From 9f7b124a6fe616c3fd06d500c1a6f6969c57ba2d Mon Sep 17 00:00:00 2001 From: Matt Clay Date: Mon, 16 Sep 2019 21:01:37 -0700 Subject: [PATCH] Mark ansible-test cloud credentials as sensitive. --- changelogs/fragments/ansible-test-cloud-secrets.yml | 3 +++ test/lib/ansible_test/_internal/cloud/azure.py | 5 +++++ test/lib/ansible_test/_internal/cloud/cloudscale.py | 2 ++ test/lib/ansible_test/_internal/cloud/cs.py | 4 ++++ test/lib/ansible_test/_internal/cloud/hcloud.py | 4 ++++ test/lib/ansible_test/_internal/cloud/opennebula.py | 2 ++ test/lib/ansible_test/_internal/cloud/scaleway.py | 7 ++++++- test/lib/ansible_test/_internal/cloud/tower.py | 2 ++ test/lib/ansible_test/_internal/cloud/vcenter.py | 4 ++++ test/lib/ansible_test/_internal/cloud/vultr.py | 7 ++++++- 10 files changed, 38 insertions(+), 2 deletions(-) create mode 100644 changelogs/fragments/ansible-test-cloud-secrets.yml diff --git a/changelogs/fragments/ansible-test-cloud-secrets.yml b/changelogs/fragments/ansible-test-cloud-secrets.yml new file mode 100644 index 00000000000..b7e19fab22c --- /dev/null +++ b/changelogs/fragments/ansible-test-cloud-secrets.yml @@ -0,0 +1,3 @@ +bugfixes: + - > + **security issue** - Redact cloud plugin secrets in ansible-test when running integration tests using cloud plugins. Only present in 2.9.0b1. diff --git a/test/lib/ansible_test/_internal/cloud/azure.py b/test/lib/ansible_test/_internal/cloud/azure.py index e022a83e3d5..9128237a9bd 100644 --- a/test/lib/ansible_test/_internal/cloud/azure.py +++ b/test/lib/ansible_test/_internal/cloud/azure.py @@ -125,6 +125,8 @@ class AzureCloudProvider(CloudProvider): RESOURCE_GROUP_SECONDARY=response['resourceGroupNames'][1], ) + display.sensitive.add(values['AZURE_SECRET']) + config = '\n'.join('%s: %s' % (key, values[key]) for key in sorted(values)) config = '[default]\n' + config 
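Review bot: `display.sensitive.add(values['AZURE_SECRET'])` registers the raw value with no check that it is non-empty, and the same unguarded pattern is repeated in the cloudscale, cs, hcloud, scaleway, tower, vcenter and vultr hunks. If redaction works by substring replacement on displayed output (the `Display` implementation is outside this diff), an empty string is a useless entry at best and, depending on how the replacement is written, could corrupt every output line; the ini-backed providers in particular can hand back `''` from `parser.get`. Guarding each call site is noisy, so the cheaper fix is to make the sink ignore falsy values once (e.g. a small `add_sensitive(value)` helper on `Display` doing `if value: self.sensitive.add(value)`); failing that, wrap each site as `if values['AZURE_SECRET']: display.sensitive.add(values['AZURE_SECRET'])`. A one-line comment on placement would also help, e.g. `# register the secret before it is interpolated into the config text so any later output of that text is redacted`. The enclosing method continues outside the hunk.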
@@ -146,6 +148,9 @@ class AzureCloudEnvironment(CloudEnvironment): """ env_vars = get_config(self.config_path) + display.sensitive.add(env_vars.get('AZURE_SECRET')) + display.sensitive.add(env_vars.get('AZURE_PASSWORD')) + ansible_vars = dict( resource_prefix=self.resource_prefix, ) diff --git a/test/lib/ansible_test/_internal/cloud/cloudscale.py b/test/lib/ansible_test/_internal/cloud/cloudscale.py index 098bdb7c8c4..466ba420fda 100644 --- a/test/lib/ansible_test/_internal/cloud/cloudscale.py +++ b/test/lib/ansible_test/_internal/cloud/cloudscale.py @@ -66,6 +66,8 @@ class CloudscaleCloudEnvironment(CloudEnvironment): CLOUDSCALE_API_TOKEN=parser.get('default', 'cloudscale_api_token'), ) + display.sensitive.add(env_vars['CLOUDSCALE_API_TOKEN']) + ansible_vars = dict( cloudscale_resource_prefix=self.resource_prefix, ) diff --git a/test/lib/ansible_test/_internal/cloud/cs.py b/test/lib/ansible_test/_internal/cloud/cs.py index 0bf5f51569c..8c0a4c2184b 100644 --- a/test/lib/ansible_test/_internal/cloud/cs.py +++ b/test/lib/ansible_test/_internal/cloud/cs.py @@ -201,6 +201,8 @@ class CsCloudProvider(CloudProvider): SECRET=credentials['secretkey'], ) + display.sensitive.add(values['SECRET']) + config = self._populate_config_template(config, values) self._write_config(config) @@ -280,6 +282,8 @@ class CsCloudEnvironment(CloudEnvironment): CLOUDSTACK_TIMEOUT=config['timeout'], ) + display.sensitive.add(env_vars['CLOUDSTACK_SECRET']) + ansible_vars = dict( cs_resource_prefix=self.resource_prefix, ) diff --git a/test/lib/ansible_test/_internal/cloud/hcloud.py b/test/lib/ansible_test/_internal/cloud/hcloud.py index fa068597b06..aa4e33ff854 100644 --- a/test/lib/ansible_test/_internal/cloud/hcloud.py +++ b/test/lib/ansible_test/_internal/cloud/hcloud.py @@ -77,6 +77,8 @@ class HcloudCloudProvider(CloudProvider): TOKEN=token, ) + display.sensitive.add(values['TOKEN']) + config = self._populate_config_template(config, values) self._write_config(config) 
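Review bot: `env_vars.get('AZURE_SECRET')` and `env_vars.get('AZURE_PASSWORD')` return `None` when the key is missing from the config file, and that `None` is added to `display.sensitive` unconditionally; the opennebula hunk does the same with `ansible_vars.get('opennebula_password')`. Whether a `None` entry is harmless depends on how the sensitive set is consumed, which is outside this diff, but a `TypeError` at redaction time or a stray match on the text `None` would only show up when the config is incomplete. Skip absent or empty values rather than adding them, as below. The enclosing method continues outside the hunk.
```python
        env_vars = get_config(self.config_path)

        # only register credentials that are actually present; an absent key
        # yields None and an empty value is not a usable redaction pattern
        for name in ('AZURE_SECRET', 'AZURE_PASSWORD'):
            secret = env_vars.get(name)
            if secret:
                display.sensitive.add(secret)
        # … unchanged: ansible_vars construction …
```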
@@ -104,6 +106,8 @@ class HcloudCloudEnvironment(CloudEnvironment): HCLOUD_TOKEN=parser.get('default', 'hcloud_api_token'), ) + display.sensitive.add(env_vars['HCLOUD_TOKEN']) + ansible_vars = dict( hcloud_prefix=self.resource_prefix, ) diff --git a/test/lib/ansible_test/_internal/cloud/opennebula.py b/test/lib/ansible_test/_internal/cloud/opennebula.py index d0757279d02..559093e3d83 100644 --- a/test/lib/ansible_test/_internal/cloud/opennebula.py +++ b/test/lib/ansible_test/_internal/cloud/opennebula.py @@ -59,6 +59,8 @@ class OpenNebulaCloudEnvironment(CloudEnvironment): ansible_vars.update(dict(parser.items('default'))) + display.sensitive.add(ansible_vars.get('opennebula_password')) + return CloudEnvironmentConfig( ansible_vars=ansible_vars, ) diff --git a/test/lib/ansible_test/_internal/cloud/scaleway.py b/test/lib/ansible_test/_internal/cloud/scaleway.py index f52f8f0e452..22abe197baf 100644 --- a/test/lib/ansible_test/_internal/cloud/scaleway.py +++ b/test/lib/ansible_test/_internal/cloud/scaleway.py @@ -10,7 +10,10 @@ from . import ( CloudEnvironmentConfig, ) -from ..util import ConfigParser +from ..util import ( + ConfigParser, + display, +) class ScalewayCloudProvider(CloudProvider): @@ -57,6 +60,8 @@ class ScalewayCloudEnvironment(CloudEnvironment): SCW_ORG=parser.get('default', 'org') ) + display.sensitive.add(env_vars['SCW_API_KEY']) + ansible_vars = dict( scw_org=parser.get('default', 'org'), ) diff --git a/test/lib/ansible_test/_internal/cloud/tower.py b/test/lib/ansible_test/_internal/cloud/tower.py index a0f98612fa4..f6093741ddf 100644 --- a/test/lib/ansible_test/_internal/cloud/tower.py +++ b/test/lib/ansible_test/_internal/cloud/tower.py @@ -124,6 +124,8 @@ class TowerCloudProvider(CloudProvider): PASSWORD=connection.password, ) + display.sensitive.add(values['PASSWORD']) + config = self._populate_config_template(config, values) self._write_config(config) 
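Review bot: the tower hunk marks the credential only on the provider side, in `TowerCloudProvider` via `values['PASSWORD']`, whereas the azure, cs and hcloud changes in this patch also mark it in the matching `CloudEnvironment` class, where the credential is re-read from the written config and handed to the tests. If `TowerCloudEnvironment` exposes the password the same way (that class is not in this diff), the value stays unredacted on runs that reuse an existing config file and skip provider setup. Worth confirming and adding the matching `display.sensitive.add(...)` where the environment builds its env or ansible vars. The enclosing method continues outside the hunk.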
diff --git a/test/lib/ansible_test/_internal/cloud/vcenter.py b/test/lib/ansible_test/_internal/cloud/vcenter.py index 4fb7936c988..578ef0f4c0e 100644 --- a/test/lib/ansible_test/_internal/cloud/vcenter.py +++ b/test/lib/ansible_test/_internal/cloud/vcenter.py @@ -257,6 +257,10 @@ class VcenterEnvironment(CloudEnvironment): vcsim=self._get_cloud_config('vcenter_host'), ) + for key, value in ansible_vars.items(): + if key.endswith('_password'): + display.sensitive.add(value) + return CloudEnvironmentConfig( env_vars=env_vars, ansible_vars=ansible_vars, diff --git a/test/lib/ansible_test/_internal/cloud/vultr.py b/test/lib/ansible_test/_internal/cloud/vultr.py index 3ff2b98cec8..ce6184f7ce8 100644 --- a/test/lib/ansible_test/_internal/cloud/vultr.py +++ b/test/lib/ansible_test/_internal/cloud/vultr.py @@ -10,7 +10,10 @@ from . import ( CloudEnvironmentConfig, ) -from ..util import ConfigParser +from ..util import ( + ConfigParser, + display, +) class VultrCloudProvider(CloudProvider): @@ -56,6 +59,8 @@ class VultrCloudEnvironment(CloudEnvironment): VULTR_API_KEY=parser.get('default', 'key'), ) + display.sensitive.add(env_vars['VULTR_API_KEY']) + ansible_vars = dict( vultr_resource_prefix=self.resource_prefix, )
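Review bot: the new loop in the vcenter hunk redacts only values whose key ends with `_password`, and only scans `ansible_vars`; `env_vars`, built just above and passed into the same `CloudEnvironmentConfig`, is not scanned. If the same credential is exported there (the `env_vars` construction is outside the hunk), it remains visible in any output that echoes the environment, and an exact lowercase suffix match also misses keys such as an upper-case `*_PASSWORD`. Scanning both mappings with a case-insensitive match and skipping empty values is cheap, and the loop should carry a comment naming the convention it depends on, e.g. `# assumes every credential in these mappings is keyed *_password`. The enclosing method continues outside the hunk.
```python
        # assumes every credential in these mappings is keyed *_password
        # (any case); empty values are skipped since they cannot be redacted
        for mapping in (ansible_vars, env_vars):
            for key, value in mapping.items():
                if key.lower().endswith('_password') and value:
                    display.sensitive.add(value)

        return CloudEnvironmentConfig(
        # … unchanged: env_vars / ansible_vars arguments …
```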