Hide sensible node vars

Fixes #344

Author: robertcheramy

CHANGELOG.md

@@ -7,13 +7,17 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 ## [Unreleased]
 
 ### Added
+- Documentation of the configuration (@robertcheramy)
 
 ### Changed
-- Update weblibs to the latest version
+- Update weblibs to the latest version (@robertcheramy)
+- Depend on oxidized 0.34.0 (configuration of oxidized web as an extension) (@robertcheramy)
+- Use JSON to format the node metadata in /node/show (@robertcheramy)
 
 ### Fixed
 - Run puma directly, so that it does not rename the oxidized process. Fixes: 349 (@robertcheramy)
 - Display local time correctly and use epoch as timestamps in the URLs. Fixes: #258 and #356 (@robertcheramy)
+- Hide node vars when listed in the configuration entry hide_node_vars. Fixes: #344 (@robertcheramy)
 
 ## [0.16.0 - 2025-03-25]
 This release introduces the possibility for an extended configuration of
@@ -25,7 +29,7 @@ will only work with oxidized-web version 0.16.0 or later.
 
 ### Fixed
 - the table preferences (pagelength, column visibility, search) are stored in the local browser cache. Fixes #315 #314 #265 #211 (@robertcheramy)
-- Update "refresh" and "Upldate node list" to more meaningfull texts (@robertcheramy)
+- Update "refresh" and "Update node list" to more meaningful texts (@robertcheramy)
 
 ## [0.15.1 – 2025-02-20]
 This patch release fixes javascript errors.

README.md

@@ -3,15 +3,25 @@
 [![Build Status](https://github.com/ytti/oxidized-web/actions/workflows/ruby.yml/badge.svg)](https://github.com/ytti/oxidized-web/actions/workflows/ruby.yml)
 [![Gem Version](https://badge.fury.io/rb/oxidized-web.svg)](http://badge.fury.io/rb/oxidized-web)
 
-Web userinterface and RESTful API for Oxidized.
+Web user interface and RESTful API for Oxidized.
 
-This is not useful independently, see https://github.com/ytti/oxidized for install instructions.
+## Installation
+This is not useful independently, see https://github.com/ytti/oxidized for
+install instructions.
 
+Note: because of its dependencies, installing the `oxidized-web` gem will
+install `oxidized` automatically.
+
+## Configuration
+`oxidized-web` is configured through the configuration of `oxidized`,
+in the `extension` section. For details, see
+[docs/configuration.md](docs/configuration.md).
+
+## Development
 If you wonder how to run oxidized-web from git for development, have a look at
 [docs/development.md](docs/development.md).
 
 ## License and Copyright
-
 Copyright 2013-2015 Saku Ytti <[email protected]>
           2013-2015 Samer Abdel-Hafez <[email protected]>
 

