Feature/additional secrets improvements

pyproject.toml

@@ -4,7 +4,7 @@
 
 [tool.poetry]
     name="pyracf"
-    version="1.0b5"
+    version="1.0b6"
     description="Python interface to RACF using IRRSMO00 RACF Callable Service."
     license = "Apache-2.0"
     authors = [

pyracf/common/utilities/logger.py

@@ -149,19 +149,33 @@ def __redact_request_dictionary(
     def __redact_string(
         self,
         input_string: Union[str, bytes],
-        start_ind: int,
-        end_pattern: Union[str, bytes],
-    ):
+        key: str,
+    ) -> Union[str, bytes]:
         """
-        Redacts characters in a string between a starting index and ending pattern.
+        Redacts characters in a string between a starting index and ending tag.
         Replaces the identified characters with '********' regardless of the original length.
         """
         asterisks = "********"
+        is_bytes = False
         if isinstance(input_string, bytes):
-            asterisks = asterisks.encode("cp1047")
-        pre_keyword = input_string[:start_ind]
-        post_keyword = end_pattern.join(input_string[start_ind:].split(end_pattern)[1:])
-        return pre_keyword + asterisks + end_pattern + post_keyword
+            input_string = input_string.decode("cp1047")
+            is_bytes = True
+        quoted = re.search(rf"{key.upper()}( +)\(\'.*?(?<!\')\'\)", input_string)
+        if quoted is not None:
+            input_string = re.sub(
+                rf"{key.upper()}( +)\(\'.*?(?<!\')\'\)",
+                rf"{key.upper()}\1('{asterisks}')",
+                input_string,
+            )
+        else:
+            input_string = re.sub(
+                rf"{key.upper()}( +)\(.*?(?<!\\)\)",
+                rf"{key.upper()}\1({asterisks})",
+                input_string,
+            )
+        if is_bytes:
+            return input_string.encode("cp1047")
+        return input_string
 
     def redact_request_xml(
         self,
@@ -191,7 +205,11 @@ def redact_request_xml(
             # <tag operation="del" />
             if f"</{xml_key}>" not in xml_string:
                 continue
-            xml_string = self.__redact_string(xml_string, match.end(), f"</{xml_key}")
+            xml_string = re.sub(
+                rf"{xml_key}(.*)>.*<\/{xml_key}",
+                rf"{xml_key}\1>********</{xml_key}",
+                xml_string,
+            )
         if is_bytes:
             xml_string = xml_string.encode("utf-8")
         return xml_string
@@ -203,27 +221,38 @@ def redact_result_xml(
     ) -> str:
         """
         Redacts a list of specific secret traits in a result xml string.
-        Based on the following RACF command pattern:
+        Based on the following RACF command patterns:
             'TRAIT (value)'
+            "TRAIT ('value')"
         This function also accounts for varied amounts of whitespace in the pattern.
         """
         if isinstance(security_result, list):
             return security_result
         for xml_key in secret_traits.values():
             racf_key = xml_key.split(":")[1] if ":" in xml_key else xml_key
-            end_pattern = ")"
             if isinstance(security_result, bytes):
                 match = re.search(
                     rf"{racf_key.upper()} +\(", security_result.decode("cp1047")
                 )
-                end_pattern = end_pattern.encode("cp1047")
             else:
                 match = re.search(rf"{racf_key.upper()} +\(", security_result)
             if not match:
                 continue
-            security_result = self.__redact_string(
-                security_result, match.end(), end_pattern
-            )
+            security_result = self.__redact_string(security_result, racf_key)
+            if isinstance(security_result, bytes):
+                security_result = re.sub(
+                    rf"<message>([A-Z]*[0-9]*[A-Z]) [^<>]*{racf_key.upper()}[^<>]*<\/message>",
+                    rf"<message>REDACTED MESSAGE CONCERNING {racf_key.upper()}, "
+                    + r"REVIEW DOCUMENTATION OF \1 FOR MORE INFORMATION</message>",
+                    security_result.decode("cp1047"),
+                ).encode("cp1047")
+            else:
+                security_result = re.sub(
+                    rf"<message>([A-Z]*[0-9]*[A-Z]) [^<>]*{racf_key.upper()}[^<>]*<\/message>",
+                    rf"<message>REDACTED MESSAGE CONCERNING {racf_key.upper()}, "
+                    + r"REVIEW DOCUMENTATION OF \1 FOR MORE INFORMATION</message>",
+                    security_result,
+                )
         return security_result
 
