mirror of
https://github.com/ansible-collections/community.general.git
synced 2024-09-14 20:13:21 +02:00
Merge pull request #12846 from ansible/nolog-for-return-value
Hide values in json returns which were given in parameters marked no_log.
This commit is contained in:
commit
1126ce34e3
4 changed files with 336 additions and 66 deletions
|
@ -65,7 +65,7 @@ import grp
|
||||||
import pwd
|
import pwd
|
||||||
import platform
|
import platform
|
||||||
import errno
|
import errno
|
||||||
from itertools import repeat
|
from itertools import repeat, chain
|
||||||
|
|
||||||
try:
|
try:
|
||||||
import syslog
|
import syslog
|
||||||
|
@ -109,9 +109,24 @@ except AttributeError:
|
||||||
return d.items()
|
return d.items()
|
||||||
else:
|
else:
|
||||||
# Python 2
|
# Python 2
|
||||||
def iteritems(d): # Python 2
|
def iteritems(d):
|
||||||
return d.iteritems()
|
return d.iteritems()
|
||||||
|
|
||||||
|
try:
|
||||||
|
NUMBERTYPES = (int, long, float)
|
||||||
|
except NameError:
|
||||||
|
# Python 3
|
||||||
|
NUMBERTYPES = (int, float)
|
||||||
|
|
||||||
|
# Python2 & 3 way to get NoneType
|
||||||
|
NoneType = type(None)
|
||||||
|
|
||||||
|
try:
|
||||||
|
from collections import Sequence, Mapping
|
||||||
|
except ImportError:
|
||||||
|
# python2.5
|
||||||
|
Sequence = (list, tuple)
|
||||||
|
Mapping = (dict,)
|
||||||
|
|
||||||
try:
|
try:
|
||||||
import json
|
import json
|
||||||
|
@ -408,6 +423,51 @@ def heuristic_log_sanitize(data):
|
||||||
|
|
||||||
return ''.join(output)
|
return ''.join(output)
|
||||||
|
|
||||||
|
def _return_values(obj):
|
||||||
|
""" Return stringified values from datastructures. For use with removing
|
||||||
|
sensitive values pre-jsonification."""
|
||||||
|
if isinstance(obj, basestring):
|
||||||
|
if obj:
|
||||||
|
yield obj
|
||||||
|
return
|
||||||
|
elif isinstance(obj, Sequence):
|
||||||
|
for element in obj:
|
||||||
|
for subelement in _return_values(element):
|
||||||
|
yield subelement
|
||||||
|
elif isinstance(obj, Mapping):
|
||||||
|
for element in obj.items():
|
||||||
|
for subelement in _return_values(element[1]):
|
||||||
|
yield subelement
|
||||||
|
elif isinstance(obj, (bool, NoneType)):
|
||||||
|
# This must come before int because bools are also ints
|
||||||
|
return
|
||||||
|
elif isinstance(obj, NUMBERTYPES):
|
||||||
|
yield str(obj)
|
||||||
|
else:
|
||||||
|
raise TypeError('Unknown parameter type: %s, %s' % (type(obj), obj))
|
||||||
|
|
||||||
|
def _remove_values(value, no_log_strings):
|
||||||
|
""" Remove strings in no_log_strings from value. If value is a container
|
||||||
|
type, then remove a lot more"""
|
||||||
|
if isinstance(value, basestring):
|
||||||
|
if value in no_log_strings:
|
||||||
|
return 'VALUE_SPECIFIED_IN_NO_LOG_PARAMETER'
|
||||||
|
for omit_me in no_log_strings:
|
||||||
|
value = value.replace(omit_me, '*' * 8)
|
||||||
|
elif isinstance(value, Sequence):
|
||||||
|
return [_remove_values(elem, no_log_strings) for elem in value]
|
||||||
|
elif isinstance(value, Mapping):
|
||||||
|
return dict((k, _remove_values(v, no_log_strings)) for k, v in value.items())
|
||||||
|
elif isinstance(value, tuple(chain(NUMBERTYPES, (bool, NoneType)))):
|
||||||
|
stringy_value = str(value)
|
||||||
|
if stringy_value in no_log_strings:
|
||||||
|
return 'VALUE_SPECIFIED_IN_NO_LOG_PARAMETER'
|
||||||
|
for omit_me in no_log_strings:
|
||||||
|
if omit_me in stringy_value:
|
||||||
|
return 'VALUE_SPECIFIED_IN_NO_LOG_PARAMETER'
|
||||||
|
else:
|
||||||
|
raise TypeError('Value of unknown type: %s, %s' % (type(value), value))
|
||||||
|
return value
|
||||||
|
|
||||||
def is_executable(path):
|
def is_executable(path):
|
||||||
'''is the given path executable?'''
