From 7c0af58449666b9d5cc2ec0d2916d89c45fc02d7 Mon Sep 17 00:00:00 2001
From: Felix Fontein
Date: Sat, 13 Mar 2021 15:28:33 +0100
Subject: [PATCH] validate-modules no_log test: extend search range, add more known false-positives (#73882)
* validate-modules no_log test: extend search range, add more known false-positives.
* Mark false-positives.
---
 lib/ansible/modules/yum_repository.py | 6 +++---
 .../_data/sanity/validate-modules/validate_modules/main.py | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/lib/ansible/modules/yum_repository.py b/lib/ansible/modules/yum_repository.py
index f7d3afb6d8f..7b5ac23dbda 100644
--- a/lib/ansible/modules/yum_repository.py
+++ b/lib/ansible/modules/yum_repository.py
@@ -599,9 +599,9 @@ def main():
 exclude=dict(type='list', elements='str'),
 failovermethod=dict(choices=['roundrobin', 'priority']),
 file=dict(),
- gpgcakey=dict(),
+ gpgcakey=dict(no_log=False),
 gpgcheck=dict(type='bool'),
- gpgkey=dict(type='list', elements='str'),
+ gpgkey=dict(type='list', elements='str', no_log=False),
 module_hotfixes=dict(type='bool'),
 http_caching=dict(choices=['all', 'packages', 'none']),
 include=dict(),
@@ -635,7 +635,7 @@ def main():
 sslcacert=dict(aliases=['ca_cert']),
 ssl_check_cert_permissions=dict(type='bool'),
 sslclientcert=dict(aliases=['client_cert']),
- sslclientkey=dict(aliases=['client_key']),
+ sslclientkey=dict(aliases=['client_key'], no_log=False),
 sslverify=dict(type='bool', aliases=['validate_certs']),
 state=dict(choices=['present', 'absent'], default='present'),
 throttle=dict(),
diff --git a/test/lib/ansible_test/_data/sanity/validate-modules/validate_modules/main.py b/test/lib/ansible_test/_data/sanity/validate-modules/validate_modules/main.py
index a5e0806ba9a..55db4625eb3 100644
--- a/test/lib/ansible_test/_data/sanity/validate-modules/validate_modules/main.py
+++ b/test/lib/ansible_test/_data/sanity/validate-modules/validate_modules/main.py
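Review bot: The three `no_log=False` markers in yum_repository.py (`gpgcakey` and `gpgkey` in the `@@ -599` hunk, `sslclientkey` in the `@@ -635` hunk) silence the sanity warning without recording why the value is safe to log. The commit message calls them false positives, which presumably means each option holds the location of a key rather than key material. That rationale belongs next to the option, for example `sslclientkey=dict(aliases=['client_key'], no_log=False),  # location of the key, not key material`. If `gpgkey` or `gpgcakey` accept URLs, a URL with embedded credentials would still be logged in clear, so the option documentation should tell users to keep credentials out of these values. The argument spec in `main()` begins and ends outside both hunks.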
@@ -97,12 +97,12 @@ LOOSE_ANSIBLE_VERSION = LooseVersion('.'.join(ansible_version.split('.')[:3]))
 def is_potential_secret_option(option_name):
- if not NO_LOG_REGEX.match(option_name):
+ if not NO_LOG_REGEX.search(option_name):
 return False
- # If this is a count, type, algorithm, timeout, or name, it is probably not a secret
+ # If this is a count, type, algorithm, timeout, filename, or name, it is probably not a secret
 if option_name.endswith((
 '_count', '_type', '_alg', '_algorithm', '_timeout', '_name', '_comment',
- '_bits', '_id', '_identifier', '_period', '_file', '_filename',
+ '_bits', '_id', '_identifier', '_period', '_file', '_filename',
 )):
 return False
 # 'key' also matches 'publickey', which is generally not secret
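Review bot: The new `_file` and `_filename` suffixes sit in the early-return list of `is_potential_secret_option`, so any option name ending that way is exempted before the later checks run. A wrong exemption fails open, because the module author is never prompted to decide on `no_log`. That is sound when the value is a path, but some modules may accept inline content under such names (inferred, not visible here), so the comment should state the assumption, for example `# '_file'/'_filename' options are assumed to hold a path, never the file's content`. With `.search` the pattern now matches anywhere in the option name; `NO_LOG_REGEX` is defined outside this hunk, so confirm it has no anchoring that relied on `.match`. The function continues past the end of the hunk.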