enh(cli): enhance debugging of CLI plugins (#6100)

Enhance debugging of CLI plugins 
Refs: CTOR-1247

Author: scresto31

.gitleaksignore

@@ -1 +1,4 @@
-tests/cloud/google/gcp/gcp_config.json:private-key:5
+tests/cloud/google/gcp/gcp_config.json:private-key:5
+tests/centreon/plugins/mask_secrets.t:generic-api-key:44
+tests/centreon/plugins/mask_secrets.t:curl-auth-header:17
+tests/centreon/plugins/mask_secrets.t:curl-auth-header:41

src/centreon/plugins/misc.pm

@@ -47,6 +47,7 @@ our @EXPORT_OK = qw/change_seconds
                     slurp_file
                     format_opt
                     trim
+                    mask_secrets
                     value_of/;
 
 sub execute {
@@ -192,13 +193,19 @@ sub unix_execute {
         # On some equipment. Cannot get a pseudo terminal
         if (defined($options{ssh_pipe}) && $options{ssh_pipe} == 1) {
             $cmd = "echo '" . $sub_cmd . "' | " . $cmd . ' ' . join(' ', @$args);
+            $options{output}->output_add(long_msg => 'execute command: ' . $cmd, show_password => $options{output}->show_password()) if $options{output}->is_debug();
+
             ($lerror, $stdout, $exit_code) = backtick(
                 command => $cmd,
                 timeout => $options{options}->{timeout},
                 wait_exit => $wait_exit,
                 redirect_stderr => $redirect_stderr
             );
         } else {
+            if ($options{output}->is_debug()) {
+                my $cmd = $cmd . join (' ', [ @$args, $sub_cmd // '']);
+                $options{output}->output_add(long_msg => 'execute command: ' . $cmd, show_password => $options{output}->show_password())
+            }
             ($lerror, $stdout, $exit_code) = backtick(
                 command => $cmd,
                 arguments => [@$args, $sub_cmd],
@@ -213,6 +220,8 @@ sub unix_execute {
         $cmd .= $options{command} if (defined($options{command}));
         $cmd .= ' ' . $options{command_options} if (defined($options{command_options}));
 
+        $options{output}->output_add(long_msg => 'execute command: ' . $cmd, show_password => $options{output}->show_password()) if $options{output}->is_debug();
+
         if (defined($options{no_shell_interpretation}) and $options{no_shell_interpretation} ne '') {
             my @args = split(' ',$cmd);
             ($lerror, $stdout, $exit_code) = backtick(
@@ -961,6 +970,68 @@ sub format_opt($) {
     $_[0] =~ s/_/-/gr;
 }
 
+# Attempts to mask secrets in a command line string by replacing them with $mask ( or *** if mask is not defined )
+# Be aware that this is only a try, there is no guarantee that all secrets will be masked!
+sub mask_secrets($;$) {
+    my ($command, $mask) = @_;
+
+    return '' unless $command;
+
+    $mask = '***' unless defined $mask;
+
+    my $masked = $command;
+
+    # Handled cases with examples
+
+    # command -password P@s$W@rD -I100
+    $masked =~ s/(\s+-+password[=\s:]+)[^\s'"]+/$1$mask/gi;
+
+    # command -token=P@s$W@rD -I100
+    $masked =~ s/(\s+-+token[=\s:]+)[^\s'"]+/$1$mask/gi;
+
+    # curl --header "api-key: P@s$W@rD" https://test.com' OR curl -api-key P@s$W@rD
+    $masked =~ s/(\s+-+api[_-]?key[=\s:]+)[^\s'"]+/$1$mask/gi;
+    $masked =~ s/(api[_-]?key\s*:\s*)[^\s'"]+/$1$mask/gi;
+
+    # command -secret=P@s$W@rD -I100
+    $masked =~ s/(\s+-+secret[=\s:]+)[^\s'"]+/$1$mask/gi;
+
+    # curl --header "secret: P@s$W@rD" https://test.com'
+    $masked =~ s/(secret\s*:\s*)[^\s'"]+/$1$mask/gi;
+
+    # command -authent=P@s$W@rD -I100
+    $masked =~ s/(\s+-+auth(ent)?[=\s:]+)[^\s'"]+/$1$mask/gi;
+
+    # command -cert-password=P@s$W@rD -I100
+    $masked =~ s/(\s+-+cert[_-]?password[=\s:]+)[^\s'"]+/$1$mask/gi;
+    # command -passphrase=P@s$W@rD -I100
+    $masked =~ s/(\s+-+passphrase[=\s:]+)[^\s'"]+/$1$mask/gi;
+
+    # snmpwalk -snmp-community MyCommunitString123 -v 2c localhost',
+    $masked =~ s/(\s+-+snmp[_-]?community[=\s:]+)[^\s'"]+/$1$mask/gi;
+
+    # snmpwalk --c MyCommunitString123 -v 2c localhost',
+    $masked =~ s/(\s-c\s+)[^\s'"]+/$1$mask/gi;
+
+    # mysql -u root -p PASSWORD database
+    $masked =~ s/(\s+-p\s+)[^\s'"]+/$1$mask/gi;
+
+    # mysql -u root -pPASSWORD database
+    $masked =~ s/(\s+-p)(?!assword\b)([A-Z])[^\s'"]*/$1$mask/gi;
+
+    my $common_auth = 'Bearer|Basic|Negotiate|X-API-Key|ApiKey|NTLM|AWS4-HMAC-SHA256';
+
+    # curl -H "Authorization: Bearer ABCDEF" http://test.com'
+    $masked =~ s/((?:$common_auth)\s+)[^\s'"]+/$1$mask/gi;
+    # curl -H "PVX-Authorization: ABCDEF" http://test.com'
+    $masked =~ s/((?:[\w-]*)Authorization\s*:\s*)(?!$common_auth)[^\s',;"]+/$1$mask/gi;
+
+    # https://admin:password@test.com:8080/api
+    $masked =~ s/([\w.-]+):([\w?!@#$%^&*._-]+)(@)/$1:$mask$3/g;
+
+    return $masked;
+}
+
 1;
 