|
'''is the given path executable?'''
|
||||||
|
@ -1397,7 +1457,7 @@ class AnsibleModule(object):
|
||||||
''' return a bool for the arg '''
|
''' return a bool for the arg '''
|
||||||
if arg is None or type(arg) == bool:
|
if arg is None or type(arg) == bool:
|
||||||
return arg
|
return arg
|
||||||
if type(arg) in types.StringTypes:
|
if isinstance(arg, basestring):
|
||||||
arg = arg.lower()
|
arg = arg.lower()
|
||||||
if arg in BOOLEANS_TRUE:
|
if arg in BOOLEANS_TRUE:
|
||||||
return True
|
return True
|
||||||
|
@ -1432,11 +1492,30 @@ class AnsibleModule(object):
|
||||||
for path in self.cleanup_files:
|
for path in self.cleanup_files:
|
||||||
self.cleanup(path)
|
self.cleanup(path)
|
||||||
|
|
||||||
|
def remove_no_log_values(self, to_jsonify):
|
||||||
|
""" Strip values associated with no_log parameters from output.
|
||||||
|
Note: does not strip dict keys, only dict values.
|
||||||
|
"""
|
||||||
|
no_log_strings = set()
|
||||||
|
# Use the argspec to determine which args are no_log
|
||||||
|
for arg_name, arg_opts in self.argument_spec.items():
|
||||||
|
if arg_opts.get('no_log', False):
|
||||||
|
# Find the value for the no_log'd param
|
||||||
|
no_log_object = self.params.get(arg_name, None)
|
||||||
|
if no_log_object:
|
||||||
|
no_log_strings.update(_return_values(no_log_object))
|
||||||
|
|
||||||
|
for field, value in to_jsonify.items():
|
||||||
|
to_jsonify[field] = _remove_values(value, no_log_strings)
|
||||||
|
|
||||||
|
return to_jsonify
|
||||||
|
|
||||||
def exit_json(self, **kwargs):
|
def exit_json(self, **kwargs):
|
||||||
''' return from the module, without error '''
|
''' return from the module, without error '''
|
||||||
self.add_path_info(kwargs)
|
self.add_path_info(kwargs)
|
||||||
if not 'changed' in kwargs:
|
if not 'changed' in kwargs:
|
||||||
kwargs['changed'] = False
|
kwargs['changed'] = False
|
||||||
|
self.remove_no_log_values(kwargs)
|
||||||
self.do_cleanup_files()
|
self.do_cleanup_files()
|
||||||
print(self.jsonify(kwargs))
|
print(self.jsonify(kwargs))
|
||||||
sys.exit(0)
|
sys.exit(0)
|
||||||
|
@ -1446,6 +1525,7 @@ class AnsibleModule(object):
|
||||||
self.add_path_info(kwargs)
|
self.add_path_info(kwargs)
|
||||||
assert 'msg' in kwargs, "implementation error -- msg to explain the error is required"
|
assert 'msg' in kwargs, "implementation error -- msg to explain the error is required"
|
||||||
kwargs['failed'] = True
|
kwargs['failed'] = True
|
||||||
|
self.remove_no_log_values(kwargs)
|
||||||
self.do_cleanup_files()
|
self.do_cleanup_files()
|
||||||
print(self.jsonify(kwargs))
|
print(self.jsonify(kwargs))
|
||||||
sys.exit(1)
|
sys.exit(1)
