php-opencloud / openstack

PHP SDK for OpenStack clouds
Apache License 2.0

used password shown on error message #398

Closed mshannaq closed 4 months ago

mshannaq commented 4 months ago

When using php-opencloud, when an error happens, the error message shows the password used to access OpenStack.

Is there any way to hide the used password from the error message?

example of what I mean:

If I call:

    $openstack = $this->prepareOpenStack($providerInfo);
    try {
        $compute = $openstack->computeV2();
        $server = $compute->getServer(['id' => $serverinfo->instance_id]);
        $rtype = ($rebootType == 'hard') ? \OpenStack\Compute\v2\Enum::REBOOT_HARD : \OpenStack\Compute\v2\Enum::REBOOT_SOFT;
        $reboot_result = $server->reboot($rtype);
    } catch (\Exception $e) {
        return response()->json([
            'status' => 'error',
            // The SDK exception text is appended verbatim to the message returned to the caller
            'message' => 'An error occurred running the command ' . $e->getMessage(),
            'code' => $e->getCode(), // Optional: Include error code
            'data' => [ // Optional: Additional error data
                'error_details' => 'Additional details about the error.',
            ],
        ], Response::HTTP_INTERNAL_SERVER_ERROR); // Use appropriate HTTP status code
    }

In that example, if an error happens, sometimes the returned message contains the error text with the used password.

Example of the message returned:

An error occurred running the command HTTP Error
~~~~~~~~~~
The remote server returned a "401 UNAUTHORIZED" error for the following transaction:

Request
~~~~~~~
POST /v3/auth/tokens HTTP/1.1
User-Agent: GuzzleHttp/7
Content-Type: application/json
Host: console.openstack.test:5000

{"auth":{"identity":{"password":{"user":{"name":"sandboxuser","password":"tempPassword","domain":{"id":"default"}}},"methods":["password"]},"scope":{"project":{"id":"9283f894c3frd32"}}}}

Response
~~~~~~~~
HTTP/1.1 401 UNAUTHORIZED
date: Sat, 03 Feb 2024 03:38:36 GMT
server: Apache/2.4.29 (Ubuntu)
www-authenticate: Keystone uri="https://console.openstack.test:5000/v3"
content-length: 109
vary: X-Auth-Token
x-openstack-request-id: req-15f44d54-90ba-40e9-8c08-61a879a65eb3
content-type: application/json

{"error":{"code":401,"message":"The request you have made requires authentication.","title":"Unauthorized"}}

Further information
~~~~~~~~~~~~~~~~~~~
Please ensure that your authentication credentials are valid. Visit http://docs.php-opencloud.com/en/latest/http-codes for more information about debugging HTTP status codes, or file a support issue on https://github.com/php-opencloud/openstack/issues.

In the message it shows the used password tempPassword; it is not secure to return the password in messages.

Is there any way to disable showing the password in returned messages?

k0ka commented 4 months ago

Added errorVerbosity in v3.8.0: https://php-openstack-sdk.readthedocs.io/en/latest/setup.html#other-options
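As an added example (not code from php-opencloud or from either commenter), an application-side complement to the SDK's errorVerbosity option: the catch block from the issue reworked so the raw exception text is scrubbed of the Keystone password field before it is logged, and the API caller only ever receives a generic message plus a correlation id. The function names, the correlation id scheme and the sample message are assumptions constructed for this example.

```php
<?php
// Added example, not code from php-opencloud or the issue author.

/**
 * Blank the value of every string-valued "password" JSON field in $message
 * (the /v3/auth/tokens body the SDK echoes into its error text) and any
 * X-Auth-Token header line. Escaped quotes inside the value are handled.
 */
function redactSecrets(string $message): string
{
    $message = preg_replace(
        '/("password"\s*:\s*")(?:\\\\.|[^"\\\\])*(")/i',
        '$1[REDACTED]$2',
        $message
    );
    return preg_replace('/^(X-Auth-Token:[ \t]*).*$/mi', '$1[REDACTED]', $message);
}

/**
 * Build the JSON payload returned to the caller and log the scrubbed
 * detail server-side. Mirrors the catch block from the issue, but the
 * caller only sees generic text and a correlation id to quote to support.
 */
function buildErrorResponse(\Throwable $e): array
{
    $correlationId = bin2hex(random_bytes(8)); // assumed scheme, 16 hex chars
    error_log(sprintf('[%s] OpenStack call failed: %s',
        $correlationId, redactSecrets($e->getMessage())));
    return [
        'status'  => 'error',
        'message' => 'An error occurred running the command',
        'code'    => $e->getCode(),
        'data'    => ['correlation_id' => $correlationId],
    ];
}

// Constructed sample following the shape of the 401 message in the issue.
$sample = 'HTTP Error: POST /v3/auth/tokens ' .
    '{"auth":{"identity":{"password":{"user":{"name":"sandboxuser","password":"tempPassword"}}}}}';
$clean = redactSecrets($sample);
assert(strpos($clean, 'tempPassword') === false);
assert(strpos($clean, '"password":"[REDACTED]"') !== false);
// The "password" key under "identity" holds an object, not a string, so it is left intact.
assert(strpos($clean, '"password":{"user"') !== false);
echo $clean, PHP_EOL;
print_r(buildErrorResponse(new \RuntimeException($sample, 401)));
```

Run with `php -d zend.assertions=1 example.php` so the inline assertions are evaluated; the scrubbed text still goes to the server log, so the log itself must be access-controlled.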