use regex vs list to weed out password fields

- also warn, as the module SHOULD have set no_log for such a field
- make the password regex exportable for testing
- does not apply to boolean fields

(cherry picked from commit 403e9d35df)
Brian Coca 2017-02-09 13:59:29 -05:00
parent b4b65c6bd2
commit 20d67cc562


@ -178,6 +178,8 @@ except ImportError:
except ImportError: except ImportError:
pass pass
PASSWORD_MATCH = re.compile(r'^(?:.+[-_\s])?pass(?:[-_\s]?(?:word|phrase|wrd|wd)?)(?:[-_\s].+)?$', re.I)
try: try:
from ast import literal_eval from ast import literal_eval
except ImportError: except ImportError:
@ -1627,17 +1629,19 @@ class AnsibleModule(object):
# TODO: generalize a separate log function and make log_invocation use it # TODO: generalize a separate log function and make log_invocation use it
# Sanitize possible password argument when logging. # Sanitize possible password argument when logging.
log_args = dict() log_args = dict()
passwd_keys = ['password', 'login_password', 'url_password']
for param in self.params: for param in self.params:
canon = self.aliases.get(param, param) canon = self.aliases.get(param, param)
arg_opts = self.argument_spec.get(canon, {}) arg_opts = self.argument_spec.get(canon, {})
no_log = arg_opts.get('no_log', False) no_log = arg_opts.get('no_log', False)
arg_type = arg_opts.get('type', 'str')
if self.boolean(no_log): if self.boolean(no_log):
log_args[param] = 'NOT_LOGGING_PARAMETER' log_args[param] = 'NOT_LOGGING_PARAMETER'
elif param in passwd_keys: # try to capture all passwords/passphrase named fields
elif arg_type != 'bool' and PASSWORD_MATCH.search(param):
log_args[param] = 'NOT_LOGGING_PASSWORD' log_args[param] = 'NOT_LOGGING_PASSWORD'
self.warn('Module did not set no_log for %s' % param)
else: else:
param_val = self.params[param] param_val = self.params[param]
if not isinstance(param_val, basestring): if not isinstance(param_val, basestring):