Merge pull request #27176 from basepi/merge-forward-2015.5

[2015.5] Merge forward from 2014.7 to 2015.5

conf/cloud

@@ -28,6 +28,9 @@
 # The level of messages to send to the console.
 # One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'.
 #
+# The following log levels are considered INSECURE and may log sensitive data:
+# ['garbage', 'trace', 'debug']
+#
 # Default: 'info'
 #
 #log_level: info

conf/master

@@ -672,6 +672,10 @@
 
 # The level of messages to send to the console.
 # One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'.
+#
+# The following log levels are considered INSECURE and may log sensitive data:
+# ['garbage', 'trace', 'debug']
+#
 #log_level: warning
 
 # The level of messages to send to the log file.

conf/minion

@@ -512,6 +512,10 @@
 
 # The level of messages to send to the console.
 # One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'.
+#
+# The following log levels are considered INSECURE and may log sensitive data:
+# ['garbage', 'trace', 'debug']
+#
 # Default: 'warning'
 #log_level: warning
 

salt/cli/api.py

@@ -8,6 +8,7 @@ import logging
 
 import salt.utils.parsers as parsers
 import salt.version
+from salt.utils.verify import verify_log
 
 log = logging.getLogger(__name__)
 
@@ -51,6 +52,7 @@ class SaltAPI(six.with_metaclass(parsers.OptionParserMeta,  # pylint: disable=W0
             sys.exit(err.errno)
 
         self.setup_logfile_logger()
+        verify_log(self.config)
         client = salt.client.netapi.NetapiClient(self.config)
         self.daemonize_if_required()
         self.set_pidfile()

salt/cli/call.py

@@ -4,7 +4,7 @@ from __future__ import absolute_import
 import os
 
 from salt.utils import parsers
-from salt.utils.verify import verify_env, verify_files
+from salt.utils.verify import verify_env, verify_files, verify_log
 from salt.config import _expand_glob_path
 import salt.cli.caller
 import salt.defaults.exitcodes
@@ -56,6 +56,7 @@ class SaltCall(parsers.SaltCallOptionParser):
 
         # Setup file logging!
         self.setup_logfile_logger()
+        verify_log(self.config)
 
         caller = salt.cli.caller.Caller.factory(self.config)
 

salt/cli/cp.py

@@ -16,7 +16,7 @@ import pprint
 # Import salt libs
 import salt.client
 from salt.utils import parsers, print_cli
-from salt.utils.verify import verify_files
+from salt.utils.verify import verify_files, verify_log
 
 
 class SaltCPCli(parsers.SaltCPOptionParser):
@@ -42,6 +42,7 @@ class SaltCPCli(parsers.SaltCPOptionParser):
 
         # Setup file logging!
         self.setup_logfile_logger()
+        verify_log(self.config)
 
         cp_ = SaltCP(self.config)
         cp_.run()

salt/cli/daemons.py

@@ -8,6 +8,7 @@ from __future__ import absolute_import
 import os
 import sys
 import warnings
+from salt.utils.verify import verify_log
 
 # All salt related deprecation warnings should be shown once each!
 warnings.filterwarnings(
@@ -115,6 +116,7 @@ class Master(parsers.MasterOptionParser):
             sys.exit(err.errno)
 
         self.setup_logfile_logger()
+        verify_log(self.config)
         logger.info('Setting up the Salt Master')
 
         if self.config['transport'].lower() == 'zeromq':
@@ -222,6 +224,7 @@ class Minion(parsers.MinionOptionParser):
             sys.exit(err.errno)
 
         self.setup_logfile_logger()
+        verify_log(self.config)
         logger.info(
             'Setting up the Salt Minion "{0}"'.format(
                 self.config['id']
@@ -369,6 +372,7 @@ class ProxyMinion(parsers.MinionOptionParser):
 
