(1) Event Sigma main event: A secret, such as a password, cryptographic key, or token is stored in a file that is persisted to the code repository. Any user with access to the code repository may obtain and use the secret to access restricted resources.
(2) Event remediation: Avoid committing to the code repository any files that contain secrets or sensitive data. These files should be managed outside the code repository, preferably using a secure vault or similar, and loaded onto the system as needed.
1    	import os
2    	
# generic system paths
#
# Absolute paths of the system tools pcs shells out to.  These are plain
# strings handed to the callers; nothing in this module verifies that the
# binaries exist on the host.
chkconfig_exec = "/sbin/chkconfig"
systemctl_exec = "/usr/bin/systemctl"
# Left empty in this build (no "service" wrapper path configured).
service_exec = ""
find_exec = "/usr/bin/find"
killall_exec = "/usr/bin/killall"
rm_exec = "/usr/bin/rm"
ruby_exec = "/usr/bin/ruby"
certutil_exec = "/usr/bin/certutil"
# Directories searched for systemd unit files, in search order.  Spelled out
# as a list literal; it is exactly the sequence the colon-separated search
# string yields, including the repeated /etc/systemd/system and
# /usr/lib/systemd/system entries (presumably harmless for a first-match
# lookup -- the list length is preserved so callers see no change).
systemd_unit_path = [
    "/etc/systemd/system",
    "/etc/systemd/system",
    "/run/systemd/system",
    "/usr/local/lib/systemd/system",
    "/usr/lib/systemd/system",
    "/usr/lib/systemd/system",
    "/lib/systemd/system",
]
13   	
14   	
# pcs
pcs_version = "0.11.11+11-c6782"
# Third-party Python packages shipped together with pcs.  Written as the
# folded literal; it equals os.path.join("/usr/lib64/pcs/pcs_bundled", "packages").
pcs_bundled_packages_dir = "/usr/lib64/pcs/pcs_bundled/packages"
# Trailing slash is deliberate and preserved: the path manager at the bottom
# of this module joins file names onto it, and os.path.join tolerates it.
pcs_data_dir = "/usr/lib64/pcs/data/"
19   	
20   	
# pcsd
pcsd_exec_location = "/usr/lib64/pcsd"
pcsd_public_dir = "/usr/lib64/pcsd/public"
pcsd_webui_dir = "/usr/lib64/pcsd/public/ui"
pcs_capabilities = os.path.join(pcsd_exec_location, "capabilities.xml")
# Set pcsd_gem_path to None if there are no bundled ruby gems and the path does
# not exist.  The trailing "or None" is what maps an empty path to None; with
# a non-empty literal, as here, it is a no-op.
pcsd_gem_path = "/usr/lib64/pcsd/vendor/bundle/" or None
pcsd_unix_socket = "/var/run/pcsd.socket"
pcsd_ruby_socket = "/var/run/pcsd-ruby.socket"
pcsd_default_port = 2224
pcsd_config = "/etc/sysconfig/pcsd"

# Log and state directories honour the LOGS_DIRECTORY / STATE_DIRECTORY
# environment variables (the names systemd sets for LogsDirectory= and
# StateDirectory=) and fall back to the traditional locations.
_pcsd_log_dir = os.environ.get("LOGS_DIRECTORY", "/var/log/pcsd")
pcsd_log_location = os.path.join(_pcsd_log_dir, "pcsd.log")
pcsd_var_location = os.environ.get("STATE_DIRECTORY", "/var/lib/pcsd")

# Files kept under the state directory.  This module only records where they
# live; it contains no certificate, key, token or credential material itself.
# pcsd.crt / pcsd.key look like a TLS key pair for pcsd -- confirm against
# the code that creates them.
pcsd_cert_location = os.path.join(pcsd_var_location, "pcsd.crt")
pcsd_key_location = os.path.join(pcsd_var_location, "pcsd.key")
pcsd_known_hosts_location = os.path.join(pcsd_var_location, "known-hosts")
pcsd_users_conf_location = os.path.join(pcsd_var_location, "pcs_users.conf")
pcsd_settings_conf_location = os.path.join(pcsd_var_location, "pcs_settings.conf")
pcsd_dr_config_location = os.path.join(pcsd_var_location, "disaster-recovery")
50   	
# pcsd TLS defaults.
# OpenSSL cipher string: the library's DEFAULT list with RC4 and 3DES
# excluded, sorted by strength.
default_ssl_ciphers = "DEFAULT:!RC4:!3DES:@STRENGTH"
# Ssl options are based on default options in python (maybe with some extra
# options). Format here is the same as the PCSD_SSL_OPTIONS environment
# variable format (string with comma as a delimiter).  The names match the
# ssl.OP_* constants; SSLv2, SSLv3, TLS 1.0 and TLS 1.1 are all switched off
# and renegotiation is refused.
_default_ssl_option_names = (
    "OP_NO_COMPRESSION",
    "OP_CIPHER_SERVER_PREFERENCE",
    "OP_SINGLE_DH_USE",
    "OP_SINGLE_ECDH_USE",
    "OP_NO_SSLv2",
    "OP_NO_SSLv3",
    "OP_NO_TLSv1",
    "OP_NO_TLSv1_1",
    "OP_NO_RENEGOTIATION",
)
default_ssl_options = ",".join(_default_ssl_option_names)

