Fix a bunch of potential security issues (secret leaking) (#1736)
* Fix a bunch of potential security issues (secret leaking). * oneandone_server was already ok. * Add more parameters for pagerduty_alert. * Add more no_log=True.
parent
f4e60e09ac
commit
29bd5a9486
25 changed files with 52 additions and 30 deletions
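--- a/changelogs/fragments/no_log-fixes.yml
+++ b/changelogs/fragments/no_log-fixes.yml
@@ -0,0 +1,25 @@
+security_fixes:
+- "ovirt - mark the ``instance_rootpw`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
+- "oneandone_firewall_policy, oneandone_load_balancer, oneandone_monitoring_policy, oneandone_private_network, oneandone_public_ip - mark the ``auth_token`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
+- "rax_clb_ssl - mark the ``private_key`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
+- "spotinst_aws_elastigroup - mark the ``multai_token`` and ``token`` parameters as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
+- "keycloak_client - mark the ``registration_access_token`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
+- "librato_annotation - mark the ``api_key`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
+- "pagerduty_alert - mark the ``api_key``, ``service_key`` and ``integration_key`` parameters as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
+- "nios_nsgroup - mark the ``tsig_key`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
+- "pulp_repo - mark the ``feed_client_key`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
+- "gitlab_runner - mark the ``registration_token`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
+- "ibm_sa_host - mark the ``iscsi_chap_secret`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
+- "keycloak_* modules - mark the ``auth_client_secret`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
+- "hwc_ecs_instance - mark the ``admin_pass`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
+- "ovirt - mark the ``instance_key`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
+- "pagerduty_change - mark the ``integration_key`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
+- "pingdom - mark the ``key`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
+- "rollbar_deployment - mark the ``token`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
+- "stackdriver - mark the ``key`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
+- "dnsmadeeasy - mark the ``account_key`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
+- "logentries_msg - mark the ``token`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
+- "redfish_command - mark the ``update_creds.password`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
+- "utm_proxy_auth_profile - mark the ``frontend_cookie_secret`` parameter as ``no_log`` to avoid leakage of secrets. This causes the ``utm_proxy_auth_profile`` return value to no longer containing the correct value, but a placeholder (https://github.com/ansible-collections/community.general/pull/1736)."
+breaking_changes:
+- "utm_proxy_auth_profile - the ``frontend_cookie_secret`` return value now contains a placeholder string instead of the module's ``frontend_cookie_secret`` parameter (https://github.com/ansible-collections/community.general/pull/1736)."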
|
@ -543,7 +543,7 @@ def build_module():
|
|||
snapshot_id=dict(type='str')
|
||||
)),
|
||||
vpc_id=dict(type='str', required=True),
|
||||
admin_pass=dict(type='str'),
|
||||
admin_pass=dict(type='str', no_log=True),
|
||||
data_volumes=dict(type='list', elements='dict', options=dict(
|
||||
volume_id=dict(type='str', required=True),
|
||||
device=dict(type='str')
|
||||
|
|
|
@ -405,8 +405,8 @@ def main():
|
|||
instance_gateway=dict(type='str', aliases=['gateway']),
|
||||
instance_domain=dict(type='str', aliases=['domain']),
|
||||
instance_dns=dict(type='str', aliases=['dns']),
|
||||
instance_rootpw=dict(type='str', aliases=['rootpw']),
|
||||
instance_key=dict(type='str', aliases=['key']),
|
||||
instance_rootpw=dict(type='str', aliases=['rootpw'], no_log=True),
|
||||
instance_key=dict(type='str', aliases=['key'], no_log=True),
|
||||
sdomain=dict(type='str'),
|
||||
region=dict(type='str'),
|
||||
),
|
||||
|
|
|
@ -500,7 +500,7 @@ def main():
|
|||
module = AnsibleModule(
|
||||
argument_spec=dict(
|
||||
auth_token=dict(
|
||||
type='str',
|
||||
type='str', no_log=True,
|
||||
default=os.environ.get('ONEANDONE_AUTH_TOKEN')),
|
||||
api_url=dict(
|
||||
type='str',
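Review bot: The `auth_token` value marked `no_log=True` here normally comes from `default=os.environ.get('ONEANDONE_AUTH_TOKEN')`, not from a task parameter, and whether a default value is added to the masked set may depend on the ansible-base version in use, so this should be confirmed for the versions the collection supports. Declaring the environment source as a fallback, `auth_token=dict(type='str', no_log=True, fallback=(env_fallback, ['ONEANDONE_AUTH_TOKEN'])),` with `env_fallback` imported from `ansible.module_utils.basic`, resolves the value inside argument handling and avoids reading the environment while the spec is being built. The same `auth_token` pattern appears in the four sections that follow this one. The `main()` body continues outside the hunk.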
|
||||
|
|
|
@ -594,7 +594,7 @@ def main():
|
|||
module = AnsibleModule(
|
||||
argument_spec=dict(
|
||||
auth_token=dict(
|
||||
type='str',
|
||||
type='str', no_log=True,
|
||||
default=os.environ.get('ONEANDONE_AUTH_TOKEN')),
|
||||
api_url=dict(
|
||||
type='str',
|
||||
|
|
|
@ -947,7 +947,7 @@ def main():
|
|||
module = AnsibleModule(
|
||||
argument_spec=dict(
|
||||
auth_token=dict(
|
||||
type='str',
|
||||
type='str', no_log=True,
|
||||
default=os.environ.get('ONEANDONE_AUTH_TOKEN')),
|
||||
api_url=dict(
|
||||
type='str',
|
||||
|
|
|
@ -384,7 +384,7 @@ def main():
|
|||
module = AnsibleModule(
|
||||
argument_spec=dict(
|
||||
auth_token=dict(
|
||||
type='str',
|
||||
type='str', no_log=True,
|
||||
default=os.environ.get('ONEANDONE_AUTH_TOKEN')),
|
||||
api_url=dict(
|
||||
type='str',
|
||||
|
|
|
@ -274,7 +274,7 @@ def main():
|
|||
module = AnsibleModule(
|
||||
argument_spec=dict(
|
||||
auth_token=dict(
|
||||
type='str',
|
||||
type='str', no_log=True,
|
||||
default=os.environ.get('ONEANDONE_AUTH_TOKEN')),
|
||||
api_url=dict(
|
||||
type='str',
|
||||
|
|
|
@ -238,7 +238,7 @@ def main():
|
|||
loadbalancer=dict(required=True),
|
||||
state=dict(default='present', choices=['present', 'absent']),
|
||||
enabled=dict(type='bool', default=True),
|
||||
private_key=dict(),
|
||||
private_key=dict(no_log=True),
|
||||
certificate=dict(),
|
||||
intermediate_certificate=dict(),
|
||||
secure_port=dict(type='int', default=443),
|
||||
|
|
|
@ -1459,7 +1459,7 @@ def main():
|
|||
min_size=dict(type='int', required=True),
|
||||
monitoring=dict(type='str'),
|
||||
multai_load_balancers=dict(type='list'),
|
||||
multai_token=dict(type='str'),
|
||||
multai_token=dict(type='str', no_log=True),
|
||||
name=dict(type='str', required=True),
|
||||
network_interfaces=dict(type='list'),
|
||||
on_demand_count=dict(type='int'),
|
||||
|
@ -1483,7 +1483,7 @@ def main():
|
|||
target_group_arns=dict(type='list'),
|
||||
tenancy=dict(type='str'),
|
||||
terminate_at_end_of_billing_hour=dict(type='bool'),
|
||||
token=dict(type='str'),
|
||||
token=dict(type='str', no_log=True),
|
||||
unit=dict(type='str'),
|
||||
user_data=dict(type='str'),
|
||||
utilize_reserved_instances=dict(type='bool'),
|
||||
|
|
|
@ -707,7 +707,7 @@ def main():
|
|||
enabled=dict(type='bool'),
|
||||
client_authenticator_type=dict(type='str', choices=['client-secret', 'client-jwt'], aliases=['clientAuthenticatorType']),
|
||||
secret=dict(type='str', no_log=True),
|
||||
registration_access_token=dict(type='str', aliases=['registrationAccessToken']),
|
||||
registration_access_token=dict(type='str', aliases=['registrationAccessToken'], no_log=True),
|
||||
default_roles=dict(type='list', aliases=['defaultRoles']),
|
||||
redirect_uris=dict(type='list', aliases=['redirectUris']),
|
||||
web_origins=dict(type='list', aliases=['webOrigins']),
|
||||
|
|
|
@ -148,7 +148,7 @@ def main():
|
|||
module = AnsibleModule(
|
||||
argument_spec=dict(
|
||||
user=dict(required=True),
|
||||
api_key=dict(required=True),
|
||||
api_key=dict(required=True, no_log=True),
|
||||
name=dict(required=False),
|
||||
title=dict(required=True),
|
||||
source=dict(required=False),
|
||||
|
|
|
@ -197,9 +197,9 @@ def main():
|
|||
argument_spec=dict(
|
||||
name=dict(required=False),
|
||||
service_id=dict(required=True),
|
||||
service_key=dict(required=False),
|
||||
integration_key=dict(required=False),
|
||||
api_key=dict(required=True),
|
||||
service_key=dict(required=False, no_log=True),
|
||||
integration_key=dict(required=False, no_log=True),
|
||||
api_key=dict(required=True, no_log=True),
|
||||
state=dict(required=True,
|
||||
choices=['triggered', 'acknowledged', 'resolved']),
|
||||
client=dict(required=False, default=None),
|
||||
|
|
|
@ -108,7 +108,7 @@ from datetime import datetime
|
|||
def main():
|
||||
module = AnsibleModule(
|
||||
argument_spec=dict(
|
||||
integration_key=dict(required=True, type='str'),
|
||||
integration_key=dict(required=True, type='str', no_log=True),
|
||||
summary=dict(required=True, type='str'),
|
||||
source=dict(required=False, default='Ansible', type='str'),
|
||||
user=dict(required=False, type='str'),
|
||||
|
|
|
@ -112,7 +112,7 @@ def main():
|
|||
checkid=dict(required=True),
|
||||
uid=dict(required=True),
|
||||
passwd=dict(required=True, no_log=True),
|
||||
key=dict(required=True)
|
||||
key=dict(required=True, no_log=True),
|
||||
)
|
||||
)
|
||||
|
||||
|
|
|
@ -92,7 +92,7 @@ def main():
|
|||
|
||||
module = AnsibleModule(
|
||||
argument_spec=dict(
|
||||
token=dict(required=True),
|
||||
token=dict(required=True, no_log=True),
|
||||
environment=dict(required=True),
|
||||
revision=dict(required=True),
|
||||
user=dict(required=False),
|
||||
|
|
|
@ -152,7 +152,7 @@ def main():
|
|||
|
||||
module = AnsibleModule(
|
||||
argument_spec=dict( # @TODO add types
|
||||
key=dict(required=True),
|
||||
key=dict(required=True, no_log=True),
|
||||
event=dict(required=True, choices=['deploy', 'annotation']),
|
||||
msg=dict(),
|
||||
revision_id=dict(),
|
||||
|
|
|
@ -546,7 +546,7 @@ def main():
|
|||
|
||||
module = AnsibleModule(
|
||||
argument_spec=dict(
|
||||
account_key=dict(required=True),
|
||||
account_key=dict(required=True, no_log=True),
|
||||
account_secret=dict(required=True, no_log=True),
|
||||
domain=dict(required=True),
|
||||
sandbox=dict(default=False, type='bool'),
|
||||
|
|
|
@ -398,7 +398,7 @@ def main():
|
|||
address=dict(required=True),
|
||||
name=dict(required=True),
|
||||
stealth=dict(type='bool', default=False),
|
||||
tsig_key=dict(),
|
||||
tsig_key=dict(no_log=True),
|
||||
tsig_key_alg=dict(choices=['HMAC-MD5', 'HMAC-SHA256'], default='HMAC-MD5'),
|
||||
tsig_key_name=dict(required=True)
|
||||
)
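Review bot: `tsig_key_alg` on the context line still defaults to `'HMAC-MD5'`, so the `tsig_key` that is now kept out of logs is by default used with the weaker of the two offered algorithms. Changing the default would be a behaviour change and would need a deprecation notice first, but the option documentation could already recommend `HMAC-SHA256`, for example with the comment `# HMAC-MD5 kept as default for compatibility; prefer HMAC-SHA256`. The surrounding argument spec begins outside the hunk.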
|
||||
|
|
|
@ -73,7 +73,7 @@ def send_msg(module, token, msg, api, port):
|
|||
def main():
|
||||
module = AnsibleModule(
|
||||
argument_spec=dict(
|
||||
token=dict(type='str', required=True),
|
||||
token=dict(type='str', required=True, no_log=True),
|
||||
msg=dict(type='str', required=True),
|
||||
api=dict(type='str', default="data.logentries.com"),
|
||||
port=dict(type='int', default=80)),
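Review bot: The masked `token` is still paired with `port=dict(type='int', default=80)`, and the hunk header shows it being handed to `send_msg(module, token, msg, api, port)`. If that function writes to a plain TCP socket (its body is not visible here), the token leaves the host unencrypted by default even though it no longer appears in logs. This is worth confirming; if it holds, the option documentation should say that the default transport does not protect the token and point users to a TLS-capable endpoint.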
|
||||
|
|
|
@ -545,7 +545,7 @@ def main():
|
|||
deprecated_aliases=[dict(name='ca_cert', version='3.0.0',
|
||||
collection_name='community.general')]), # was Ansible 2.14
|
||||
feed_client_cert=dict(aliases=['importer_ssl_client_cert']),
|
||||
feed_client_key=dict(aliases=['importer_ssl_client_key']),
|
||||
feed_client_key=dict(aliases=['importer_ssl_client_key'], no_log=True),
|
||||
name=dict(required=True, aliases=['repo']),
|
||||
proxy_host=dict(),
|
||||
proxy_port=dict(),
|
||||
|
|
|
@ -572,7 +572,7 @@ def main():
|
|||
type='dict',
|
||||
options=dict(
|
||||
username=dict(),
|
||||
password=dict()
|
||||
password=dict(no_log=True)
|
||||
)
|
||||
),
|
||||
virtual_media=dict(
|
||||
|
|
|
@ -309,7 +309,7 @@ def main():
|
|||
locked=dict(type='bool', default=False),
|
||||
access_level=dict(type='str', default='ref_protected', choices=["not_protected", "ref_protected"]),
|
||||
maximum_timeout=dict(type='int', default=3600),
|
||||
registration_token=dict(type='str', required=True),
|
||||
registration_token=dict(type='str', required=True, no_log=True),
|
||||
state=dict(type='str', default="present", choices=["absent", "present"]),
|
||||
))
|
||||
|
||||
|
|
|
@ -90,7 +90,7 @@ def main():
|
|||
cluster=dict(),
|
||||
domain=dict(),
|
||||
iscsi_chap_name=dict(),
|
||||
iscsi_chap_secret=dict()
|
||||
iscsi_chap_secret=dict(no_log=True),
|
||||
)
|
||||
)
|
||||
|
||||
|
|
|
@ -256,9 +256,6 @@ result:
|
|||
frontend_cookie:
|
||||
description: Frontend cookie name
|
||||
type: str
|
||||
frontend_cookie_secret:
|
||||
description: Frontend cookie secret
|
||||
type: str
|
||||
frontend_form:
|
||||
description: Frontend authentication form name
|
||||
type: str
|
||||
|
|