <match_string>open-ils.auth_proxy.login</match_string>
+ <match_string>open-ils.actor.user.password</match_string>
+ <match_string>open-ils.actor.user.username</match_string>
+ <match_string>open-ils.actor.user.email</match_string>
+ <match_string>open-ils.actor.patron.update</match_string>
+ <match_string>open-ils.cstore.direct.actor.user.create</match_string>
+ <match_string>open-ils.cstore.direct.actor.user.update</match_string>
+ <match_string>open-ils.cstore.direct.actor.user.delete</match_string>
+ </log_protect>
+ </shared>
</config>
commit 08b92941797c63e90cc7f3963da2ea106e33e865
Author: Dan Scott <dscott at laurentian.ca>
Date: Tue Nov 6 09:48:51 2012 -0500
Document log redaction XML for opensrf_core.xml (2.2)
Based on Bill Erickson's original text.
Signed-off-by: Dan Scott <dscott at laurentian.ca>
Signed-off-by: Bill Erickson <berick at esilibrary.com>
diff --git a/docs/RELEASE_NOTES_2_2.txt b/docs/RELEASE_NOTES_2_2.txt
index 11ac2ef..5961379 100644
--- a/docs/RELEASE_NOTES_2_2.txt
+++ b/docs/RELEASE_NOTES_2_2.txt
@@ -6,6 +6,33 @@ Release notes
Upgrade notes
-------------
+Log Protect (redaction)
+~~~~~~~~~~~~~~~~~~~~~~~
+To prevent sensitive information such as passwords from being logged
+in general activity logs, add the following XML chunk to the bottom of
+`opensrf_core.xml`, just inside the `<config>` section:
+
+[source, xml]
+----------------------------------------------------------------
+ ...
+ </routers>
+ <shared> <!-- new block starts here -->
+ <log_protect>
+ <match_string>open-ils.auth.authenticate.verify</match_string>
+ <match_string>open-ils.auth.authenticate.complete</match_string>
+ <match_string>open-ils.auth_proxy.login</match_string>
+ <match_string>open-ils.actor.user.password</match_string>
+ <match_string>open-ils.actor.user.username</match_string>
+ <match_string>open-ils.actor.user.email</match_string>
+ <match_string>open-ils.actor.patron.update</match_string>
+ <match_string>open-ils.cstore.direct.actor.user.create</match_string>
+ <match_string>open-ils.cstore.direct.actor.user.update</match_string>
+ <match_string>open-ils.cstore.direct.actor.user.delete</match_string>
+ </log_protect>
+ </shared> <!-- new block ends here -->
+</config>
+----------------------------------------------------------------
+
Z39.50 Server Definitions
~~~~~~~~~~~~~~~~~~~~~~~
Z39.50 server target definitions have been removed from the sample
@@ -608,4 +635,4 @@ License
This work is licensed under the Creative Commons Attribution-ShareAlike 3.0
Unported License. To view a copy of this license, visit
http://creativecommons.org/licenses/by-sa/3.0/ or send a letter to Creative
-Commons, 444 Castro Street, Suite 900, Mountain View, California, 94041, USA.
\ No newline at end of file
+Commons, 444 Castro Street, Suite 900, Mountain View, California, 94041, USA.
-----------------------------------------------------------------------
Summary of changes:
Open-ILS/examples/opensrf_core.xml.example | 18 ++++++++++++
.../src/perlmods/lib/OpenILS/Utils/CStoreEditor.pm | 23 +++++++++++++--
docs/RELEASE_NOTES_2_2.txt | 29 +++++++++++++++++++-
3 files changed, 66 insertions(+), 4 deletions(-)
hooks/post-receive
--
Evergreen ILS
More information about the open-ils-commits
mailing list