Fix masking of ironic_osism_* secrets in kernel_append_params (#2120)

berendt · web-flow · commit 822854f884f7 · 2026-03-13T16:32:04.000+01:00
When ironic_osism_* values in the Netbox secrets custom field are
vault-encrypted and decryption fails in the API context, deep_decrypt
silently removes the keys, so no secret values are collected for
string replacement. This leaves passwords exposed in the API response.

Add a regex-based fallback: before decryption, collect ironic_osism_*
key names and derive kernel parameter names (ironic_osism_aa -&gt; osism-aa).
After value-based replacement, also mask param=value patterns by name,
ensuring secrets are masked even when vault decryption is unavailable.

AI-assisted: Claude Code

Signed-off-by: Christian Berendt &lt;berendt@osism.tech&gt;
diff --git a/osism/tasks/openstack.py b/osism/tasks/openstack.py
@@ -2,6 +2,7 @@
 
 from celery import Celery
 import os
+import re
 import shutil
 import tempfile
 import yaml
@@ -260,6 +261,17 @@ def get_baremetal_node_parameters(node_uuid):
                 if node_secrets is None:
                     node_secrets = {}
 
+                # Collect ironic_osism_* parameter names BEFORE decryption
+                # so they're available even if vault decryption removes them.
+                # Convention: ironic_osism_aa -> osism-aa in kernel_append_params
+                secret_param_names = set()
+                for key in node_secrets:
+                    if isinstance(key, str) and key.lower().startswith("ironic_osism_"):
+                        param_name = key[len("ironic_") :].replace(  # noqa: E203
+                            "_", "-"
+                        )
+                        secret_param_names.add(param_name)
+
                 vault = get_vault()
                 deep_decrypt(node_secrets, vault)
 
@@ -280,6 +292,16 @@ def get_baremetal_node_parameters(node_uuid):
                             kernel_append_params = kernel_append_params.replace(
                                 sv, "***"
                             )
+
+                    # Also mask by parameter name for ironic_osism_* params.
+                    # This catches cases where vault decryption failed and
+                    # the secret values could not be collected.
+                    for param_name in secret_param_names:
+                        kernel_append_params = re.sub(
+                            rf"\b{re.escape(param_name)}=\S+",
+                            f"{param_name}=***",
+                            kernel_append_params,
+                        )
         except Exception as e:
             logger.debug(f"Could not mask secrets for {node_name}: {e}")
 