 __END__
@@ -1616,6 +1687,19 @@ Returns 1 if the string is excluded, 0 if it is included.
 The string is excluded if $exclude_regexp is defined and matches the string, or if $include_regexp is defined and does
 not match the string. The string will also be excluded if it is undefined.
 
+=back
+
+=head2 mask_secrets
+
+    my $to_print = centreon::plugins::misc::mask_secrets($unsafe_string, $mask);
+
+Attempts to mask secrets in a command line string by replacing them with $mask ( or *** if mask is not defined )
+Be aware that this is only a try, there is no guarantee that all secrets will be masked!
+
+=over 4
+
+=item * C<$ident> - name to convert.
+
 =head1 AUTHOR
 
 Centreon

src/centreon/plugins/output.pm

@@ -1,5 +1,5 @@
 #
-# Copyright 2024 Centreon (http://www.centreon.com/)
+# Copyright 2026-Present Centreon (http://www.centreon.com/)
 #
 # Centreon is a full-fledged industry-strength solution that meets
 # the needs in IT infrastructure and application monitoring for
@@ -22,7 +22,7 @@ package centreon::plugins::output;
 
 use strict;
 use warnings;
-use centreon::plugins::misc;
+use centreon::plugins::misc qw/mask_secrets/;
 
 sub new {
     my ($class, %options) = @_;
@@ -51,6 +51,7 @@ sub new {
         'verbose'                 => { name => 'verbose' },
         'debug'                   => { name => 'debug' },
         'debug-stream'            => { name => 'debug_stream' },
+        'show-password'           => { name => 'show_password' },
         'opt-exit:s'              => { name => 'opt_exit', default => 'unknown' },
         'output-xml'              => { name => 'output_xml' },
         'output-json'             => { name => 'output_json' },
@@ -226,6 +227,8 @@ sub output_add {
 
     if (defined($options->{short_msg})) {
         chomp $options->{short_msg};
+        $options->{short_msg} = mask_secrets($options->{short_msg}) if defined $options->{show_password} && !$options->{show_password};
+
         if (defined($self->{global_short_concat_outputs}->{uc($options->{severity})})) {
             $self->{global_short_concat_outputs}->{uc($options->{severity})} .= $options->{separator} . $options->{short_msg};
         } else {
@@ -237,10 +240,13 @@ sub output_add {
     }
 
     if (defined($options->{long_msg})) {
-        chomp $options->{long_msg};
+        if (($options->{debug} == 0 || defined($self->{option_results}->{debug})) || defined($self->{option_results}->{debug_stream})) {
+            chomp $options->{long_msg};
+            $options->{long_msg} = mask_secrets($options->{long_msg}) if defined $options->{show_password} && !$options->{show_password};
 
-        push @{$self->{global_long_output}}, $options->{long_msg} if ($options->{debug} == 0 || defined($self->{option_results}->{debug}));
-        print $options->{long_msg} . "\n" if (defined($self->{option_results}->{debug_stream}));
+            push @{$self->{global_long_output}}, $options->{long_msg} if ($options->{debug} == 0 || defined($self->{option_results}->{debug}));
+            print $options->{long_msg} . "\n" if (defined($self->{option_results}->{debug_stream}));
+        }
     }
 }
 
@@ -995,6 +1001,13 @@ sub is_debug {
     return 0;
 }
 
+sub show_password {
+    my ($self) = @_;
+
+    return $self->{option_results}->{show_password}
+}
+
+
 sub load_eval {
     my ($self) = @_;
 
@@ -1571,6 +1584,11 @@ Display extended status information (long output).
 
 Display debug messages.
 
