Stop displaying kinit pass input on a failure (#41882)
* Stop displaying kinit pass input on a failure * Fixed up minor logic info and added tests
This commit is contained in:
parent
97ffb4c4d2
commit
9b7b564d75
3 changed files with 55 additions and 2 deletions
2
changelogs/fragments/winrm_kinit-remove-pass-log.yml
Normal file
2
changelogs/fragments/winrm_kinit-remove-pass-log.yml
Normal file
|
@ -0,0 +1,2 @@
|
|||
bugfixes:
|
||||
- winrm - ensure pexpect is set to not echo the input on a failure and have a manual sanity check afterwards https://github.com/ansible/ansible/issues/41865
|
|
@ -294,7 +294,7 @@ class Connection(ConnectionBase):
|
|||
% principal)
|
||||
try:
|
||||
child = pexpect.spawn(command, kinit_cmdline, timeout=60,
|
||||
env=krb5env)
|
||||
env=krb5env, echo=False)
|
||||
except pexpect.ExceptionPexpect as err:
|
||||
err_msg = "Kerberos auth failure when calling kinit cmd " \
|
||||
"'%s': %s" % (command, to_native(err))
|
||||
|
@ -336,8 +336,13 @@ class Connection(ConnectionBase):
|
|||
rc = p.returncode != 0
|
||||
|
||||
if rc != 0:
|
||||
# one last attempt at making sure the password does not exist
|
||||
# in the output
|
||||
exp_msg = to_native(stderr.strip())
|
||||
exp_msg = exp_msg.replace(to_native(password), "<redacted>")
|
||||
|
||||
err_msg = "Kerberos auth failure for principal %s with %s: %s" \
|
||||
% (principal, proc_mechanism, to_native(stderr.strip()))
|
||||
% (principal, proc_mechanism, exp_msg)
|
||||
raise AnsibleConnectionFailure(err_msg)
|
||||
|
||||
display.vvvvv("kinit succeeded for principal %s" % principal)
|
||||
|
|
|
@ -271,6 +271,7 @@ class TestWinRMKerbAuth(object):
|
|||
actual_env = mock_calls[0][2]['env']
|
||||
assert list(actual_env.keys()) == ['KRB5CCNAME']
|
||||
assert actual_env['KRB5CCNAME'].startswith("FILE:/")
|
||||
assert mock_calls[0][2]['echo'] is False
|
||||
assert mock_calls[1][0] == "().expect"
|
||||
assert mock_calls[1][1] == (".*:",)
|
||||
assert mock_calls[2][0] == "().sendline"
|
||||
|
@ -367,3 +368,48 @@ class TestWinRMKerbAuth(object):
|
|||
assert str(err.value) == \
|
||||
"Kerberos auth failure for principal invaliduser with " \
|
||||
"pexpect: %s" % (expected_err)
|
||||
|
||||
def test_kinit_error_pass_in_output_subprocess(self, monkeypatch):
|
||||
def mock_communicate(input=None, timeout=None):
|
||||
return b"", b"Error with kinit\n" + input
|
||||
|
||||
mock_popen = MagicMock()
|
||||
mock_popen.return_value.communicate = mock_communicate
|
||||
mock_popen.return_value.returncode = 1
|
||||
monkeypatch.setattr("subprocess.Popen", mock_popen)
|
||||
|
||||
winrm.HAS_PEXPECT = False
|
||||
pc = PlayContext()
|
||||
new_stdin = StringIO()
|
||||
conn = connection_loader.get('winrm', pc, new_stdin)
|
||||
conn.set_options(var_options={"_extras": {}})
|
||||
|
||||
with pytest.raises(AnsibleConnectionFailure) as err:
|
||||
conn._kerb_auth("username", "password")
|
||||
assert str(err.value) == \
|
||||
"Kerberos auth failure for principal username with subprocess: " \
|
||||
"Error with kinit\n<redacted>"
|
||||
|
||||
def test_kinit_error_pass_in_output_pexpect(self, monkeypatch):
|
||||
pytest.importorskip("pexpect")
|
||||
|
||||
mock_pexpect = MagicMock()
|
||||
mock_pexpect.return_value.expect = MagicMock()
|
||||
mock_pexpect.return_value.read.return_value = \
|
||||
b"Error with kinit\npassword\n"
|
||||
mock_pexpect.return_value.exitstatus = 1
|
||||
|
||||
monkeypatch.setattr("pexpect.spawn", mock_pexpect)
|
||||
|
||||
winrm.HAS_PEXPECT = True
|
||||
pc = PlayContext()
|
||||
pc = PlayContext()
|
||||
new_stdin = StringIO()
|
||||
conn = connection_loader.get('winrm', pc, new_stdin)
|
||||
conn.set_options(var_options={"_extras": {}})
|
||||
|
||||
with pytest.raises(AnsibleConnectionFailure) as err:
|
||||
conn._kerb_auth("username", "password")
|
||||
assert str(err.value) == \
|
||||
"Kerberos auth failure for principal username with pexpect: " \
|
||||
"Error with kinit\n<redacted>"
|
||||
|
|
Loading…
Reference in a new issue