author | Brian Coca <brian.coca+git@gmail.com> | 2017-02-09 13:59:29 -0500 |
---|---|---|
committer | Brian Coca <brian.coca+git@gmail.com> | 2017-02-09 18:18:48 -0500 |
commit | f1217a9b9440aa4911657e9d715e9a0b148c5bec (patch) | |
tree | 25af417db9fb6f2fdc5c2f8a7401842b1d93f712 | |
parent | 9029547603175826218bd91fd2b937b6e11d4c3f (diff) | |
use regex vs list to weed out password fields
- also warn as module SHOULD have no_log
- make password regex exportable for testing
- avoids boolean fields
(cherry picked from commit 403e9d35dff54395766fcf74ed79d294728c1672)
-rw-r--r-- | lib/ansible/module_utils/basic.py | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/lib/ansible/module_utils/basic.py b/lib/ansible/module_utils/basic.py index 527802ffd1..98ac0cf6ed 100644 --- a/lib/ansible/module_utils/basic.py +++ b/lib/ansible/module_utils/basic.py @@ -144,6 +144,8 @@ from ansible.module_utils.six import (PY2, PY3, b, binary_type, integer_types, from ansible.module_utils.six.moves import map, reduce from ansible.module_utils._text import to_native, to_bytes, to_text +PASSWORD_MATCH = re.compile(r'^(?:.+[-_\s])?pass(?:[-_\s]?(?:word|phrase|wrd|wd)?)(?:[-_\s].+)?$', re.I) + _NUMBERTYPES = tuple(list(integer_types) + [float]) # Deprecated compat. Only kept in case another module used these names Using @@ -1666,17 +1668,19 @@ class AnsibleModule(object): # TODO: generalize a separate log function and make log_invocation use it # Sanitize possible password argument when logging. log_args = dict() - passwd_keys = ['password', 'login_password', 'url_password'] for param in self.params: canon = self.aliases.get(param, param) arg_opts = self.argument_spec.get(canon, {}) no_log = arg_opts.get('no_log', False) + arg_type = arg_opts.get('type', 'str') if self.boolean(no_log): log_args[param] = 'NOT_LOGGING_PARAMETER' - elif param in passwd_keys: + # try to capture all passwords/passphrase named fields + elif arg_type != 'bool' and PASSWORD_MATCH.search(param): log_args[param] = 'NOT_LOGGING_PASSWORD' + self.warn('Module did not set no_log for %s' % param) else: param_val = self.params[param] if not isinstance(param_val, (text_type, binary_type)): |
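Review bot: PASSWORD_MATCH is added with no comment saying it is only a name-based fallback, and as written it misses some obvious spellings: it does not match `passwords` (only a separator may follow `word`) or names with no separator before `pass`, such as `userpass`. Since the commit exports the pattern for testing, I would document the intent above the constant, e.g. `# Heuristic for password-like parameter names; a safety net for modules that forgot no_log, not a substitute for it.`, and pin the accepted and rejected names in a unit test. Secrets with other names (tokens, keys) are still protected only by an explicit `no_log`.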
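Review bot: In the new `elif`, a module cannot opt a parameter out of the heuristic, because `arg_opts.get('no_log', False)` returns the same value for an absent `no_log` and an explicit `no_log=False`. Any non-bool parameter whose name matches PASSWORD_MATCH (the pattern also accepts names like `pass_through`) is then masked and raises the warning each time the invocation is logged, which teaches users to ignore it. Consider applying the fallback only when the spec is silent: `elif 'no_log' not in arg_opts and arg_type != 'bool' and PASSWORD_MATCH.search(param):`. The masking here covers only `log_args`, so the warning text could say that the value is presumably still unprotected on other output paths until the module sets `no_log`. The enclosing method starts and ends outside the hunk.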