     def __colorize_json(self, json_text: str) -> str:

tests/user/test_user_constants.py

@@ -71,6 +71,12 @@ def get_sample(sample_file: str) -> Union[str, bytes]:
 TEST_ALTER_USER_RESULT_ERROR_UID_SECRET_DICTIONARY = get_sample(
     "alter_user_result_error_uid_secret.json"
 )
+TEST_ALTER_USER_RESULT_INST_DATA_SUCCESS_XML = get_sample(
+    "alter_user_result_success_inst_data.xml"
+)
+TEST_ALTER_USER_RESULT_SUCCESS_INST_DATA_SECRET_DICTIONARY = get_sample(
+    "alter_user_result_success_inst_data_secret.json"
+)
 
 # Extract User
 TEST_EXTRACT_USER_RESULT_BASE_OMVS_SUCCESS_XML = get_sample(
@@ -218,6 +224,10 @@ def get_sample(sample_file: str) -> Union[str, bytes]:
 )
 TEST_ALTER_USER_REQUEST_TRAITS_UID_ERROR = dict(TEST_ALTER_USER_REQUEST_TRAITS_EXTENDED)
 TEST_ALTER_USER_REQUEST_TRAITS_UID_ERROR["omvs:uid"] = 90000000000
+TEST_ALTER_USER_REQUEST_TRAITS_INST_DATA = dict(TEST_ALTER_USER_REQUEST_TRAITS_EXTENDED)
+TEST_ALTER_USER_REQUEST_TRAITS_INST_DATA["base:installation_data"] = (
+    "Test = Value; Other(stuff goes here)'')"
+)
 
 # Extract User
 TEST_EXTRACT_USER_REQUEST_BASE_OMVS_XML = get_sample(

tests/user/test_user_result_parser.py

@@ -523,3 +523,27 @@ def test_user_admin_custom_secret_redacted_on_error(
             f"({TestUserConstants.TEST_ALTER_USER_REQUEST_TRAITS_UID_ERROR['omvs:uid']})",
             exception.exception.result,
         )
+
+    def test_user_admin_custom_secret_redacted_when_complex_characters(
+        self,
+        call_racf_mock: Mock,
+    ):
+        user_admin = UserAdmin(additional_secret_traits=["base:installation_data"])
+        call_racf_mock.side_effect = [
+            TestUserConstants.TEST_EXTRACT_USER_RESULT_BASE_ONLY_SUCCESS_XML,
+            TestUserConstants.TEST_ALTER_USER_RESULT_INST_DATA_SUCCESS_XML,
+        ]
+        result = user_admin.alter(
+            "squidwrd",
+            traits=TestUserConstants.TEST_ALTER_USER_REQUEST_TRAITS_INST_DATA,
+        )
+        self.assertEqual(
+            result,
+            TestUserConstants.TEST_ALTER_USER_RESULT_SUCCESS_INST_DATA_SECRET_DICTIONARY,
+        )
+        self.assertNotIn(
+            TestUserConstants.TEST_ALTER_USER_REQUEST_TRAITS_INST_DATA[
+                "base:installation_data"
+            ],
+            result,
+        )

