diff options
author | Daniil Baturin <daniil@vyos.io> | 2021-12-16 23:51:03 +0700 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-12-16 23:51:03 +0700 |
commit | 98396247fcba8b7793e62c483288fdda34c77f3c (patch) | |
tree | eba4f27cfe4a664b076190845d35f726c381b23f /src/helpers | |
parent | ecec222a6dac7fa225d26dce497d893da00b32a1 (diff) | |
parent | 713c969d7472475568cda1e20e72c7341faec48c (diff) | |
download | vyos-1x-98396247fcba8b7793e62c483288fdda34c77f3c.tar.gz vyos-1x-98396247fcba8b7793e62c483288fdda34c77f3c.zip |
Merge pull request #1110 from erkin/equuleus
T3354: Backport strip-private script
Diffstat (limited to 'src/helpers')
-rwxr-xr-x | src/helpers/strip-private.py | 149 |
1 files changed, 149 insertions, 0 deletions
diff --git a/src/helpers/strip-private.py b/src/helpers/strip-private.py new file mode 100755 index 000000000..e4e1fe11d --- /dev/null +++ b/src/helpers/strip-private.py @@ -0,0 +1,149 @@ +#!/usr/bin/python3 + +# Copyright 2021 VyOS maintainers and contributors <maintainers@vyos.io> +# +# This library is free software; you can redistribute it and/or +# modify it under the terms of the GNU Lesser General Public +# License as published by the Free Software Foundation; either +# version 2.1 of the License, or (at your option) any later version. +# +# This library is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# Lesser General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public +# License along with this library. If not, see <http://www.gnu.org/licenses/>. + +import argparse +import re +import sys + +from netaddr import IPNetwork, AddrFormatError + + +parser = argparse.ArgumentParser(description='strip off private information from VyOS config') + +strictness = parser.add_mutually_exclusive_group() +strictness.add_argument('--loose', action='store_true', help='remove only information specified as arguments') +strictness.add_argument('--strict', action='store_true', help='remove any private information (implies all arguments below). This is the default behavior.') + +parser.add_argument('--mac', action='store_true', help='strip off MAC addresses') +parser.add_argument('--hostname', action='store_true', help='strip off system host and domain names') +parser.add_argument('--username', action='store_true', help='strip off user names') +parser.add_argument('--dhcp', action='store_true', help='strip off DHCP shared network and static mapping names') +parser.add_argument('--domain', action='store_true', help='strip off domain names') +parser.add_argument('--asn', action='store_true', help='strip off BGP ASNs') +parser.add_argument('--snmp', action='store_true', help='strip off SNMP location information') +parser.add_argument('--lldp', action='store_true', help='strip off LLDP location information') + +address_preserval = parser.add_mutually_exclusive_group() +address_preserval.add_argument('--address', action='store_true', help='strip off all IPv4 and IPv6 addresses') +address_preserval.add_argument('--public-address', action='store_true', help='only strip off public IPv4 and IPv6 addresses') +address_preserval.add_argument('--keep-address', action='store_true', help='preserve all IPv4 and IPv6 addresses') + +# Censor the first half of the address. +ipv4_re = re.compile(r'(\d{1,3}\.){2}(\d{1,3}\.\d{1,3})') +ipv4_subst = r'xxx.xxx.