docs/configuration.md

@@ -0,0 +1,90 @@
+# Basic configuration
+The RESTful API and web interface are enabled by installing the `oxidized-web`
+gem and configuring the `extensions.oxidized-web:` section in the configuration
+file:
+```yaml
+extensions:
+  oxidized-web:
+    load: true
+    # enter your configuration here
+```
+
+You can set the following parameter:
+- `load`: `true`/`false`: Enables or disables the `oxidized-web` extension
+  (default: `false`)
+- `listen`: Specifies the interface to bind to (default: `127.0.0.1`). Valid
+  options:
+  - `127.0.0.1`: Allows IPv4 connections from localhost only
+  - `'[::1]'`: Allows IPv6 connections from localhost only
+  - `<IPv4-Address>` or `'[<IPv6-Address>]'`: Binds to a specific interface
+  - `0.0.0.0`: Binds to any IPv4 interface
+  - `'[::]'`:  Binds to any IPv4 and IPv6 interface
+- `port`: Specifies the TCP port to listen to (default: `8888`)
+- `url_prefix`: Defines a URL prefix (default: no prefix)
+- `vhosts`: A list of virtual hosts to listen to. If not specified, it will
+  respond to any virtual host.
+
+## Examples
+
+```yaml
+# Listen on http://[::1]:8888/
+extensions:
+  oxidized-web:
+    load: true
+    listen: '[::1]'
+    port: 8888
+```
+
+```yaml
+# Listen on http://127.0.0.1:8888/
+extensions:
+  oxidized-web:
+    load: true
+    listen: 127.0.0.1
+    port: 8888
+```
+
+```yaml
+# Listen on http://[2001:db8:0:face:b001:0:dead:beaf]:8888/oxidized/
+extensions:
+  oxidized-web:
+    load: true
+    listen: '[2001:db8:0:face:b001:0:dead:beaf]'
+    port: 8888
+    url_prefix: oxidized
+```
+
+```yaml
+# Listen on http://10.0.0.1:8000/oxidized/
+extensions:
+  oxidized-web:
+    load: true
+    listen: 10.0.0.1
+    port: 8000
+    url_prefix: oxidized
+```
+
+```yaml
+# Listen on any interface to http://oxidized.rocks:8888 and
+# http://oxidized:8888
+extensions:
+  oxidized-web:
+    load: true
+    listen: '[::]'
+    url_prefix: oxidized
+    vhosts:
+     - oxidized.rocks
+     - oxidized
+```
+
+# Hide node vars
+Some node vars (enable, password) can contain sensible data. You can list the
+vars to be hidden under `hide_node_vars`:
+```yaml
+extensions:
+  oxidized-web:
+    load: true
+    hide_node_vars:
+     - enable
+     - password
+```

lib/oxidized/web.rb

@@ -16,10 +16,13 @@ class Web
 
       def initialize(nodes, configuration)
         require 'oxidized/web/webapp'
-        @addr, @port, uri_prefix, vhosts = self.class.parse_configuration(configuration)
-        uri_prefix = "/#{uri_prefix}"
+        @configuration = self.class.parse_configuration(configuration)
         WebApp.set :nodes, nodes
-        WebApp.set :host_authorization, { permitted_hosts: vhosts }
+        WebApp.set :configuration, @configuration
+        WebApp.set :host_authorization, {
+          permitted_hosts: @configuration[:vhosts]
+        }
+        uri_prefix = @configuration[:uri_prefix]
         @app = Rack::Builder.new do
           map uri_prefix do
             run WebApp
@@ -30,8 +33,10 @@ def initialize(nodes, configuration)
       def run
         @thread = Thread.new do
           @server = Puma::Server.new @app
-          @server.add_tcp_listener @addr, @port
-          logger.info "Oxidized-web server listening on #{@addr}:#{@port}"
+          addr = @configuration[:addr]
+          port = @configuration[:port]
+          @server.add_tcp_listener addr, port
+          logger.info "Oxidized-web server listening on #{addr}:#{port}"
           @server.run.join
         end
       end
@@ -46,12 +51,20 @@ def self.parse_configuration(configuration)
 
       # New configuration style: extensions.oxidized-web
       def self.parse_new_configuration(configuration)
-        addr = configuration.listen? || DEFAULT_HOST
-        port = configuration.port? || DEFAULT_PORT
-        uri_prefix = configuration.url_prefix? || DEFAULT_URI_PREFIX
-        vhosts = configuration.vhosts? || []
-
-        [addr, port, uri_prefix, vhosts]
+        hide_node_vars = configuration.hide_node_vars? || []
+        unless hide_node_vars.is_a?(Array)
+          logger.error "hide_node_vars must be a list of strings"
+          hide_node_vars = []
+        end
+        hide_node_vars = hide_node_vars.map(&:to_sym)
+        {
+          addr: configuration.listen? || DEFAULT_HOST,
+          port: configuration.port? || DEFAULT_PORT,
+          uri_prefix: normalize_uri(configuration.url_prefix? ||
+                                    DEFAULT_URI_PREFIX),
+          vhosts: configuration.vhosts? || [],
+          hide_node_vars: hide_node_vars
+        }
       end
 