tests/user/user_log_samples/alter_user_additional_secret_added_error.log

@@ -240,9 +240,9 @@
       <returncode>16</returncode>
       <reasoncode>8</reasoncode>
       <image>ALTUSER SQUIDWRD  NOSPECIAL      OMVS     (HOME        ('/u/clarinet') NOPROGRAM      UID         (********))</image>
-      <message>IKJ56702I INVALID UID, 90000000000</message>
-      <message>IKJ56701I MISSING OMVS UID+</message>
-      <message>IKJ56701I MISSING OMVS USER ID (UID), 1-10 NUMERIC DIGITS</message>
+      <message>REDACTED MESSAGE CONCERNING UID, REVIEW DOCUMENTATION OF IKJ56702I FOR MORE INFORMATION</message>
+      <message>REDACTED MESSAGE CONCERNING UID, REVIEW DOCUMENTATION OF IKJ56701I FOR MORE INFORMATION</message>
+      <message>REDACTED MESSAGE CONCERNING UID, REVIEW DOCUMENTATION OF IKJ56701I FOR MORE INFORMATION</message>
     </command>
   </user>
   <returncode>4</returncode>
@@ -271,9 +271,9 @@
           "reasonCode": 8,
           "image": "ALTUSER SQUIDWRD  NOSPECIAL      OMVS     (HOME        ('/u/clarinet') NOPROGRAM      UID         (********))",
           "messages": [
-            "IKJ56702I INVALID UID, 90000000000",
-            "IKJ56701I MISSING OMVS UID+",
-            "IKJ56701I MISSING OMVS USER ID (UID), 1-10 NUMERIC DIGITS"
+            "REDACTED MESSAGE CONCERNING UID, REVIEW DOCUMENTATION OF IKJ56702I FOR MORE INFORMATION",
+            "REDACTED MESSAGE CONCERNING UID, REVIEW DOCUMENTATION OF IKJ56701I FOR MORE INFORMATION",
+            "REDACTED MESSAGE CONCERNING UID, REVIEW DOCUMENTATION OF IKJ56701I FOR MORE INFORMATION"
           ]
         }
       ]

tests/user/user_result_samples/alter_user_result_error_uid_secret.json

@@ -14,9 +14,9 @@
           "reasonCode": 8,
           "image": "ALTUSER SQUIDWRD  NOSPECIAL      OMVS     (HOME        ('/u/clarinet') NOPROGRAM      UID         (********))",
           "messages": [
-            "IKJ56702I INVALID UID, 90000000000",
-            "IKJ56701I MISSING OMVS UID+",
-            "IKJ56701I MISSING OMVS USER ID (UID), 1-10 NUMERIC DIGITS"
+            "REDACTED MESSAGE CONCERNING UID, REVIEW DOCUMENTATION OF IKJ56702I FOR MORE INFORMATION",
+            "REDACTED MESSAGE CONCERNING UID, REVIEW DOCUMENTATION OF IKJ56701I FOR MORE INFORMATION",
+            "REDACTED MESSAGE CONCERNING UID, REVIEW DOCUMENTATION OF IKJ56701I FOR MORE INFORMATION"
           ]
         }
       ]

tests/user/user_result_samples/alter_user_result_success_inst_data.xml

@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="IBM-1047"?>
+<securityresult xmlns="http://www.ibm.com/systems/zos/saf/IRRSMO00Result1">
+  <user name="SQUIDWRD" operation="set" requestid="UserRequest">
+    <info>Definition exists. Add command skipped due  to precheck option</info>
+    <command>
+      <safreturncode>0</safreturncode>
+      <returncode>0</returncode>
+      <reasoncode>0</reasoncode>
+      <image>ALTUSER SQUIDWRD     NAME        ('Squidward') OWNER       (leonard) SPECIAL      DATA        ('Test = Value; Other(stuff goes here)'')') OMVS     (UID         (2424) HOME        ('/u/squidwrd') PROGRAM     ('/bin/sh'))</image>
+    </command>
+  </user>
+  <returncode>0</returncode>
+  <reasoncode>0</reasoncode>
+</securityresult>

tests/user/user_result_samples/alter_user_result_success_inst_data_secret.json

@@ -0,0 +1,23 @@
+{
+  "securityResult": {
+    "user": {
+      "name": "SQUIDWRD",
+      "operation": "set",
+      "requestId": "UserRequest",
+      "info": [
+        "Definition exists. Add command skipped due  to precheck option"
+      ],
+      "commands": [
+        {
+          "safReturnCode": 0,
+          "returnCode": 0,
+          "reasonCode": 0,
+          "image": "ALTUSER SQUIDWRD     NAME        ('Squidward') OWNER       (leonard) SPECIAL      DATA        ('********') OMVS     (UID         (2424) HOME        ('/u/squidwrd') PROGRAM     ('/bin/sh'))"
+        }
+      ]
+    },
+    "returnCode": 0,
+    "reasonCode": 0,
+    "runningUserid": "testuser"
+  }
+}