# Seconds before an outgoing request is abandoned.
default_request_timeout = 60
# Web UI sessions expire after one hour.
gui_session_lifetime_seconds = 3600
# Upper bound on the size of a pcsd authentication token, in bytes.
pcsd_token_max_bytes = 256
71   	
# pcsd task scheduler settings
#
# Worker pool sizing: a fixed pool plus a burst of temporary workers; each
# worker is recycled after the reset limit.  The exact semantics live in the
# scheduler code, not here.
pcsd_worker_count = 10
pcsd_temporary_workers = 10
pcsd_worker_reset_limit = 100
# Scheduler tick, in milliseconds.
async_api_scheduler_interval_ms = 100
# Seconds before the scheduler treats the pool as deadlocked.
pcsd_deadlock_threshold_timeout = 5
# Task lifecycle timeouts, in seconds.
task_unresponsive_timeout_seconds = 3600
task_abandoned_timeout_seconds = 60
task_deletion_timeout_seconds = 60
81   	
82   	
# corosync
# Used only in settings.py and utils.py. Make it private once utils.py is removed.
corosync_execs = "/srv/corosync/origin/camelback/sbin"
corosync_conf_dir = "/srv/corosync/origin/camelback/etc/corosync"
corosync_log_file = "/srv/corosync/origin/camelback/var/log/cluster/corosync.log"

# Binaries under the corosync sbin directory.
corosync_exec = os.path.join(corosync_execs, "corosync")
corosync_cfgtool_exec = os.path.join(corosync_execs, "corosync-cfgtool")
corosync_quorumtool_exec = os.path.join(corosync_execs, "corosync-quorumtool")

# Files under the corosync configuration directory.  Only the location of
# the authkey is recorded here, never its contents.
corosync_conf_file = os.path.join(corosync_conf_dir, "corosync.conf")
corosync_uidgid_dir = os.path.join(corosync_conf_dir, "uidgid.d")
corosync_authkey_file = os.path.join(corosync_conf_dir, "authkey")
# Must be set to 256 for corosync to work in FIPS environment.
corosync_authkey_bytes = 256
96   	
97   	
# corosync qnetd and qdevice
#
# qnetd (the quorum server side) and qdevice (the cluster node side) ship
# from one install root but use separate bin/sbin directories.
corosync_qnet_execs = "/srv/corosync-qdevice/origin/main/bin"
corosync_qdevice_execs = "/srv/corosync-qdevice/origin/main/sbin"
corosync_qdevice_conf_dir = "/srv/corosync-qdevice/origin/main/etc/corosync"

# qnetd tools
corosync_qnetd_certutil_exec = os.path.join(corosync_qnet_execs, "corosync-qnetd-certutil")
corosync_qnetd_tool_exec = os.path.join(corosync_qnet_execs, "corosync-qnetd-tool")

# qdevice tools
corosync_qdevice_tool_exec = os.path.join(corosync_qdevice_execs, "corosync-qdevice-tool")
corosync_qdevice_net_certutil_exec = os.path.join(
    corosync_qdevice_execs, "corosync-qdevice-net-certutil"
)

# NSS certificate databases for the qnetd server and the qdevice client.
# Both sides use the same CA file name; only the directory differs.  These
# are locations only -- the certificate stores themselves are not part of
# this module.
corosync_qdevice_net_server_certs_dir = os.path.join(corosync_qdevice_conf_dir, "qnetd/nssdb")
corosync_qdevice_net_server_ca_file_name = "qnetd-cacert.crt"
corosync_qdevice_net_client_certs_dir = os.path.join(
    corosync_qdevice_conf_dir, "qdevice/net/nssdb"
)
corosync_qdevice_net_client_ca_file_name = "qnetd-cacert.crt"
122  	
123  	
# pacemaker
# Used only in settings.py and utils.py. Make it private once utils.py is removed.
pacemaker_execs = "/srv/pacemaker/origin/2.1/sbin"
pacemaker_daemon_dir = "/srv/pacemaker/origin/2.1/libexec/pacemaker"
# Location of the pacemaker authkey; the key itself is not stored here.
pacemaker_authkey_file = "/srv/pacemaker/origin/2.1/etc/pacemaker/authkey"
# Using the same value as for corosync. Higher values MAY work in FIPS.
pacemaker_authkey_bytes = 256
# The upstream template joins "/" in front of the state directory; with an
# absolute directory os.path.join discards the leading "/" anyway, so the
# two-argument form yields the identical string.
pacemaker_local_state_dir = os.path.join("/srv/pacemaker/origin/2.1/var", "lib/pacemaker")
cib_dir = "/srv/pacemaker/origin/2.1/var/lib/pacemaker/cib"
pacemaker_api_result_schema = "/srv/pacemaker/origin/2.1/share/pacemaker/api/api-result.rng"