|
||||||
|
|
102
test/units/module_utils/basic/test_heuristic_log_sanitize.py
Normal file
102
test/units/module_utils/basic/test_heuristic_log_sanitize.py
Normal file
|
@ -0,0 +1,102 @@
|
||||||
|
# -*- coding: utf-8 -*-
|
||||||
|
# (c) 2015, Toshio Kuratomi <tkuratomi@ansible.com>
|
||||||
|
#
|
||||||
|
# This file is part of Ansible
|
||||||
|
#
|
||||||
|
# Ansible is free software: you can redistribute it and/or modify
|
||||||
|
# it under the terms of the GNU General Public License as published by
|
||||||
|
# the Free Software Foundation, either version 3 of the License, or
|
||||||
|
# (at your option) any later version.
|
||||||
|
#
|
||||||
|
# Ansible is distributed in the hope that it will be useful,
|
||||||
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
# GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public License
|
||||||
|
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
|
||||||
|
# Make coding more python3-ish
|
||||||
|
from __future__ import (absolute_import, division)
|
||||||
|
__metaclass__ = type
|
||||||
|
|
||||||
|
import sys
|
||||||
|
import syslog
|
||||||
|
|
||||||
|
from ansible.compat.tests import unittest
|
||||||
|
from ansible.compat.tests.mock import patch, MagicMock
|
||||||
|
|
||||||
|
from ansible.module_utils.basic import heuristic_log_sanitize
|
||||||
|
|
||||||
|
class TestHeuristicLogSanitize(unittest.TestCase):
|
||||||
|
def setUp(self):
|
||||||
|
self.URL_SECRET = 'http://username:pas:word@foo.com/data'
|
||||||
|
self.SSH_SECRET = 'username:pas:word@foo.com/data'
|
||||||
|
self.clean_data = repr(self._gen_data(3, True, True, 'no_secret_here'))
|
||||||
|
self.url_data = repr(self._gen_data(3, True, True, self.URL_SECRET))
|
||||||
|
self.ssh_data = repr(self._gen_data(3, True, True, self.SSH_SECRET))
|
||||||
|
|
||||||
|
def _gen_data(self, records, per_rec, top_level, secret_text):
|
||||||
|
hostvars = {'hostvars': {}}
|
||||||
|
for i in range(1, records, 1):
|
||||||
|
host_facts = {'host%s' % i:
|
||||||
|
{'pstack':
|
||||||
|
{'running': '875.1',
|
||||||
|
'symlinked': '880.0',
|
||||||
|
'tars': [],
|
||||||
|
'versions': ['885.0']},
|
||||||
|
}}
|
||||||
|
if per_rec:
|
||||||
|
host_facts['host%s' % i]['secret'] = secret_text
|
||||||
|
hostvars['hostvars'].update(host_facts)
|
||||||
|
if top_level:
|
||||||
|
hostvars['secret'] = secret_text
|
||||||
|
return hostvars
|
||||||
|
|
||||||
|
def test_did_not_hide_too_much(self):
|
||||||
|
self.assertEquals(heuristic_log_sanitize(self.clean_data), self.clean_data)
|
||||||
|
|
||||||
|
def test_hides_url_secrets(self):
|
||||||
|
url_output = heuristic_log_sanitize(self.url_data)
|
||||||
|
# Basic functionality: Successfully hid the password
|
||||||
|
self.assertNotIn('pas:word', url_output)
|
||||||
|
|
||||||
|
# Slightly more advanced, we hid all of the password despite the ":"
|
||||||
|
self.assertNotIn('pas', url_output)
|
||||||
|
|
||||||
|
# In this implementation we replace the password with 8 "*" which is
|
||||||
|
# also the length of our password. The url fields should be able to
|
