All,
I built a previous TA and upgrades worked fine in the past. My recent TA build with AOB 4.0 has an issue where the modular input passwords in password.conf are all erased and set to ******** (exactly 8). I have tried to debug this every possible way I could. Has anyone seen an issue where passwords were reset with all asterisks? I know from the logs that this occurs immediately after the upgrade, but the logs don't shed light on why the reset occurs.
clear_password | {"api_key": "********"} |
I am ripping my hair out and I can't seem to figure out why this is happening. Once I upgrade and try to upgrade to a different build, the issue no longer occurs.
This issue is specifically related to the new credentials.py under /aob_py[23]/splunktaucclib/rest_handler/credentials.py
The old magic password format was 8 '*' (asterisks), but the new lib is matching the formatting constant to six '*' (asterisks) to make it consistent with solnlib, but it ultimately breaks existing installs.
To fix this you must patch the credentials.py to recognize the legacy format (eight asterisks) and rewrite the inputs.conf with the new six asterisks format.
I simply added an additional condition to the _merge_passwords function to check for the old format, and to rewrite the new magic password. This fixes the problem for upgrades and future releases.
elif existed_model["content"][k] == "********":
    # set existing as raw value, magic pattern is the old one so rewrite this item to fix it.
    existed_model["content"][k] = v
    need_write_magic_pwd = True
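A simplified stand-alone model of the placeholder mismatch described in this answer, added here as an illustration; it is not the splunktaucclib code or the poster's patch, and the function names and the sample secret are constructed. It shows the stored secret being replaced by the legacy placeholder when only six asterisks are recognized, and being preserved once the eight-asterisk form is also accepted.

```python
# Simplified model of the merge step discussed in this thread.
# Not splunktaucclib code; names and sample values are constructed.
NEW_MAGIC = "******"       # six asterisks: placeholder the new lib expects
LEGACY_MAGIC = "********"  # eight asterisks: placeholder older builds wrote


def merge_passwords(conf_fields, stored_secrets, accept_legacy):
    """Merge encrypted fields read from inputs.conf with the credential store.

    Returns (secrets_to_store, conf_rewrites).
    """
    placeholders = {NEW_MAGIC}
    if accept_legacy:
        placeholders.add(LEGACY_MAGIC)
    secrets = dict(stored_secrets)
    rewrites = {}
    for key, value in conf_fields.items():
        if value in placeholders and key in stored_secrets:
            # Placeholder: keep the stored secret untouched.
            if value != NEW_MAGIC:
                rewrites[key] = NEW_MAGIC  # migrate legacy placeholder
        else:
            # Anything else is taken as a newly entered clear-text secret.
            secrets[key] = value
            rewrites[key] = NEW_MAGIC
    return secrets, rewrites


def clobbered(secrets):
    """Keys whose stored secret is only asterisks (the symptom in the thread)."""
    return sorted(k for k, v in secrets.items() if v and set(v) == {"*"})


def demo():
    conf = {"api_key": LEGACY_MAGIC}               # inputs.conf from an old build
    store = {"api_key": "constructed-secret-123"}  # constructed sample secret
    unpatched, _ = merge_passwords(conf, store, accept_legacy=False)
    patched, rewrites = merge_passwords(conf, store, accept_legacy=True)
    return clobbered(unpatched), clobbered(patched), patched, rewrites


if __name__ == "__main__":
    print(demo())
```

The `clobbered` check is the one to run against stored credentials after an upgrade: a secret made up only of asterisks means the placeholder was saved in place of the real value.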
The issue is related to the following python file packaged with AOB. On older versions of AOB packages the credential.py is looking for 8 asterisks in inputs.conf. In later versions it's looking for 6 asterisks, and as a result they overwrite values in password.conf. Basically, your password.conf file will have 8 asterisks encrypted in the resulting password.conf file.
/opt/splunk/etc/apps/TA-proofpoint-isolation/bin/ta_proofpoint_isolation/aob_py3/splunktaucclib/rest_handler/credentials.py: # if the field value is '********', keep the original value
/opt/splunk/etc/apps/TA-proofpoint-isolation/bin/ta_proofpoint_isolation/aob_py3/splunktaucclib/rest_handler/credentials.py: # original password does not exist, use '********' as password
/opt/splunk/etc/apps/TA-proofpoint-isolation/bin/ta_proofpoint_isolation/aob_py3/splunktaucclib/rest_handler/credentials.py: # if the field value is '********', keep the original value
/opt/splunk/etc/apps/TA-proofpoint-isolation/bin/ta_proofpoint_isolation/aob_py3/splunktaucclib/rest_handler/credentials.py: # original password does not exist, use '********' as password
/opt/splunk/etc/apps/TA-proofpoint-isolation/bin/ta_proofpoint_isolation/aob_py3/splunktaucclib/rest_handler/credentials.py: # if the field value is '********', keep the original value
/opt/splunk/etc/apps/TA-proofpoint-isolation/bin/ta_proofpoint_isolation/aob_py3/splunktaucclib/rest_handler/credentials.py: # original password does not exist, use '********' as password
/opt/splunk/etc/apps/TA-proofpoint-isolation/bin/ta_proofpoint_isolation/aob_py3/splunktaucclib/rest_handler/credentials.py: # if the field value is '********', keep the original value
/opt/splunk/etc/apps/TA-proofpoint-isolation/bin/ta_proofpoint_isolation/aob_py3/splunktaucclib/rest_handler/credentials.py: # original password does not exist, use '********' as password
We are currently trying to make an app upgrade seamlessly, but the Add-on Builder 4 version of the app doesn't like the inputs.conf from the older versions. The cause of this problem is this new password constant, but we need to make it work without the requirement to manually change the current password from six * to eight *.
We are testing a patch that modifies the PASSWORD constant directly so the entire lib uses the old constant, but we don't know if it breaks other stuff.
Has anyone encountered this problem and managed to solve it?