# Daemons (libexec).
pacemaker_schedulerd_exec = os.path.join(pacemaker_daemon_dir, "pacemaker-schedulerd")
pacemaker_controld_exec = os.path.join(pacemaker_daemon_dir, "pacemaker-controld")
pacemaker_based_exec = os.path.join(pacemaker_daemon_dir, "pacemaker-based")
pacemaker_fenced_exec = os.path.join(pacemaker_daemon_dir, "pacemaker-fenced")

# Command-line tools (sbin).
pacemakerd_exec = os.path.join(pacemaker_execs, "pacemakerd")
iso8601_exec = os.path.join(pacemaker_execs, "iso8601")
cibadmin_exec = os.path.join(pacemaker_execs, "cibadmin")
stonith_admin_exec = os.path.join(pacemaker_execs, "stonith_admin")
crm_resource_exec = os.path.join(pacemaker_execs, "crm_resource")
crm_mon_exec = os.path.join(pacemaker_execs, "crm_mon")
crm_report_exec = os.path.join(pacemaker_execs, "crm_report")
crm_rule_exec = os.path.join(pacemaker_execs, "crm_rule")
crm_diff_exec = os.path.join(pacemaker_execs, "crm_diff")
crm_simulate_exec = os.path.join(pacemaker_execs, "crm_simulate")
crm_ticket_exec = os.path.join(pacemaker_execs, "crm_ticket")
crm_verify_exec = os.path.join(pacemaker_execs, "crm_verify")
crm_node_exec = os.path.join(pacemaker_execs, "crm_node")

# Identity pacemaker runs as / the group allowed to talk to it.
pacemaker_uname = "hacluster"
pacemaker_gname = "haclient"
# Exit status reported by pacemaker tools when a --wait times out.
pacemaker_wait_timeout_status = 124
158  	
159  	
# resource / stonith agents
# Directory holding the fence agent executables.
fence_agent_execs = "/srv/fence-agents/origin/main/sbin"
162  	
163  	
# sbd
sbd_exec = "/srv/sbd/origin/main-pacemaker-2.1/sbin/sbd"
sbd_config = "/srv/sbd/origin/main-pacemaker-2.1/etc/sysconfig/sbd"
sbd_watchdog_default = "/dev/watchdog"
# this limit is also mentioned in docs, change there as well
sbd_max_device_num = 3
# message types are also mentioned in docs, change there as well
# (order is preserved as the callers may rely on it)
sbd_message_types = ["test", "reset", "off", "crashdump", "exit", "clear"]
172  	
173  	
# booth
booth_exec = "/srv/booth/origin/main-pacemaker-2.1/sbin/booth"
booth_config_dir = "/srv/booth/origin/main-pacemaker-2.1/etc/booth"
# Booth does not support keys longer than 64 bytes.
booth_authkey_bytes = 64
# Owner read/write only: the authkey must not be readable by other users.
booth_authkey_file_mode = 0o600
# Feature switches for the enable-authfile handling.  `False or x` evaluates
# to x, so the "unset" switch simply mirrors the "set" one.
booth_enable_authfile_set_enabled = False
booth_enable_authfile_unset_enabled = booth_enable_authfile_set_enabled
182  	
183  	
# path manager
# File names (relative to pcs_data_dir) of the OCF metadata schemas.
_ocf_1_0_schema_filename = "ocf-1.0.rng"
_ocf_1_1_schema_filename = "ocf-1.1.rng"
187  	
188  	
class _PathManager:
    """Resolve pcs data-file paths on demand.

    Each property performs the join when it is accessed, so it reads the
    module-level ``pcs_data_dir`` current at that moment rather than a value
    captured at import time.
    """

    @staticmethod
    def _data_file(filename):
        """Return *filename* located under the module-level pcs_data_dir."""
        return os.path.join(pcs_data_dir, filename)

    @property
    def ocf_1_0_schema(self):
        """Full path of the OCF 1.0 schema file (ocf-1.0.rng)."""
        return self._data_file(_ocf_1_0_schema_filename)

    @property
    def ocf_1_1_schema(self):
        """Full path of the OCF 1.1 schema file (ocf-1.1.rng)."""
        return self._data_file(_ocf_1_1_schema_filename)

    @property
    def pcs_data_dir(self):
        """The pcs data directory as configured in this module."""
        # A method body resolves names in module scope, so this is the module
        # constant, not this property of the same name.
        return pcs_data_dir
201  	
202  	
# Single shared accessor for data-file paths; import `path` rather than
# instantiating _PathManager elsewhere.
path = _PathManager()