||||||
|
# accurately detect where the password ends so the length should be
|
||||||
|
# the same:
|
||||||
|
self.assertEqual(len(url_output), len(self.url_data))
|
||||||
|
|
||||||
|
def test_hides_ssh_secrets(self):
|
||||||
|
ssh_output = heuristic_log_sanitize(self.ssh_data)
|
||||||
|
self.assertNotIn('pas:word', ssh_output)
|
||||||
|
|
||||||
|
# Slightly more advanced, we hid all of the password despite the ":"
|
||||||
|
self.assertNotIn('pas', ssh_output)
|
||||||
|
|
||||||
|
# ssh checking is harder as the heuristic is overzealous in many
|
||||||
|
# cases. Since the input will have at least one ":" present before
|
||||||
|
# the password we can tell some things about the beginning and end of
|
||||||
|
# the data, though:
|
||||||
|
self.assertTrue(ssh_output.startswith("{'"))
|
||||||
|
self.assertTrue(ssh_output.endswith("}"))
|
||||||
|
self.assertIn(":********@foo.com/data'", ssh_output)
|
||||||
|
|
||||||
|
|
||||||
|
class TestStripNoLog(unittest.TestCase):
|
||||||
|
def setUp(self):
|
||||||
|
data = ''
|
||||||
|
|
||||||
|
def test_return_strings(self):
|
||||||
|
pass
|
||||||
|
|
||||||
|
def test_strip_no_log(self):
|
||||||
|
pass
|
||||||
|
|
||||||
|
class TestAnsibleModuleStripNoLogValues(unittest.TestCase):
|
||||||
|
pass
|
||||||
|
|
||||||
|
|
151
test/units/module_utils/basic/test_no_log.py
Normal file
151
test/units/module_utils/basic/test_no_log.py
Normal file
|
@ -0,0 +1,151 @@
|
||||||
|
# -*- coding: utf-8 -*-
|
||||||
|
# (c) 2015, Toshio Kuratomi <tkuratomi@ansible.com>
|
||||||
|
#
|
||||||
|
# This file is part of Ansible
|
||||||
|
#
|
||||||
|
# Ansible is free software: you can redistribute it and/or modify
|
||||||
|
# it under the terms of the GNU General Public License as published by
|
||||||
|
# the Free Software Foundation, either version 3 of the License, or
|
||||||
|
# (at your option) any later version.
|
||||||
|
#
|
||||||
|
# Ansible is distributed in the hope that it will be useful,
|
||||||
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
# GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public License
|
||||||
|
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
|
||||||
|
# Make coding more python3-ish
|
||||||
|
from __future__ import (absolute_import, division)
|
||||||
|
__metaclass__ = type
|
||||||
|
|
||||||
|
import json
|
||||||
|
import sys
|
||||||
|
import syslog
|
||||||
|
|
||||||
|
from ansible.compat.tests import unittest
|
||||||
|
from ansible.compat.tests.mock import patch, MagicMock
|
||||||
|
|
||||||
|
from ansible.module_utils import basic
|
||||||
|
from ansible.module_utils.basic import heuristic_log_sanitize
|
||||||
|
from ansible.module_utils.basic import _return_values, _remove_values
|
||||||
|
|
||||||
|
|
||||||
|
class TestReturnValues(unittest.TestCase):
|
||||||
|
dataset = (
|
||||||
|
('string', frozenset(['string'])),
|
||||||
|
('', frozenset()),
|
||||||
|
(1, frozenset(['1'])),
|
||||||
|
(1.0, frozenset(['1.0'])),
|
||||||
|
(False, frozenset()),
|
||||||
|