       # Legacy configuration style: "rest: 127.0.0.1:8888/prefix"
@@ -62,11 +75,19 @@ def self.parse_legacy_configuration(configuration)
           port = addr
           addr = nil
         end
-        port = port.to_i
-        uri_prefix ||= DEFAULT_URI_PREFIX
-        vhosts = []
+        {
+          addr: addr,
+          port: port.to_i,
+          uri_prefix: normalize_uri(uri_prefix || DEFAULT_URI_PREFIX),
+          vhosts: [],
+          hide_node_vars: []
+        }
+      end
+
+      def self.normalize_uri(uri_prefix)
+        return '/' if uri_prefix.empty?
 
-        [addr, port, uri_prefix, vhosts]
+        uri_prefix.start_with?('/') ? uri_prefix : "/#{uri_prefix}"
       end
     end
   end

lib/oxidized/web/views/node.haml

@@ -14,7 +14,8 @@
       %a.link-dark.link-underline-opacity-0{title: 'update',
         href: url_for("/node/next/#{@data[:full_name]}")}
         %i.bi.bi-repeat
-    - out = '';PP.pp(@data,out)
     %pre.bg-body-tertiary.border.border-secondary-subtle.rounded
-      = preserve "#{out}"
+      %code
+        =escape_once(JSON.pretty_generate(@data))
+
 

lib/oxidized/web/webapp.rb

@@ -2,7 +2,6 @@
 require 'sinatra/json'
 require 'sinatra/url_for'
 require 'tilt/haml'
-require 'pp'
 require 'htmlentities'
 require 'charlock_holmes'
 module Oxidized
@@ -128,7 +127,7 @@ class WebApp < Sinatra::Base
 
       get '/node/show/:node' do
         node, @json = route_parse :node
-        @data = nodes.show node
+        @data = filter_node_vars(nodes.show(node))
         out :node
       end
 
@@ -259,7 +258,7 @@ def route_parse(param)
         [e.join('.'), json]
       end
 
-      # give the time enlapsed between now and a date (Time object)
+      # give the time elapsed between now and a date (Time object)
       def time_from_now(date)
         return "no time specified" if date.nil?
 
@@ -328,6 +327,20 @@ def convert_to_utf8(text)
           'The text contains binary values - cannot display'
         end
       end
+
+      def filter_node_vars(serialized_node)
+        # Make a deep copy of the data, so we do not impact oxidized
+        data = Marshal.load(Marshal.dump(serialized_node))
+
+        hide_node_vars = settings.configuration[:hide_node_vars]
+        if data[:vars].is_a?(Hash) && hide_node_vars&.any?
+          hide_node_vars.each do |key|
+            data[:vars][key] = '<hidden>' if data[:vars].has_key?(key)
+          end
+        end
+
+        data
+      end
     end
   end
 end

