[QA] some credentials appear in configreport

[jnweiger]

Seen with configreport-0.2.1-rc1

• Install and configure wopi or search_elastic
• Run configreport:generate
• Most usernames and passwords are obscured. E.g. "umgmt_set_password": "***REMOVED SENSITIVE VALUE***" OK
• The following potential secrets are exposed

  "wopi.token.key": "6mnncum6zo",
  ...
  "apps": [
      {
          "id": "search_elastic", 
  ...
          "appconfig": {
              "enabled": "yes",
              "installed_version": "2.1.0",
              "nocontent": "false",
              "servers": "elastic:vet18e2r1q@172.17.0.4:9200",
              "types": "filesystem"
          }
      },

[jnweiger]

Elastic search credentials are a new feature. Probably never implemented for the reporting.

[NannaBarz]

@IljaN and @ahherrera will work on this

[ahherrera]

@jnweiger @NannaBarz @IljaN Can you share with me a guide to install wopi? I am working on the task for elastic but I would like to be able to validate wopi as well.

[IljaN]

@ahherrera Did you see: https://doc.owncloud.com/server/next/admin_manual/enterprise/collaboration/msoffice-wopi-integration.html ?

[ahherrera]

@jnweiger @IljaN @NannaBarz I was testing and with the master branch of the core and the master branch of the elastic search app it is masking the password. Do I need to test with wopi as well?

{ "id": "search_elastic", "name": "Full Text Search", "version": "2.1.0", "licence": "GPLv2", "author": "ownCloud GmbH", "appconfig": { "enabled": "yes", "installed_version": "2.1.0", "scanExternalStorages": "1", "server_password": "REMOVED SENSITIVE VALUE", "server_user": "tttt", "servers": "https:\/\/es01:9200", "types": "filesystem" } },

[IljaN]

@ahherrera You can create seperate PRs for search_elastic and wopi

[IljaN]

With regards to wopi you can probably just install the wopi app without configuring a full wopi server to test configreport.

[ahherrera]

With regards to wopi you can probably just install the wopi app without configuring a full wopi server to test configreport.

@IljaN This message is without implementing changes, I have tested what exists and I cannot replicate what is requested in the issue. @jnweiger Can you validate that this error is still present?

[ahherrera]

Did you see

I am reviewing that.

[ahherrera]

@IljaN @jnweiger Can you share with me the configuration parameters for wopi test?

[jnweiger]

A reduced reproducer for the wopi test looks like this:

occ config:system:set wopi.token.key --value "secret token"
occ configreport:generate | grep wopi.token
        "wopi.token.key": "secret token"

No wopi server connection needed. The wopi app can even remain disabled for this.

[jnweiger]

"serverpassword": "REMOVED SENSITIVE VALUE_", "server_user": "tttt",

Regarding the elastic search case:

• Please also mask the server_user. For e.g. the mysql connection, we also mask both username and password.
• Are we sure that username:password can no longer show in the serves URL?

[ahherrera]

"serverpassword": "REMOVED SENSITIVE VALUE_", "server_user": "tttt",

Regarding the elastic search case:

• Please also mask the server_user. For e.g. the mysql connection, we also mask both username and password.
• Are we sure that username:password can no longer show in the serves URL?

I am going to make the setting in the server_user. I am sure that the user:password is not going to appear in the url because they are being taken as independent parameters outside the url. Regards

[jnweiger]

That should fix the release blocker. I'll build an rc2 from here, and verify.