+=item B<--show-password>
+
+By default, sensitive information in command lines is hidden in debug output and replaced with C<***> (however, debug logs may still display sensitive information).
+Using the C<--show-password> option will display the passwords in plain text.
+
 =item B<--filter-perfdata>
 
 Filter perfdata that match the regexp.

tests/centreon/plugins/database_redis_parameters.t

@@ -47,10 +47,10 @@ my $cust = database::redis::custom::cli->new(
 );
 $options->{custom} = $cust;
 
-foreach my $test ({ title => 'Test --key parameter',    param => { key => 'private.key'},       expect => q(--key 'private.key') },
-                  { title => 'Test --cert parameter',   param => { cert => 'dummy.crt'},        expect => q(--cert 'dummy.crt') },
-                  { title => 'Test --cacert parameter', param => { cacert => 'ca.crt'},         expect => q(--cacert 'ca.crt') },) {
-    $cust->set_options(option_results => $test->{param} );
+foreach my $test ({ title => 'Test --key parameter',    param => { cert => '', cacert => '', key => 'private.key' },       expect => q(--key 'private.key') },
+                  { title => 'Test --cert parameter',   param => { cert => 'dummy.crt', cacert => '', key => '' },         expect => q(--cert 'dummy.crt') },
+                  { title => 'Test --cacert parameter', param => { cert => '', cacert => 'ca.crt', key => '' },            expect => q(--cacert 'ca.crt') },) {
+    $cust->set_options(option_results => { %{$test->{param}}, ssh_hostname => '', tls => '', server => '', password => '', username => '', port => '' } );
     $cust->check_options();
 
     $plugin->manage_selection(%$options);

tests/centreon/plugins/mask_secrets.t

@@ -0,0 +1,68 @@
+use strict;
+use warnings;
+use Test2::V0;
+
+use Test2::Tools::Compare qw{is like match};
+use FindBin;
+use lib "$FindBin::RealBin/../../../src";
+use centreon::plugins::misc qw/mask_secrets/;
+
+sub mask_secrets_execute() {
+    my @tests = ( {  original => 'raidcom get system -password MySecretPass123 -I100',
+                     masked   => 'raidcom get system -password *** -I100'
+                  },
+                  {  original => 'pairdisplay -password=SuperSecret123 -g GRP1',
+                     masked   => 'pairdisplay -password=*** -g GRP1'
+                  },
+                  {  original => 'curl -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9" https://test.com',
+                     masked   => 'curl -H "Authorization: Bearer ***" https://test.com'
+                  },
+                  {  original => 'curl -H "Authorization: Basic ABCDEF" https://test.com',
+                     masked   => 'curl -H "Authorization: Basic ***" https://test.com'
+                  },
+                  {  original => 'snmpwalk -snmp-community=tutu -v 2c localhost',
+                     masked   => 'snmpwalk -snmp-community=*** -v 2c localhost'
+                  },
+                  {  original => 'snmpwalk -c MyCommunitString123 -v 2c localhost',
+                     masked   => 'snmpwalk -c *** -v 2c localhost'
+                  },
+                  {  original => 'ssh -l admin user@host.com',
+                     masked   => 'ssh -l admin user@host.com'
+                  },
+                  {  original => 'mysql -u root -pMyPassword123 database',
+                     masked   => 'mysql -u root -p*** database'
+                  },
+                  {  original => 'mysql -u root -p MyPassword123 database',
+                     masked   => 'mysql -u root -p *** database'
+                  },
+                  {  original => 'pg_dump -U postgres -W database',
+                     masked   => 'pg_dump -U postgres -W database'
+                  },
+                  {  original => 'curl --header "api-key: sk-1234567890abcdef" https://test.com',
+                     masked   => 'curl --header "api-key: ***" https://test.com'
+                  },
+                  {  original => 'prog get path -token=abc123def456 -I100',
+                     masked   => 'prog get path -token=*** -I100'
+                  },
+                  {  original => 'PVX-Authorization: P@sSw@RdZ',
+                     masked   => 'PVX-Authorization: ***'
+                  },
+                  {  original => 'Authorization: Basic ABCDEF',
+                     masked   => 'Authorization: Basic ***'
+                  },
+                  {  original => 'https://admin:SecurePass@test.com:8080/api',
+                     masked   => 'https://admin:***@test.com:8080/api',
+                  },
+                  {  original => '/tmp/centreon-plugins/test.pl --secret=secret',
+                     masked   => '/tmp/centreon-plugins/test.pl --secret=***',
+                  },
+    );
+
+    foreach my $test (@tests) {
+        my $masked = mask_secrets($test->{original});
+	ok($test->{masked} eq $masked, "Masks secrets in '".$test->{original} . "' => '" . $masked."'");
+    }
+}
+
+mask_secrets_execute();
+done_testing();

tests/centreon/plugins/sshcli.t

@@ -24,6 +24,7 @@ my $_fake_ssh = '/tmp/test_fake_ssh_'.$$;
     sub new { bless {}, shift }
     sub add_option_msg { }
     sub option_exit { die }
+    sub is_debug { 0 }
 }
 
 sub process_test {