spec/web/node/show_spec.rb

@@ -0,0 +1,100 @@
+require_relative '../../spec_helper'
+describe Oxidized::API::WebApp do
+  include Rack::Test::Methods
+
+  def app
+    Oxidized::API::WebApp
+  end
+
+  before do
+    @nodes = mock('Oxidized::Nodes')
+    app.set(:nodes, @nodes)
+
+    @serialized_node = {
+      name: "sw5",
+      full_name: "sw5.example.com",
+      ip: "10.42.12.42",
+      group: nil,
+      model: "ios",
+      last: {
+        start: Time.parse("2025-02-05 19:49:00 +0100"),
+        end: Time.parse("2025-02-05 19:49:10 +0100"),
+        status: :no_connection,
+        time: 10
+      },
+      vars: {
+        oxi: "dized",
+        enable: "secret_enable",
+        username: "oxidized",
+        password: "secret_password"
+      },
+      mtime: Time.parse("2025-02-05 19:49:11 +0100")
+    }
+  end
+
+  describe "get /node/show/:node" do
+    it "shows the metadata of a node" do
+      app.set(:configuration, { hide_node_vars: [] })
+      @nodes.expects(:show).with("sw5").returns(@serialized_node)
+
+      get '/node/show/sw5'
+      _(last_response.ok?).must_equal true
+      body = last_response.body
+
+      _(body).must_match(/secret_enable/)
+      _(body).must_match(/secret_password/)
+      _(body.include?(
+          "<code>{\n  &quot;name&quot;: &quot;sw5&quot;," \
+          "\n  &quot;full_name&quot;: &quot;sw5.example.com&quot;," \
+          "\n  &quot;ip&quot;: &quot;10.42.12.42&quot;," \
+          "\n  &quot;group&quot;: null,\n  &quot;model&quot;: &quot;ios&quot;," \
+          "\n  &quot;last&quot;: {" \
+          "\n    &quot;start&quot;: &quot;2025-02-05 19:49:00 +0100&quot;," \
+          "\n    &quot;end&quot;: &quot;2025-02-05 19:49:10 +0100&quot;," \
+          "\n    &quot;status&quot;: &quot;no_connection&quot;," \
+          "\n    &quot;time&quot;: 10\n  }," \
+          "\n  &quot;vars&quot;: {" \
+          "\n    &quot;oxi&quot;: &quot;dized&quot;," \
+          "\n    &quot;enable&quot;: &quot;secret_enable&quot;," \
+          "\n    &quot;username&quot;: &quot;oxidized&quot;," \
+          "\n    &quot;password&quot;: &quot;secret_password&quot;" \
+          "\n  },\n  &quot;mtime&quot;: &quot;2025-02-05 19:49:11 +0100&quot;" \
+          "\n}</code>"
+        )).must_equal true
+    end
+
+    it "hides vars in hide_node_vars" do
+      app.set(:configuration, { hide_node_vars: %i[enable password] })
+      @nodes.expects(:show).with("sw5").returns(@serialized_node)
+
+      get '/node/show/sw5'
+      _(last_response.ok?).must_equal true
+      body = last_response.body
+
+      _(body).wont_match(/secret_enable/)
+      _(body).wont_match(/secret_password/)
+      _(body).must_match(/&lt;hidden&gt;/)
+      _(body.include?(
+          "<code>{\n  &quot;name&quot;: &quot;sw5&quot;," \
+          "\n  &quot;full_name&quot;: &quot;sw5.example.com&quot;," \
+          "\n  &quot;ip&quot;: &quot;10.42.12.42&quot;," \
+          "\n  &quot;group&quot;: null,\n  &quot;model&quot;: &quot;ios&quot;," \
+          "\n  &quot;last&quot;: {" \
+          "\n    &quot;start&quot;: &quot;2025-02-05 19:49:00 +0100&quot;," \
+          "\n    &quot;end&quot;: &quot;2025-02-05 19:49:10 +0100&quot;," \
+          "\n    &quot;status&quot;: &quot;no_connection&quot;," \
+          "\n    &quot;time&quot;: 10\n  }," \
+          "\n  &quot;vars&quot;: {" \
+          "\n    &quot;oxi&quot;: &quot;dized&quot;," \
+          "\n    &quot;enable&quot;: &quot;&lt;hidden&gt;&quot;," \
+          "\n    &quot;username&quot;: &quot;oxidized&quot;," \
+          "\n    &quot;password&quot;: &quot;&lt;hidden&gt;&quot;" \
+          "\n  },\n  &quot;mtime&quot;: &quot;2025-02-05 19:49:11 +0100&quot;" \
+          "\n}</code>"
+        )).must_equal true
+
+      # The note data is not changed (deep copy with Marshal)
+      _(@serialized_node[:vars][:enable]).must_equal "secret_enable"
+    end
+  end
+end