cmueller/ansible
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

validate-modules no_log test: extend search range, add more known false-positives (#73882)

Browse source 
* validate-modules no_log test: extend search range, add more known false-positives.

* Mark false-positives.
This commit is contained in:
Felix Fontein 2021-03-13 15:28:33 +01:00 committed by GitHub
parent ed18fcac3b
commit 7c0af58449
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 6 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
lib/ansible/modules/yum_repository.py
View file

@ -599,9 +599,9 @@ def main():
exclude=dict(type='list', elements='str'), exclude=dict(type='list', elements='str'),
failovermethod=dict(choices=['roundrobin', 'priority']), failovermethod=dict(choices=['roundrobin', 'priority']),
file=dict(), file=dict(),
gpgcakey=dict(), gpgcakey=dict(no_log=False),
gpgcheck=dict(type='bool'), gpgcheck=dict(type='bool'),
gpgkey=dict(type='list', elements='str'), gpgkey=dict(type='list', elements='str', no_log=False),
module_hotfixes=dict(type='bool'), module_hotfixes=dict(type='bool'),
http_caching=dict(choices=['all', 'packages', 'none']), http_caching=dict(choices=['all', 'packages', 'none']),
include=dict(), include=dict(),
@ -635,7 +635,7 @@ def main():
sslcacert=dict(aliases=['ca_cert']), sslcacert=dict(aliases=['ca_cert']),
ssl_check_cert_permissions=dict(type='bool'), ssl_check_cert_permissions=dict(type='bool'),
sslclientcert=dict(aliases=['client_cert']), sslclientcert=dict(aliases=['client_cert']),
sslclientkey=dict(aliases=['client_key']), sslclientkey=dict(aliases=['client_key'], no_log=False),
sslverify=dict(type='bool', aliases=['validate_certs']), sslverify=dict(type='bool', aliases=['validate_certs']),
state=dict(choices=['present', 'absent'], default='present'), state=dict(choices=['present', 'absent'], default='present'),
throttle=dict(), throttle=dict(),

6
test/lib/ansible_test/_data/sanity/validate-modules/validate_modules/main.py
View file

@ -97,12 +97,12 @@ LOOSE_ANSIBLE_VERSION = LooseVersion('.'.join(ansible_version.split('.')[:3]))
def is_potential_secret_option(option_name): def is_potential_secret_option(option_name):
if not NO_LOG_REGEX.match(option_name): if not NO_LOG_REGEX.search(option_name):
return False return False
# If this is a count, type, algorithm, timeout, or name, it is probably not a secret # If this is a count, type, algorithm, timeout, filename, or name, it is probably not a secret
if option_name.endswith(( if option_name.endswith((
'_count', '_type', '_alg', '_algorithm', '_timeout', '_name', '_comment', '_count', '_type', '_alg', '_algorithm', '_timeout', '_name', '_comment',
'_bits', '_id', '_identifier', '_period', '_bits', '_id', '_identifier', '_period', '_file', '_filename',
)): )):
return False return False
# 'key' also matches 'publickey', which is generally not secret # 'key' also matches 'publickey', which is generally not secret