(['1', '2', '3'], frozenset(['1', '2', '3'])),
|
||||||
|
(('1', '2', '3'), frozenset(['1', '2', '3'])),
|
||||||
|
({'one': 1, 'two': 'dos'}, frozenset(['1', 'dos'])),
|
||||||
|
({'one': 1, 'two': 'dos',
|
||||||
|
'three': ['amigos', 'musketeers', None,
|
||||||
|
{'ping': 'pong', 'base': ('balls', 'raquets')}]},
|
||||||
|
frozenset(['1', 'dos', 'amigos', 'musketeers', 'pong', 'balls', 'raquets'])),
|
||||||
|
)
|
||||||
|
|
||||||
|
def test_return_values(self):
|
||||||
|
for data, expected in self.dataset:
|
||||||
|
self.assertEquals(frozenset(_return_values(data)), expected)
|
||||||
|
|
||||||
|
def test_unknown_type(self):
|
||||||
|
self.assertRaises(TypeError, frozenset, _return_values(object()))
|
||||||
|
|
||||||
|
|
||||||
|
class TestRemoveValues(unittest.TestCase):
|
||||||
|
OMIT = 'VALUE_SPECIFIED_IN_NO_LOG_PARAMETER'
|
||||||
|
dataset_no_remove = (
|
||||||
|
('string', frozenset(['nope'])),
|
||||||
|
(1234, frozenset(['4321'])),
|
||||||
|
(False, frozenset(['4321'])),
|
||||||
|
(1.0, frozenset(['4321'])),
|
||||||
|
(['string', 'strang', 'strung'], frozenset(['nope'])),
|
||||||
|
({'one': 1, 'two': 'dos', 'secret': 'key'}, frozenset(['nope'])),
|
||||||
|
({'one': 1, 'two': 'dos',
|
||||||
|
'three': ['amigos', 'musketeers', None,
|
||||||
|
{'ping': 'pong', 'base': ['balls', 'raquets']}]},
|
||||||
|
frozenset(['nope'])),
|
||||||
|
)
|
||||||
|
dataset_remove = (
|
||||||
|
('string', frozenset(['string']), OMIT),
|
||||||
|
(1234, frozenset(['1234']), OMIT),
|
||||||
|
(1234, frozenset(['23']), OMIT),
|
||||||
|
(1.0, frozenset(['1.0']), OMIT),
|
||||||
|
(['string', 'strang', 'strung'], frozenset(['strang']), ['string', OMIT, 'strung']),
|
||||||
|
(['string', 'strang', 'strung'], frozenset(['strang', 'string', 'strung']), [OMIT, OMIT, OMIT]),
|
||||||
|
(('string', 'strang', 'strung'), frozenset(['string', 'strung']), [OMIT, 'strang', OMIT]),
|
||||||
|
((1234567890, 345678, 987654321), frozenset(['1234567890']), [OMIT, 345678, 987654321]),
|
||||||
|
((1234567890, 345678, 987654321), frozenset(['345678']), [OMIT, OMIT, 987654321]),
|
||||||
|
({'one': 1, 'two': 'dos', 'secret': 'key'}, frozenset(['key']),
|
||||||
|
{'one': 1, 'two': 'dos', 'secret': OMIT}),
|
||||||
|
({'one': 1, 'two': 'dos', 'secret': 'key'}, frozenset(['key', 'dos', '1']),
|
||||||
|
{'one': OMIT, 'two': OMIT, 'secret': OMIT}),
|
||||||
|
({'one': 1, 'two': 'dos', 'secret': 'key'}, frozenset(['key', 'dos', '1']),
|
||||||
|
{'one': OMIT, 'two': OMIT, 'secret': OMIT}),
|
||||||
|
({'one': 1, 'two': 'dos', 'three': ['amigos', 'musketeers', None,
|
||||||
|
{'ping': 'pong', 'base': ['balls', 'raquets']}]},
|
||||||
|
frozenset(['balls', 'base', 'pong', 'amigos']),
|
||||||
|
{'one': 1, 'two': 'dos', 'three': [OMIT, 'musketeers',
|
||||||
|
None, {'ping': OMIT, 'base': [OMIT, 'raquets']}]}),
|
||||||
|
('This sentence has an enigma wrapped in a mystery inside of a secret. - mr mystery',
|
||||||
|
frozenset(['enigma', 'mystery', 'secret']),
|
||||||
|
'This sentence has an ******** wrapped in a ******** inside of a ********. - mr ********'),
