diff --git a/changelogs/fragments/no_log-fixes.yml b/changelogs/fragments/no_log-fixes.yml
new file mode 100644
index 0000000000..70afd3229d
--- /dev/null
+++ b/changelogs/fragments/no_log-fixes.yml
@@ -0,0 +1,25 @@
+security_fixes:
+ - "ovirt - mark the ``instance_rootpw`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
+ - "oneandone_firewall_policy, oneandone_load_balancer, oneandone_monitoring_policy, oneandone_private_network, oneandone_public_ip - mark the ``auth_token`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
+ - "rax_clb_ssl - mark the ``private_key`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
+ - "spotinst_aws_elastigroup - mark the ``multai_token`` and ``token`` parameters as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
+ - "keycloak_client - mark the ``registration_access_token`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
+ - "librato_annotation - mark the ``api_key`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
+ - "pagerduty_alert - mark the ``api_key``, ``service_key`` and ``integration_key`` parameters as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
+ - "nios_nsgroup - mark the ``tsig_key`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
+ - "pulp_repo - mark the ``feed_client_key`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
+ - "gitlab_runner - mark the ``registration_token`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
+ - "ibm_sa_host - mark the ``iscsi_chap_secret`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
+ - "keycloak_* modules - mark the ``auth_client_secret`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
+ - "hwc_ecs_instance - mark the ``admin_pass`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
+ - "ovirt - mark the ``instance_key`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
+ - "pagerduty_change - mark the ``integration_key`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
+ - "pingdom - mark the ``key`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
+ - "rollbar_deployment - mark the ``token`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
+ - "stackdriver - mark the ``key`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
+ - "dnsmadeeasy - mark the ``account_key`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
+ - "logentries_msg - mark the ``token`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
+ - "redfish_command - mark the ``update_creds.password`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
+ - "utm_proxy_auth_profile - mark the ``frontend_cookie_secret`` parameter as ``no_log`` to avoid leakage of secrets. This causes the ``utm_proxy_auth_profile`` return value to no longer containing the correct value, but a placeholder (https://github.com/ansible-collections/community.general/pull/1736)."
+breaking_changes:
+ - "utm_proxy_auth_profile - the ``frontend_cookie_secret`` return value now contains a placeholder string instead of the module's ``frontend_cookie_secret`` parameter (https://github.com/ansible-collections/community.general/pull/1736)."
diff --git a/plugins/modules/cloud/huawei/hwc_ecs_instance.py b/plugins/modules/cloud/huawei/hwc_ecs_instance.py
index cbd5f79454..3d4ba84b64 100644
--- a/plugins/modules/cloud/huawei/hwc_ecs_instance.py
+++ b/plugins/modules/cloud/huawei/hwc_ecs_instance.py
@@ -543,7 +543,7 @@ def build_module():
 snapshot_id=dict(type='str')
 )),
 vpc_id=dict(type='str', required=True),
- admin_pass=dict(type='str'),
+ admin_pass=dict(type='str', no_log=True),
 data_volumes=dict(type='list', elements='dict', options=dict(
 volume_id=dict(type='str', required=True),
 device=dict(type='str')
diff --git a/plugins/modules/cloud/misc/ovirt.py b/plugins/modules/cloud/misc/ovirt.py
index e037261b16..25e3081c8f 100644
--- a/plugins/modules/cloud/misc/ovirt.py
+++ b/plugins/modules/cloud/misc/ovirt.py
@@ -405,8 +405,8 @@ def main():
 instance_gateway=dict(type='str', aliases=['gateway']),
 instance_domain=dict(type='str', aliases=['domain']),
 instance_dns=dict(type='str', aliases=['dns']),
- instance_rootpw=dict(type='str', aliases=['rootpw']),
- instance_key=dict(type='str', aliases=['key']),
+ instance_rootpw=dict(type='str', aliases=['rootpw'], no_log=True),
+ instance_key=dict(type='str', aliases=['key'], no_log=True),
 sdomain=dict(type='str'),
 region=dict(type='str'),
 ),
diff --git a/plugins/modules/cloud/oneandone/oneandone_firewall_policy.py b/plugins/modules/cloud/oneandone/oneandone_firewall_policy.py
index 3f545e6eb7..90694861a7 100644
--- a/plugins/modules/cloud/oneandone/oneandone_firewall_policy.py
+++ b/plugins/modules/cloud/oneandone/oneandone_firewall_policy.py
@@ -500,7 +500,7 @@ def main():
 module = AnsibleModule(
 argument_spec=dict(
 auth_token=dict(
- type='str',
+ type='str', no_log=True,
 default=os.environ.get('ONEANDONE_AUTH_TOKEN')),
 api_url=dict(
 type='str',
diff --git a/plugins/modules/cloud/oneandone/oneandone_load_balancer.py b/plugins/modules/cloud/oneandone/oneandone_load_balancer.py
index 104302b9fa..62551560c2 100644
--- a/plugins/modules/cloud/oneandone/oneandone_load_balancer.py
+++ b/plugins/modules/cloud/oneandone/oneandone_load_balancer.py
@@ -594,7 +594,7 @@ def main():
 module = AnsibleModule(
 argument_spec=dict(
 auth_token=dict(
- type='str',
+ type='str', no_log=True,
 default=os.environ.get('ONEANDONE_AUTH_TOKEN')),
 api_url=dict(
 type='str',
diff --git a/plugins/modules/cloud/oneandone/oneandone_monitoring_policy.py b/plugins/modules/cloud/oneandone/oneandone_monitoring_policy.py
index 7488b7aeab..79fed9a66a 100644
--- a/plugins/modules/cloud/oneandone/oneandone_monitoring_policy.py
+++ b/plugins/modules/cloud/oneandone/oneandone_monitoring_policy.py
@@ -947,7 +947,7 @@ def main():
 module = AnsibleModule(
 argument_spec=dict(
 auth_token=dict(
- type='str',
+ type='str', no_log=True,
 default=os.environ.get('ONEANDONE_AUTH_TOKEN')),
 api_url=dict(
 type='str',
diff --git a/plugins/modules/cloud/oneandone/oneandone_private_network.py b/plugins/modules/cloud/oneandone/oneandone_private_network.py
index ebd44130d5..7eae6ea3dc 100644
--- a/plugins/modules/cloud/oneandone/oneandone_private_network.py
+++ b/plugins/modules/cloud/oneandone/oneandone_private_network.py
@@ -384,7 +384,7 @@ def main():
 module = AnsibleModule(
 argument_spec=dict(
 auth_token=dict(
- type='str',
+ type='str', no_log=True,
 default=os.environ.get('ONEANDONE_AUTH_TOKEN')),
 api_url=dict(
 type='str',
diff --git a/plugins/modules/cloud/oneandone/oneandone_public_ip.py b/plugins/modules/cloud/oneandone/oneandone_public_ip.py
index 62cb62da63..edefbc938f 100644
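Review bot: In the oneandone_firewall_policy hunk, `auth_token` still takes its default from `default=os.environ.get('ONEANDONE_AUTH_TOKEN')`, so the secret is placed in the argument spec itself rather than arriving as a supplied parameter. Whether a value that comes in through `default=` also lands in the set Ansible uses to scrub return values depends on the order in which defaults and `no_log` values are processed, which is not visible here and is worth confirming. The supported idiom is `auth_token=dict(type='str', no_log=True, fallback=(env_fallback, ['ONEANDONE_AUTH_TOKEN']))`, with `env_fallback` imported from `ansible.module_utils.basic`. The same line appears in the oneandone_load_balancer, oneandone_monitoring_policy, oneandone_private_network and oneandone_public_ip hunks, and `main()` continues outside each of them.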
--- a/plugins/modules/cloud/oneandone/oneandone_public_ip.py
+++ b/plugins/modules/cloud/oneandone/oneandone_public_ip.py
@@ -274,7 +274,7 @@ def main():
 module = AnsibleModule(
 argument_spec=dict(
 auth_token=dict(
- type='str',
+ type='str', no_log=True,
 default=os.environ.get('ONEANDONE_AUTH_TOKEN')),
 api_url=dict(
 type='str',
diff --git a/plugins/modules/cloud/rackspace/rax_clb_ssl.py b/plugins/modules/cloud/rackspace/rax_clb_ssl.py
index ae886b2959..114128e8b1 100644
--- a/plugins/modules/cloud/rackspace/rax_clb_ssl.py
+++ b/plugins/modules/cloud/rackspace/rax_clb_ssl.py
@@ -238,7 +238,7 @@ def main():
 loadbalancer=dict(required=True),
 state=dict(default='present', choices=['present', 'absent']),
 enabled=dict(type='bool', default=True),
- private_key=dict(),
+ private_key=dict(no_log=True),
 certificate=dict(),
 intermediate_certificate=dict(),
 secure_port=dict(type='int', default=443),
diff --git a/plugins/modules/cloud/spotinst/spotinst_aws_elastigroup.py b/plugins/modules/cloud/spotinst/spotinst_aws_elastigroup.py
index 02da2c7b6f..8f05da7b09 100644
--- a/plugins/modules/cloud/spotinst/spotinst_aws_elastigroup.py
+++ b/plugins/modules/cloud/spotinst/spotinst_aws_elastigroup.py
@@ -1459,7 +1459,7 @@ def main():
 min_size=dict(type='int', required=True),
 monitoring=dict(type='str'),
 multai_load_balancers=dict(type='list'),
- multai_token=dict(type='str'),
+ multai_token=dict(type='str', no_log=True),
 name=dict(type='str', required=True),
 network_interfaces=dict(type='list'),
 on_demand_count=dict(type='int'),
@@ -1483,7 +1483,7 @@ def main():
 target_group_arns=dict(type='list'),
 tenancy=dict(type='str'),
 terminate_at_end_of_billing_hour=dict(type='bool'),
- token=dict(type='str'),
+ token=dict(type='str', no_log=True),
 unit=dict(type='str'),
 user_data=dict(type='str'),
 utilize_reserved_instances=dict(type='bool'),
diff --git a/plugins/modules/identity/keycloak/keycloak_client.py b/plugins/modules/identity/keycloak/keycloak_client.py
index e1fa4aed13..b27155ba4a 100644
--- a/plugins/modules/identity/keycloak/keycloak_client.py
+++ b/plugins/modules/identity/keycloak/keycloak_client.py
@@ -707,7 +707,7 @@ def main():
 enabled=dict(type='bool'),
 client_authenticator_type=dict(type='str', choices=['client-secret', 'client-jwt'], aliases=['clientAuthenticatorType']),
 secret=dict(type='str', no_log=True),
- registration_access_token=dict(type='str', aliases=['registrationAccessToken']),
+ registration_access_token=dict(type='str', aliases=['registrationAccessToken'], no_log=True),
 default_roles=dict(type='list', aliases=['defaultRoles']),
 redirect_uris=dict(type='list', aliases=['redirectUris']),
 web_origins=dict(type='list', aliases=['webOrigins']),
diff --git a/plugins/modules/monitoring/librato_annotation.py b/plugins/modules/monitoring/librato_annotation.py
index ebdf371ce7..d0fd406d4f 100644
--- a/plugins/modules/monitoring/librato_annotation.py
+++ b/plugins/modules/monitoring/librato_annotation.py
@@ -148,7 +148,7 @@ def main():
 module = AnsibleModule(
 argument_spec=dict(
 user=dict(required=True),
- api_key=dict(required=True),
+ api_key=dict(required=True, no_log=True),
 name=dict(required=False),
 title=dict(required=True),
 source=dict(required=False),
diff --git a/plugins/modules/monitoring/pagerduty_alert.py b/plugins/modules/monitoring/pagerduty_alert.py
index dd17c174e8..736ada5e4a 100644
--- a/plugins/modules/monitoring/pagerduty_alert.py
+++ b/plugins/modules/monitoring/pagerduty_alert.py
@@ -197,9 +197,9 @@ def main():
 argument_spec=dict(
 name=dict(required=False),
 service_id=dict(required=True),
- service_key=dict(required=False),
- integration_key=dict(required=False),
- api_key=dict(required=True),
+ service_key=dict(required=False, no_log=True),
+ integration_key=dict(required=False, no_log=True),
+ api_key=dict(required=True, no_log=True),
 state=dict(required=True, choices=['triggered', 'acknowledged', 'resolved']),
 client=dict(required=False, default=None),
diff --git a/plugins/modules/monitoring/pagerduty_change.py b/plugins/modules/monitoring/pagerduty_change.py
index 3fecdba59f..358a69612e 100644
--- a/plugins/modules/monitoring/pagerduty_change.py
+++ b/plugins/modules/monitoring/pagerduty_change.py
@@ -108,7 +108,7 @@ from datetime import datetime
 def main():
 module = AnsibleModule(
 argument_spec=dict(
- integration_key=dict(required=True, type='str'),
+ integration_key=dict(required=True, type='str', no_log=True),
 summary=dict(required=True, type='str'),
 source=dict(required=False, default='Ansible', type='str'),
 user=dict(required=False, type='str'),
diff --git a/plugins/modules/monitoring/pingdom.py b/plugins/modules/monitoring/pingdom.py
index baf99eda58..23ed254543 100644
--- a/plugins/modules/monitoring/pingdom.py
+++ b/plugins/modules/monitoring/pingdom.py
@@ -112,7 +112,7 @@ def main():
 checkid=dict(required=True),
 uid=dict(required=True),
 passwd=dict(required=True, no_log=True),
- key=dict(required=True)
+ key=dict(required=True, no_log=True),
 )
 )
diff --git a/plugins/modules/monitoring/rollbar_deployment.py b/plugins/modules/monitoring/rollbar_deployment.py
index 0affd7c78c..161361b774 100644
--- a/plugins/modules/monitoring/rollbar_deployment.py
+++ b/plugins/modules/monitoring/rollbar_deployment.py
@@ -92,7 +92,7 @@ def main():
 module = AnsibleModule(
 argument_spec=dict(
- token=dict(required=True),
+ token=dict(required=True, no_log=True),
 environment=dict(required=True),
 revision=dict(required=True),
 user=dict(required=False),
diff --git a/plugins/modules/monitoring/stackdriver.py b/plugins/modules/monitoring/stackdriver.py
index bd1fc14514..8e2d19a9ab 100644
--- a/plugins/modules/monitoring/stackdriver.py
+++ b/plugins/modules/monitoring/stackdriver.py
@@ -152,7 +152,7 @@ def main():
 module = AnsibleModule(
 argument_spec=dict( # @TODO add types
- key=dict(required=True),
+ key=dict(required=True, no_log=True),
 event=dict(required=True, choices=['deploy', 'annotation']),
 msg=dict(),
 revision_id=dict(),
diff --git a/plugins/modules/net_tools/dnsmadeeasy.py b/plugins/modules/net_tools/dnsmadeeasy.py
index c6bc70324c..75135c8277 100644
--- a/plugins/modules/net_tools/dnsmadeeasy.py
+++ b/plugins/modules/net_tools/dnsmadeeasy.py
@@ -546,7 +546,7 @@ def main():
 module = AnsibleModule(
 argument_spec=dict(
- account_key=dict(required=True),
+ account_key=dict(required=True, no_log=True),
 account_secret=dict(required=True, no_log=True),
 domain=dict(required=True),
 sandbox=dict(default=False, type='bool'),
diff --git a/plugins/modules/net_tools/nios/nios_nsgroup.py b/plugins/modules/net_tools/nios/nios_nsgroup.py
index f94c379407..b56c3f0b8d 100644
--- a/plugins/modules/net_tools/nios/nios_nsgroup.py
+++ b/plugins/modules/net_tools/nios/nios_nsgroup.py
@@ -398,7 +398,7 @@ def main():
 address=dict(required=True),
 name=dict(required=True),
 stealth=dict(type='bool', default=False),
- tsig_key=dict(),
+ tsig_key=dict(no_log=True),
 tsig_key_alg=dict(choices=['HMAC-MD5', 'HMAC-SHA256'], default='HMAC-MD5'),
 tsig_key_name=dict(required=True)
 )
diff --git a/plugins/modules/notification/logentries_msg.py b/plugins/modules/notification/logentries_msg.py
index 974e35f9a1..59e0f32565 100644
--- a/plugins/modules/notification/logentries_msg.py
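Review bot: In the nios_nsgroup hunk, `tsig_key_alg` and `tsig_key_name` sit directly below the newly masked `tsig_key` and are left without an explicit `no_log` setting, although their names also contain "key". If they are meant to stay visible in logs, stating it with `tsig_key_name=dict(required=True, no_log=False)` (and `no_log=False` on `tsig_key_alg`) records the decision, so a later reader does not assume they were overlooked. The enclosing spec in `main()` starts and ends outside the hunk.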
+++ b/plugins/modules/notification/logentries_msg.py
@@ -73,7 +73,7 @@ def send_msg(module, token, msg, api, port):
 def main():
 module = AnsibleModule(
 argument_spec=dict(
- token=dict(type='str', required=True),
+ token=dict(type='str', required=True, no_log=True),
 msg=dict(type='str', required=True),
 api=dict(type='str', default="data.logentries.com"),
 port=dict(type='int', default=80)),
diff --git a/plugins/modules/packaging/os/pulp_repo.py b/plugins/modules/packaging/os/pulp_repo.py
index 37344233d8..8dbc6b9ac4 100644
--- a/plugins/modules/packaging/os/pulp_repo.py
+++ b/plugins/modules/packaging/os/pulp_repo.py
@@ -545,7 +545,7 @@ def main():
 deprecated_aliases=[dict(name='ca_cert', version='3.0.0', collection_name='community.general')]), # was Ansible 2.14
 feed_client_cert=dict(aliases=['importer_ssl_client_cert']),
- feed_client_key=dict(aliases=['importer_ssl_client_key']),
+ feed_client_key=dict(aliases=['importer_ssl_client_key'], no_log=True),
 name=dict(required=True, aliases=['repo']),
 proxy_host=dict(),
 proxy_port=dict(),
diff --git a/plugins/modules/remote_management/redfish/redfish_command.py b/plugins/modules/remote_management/redfish/redfish_command.py
index 9646f9a3b7..78007f1de9 100644
--- a/plugins/modules/remote_management/redfish/redfish_command.py
+++ b/plugins/modules/remote_management/redfish/redfish_command.py
@@ -572,7 +572,7 @@ def main():
 type='dict',
 options=dict(
 username=dict(),
- password=dict()
+ password=dict(no_log=True)
 )
 ),
 virtual_media=dict(
diff --git a/plugins/modules/source_control/gitlab/gitlab_runner.py b/plugins/modules/source_control/gitlab/gitlab_runner.py
index 8ebd1a3851..52354645df 100644
--- a/plugins/modules/source_control/gitlab/gitlab_runner.py
+++ b/plugins/modules/source_control/gitlab/gitlab_runner.py
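Review bot: In the logentries_msg hunk, `token` is now kept out of Ansible's logs, but the unchanged context line `port=dict(type='int', default=80)` suggests it is still sent to `data.logentries.com` on port 80 by default. If `send_msg` writes the token to a plain TCP socket (its body is outside the hunk), the secret remains exposed on the network even though it no longer appears in task output. A comment next to the spec such as `# NOTE: token is sent as-is to api:port; confirm the transport in send_msg is encrypted` would flag this, and a TLS-capable default would be a reasonable follow-up.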
@@ -309,7 +309,7 @@ def main():
 locked=dict(type='bool', default=False),
 access_level=dict(type='str', default='ref_protected', choices=["not_protected", "ref_protected"]),
 maximum_timeout=dict(type='int', default=3600),
- registration_token=dict(type='str', required=True),
+ registration_token=dict(type='str', required=True, no_log=True),
 state=dict(type='str', default="present", choices=["absent", "present"]),
 ))
diff --git a/plugins/modules/storage/ibm/ibm_sa_host.py b/plugins/modules/storage/ibm/ibm_sa_host.py
index 3853a5e04b..5ce12992bc 100644
--- a/plugins/modules/storage/ibm/ibm_sa_host.py
+++ b/plugins/modules/storage/ibm/ibm_sa_host.py
@@ -90,7 +90,7 @@ def main():
 cluster=dict(),
 domain=dict(),
 iscsi_chap_name=dict(),
- iscsi_chap_secret=dict()
+ iscsi_chap_secret=dict(no_log=True),
 )
 )
diff --git a/plugins/modules/web_infrastructure/sophos_utm/utm_proxy_auth_profile.py b/plugins/modules/web_infrastructure/sophos_utm/utm_proxy_auth_profile.py
index ebd76e3d9c..caa0085c25 100644
--- a/plugins/modules/web_infrastructure/sophos_utm/utm_proxy_auth_profile.py
+++ b/plugins/modules/web_infrastructure/sophos_utm/utm_proxy_auth_profile.py
@@ -256,9 +256,6 @@ result:
 frontend_cookie:
 description: Frontend cookie name
 type: str
- frontend_cookie_secret:
- description: Frontend cookie secret
- type: str
 frontend_form:
 description: Frontend authentication form name
 type: str