Fix encrypted-password anonymization to replace instead of scrub

[manonfgoo]

Summary

• Change Juniper encrypted-password handling from line-scrubbing to hash
  replacement, preserving config structure while anonymizing the value
• Add SHA-256 ($5$) hash format detection and anonymization alongside
  existing SHA-512 ($6$) and MD5 ($1$) support
• Add catch-all regexes for $5$ and $6$ hashes in extra_password_regexes

What changed

netconan/default_pwd_regexes.py:

• encrypted-password regex changed from scrub-line (None) to capture-group
  replacement (group 3), using a named (?P<prefix>...) group to preserve the
  line prefix

netconan/sensitive_item_removal.py:

• Add sha256 format to _sensitive_item_formats enum
• Add sha256_crypt import from passlib
• Add SHA-256 hash detection in _check_sensitive_item_format()
• Add SHA-256 anonymization in _anonymize_value()
• Add $5$ and $6$ catch-all regexes to extra_password_regexes
• Change encrypted-password extra regex from scrub (None) to replace (group 1)

Before/After

Before: encrypted-password "$6$hash..." → entire line replaced with
! netconan_scrubbed (breaks config structure)

After: encrypted-password "$6$hash..." → encrypted-password "$6$new_hash..."
(config remains valid, only the hash value changes)

New test files to avoid merge conflicts with other feature branches:

• tests/unit/test_encrypted_password.py (hash verification tests)
• tests/end_to_end/test_e2e_encrypted_password.py (e2e test)

---

This change is 

[dhalperi]

I pushed in the merge fixups for this PR. - Thanks for letting admins resolve conflicts.

[dhalperi]

@dhalperi reviewed 5 files and all commit messages, and made 3 comments.
Reviewable status: all files reviewed, 3 unresolved discussions (waiting on manonfgoo).

---

netconan/default_pwd_regexes.py line 127 at r1 (raw file):

    [(r"(wlccp \S+ username (\S+)( .*)? password( \d)?) (\S+)(.*)", None)],
    # Juniper encrypted-password with capture group (replaces scrub-only version below).
    # TODO: delete the original encrypted-password scrubber in the JUNOS section

what's the plan for this TODO?

---

tests/unit/test_encrypted_password.py line 5 at r1 (raw file):

import pytest

from netconan.sensitive_item_removal import _anonymize_value

We like tests of function <file>.py:<foo> to be in tests/test_<file>py. Any good reason to deviate here?

---

tests/unit/test_encrypted_password.py line 7 at r1 (raw file):

from netconan.sensitive_item_removal import _anonymize_value

SALT = "saltForTest"

Are these not redundant with the ones you added in the existing test_sensitive_item_removal.py?

[dhalperi]

@dhalperi made 1 comment and resolved 1 discussion.
Reviewable status: all files reviewed, 2 unresolved discussions (waiting on manonfgoo).

---

tests/unit/test_encrypted_password.py line 7 at r1 (raw file):

Previously, dhalperi (Dan Halperin) wrote…

Are these not redundant with the ones you added in the existing test_sensitive_item_removal.py?

seems like they are not redundant, because those ones don't check the output value.

[dhalperi]

@dhalperi made 1 comment.
Reviewable status: all files reviewed, 3 unresolved discussions (waiting on manonfgoo).

---

tests/unit/test_sensitive_item_removal.py line 713 at r1 (raw file):

    processed_line = replace_matching_item(regexes, config_line, pwd_lookup, SALT)
    assert "SECRET" not in processed_line
    assert _LINE_SCRUBBED_MESSAGE not in processed_line

This change broke the test. We need a new test with LINE_SCRUBBED_MESSAGE in it.

Code quote:

    assert "SECRET" not in processed_line
    assert _LINE_SCRUBBED_MESSAGE not in processed_line

[manonfgoo]

@dhalperi reviewed 5 files and all commit messages, and made 3 comments.
Reviewable status: all files reviewed, 3 unresolved discussions (waiting on manonfgoo).

netconan/default_pwd_regexes.py line 127 at r1 (raw file):

    [(r"(wlccp \S+ username (\S+)( .*)? password( \d)?) (\S+)(.*)", None)],
    # Juniper encrypted-password with capture group (replaces scrub-only version below).
    # TODO: delete the original encrypted-password scrubber in the JUNOS section

resolved this, this is the new line:

    [(r"(wlccp \S+ username (\S+)( .*)? password( \d)?) (\S+)(.*)", 1)],
    # Juniper encrypted-password with capture group (replaces scrub-only version below).
    # TODO: delete the original encrypted-password scrubber in the JUNOS section

what's the plan for this TODO?
Done

tests/unit/test_encrypted_password.py line 5 at r1 (raw file):

import pytest

from netconan.sensitive_item_removal import _anonymize_value

We like tests of function <file>.py:<foo> to be in tests/test_<file>py. Any good reason to deviate here?

I'll have a look at this

tests/unit/test_encrypted_password.py line 7 at r1 (raw file):

from netconan.sensitive_item_removal import _anonymize_value

SALT = "saltForTest"

Are these not redundant with the ones you added in the existing test_sensitive_item_removal.py?

[manonfgoo]

Addressed all three review comments:

1. wlccp capture group: Fixed None → 1
2. TODO for original encrypted-password scrubber: Deleted the duplicate scrub-only regex in the JUNOS section — the capture-group version above now handles all encrypted-password lines
3. Test file location + redundancy: Moved hash verification tests into test_sensitive_item_removal.py to follow the test_.py naming convention. These tests are not redundant — existing tests check format preservation and uniqueness, but the moved tests uniquely verify that anonymized crypt
   hashes are valid using passlib. Deleted tests/unit/test_encrypted_password.py.