|
||||||
|
)
|
||||||
|
|
||||||
|
def test_no_removal(self):
|
||||||
|
for value, no_log_strings in self.dataset_no_remove:
|
||||||
|
self.assertEquals(_remove_values(value, no_log_strings), value)
|
||||||
|
|
||||||
|
def test_strings_to_remove(self):
|
||||||
|
for value, no_log_strings, expected in self.dataset_remove:
|
||||||
|
self.assertEquals(_remove_values(value, no_log_strings), expected)
|
||||||
|
|
||||||
|
def test_unknown_type(self):
|
||||||
|
self.assertRaises(TypeError, _remove_values, object(), frozenset())
|
||||||
|
|
||||||
|
|
||||||
|
@unittest.skipIf(sys.version_info[0] >= 3, "Python 3 is not supported on targets (yet)")
|
||||||
|
class TestAnsibleModuleRemoveNoLogValues(unittest.TestCase):
|
||||||
|
OMIT = 'VALUE_SPECIFIED_IN_NO_LOG_PARAMETER'
|
||||||
|
dataset = (
|
||||||
|
(dict(username='person', password='$ecret k3y'),
|
||||||
|
dict(one=1, pwd='$ecret k3y', url='https://username:password12345@foo.com/login/',
|
||||||
|
not_secret='following the leader'),
|
||||||
|
dict(one=1, pwd=OMIT, url='https://username:password12345@foo.com/login/',
|
||||||
|
not_secret='following the leader')
|
||||||
|
),
|
||||||
|
(dict(username='person', password='password12345'),
|
||||||
|
dict(one=1, pwd='$ecret k3y', url='https://username:password12345@foo.com/login/',
|
||||||
|
not_secret='following the leader'),
|
||||||
|
dict(one=1, pwd='$ecret k3y', url='https://username:********@foo.com/login/',
|
||||||
|
not_secret='following the leader')
|
||||||
|
),
|
||||||
|
(dict(username='person', password='$ecret k3y'),
|
||||||
|
dict(one=1, pwd='$ecret k3y', url='https://username:$ecret k3y@foo.com/login/',
|
||||||
|
not_secret='following the leader'),
|
||||||
|
dict(one=1, pwd=OMIT, url='https://username:********@foo.com/login/',
|
||||||
|
not_secret='following the leader')
|
||||||
|
),
|
||||||
|
)
|
||||||
|
|
||||||
|
def setUp(self):
|
||||||
|
self.COMPLEX_ARGS = basic.MODULE_COMPLEX_ARGS
|
||||||
|
|
||||||
|
def tearDown(self):
|
||||||
|
basic.MODULE_COMPLEX_ARGS = self.COMPLEX_ARGS
|
||||||
|
|
||||||
|
def test_remove_no_log_values(self):
|
||||||
|
for args, return_val, expected in self.dataset:
|
||||||
|
basic.MODULE_COMPLEX_ARGS = json.dumps(args)
|
||||||
|
module = basic.AnsibleModule(
|
||||||
|
argument_spec = dict(
|
||||||
|
username=dict(),
|
||||||
|
password=dict(no_log=True),
|
||||||
|
token=dict(no_log=True),
|
||||||
|
),
|
||||||
|
)
|
||||||
|
self.assertEquals(module.remove_no_log_values(return_val), expected)
|
|
@ -154,69 +154,6 @@ class TestModuleUtilsBasic(unittest.TestCase):
|
||||||
|
|
||||||
self.assertEqual(test_data, res2)
|
self.assertEqual(test_data, res2)
|
||||||
|
|
||||||
def test_module_utils_basic_heuristic_log_sanitize(self):
|
|
||||||
from ansible.module_utils.basic import heuristic_log_sanitize
|
|
||||||
|
|
||||||
URL_SECRET = 'http://username:pas:word@foo.com/data'
|
|
||||||
SSH_SECRET = 'username:pas:word@foo.com/data'
|
|
||||||
|
|
||||||
def _gen_data(records, per_rec, top_level, secret_text):
|
|
||||||
