How is hiding sensitive info in config works?

We can hide specific texts in device config files by replacing them with "********".

Format of Settings

Specify your settings with a multi-line text. Each line must look like:

.

• mode_selection: one of "exact_prefix:" (note the colon), "regex_replacement:" and "" (empty string). You use this field to select the mode of text processing between exact_prefix and regex_replacement; if you use an empty string "", the mode defaults to exact_prefix.
• part_a: a list of device type ID's represented by int32_t in CSV format. No "|", "\r" or "\n" characters are allowed.
• |: a vertical bar character "|".
• part_b: a string that will be prepended to each replaced line in a device config files. No "|", "\r" or "\n" characters are allowed.
• |: another vertical bar character "|".
• part_c: a list of fields in CSV format about the details of how lines in device config files should be replaced. No "\r" or "\n" characters are allowed.
• \r\n: a carriage return character and a newline character.
• For each mode, a given device type ID should NOT appear more than once. If it does, the last appearance takes effect.
• If a line of settings has a bad format, the whole line will be ignored.

How It Works

exact_prefix Mode

You should provide a list of keywords in part_c. For each line in a device config file, all leading blank characters (that is, tab '\t' and space ' ') are skipped. Then if the remaining starts with one of the provided keywords (use key to denote this keyword), a replacement will take place. The whole line will become:

If a keyword is a prefix of another, the shorter takes effect in the replacement.

Example

Given the following line of settings:

exact_prefix:2008,4020|###|set admin user blah,set admin user

 if a device 4020 has the following line in its config file,

set admin user blah abcdef890

the line will be substituted with

###set admin user ********

regex_replacement Mode

You should provide a list of Perl regular expressions in part_c. In order to replace a line in the config file using a regex, the regex must match the whole config line without "\r\n". In the regex, use parenthesis-enclosed capture groups "(...)" to specify the parts of the config line that you would like to erase in the outcome. Those capture groups will be replaced with " ******** ". In addition, nested parentheses are ignored.

Example

Given the following line of settings,

regex_replacement:2008,4020|!@#|"set admin user(.*)set admin pass(.*) OK",set admin user(.*)set admin pass((.*) OK).+

if a device 2008 has the following line in its config file,

set admin user username; set admin pass PASSWORD OK; and something more

the line will be substituted with

!@#set admin user ******** set admin pass ******** ; and something more

Order of Processing

• exact_prefix mode is evaluated first. For any line the in the config file, if it's successfully replaced under the rule of exact_prefix, the processing of this line is considered done. Even if there is a regex that matches the line well, it will not be considered.
• Regular expressions in the regex list are considered in the order of their appearances in the settings. If a regex successfully matches, all remaining regexes are ignored for this line.

Performance

• The exact_prefix mode works fast. For any given config line, the time complexity of processing it is O(length of the longest keyword).
• Use regex_replacement mode sparingly.