\2' + +# Censor all but the first two fields. +ipv6_re = re.compile(r'([0-9a-fA-F]{1,4}\:){2}([0-9a-fA-F:]+)') +ipv6_subst = r'xxxx:xxxx:\2' + +def ip_match(match: re.Match, subst: str) -> str: + """ + Take a Match and a substitution pattern, check if the match contains a valid IP address, strip + information if it is. This routine is intended to be passed to `re.sub' as a replacement pattern. + """ + result = match.group(0) + # Is this a valid IP address? + try: + addr = IPNetwork(result).ip + # No? Then we've got nothing to do with it. + except AddrFormatError: + return result + # Should we strip it? + if args.address or (args.public_address and not addr.is_private()): + return match.expand(subst) + # No? Then we'll leave it as is. + else: + return result + +def strip_address(line: str) -> str: + """ + Strip IPv4 and IPv6 addresses from the given string. + """ + return ipv4_re.sub(lambda match: ip_match(match, ipv4_subst), ipv6_re.sub(lambda match: ip_match(match, ipv6_subst), line)) + +def strip_lines(rules: tuple) -> None: + """ + Read stdin line by line and apply the given stripping rules. + """ + try: + for line in sys.stdin: + if not args.keep_address: + line = strip_address(line) + for (condition, regexp, subst) in rules: + if condition: + line = regexp.sub(subst, line) + print(line, end='') + # stdin can be cut for any reason, such as user interrupt or the pager terminating before the text can be read. + # All we can do is gracefully exit. + except (BrokenPipeError, EOFError, KeyboardInterrupt): + sys.exit(1) + +if __name__ == "__main__": + args = parser.parse_args() + # Strict mode is the default and the absence of loose mode implies presence of strict mode. + if not args.loose: + args.mac = args.domain = args.hostname = args.username = args.dhcp = args.asn = args.snmp = args.lldp = True + if not args.public_address and not args.keep_address: + args.address = True + elif not args.address and not args.public_address: + args.keep_address = True + + # (condition, precompiled regexp, substitution string) + stripping_rules = [ + # Strip passwords + (True, re.compile(r'password \S+'), 'password xxxxxx'), + (True, re.compile(r'cisco-authentication \S+'), 'cisco-authentication xxxxxx'), + # Strip public key information + (True, re.compile(r'public-keys \S+'), 'public-keys xxxx@xxx.xxx'), + (True, re.compile(r'type \'ssh-(rsa|dss)\''), 'type ssh-xxx'), + (True, re.compile(r' key \S+'), ' key xxxxxx'), + # Strip OpenVPN secrets + (True, re.compile(r'(shared-secret-key-file|ca-cert-file|cert-file|dh-file|key-file|client) (\S+)'), r'\1 xxxxxx'), + # Strip IPSEC secrets + (True, re.compile(r'pre-shared-secret \S+'), 'pre-shared-secret xxxxxx'), + # Strip OSPF md5-key + (True, re.compile(r'md5-key \S+'), 'md5-key xxxxxx'), + # Strip WireGuard private-key + (True, re.compile(r'private-key \S+'), 'private-key xxxxxx'), + + # Strip MAC addresses + (args.mac, re.compile(r'([0-9a-fA-F]{2}\:){5}([0-9a-fA-F]{2}((\:{0,1})){3})'), r'xx:xx:xx:xx:xx:\2'), + + # Strip host-name, domain-name, and domain-search + (args.hostname, re.compile(r'(host-name|domain-name|domain-search) \S+'), r'\1 xxxxxx'), + + # Strip user-names + (args.username, re.compile(r'(user|username|user-id) \S+'), r'\1 xxxxxx'), + # Strip full-name + (args.username, re.compile(r'(full-name) [ -_A-Z a-z]+'), r'\1 xxxxxx'), + + # Strip DHCP static-mapping and shared network names + (args.dhcp, re.compile(r'(shared-network-name|static-mapping) \S+'), r'\1 xxxxxx'), + + # Strip host/domain names + (args.domain, re.compile(r' (peer|remote-host|local-host|server) ([\w-]+\.)+[\w-]+'), r' \1 xxxxx.tld'), + + # Strip BGP ASNs + (args.asn, re.compile(r'(bgp|remote-as) (\d+)'), r'\1 XXXXXX'), + + # Strip LLDP location parameters + (args.lldp, re.compile(r'(altitude|datum|latitude|longitude|ca-value|country-code) (\S+)'), r'\1 xxxxxx'), + + # Strip SNMP location + (args.snmp, re.compile(r'(location) \S+'), r'\1 xxxxxx'), + ] + strip_lines(stripping_rules) |