hostvars = {'hostvars': {}}
|
|
||||||
for i in range(1, records, 1):
|
|
||||||
host_facts = {'host%s' % i:
|
|
||||||
{'pstack':
|
|
||||||
{'running': '875.1',
|
|
||||||
'symlinked': '880.0',
|
|
||||||
'tars': [],
|
|
||||||
'versions': ['885.0']},
|
|
||||||
}}
|
|
||||||
if per_rec:
|
|
||||||
host_facts['host%s' % i]['secret'] = secret_text
|
|
||||||
hostvars['hostvars'].update(host_facts)
|
|
||||||
if top_level:
|
|
||||||
hostvars['secret'] = secret_text
|
|
||||||
return hostvars
|
|
||||||
|
|
||||||
url_data = repr(_gen_data(3, True, True, URL_SECRET))
|
|
||||||
ssh_data = repr(_gen_data(3, True, True, SSH_SECRET))
|
|
||||||
|
|
||||||
url_output = heuristic_log_sanitize(url_data)
|
|
||||||
ssh_output = heuristic_log_sanitize(ssh_data)
|
|
||||||
|
|
||||||
# Basic functionality: Successfully hid the password
|
|
||||||
try:
|
|
||||||
self.assertNotIn('pas:word', url_output)
|
|
||||||
self.assertNotIn('pas:word', ssh_output)
|
|
||||||
|
|
||||||
# Slightly more advanced, we hid all of the password despite the ":"
|
|
||||||
self.assertNotIn('pas', url_output)
|
|
||||||
self.assertNotIn('pas', ssh_output)
|
|
||||||
except AttributeError:
|
|
||||||
# python2.6 or less's unittest
|
|
||||||
self.assertFalse('pas:word' in url_output, '%s is present in %s' % ('"pas:word"', url_output))
|
|
||||||
self.assertFalse('pas:word' in ssh_output, '%s is present in %s' % ('"pas:word"', ssh_output))
|
|
||||||
|
|
||||||
self.assertFalse('pas' in url_output, '%s is present in %s' % ('"pas"', url_output))
|
|
||||||
self.assertFalse('pas' in ssh_output, '%s is present in %s' % ('"pas"', ssh_output))
|
|
||||||
|
|
||||||
# In this implementation we replace the password with 8 "*" which is
|
|
||||||
# also the length of our password. The url fields should be able to
|
|
||||||
# accurately detect where the password ends so the length should be
|
|
||||||
# the same:
|
|
||||||
self.assertEqual(len(url_output), len(url_data))
|
|
||||||
|
|
||||||
# ssh checking is harder as the heuristic is overzealous in many
|
|
||||||
# cases. Since the input will have at least one ":" present before
|
|
||||||
# the password we can tell some things about the beginning and end of
|
|
||||||
# the data, though:
|
|
||||||
self.assertTrue(ssh_output.startswith("{'"))
|
|
||||||
self.assertTrue(ssh_output.endswith("}"))
|
|
||||||
try:
|
|
||||||
self.assertIn(":********@foo.com/data'", ssh_output)
|
|
||||||
except AttributeError:
|
|
||||||
# python2.6 or less's unittest
|
|
||||||
self.assertTrue(":********@foo.com/data'" in ssh_output, '%s is not present in %s' % (":********@foo.com/data'", ssh_output))
|
|
||||||
|
|
||||||
def test_module_utils_basic_get_module_path(self):
|
def test_module_utils_basic_get_module_path(self):
|
||||||
from ansible.module_utils.basic import get_module_path
|
from ansible.module_utils.basic import get_module_path
|
||||||
with patch('os.path.realpath', return_value='/path/to/foo/'):
|
with patch('os.path.realpath', return_value='/path/to/foo/'):
|
||||||
|
|
Loading…
Reference in a new issue