2015-10-20 07:32:21 +02:00
|
|
|
# -*- coding: utf-8 -*-
|
|
|
|
# (c) 2015, Toshio Kuratomi <tkuratomi@ansible.com>
|
|
|
|
#
|
|
|
|
# This file is part of Ansible
|
|
|
|
#
|
|
|
|
# Ansible is free software: you can redistribute it and/or modify
|
|
|
|
# it under the terms of the GNU General Public License as published by
|
|
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
|
|
# (at your option) any later version.
|
|
|
|
#
|
|
|
|
# Ansible is distributed in the hope that it will be useful,
|
|
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
# GNU General Public License for more details.
|
|
|
|
#
|
|
|
|
# You should have received a copy of the GNU General Public License
|
|
|
|
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
|
|
|
|
# Make coding more python3-ish
|
|
|
|
from __future__ import (absolute_import, division)
|
|
|
|
__metaclass__ = type
|
|
|
|
|
|
|
|
import sys
|
|
|
|
import syslog
|
|
|
|
|
|
|
|
from ansible.compat.tests import unittest
|
|
|
|
from ansible.compat.tests.mock import patch, MagicMock
|
|
|
|
|
|
|
|
from ansible.module_utils.basic import heuristic_log_sanitize
|
|
|
|
|
|
|
|
class TestHeuristicLogSanitize(unittest.TestCase):
|
|
|
|
def setUp(self):
|
|
|
|
self.URL_SECRET = 'http://username:pas:word@foo.com/data'
|
|
|
|
self.SSH_SECRET = 'username:pas:word@foo.com/data'
|
|
|
|
self.clean_data = repr(self._gen_data(3, True, True, 'no_secret_here'))
|
|
|
|
self.url_data = repr(self._gen_data(3, True, True, self.URL_SECRET))
|
|
|
|
self.ssh_data = repr(self._gen_data(3, True, True, self.SSH_SECRET))
|
|
|
|
|
|
|
|
def _gen_data(self, records, per_rec, top_level, secret_text):
|
|
|
|
hostvars = {'hostvars': {}}
|
|
|
|
for i in range(1, records, 1):
|
|
|
|
host_facts = {'host%s' % i:
|
|
|
|
{'pstack':
|
|
|
|
{'running': '875.1',
|
|
|
|
'symlinked': '880.0',
|
|
|
|
'tars': [],
|
|
|
|
'versions': ['885.0']},
|
|
|
|
}}
|
|
|
|
if per_rec:
|
|
|
|
host_facts['host%s' % i]['secret'] = secret_text
|
|
|
|
hostvars['hostvars'].update(host_facts)
|
|
|
|
if top_level:
|
|
|
|
hostvars['secret'] = secret_text
|
|
|
|
return hostvars
|
|
|
|
|
|
|
|
def test_did_not_hide_too_much(self):
|
|
|
|
self.assertEquals(heuristic_log_sanitize(self.clean_data), self.clean_data)
|
|
|
|
|
|
|
|
def test_hides_url_secrets(self):
|
|
|
|
url_output = heuristic_log_sanitize(self.url_data)
|
|
|
|
# Basic functionality: Successfully hid the password
|
|
|
|
self.assertNotIn('pas:word', url_output)
|
|
|
|
|
|
|
|
# Slightly more advanced, we hid all of the password despite the ":"
|
|
|
|
self.assertNotIn('pas', url_output)
|
|
|
|
|
|
|
|
# In this implementation we replace the password with 8 "*" which is
|
|
|
|
# also the length of our password. The url fields should be able to
|
|
|
|
# accurately detect where the password ends so the length should be
|
|
|
|
# the same:
|
|
|
|
self.assertEqual(len(url_output), len(self.url_data))
|
|
|
|
|
|
|
|
def test_hides_ssh_secrets(self):
|
|
|
|
ssh_output = heuristic_log_sanitize(self.ssh_data)
|
|
|
|
self.assertNotIn('pas:word', ssh_output)
|
|
|
|
|
|
|
|
# Slightly more advanced, we hid all of the password despite the ":"
|
|
|
|
self.assertNotIn('pas', ssh_output)
|
|
|
|
|
|
|
|
# ssh checking is harder as the heuristic is overzealous in many
|
|
|
|
# cases. Since the input will have at least one ":" present before
|
|
|
|
# the password we can tell some things about the beginning and end of
|
|
|
|
# the data, though:
|
|
|
|
self.assertTrue(ssh_output.startswith("{'"))
|
|
|
|
self.assertTrue(ssh_output.endswith("}"))
|
|
|
|
self.assertIn(":********@foo.com/data'", ssh_output)
|
|
|
|
|
2015-12-03 23:15:37 +01:00
|
|
|
@unittest.skipIf(sys.version_info[0] >= 3, "Python 3 is not supported on targets (yet)")
|
2015-10-21 03:51:34 +02:00
|
|
|
def test_hides_parameter_secrets(self):
|
|
|
|
output = heuristic_log_sanitize('token="secret", user="person", token_entry="test=secret"', frozenset(['secret']))
|
|
|
|
self.assertNotIn('secret', output)
|