         self.config['proxy'] = proxydetails
         self.setup_logfile_logger()
+        verify_log(self.config)
         logger.info(
             'Setting up a Salt Proxy Minion "{0}"'.format(
                 self.config['id']
@@ -459,6 +463,7 @@ class Syndic(parsers.SyndicOptionParser):
             sys.exit(err.errno)
 
         self.setup_logfile_logger()
+        verify_log(self.config)
         logger.info(
             'Setting up the Salt Syndic Minion "{0}"'.format(
                 self.config['id']

salt/cli/key.py

@@ -5,7 +5,7 @@ from __future__ import absolute_import
 import os
 
 from salt.utils import parsers
-from salt.utils.verify import check_user, verify_env, verify_files
+from salt.utils.verify import check_user, verify_env, verify_files, verify_log
 
 
 class SaltKey(parsers.SaltKeyOptionParser):
@@ -55,6 +55,7 @@ class SaltKey(parsers.SaltKeyOptionParser):
                 )
 
         self.setup_logfile_logger()
+        verify_log(self.config)
 
         key = salt.key.KeyCLI(self.config)
         if check_user(self.config['user']):

salt/cli/run.py

@@ -3,7 +3,7 @@ from __future__ import print_function
 from __future__ import absolute_import
 
 from salt.utils import parsers
-from salt.utils.verify import check_user, verify_env, verify_files
+from salt.utils.verify import check_user, verify_env, verify_files, verify_log
 from salt.exceptions import SaltClientError
 import salt.defaults.exitcodes  # pylint: disable=W0611
 
@@ -40,6 +40,7 @@ class SaltRun(parsers.SaltRunOptionParser):
 
         # Setup file logging!
         self.setup_logfile_logger()
+        verify_log(self.config)
 
         runner = salt.runner.Runner(self.config)
         if self.options.doc:

salt/cli/salt.py

@@ -8,7 +8,7 @@ import sys
 import salt.utils.job
 from salt._compat import string_types
 from salt.utils import parsers, print_cli
-from salt.utils.verify import verify_files
+from salt.utils.verify import verify_files, verify_log
 from salt.exceptions import (
         SaltClientError,
         SaltInvocationError,
@@ -41,6 +41,7 @@ class SaltCMD(parsers.SaltCMDOptionParser):
 
         # Setup file logging!
         self.setup_logfile_logger()
+        verify_log(self.config)
 
         try:
             # We don't need to bail on config file permission errors

salt/cli/ssh.py

@@ -4,6 +4,7 @@ from __future__ import print_function
 from __future__ import absolute_import
 import salt.client.ssh
 from salt.utils import parsers
+from salt.utils.verify import verify_log
 
 
 class SaltSSH(parsers.SaltSSHOptionParser):
@@ -14,6 +15,7 @@ class SaltSSH(parsers.SaltSSHOptionParser):
     def run(self):
         self.parse_args()
         self.setup_logfile_logger()
+        verify_log(self.config)
 
         ssh = salt.client.ssh.SSH(self.config)
         ssh.run()

salt/cloud/cli.py

@@ -25,7 +25,7 @@ import salt.defaults.exitcodes
 import salt.output
 import salt.utils
 from salt.utils import parsers
-from salt.utils.verify import check_user, verify_env, verify_files
+from salt.utils.verify import check_user, verify_env, verify_files, verify_log
 
 # Import salt.cloud libs
 import salt.cloud
@@ -73,6 +73,7 @@ class SaltCloud(parsers.SaltCloudParser):
 
         # Setup log file logging
         self.setup_logfile_logger()
+        verify_log(self.config)
 
         if self.options.update_bootstrap:
             ret = salt.utils.cloud.update_bootstrap(self.config)

salt/utils/verify.py

@@ -500,3 +500,11 @@ def safe_py_code(code):
         if code.count(bad):
             return False
     return True
+
+
+def verify_log(opts):
+    '''
+    If an insecre logging configuration is found, show a warning
+    '''
+    if opts.get('log_level') in ('garbage', 'trace', 'debug'):
+        log.warn('Insecure logging configuration detected! Sensitive data may be logged.')