mirror of
https://github.com/ansible-collections/community.general.git
synced 2024-09-14 20:13:21 +02:00
Fix a bunch of potential security issues (secret leaking) (#1736)
* Fix a bunch of potential security issues (secret leaking).
* oneandone_server was already ok.
* Add more parameters for pagerduty_alert.
* Add more no_log=True.
parent
f4e60e09ac
commit
29bd5a9486
25 changed files with 52 additions and 30 deletions
25
changelogs/fragments/no_log-fixes.yml
Normal file
|
@ -0,0 +1,25 @@
|
||||||
|
security_fixes:
|
||||||
|
- "ovirt - mark the ``instance_rootpw`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
|
||||||
|
- "oneandone_firewall_policy, oneandone_load_balancer, oneandone_monitoring_policy, oneandone_private_network, oneandone_public_ip - mark the ``auth_token`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
|
||||||
|
- "rax_clb_ssl - mark the ``private_key`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
|
||||||
|
- "spotinst_aws_elastigroup - mark the ``multai_token`` and ``token`` parameters as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
|
||||||
|
- "keycloak_client - mark the ``registration_access_token`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
|
||||||
|
- "librato_annotation - mark the ``api_key`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
|
||||||
|
- "pagerduty_alert - mark the ``api_key``, ``service_key`` and ``integration_key`` parameters as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
|
||||||
|
- "nios_nsgroup - mark the ``tsig_key`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
|
||||||
|
- "pulp_repo - mark the ``feed_client_key`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
|
||||||
|
- "gitlab_runner - mark the ``registration_token`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
|
||||||
|
- "ibm_sa_host - mark the ``iscsi_chap_secret`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
|
||||||
|
- "keycloak_* modules - mark the ``auth_client_secret`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
|
||||||
|
- "hwc_ecs_instance - mark the ``admin_pass`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
|
||||||
|
- "ovirt - mark the ``instance_key`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
|
||||||
|
- "pagerduty_change - mark the ``integration_key`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
|
||||||
|
- "pingdom - mark the ``key`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
|
||||||
|
- "rollbar_deployment - mark the ``token`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
|
||||||
|
- "stackdriver - mark the ``key`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
|
||||||
|
- "dnsmadeeasy - mark the ``account_key`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
|
||||||
|
- "logentries_msg - mark the ``token`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
|
||||||
|
- "redfish_command - mark the ``update_creds.password`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
|
||||||
|
- "utm_proxy_auth_profile - mark the ``frontend_cookie_secret`` parameter as ``no_log`` to avoid leakage of secrets. This causes the ``utm_proxy_auth_profile`` return value to no longer containing the correct value, but a placeholder (https://github.com/ansible-collections/community.general/pull/1736)."
|
||||||
|
breaking_changes:
|
||||||
|
- "utm_proxy_auth_profile - the ``frontend_cookie_secret`` return value now contains a placeholder string instead of the module's ``frontend_cookie_secret`` parameter (https://github.com/ansible-collections/community.general/pull/1736)."
|
|
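Review bot: The security_fixes entry for utm_proxy_auth_profile has a grammar slip: "to no longer containing the correct value" should read "to no longer contain the correct value". The same behaviour change is stated again under breaking_changes, so the second sentence of the security_fixes entry could be dropped and the breaking_changes entry kept as the single description of it.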
@ -543,7 +543,7 @@ def build_module():
|
||||||
snapshot_id=dict(type='str')
|
snapshot_id=dict(type='str')
|
||||||
)),
|
)),
|
||||||
vpc_id=dict(type='str', required=True),
|
vpc_id=dict(type='str', required=True),
|
||||||
admin_pass=dict(type='str'),
|
admin_pass=dict(type='str', no_log=True),
|
||||||
data_volumes=dict(type='list', elements='dict', options=dict(
|
data_volumes=dict(type='list', elements='dict', options=dict(
|
||||||
volume_id=dict(type='str', required=True),
|
volume_id=dict(type='str', required=True),
|
||||||
device=dict(type='str')
|
device=dict(type='str')
|
||||||
|
|
|
@ -405,8 +405,8 @@ def main():
|
||||||
instance_gateway=dict(type='str', aliases=['gateway']),
|
instance_gateway=dict(type='str', aliases=['gateway']),
|
||||||
instance_domain=dict(type='str', aliases=['domain']),
|
instance_domain=dict(type='str', aliases=['domain']),
|
||||||
instance_dns=dict(type='str', aliases=['dns']),
|
instance_dns=dict(type='str', aliases=['dns']),
|
||||||
instance_rootpw=dict(type='str', aliases=['rootpw']),
|
instance_rootpw=dict(type='str', aliases=['rootpw'], no_log=True),
|
||||||
instance_key=dict(type='str', aliases=['key']),
|
instance_key=dict(type='str', aliases=['key'], no_log=True),
|
||||||
sdomain=dict(type='str'),
|
sdomain=dict(type='str'),
|
||||||
region=dict(type='str'),
|
region=dict(type='str'),
|
||||||
),
|
),
|
||||||
|
|
|
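Review bot: Confirm that instance_key is actually secret before marking it no_log=True; the hunk shows only that it is a string with the alias key, not what it holds. If it carries a public key or a key name rather than secret material, no_log=True will mask that value wherever it appears in the module's output and make results harder to read for no gain, and an explicit no_log=False would record the decision instead. If it is secret, a short comment on that line saying so would help the next reader.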
@ -500,7 +500,7 @@ def main():
|
||||||
module = AnsibleModule(
|
module = AnsibleModule(
|
||||||
argument_spec=dict(
|
argument_spec=dict(
|
||||||
auth_token=dict(
|
auth_token=dict(
|
||||||
type='str',
|
type='str', no_log=True,
|
||||||
default=os.environ.get('ONEANDONE_AUTH_TOKEN')),
|
default=os.environ.get('ONEANDONE_AUTH_TOKEN')),
|
||||||
api_url=dict(
|
api_url=dict(
|
||||||
type='str',
|
type='str',
|
||||||
|
|
|
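Review bot: In the auth_token entry, no_log=True is appended to the type='str' line while every other keyword in this dict sits on its own line; put it on a separate line for consistency. Separately, default=os.environ.get('ONEANDONE_AUTH_TOKEN') reads the environment when the spec is built; fallback=(env_fallback, ['ONEANDONE_AUTH_TOKEN']) is the usual way to express this in an argument_spec and could be handled in a follow-up. Both points apply equally to the following hunks that make the same auth_token change.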
@ -594,7 +594,7 @@ def main():
|
||||||
module = AnsibleModule(
|
module = AnsibleModule(
|
||||||
argument_spec=dict(
|
argument_spec=dict(
|
||||||
auth_token=dict(
|
auth_token=dict(
|
||||||
type='str',
|
type='str', no_log=True,
|
||||||
default=os.environ.get('ONEANDONE_AUTH_TOKEN')),
|
default=os.environ.get('ONEANDONE_AUTH_TOKEN')),
|
||||||
api_url=dict(
|
api_url=dict(
|
||||||
type='str',
|
type='str',
|
||||||
|
|
|
@ -947,7 +947,7 @@ def main():
|
||||||
module = AnsibleModule(
|
module = AnsibleModule(
|
||||||
argument_spec=dict(
|
argument_spec=dict(
|
||||||
auth_token=dict(
|
auth_token=dict(
|
||||||
type='str',
|
type='str', no_log=True,
|
||||||
default=os.environ.get('ONEANDONE_AUTH_TOKEN')),
|
default=os.environ.get('ONEANDONE_AUTH_TOKEN')),
|
||||||
api_url=dict(
|
api_url=dict(
|
||||||
type='str',
|
type='str',
|
||||||
|
|
|
@ -384,7 +384,7 @@ def main():
|
||||||
module = AnsibleModule(
|
module = AnsibleModule(
|
||||||
argument_spec=dict(
|
argument_spec=dict(
|
||||||
auth_token=dict(
|
auth_token=dict(
|
||||||
type='str',
|
type='str', no_log=True,
|
||||||
default=os.environ.get('ONEANDONE_AUTH_TOKEN')),
|
default=os.environ.get('ONEANDONE_AUTH_TOKEN')),
|
||||||
api_url=dict(
|
api_url=dict(
|
||||||
type='str',
|
type='str',
|
||||||
|
|
|
@ -274,7 +274,7 @@ def main():
|
||||||
module = AnsibleModule(
|
module = AnsibleModule(
|
||||||
argument_spec=dict(
|
argument_spec=dict(
|
||||||
auth_token=dict(
|
auth_token=dict(
|
||||||
type='str',
|
type='str', no_log=True,
|
||||||
default=os.environ.get('ONEANDONE_AUTH_TOKEN')),
|
default=os.environ.get('ONEANDONE_AUTH_TOKEN')),
|
||||||
api_url=dict(
|
api_url=dict(
|
||||||
type='str',
|
type='str',
|
||||||
|
|
|
@ -238,7 +238,7 @@ def main():
|
||||||
loadbalancer=dict(required=True),
|
loadbalancer=dict(required=True),
|
||||||
state=dict(default='present', choices=['present', 'absent']),
|
state=dict(default='present', choices=['present', 'absent']),
|
||||||
enabled=dict(type='bool', default=True),
|
enabled=dict(type='bool', default=True),
|
||||||
private_key=dict(),
|
private_key=dict(no_log=True),
|
||||||
certificate=dict(),
|
certificate=dict(),
|
||||||
intermediate_certificate=dict(),
|
intermediate_certificate=dict(),
|
||||||
secure_port=dict(type='int', default=443),
|
secure_port=dict(type='int', default=443),
|
||||||
|
|
|
@ -1459,7 +1459,7 @@ def main():
|
||||||
min_size=dict(type='int', required=True),
|
min_size=dict(type='int', required=True),
|
||||||
monitoring=dict(type='str'),
|
monitoring=dict(type='str'),
|
||||||
multai_load_balancers=dict(type='list'),
|
multai_load_balancers=dict(type='list'),
|
||||||
multai_token=dict(type='str'),
|
multai_token=dict(type='str', no_log=True),
|
||||||
name=dict(type='str', required=True),
|
name=dict(type='str', required=True),
|
||||||
network_interfaces=dict(type='list'),
|
network_interfaces=dict(type='list'),
|
||||||
on_demand_count=dict(type='int'),
|
on_demand_count=dict(type='int'),
|
||||||
|
@ -1483,7 +1483,7 @@ def main():
|
||||||
target_group_arns=dict(type='list'),
|
target_group_arns=dict(type='list'),
|
||||||
tenancy=dict(type='str'),
|
tenancy=dict(type='str'),
|
||||||
terminate_at_end_of_billing_hour=dict(type='bool'),
|
terminate_at_end_of_billing_hour=dict(type='bool'),
|
||||||
token=dict(type='str'),
|
token=dict(type='str', no_log=True),
|
||||||
unit=dict(type='str'),
|
unit=dict(type='str'),
|
||||||
user_data=dict(type='str'),
|
user_data=dict(type='str'),
|
||||||
utilize_reserved_instances=dict(type='bool'),
|
utilize_reserved_instances=dict(type='bool'),
|
||||||
|
|
|
@ -707,7 +707,7 @@ def main():
|
||||||
enabled=dict(type='bool'),
|
enabled=dict(type='bool'),
|
||||||
client_authenticator_type=dict(type='str', choices=['client-secret', 'client-jwt'], aliases=['clientAuthenticatorType']),
|
client_authenticator_type=dict(type='str', choices=['client-secret', 'client-jwt'], aliases=['clientAuthenticatorType']),
|
||||||
secret=dict(type='str', no_log=True),
|
secret=dict(type='str', no_log=True),
|
||||||
registration_access_token=dict(type='str', aliases=['registrationAccessToken']),
|
registration_access_token=dict(type='str', aliases=['registrationAccessToken'], no_log=True),
|
||||||
default_roles=dict(type='list', aliases=['defaultRoles']),
|
default_roles=dict(type='list', aliases=['defaultRoles']),
|
||||||
redirect_uris=dict(type='list', aliases=['redirectUris']),
|
redirect_uris=dict(type='list', aliases=['redirectUris']),
|
||||||
web_origins=dict(type='list', aliases=['webOrigins']),
|
web_origins=dict(type='list', aliases=['webOrigins']),
|
||||||
|
|
|
@ -148,7 +148,7 @@ def main():
|
||||||
module = AnsibleModule(
|
module = AnsibleModule(
|
||||||
argument_spec=dict(
|
argument_spec=dict(
|
||||||
user=dict(required=True),
|
user=dict(required=True),
|
||||||
api_key=dict(required=True),
|
api_key=dict(required=True, no_log=True),
|
||||||
name=dict(required=False),
|
name=dict(required=False),
|
||||||
title=dict(required=True),
|
title=dict(required=True),
|
||||||
source=dict(required=False),
|
source=dict(required=False),
|
||||||
|
|
|
@ -197,9 +197,9 @@ def main():
|
||||||
argument_spec=dict(
|
argument_spec=dict(
|
||||||
name=dict(required=False),
|
name=dict(required=False),
|
||||||
service_id=dict(required=True),
|
service_id=dict(required=True),
|
||||||
service_key=dict(required=False),
|
service_key=dict(required=False, no_log=True),
|
||||||
integration_key=dict(required=False),
|
integration_key=dict(required=False, no_log=True),
|
||||||
api_key=dict(required=True),
|
api_key=dict(required=True, no_log=True),
|
||||||
state=dict(required=True,
|
state=dict(required=True,
|
||||||
choices=['triggered', 'acknowledged', 'resolved']),
|
choices=['triggered', 'acknowledged', 'resolved']),
|
||||||
client=dict(required=False, default=None),
|
client=dict(required=False, default=None),
|
||||||
|
|
|
@ -108,7 +108,7 @@ from datetime import datetime
|
||||||
def main():
|
def main():
|
||||||
module = AnsibleModule(
|
module = AnsibleModule(
|
||||||
argument_spec=dict(
|
argument_spec=dict(
|
||||||
integration_key=dict(required=True, type='str'),
|
integration_key=dict(required=True, type='str', no_log=True),
|
||||||
summary=dict(required=True, type='str'),
|
summary=dict(required=True, type='str'),
|
||||||
source=dict(required=False, default='Ansible', type='str'),
|
source=dict(required=False, default='Ansible', type='str'),
|
||||||
user=dict(required=False, type='str'),
|
user=dict(required=False, type='str'),
|
||||||
|
|
|
@ -112,7 +112,7 @@ def main():
|
||||||
checkid=dict(required=True),
|
checkid=dict(required=True),
|
||||||
uid=dict(required=True),
|
uid=dict(required=True),
|
||||||
passwd=dict(required=True, no_log=True),
|
passwd=dict(required=True, no_log=True),
|
||||||
key=dict(required=True)
|
key=dict(required=True, no_log=True),
|
||||||
)
|
)
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
|
@ -92,7 +92,7 @@ def main():
|
||||||
|
|
||||||
module = AnsibleModule(
|
module = AnsibleModule(
|
||||||
argument_spec=dict(
|
argument_spec=dict(
|
||||||
token=dict(required=True),
|
token=dict(required=True, no_log=True),
|
||||||
environment=dict(required=True),
|
environment=dict(required=True),
|
||||||
revision=dict(required=True),
|
revision=dict(required=True),
|
||||||
user=dict(required=False),
|
user=dict(required=False),
|
||||||
|
|
|
@ -152,7 +152,7 @@ def main():
|
||||||
|
|
||||||
module = AnsibleModule(
|
module = AnsibleModule(
|
||||||
argument_spec=dict( # @TODO add types
|
argument_spec=dict( # @TODO add types
|
||||||
key=dict(required=True),
|
key=dict(required=True, no_log=True),
|
||||||
event=dict(required=True, choices=['deploy', 'annotation']),
|
event=dict(required=True, choices=['deploy', 'annotation']),
|
||||||
msg=dict(),
|
msg=dict(),
|
||||||
revision_id=dict(),
|
revision_id=dict(),
|
||||||
|
|
|
@ -546,7 +546,7 @@ def main():
|
||||||
|
|
||||||
module = AnsibleModule(
|
module = AnsibleModule(
|
||||||
argument_spec=dict(
|
argument_spec=dict(
|
||||||
account_key=dict(required=True),
|
account_key=dict(required=True, no_log=True),
|
||||||
account_secret=dict(required=True, no_log=True),
|
account_secret=dict(required=True, no_log=True),
|
||||||
domain=dict(required=True),
|
domain=dict(required=True),
|
||||||
sandbox=dict(default=False, type='bool'),
|
sandbox=dict(default=False, type='bool'),
|
||||||
|
|
|
@ -398,7 +398,7 @@ def main():
|
||||||
address=dict(required=True),
|
address=dict(required=True),
|
||||||
name=dict(required=True),
|
name=dict(required=True),
|
||||||
stealth=dict(type='bool', default=False),
|
stealth=dict(type='bool', default=False),
|
||||||
tsig_key=dict(),
|
tsig_key=dict(no_log=True),
|
||||||
tsig_key_alg=dict(choices=['HMAC-MD5', 'HMAC-SHA256'], default='HMAC-MD5'),
|
tsig_key_alg=dict(choices=['HMAC-MD5', 'HMAC-SHA256'], default='HMAC-MD5'),
|
||||||
tsig_key_name=dict(required=True)
|
tsig_key_name=dict(required=True)
|
||||||
)
|
)
|
||||||
|
|
|
@ -73,7 +73,7 @@ def send_msg(module, token, msg, api, port):
|
||||||
def main():
|
def main():
|
||||||
module = AnsibleModule(
|
module = AnsibleModule(
|
||||||
argument_spec=dict(
|
argument_spec=dict(
|
||||||
token=dict(type='str', required=True),
|
token=dict(type='str', required=True, no_log=True),
|
||||||
msg=dict(type='str', required=True),
|
msg=dict(type='str', required=True),
|
||||||
api=dict(type='str', default="data.logentries.com"),
|
api=dict(type='str', default="data.logentries.com"),
|
||||||
port=dict(type='int', default=80)),
|
port=dict(type='int', default=80)),
|
||||||
|
|
|
@ -545,7 +545,7 @@ def main():
|
||||||
deprecated_aliases=[dict(name='ca_cert', version='3.0.0',
|
deprecated_aliases=[dict(name='ca_cert', version='3.0.0',
|
||||||
collection_name='community.general')]), # was Ansible 2.14
|
collection_name='community.general')]), # was Ansible 2.14
|
||||||
feed_client_cert=dict(aliases=['importer_ssl_client_cert']),
|
feed_client_cert=dict(aliases=['importer_ssl_client_cert']),
|
||||||
feed_client_key=dict(aliases=['importer_ssl_client_key']),
|
feed_client_key=dict(aliases=['importer_ssl_client_key'], no_log=True),
|
||||||
name=dict(required=True, aliases=['repo']),
|
name=dict(required=True, aliases=['repo']),
|
||||||
proxy_host=dict(),
|
proxy_host=dict(),
|
||||||
proxy_port=dict(),
|
proxy_port=dict(),
|
||||||
|
|
|
@ -572,7 +572,7 @@ def main():
|
||||||
type='dict',
|
type='dict',
|
||||||
options=dict(
|
options=dict(
|
||||||
username=dict(),
|
username=dict(),
|
||||||
password=dict()
|
password=dict(no_log=True)
|
||||||
)
|
)
|
||||||
),
|
),
|
||||||
virtual_media=dict(
|
virtual_media=dict(
|
||||||
|
|
|
@ -309,7 +309,7 @@ def main():
|
||||||
locked=dict(type='bool', default=False),
|
locked=dict(type='bool', default=False),
|
||||||
access_level=dict(type='str', default='ref_protected', choices=["not_protected", "ref_protected"]),
|
access_level=dict(type='str', default='ref_protected', choices=["not_protected", "ref_protected"]),
|
||||||
maximum_timeout=dict(type='int', default=3600),
|
maximum_timeout=dict(type='int', default=3600),
|
||||||
registration_token=dict(type='str', required=True),
|
registration_token=dict(type='str', required=True, no_log=True),
|
||||||
state=dict(type='str', default="present", choices=["absent", "present"]),
|
state=dict(type='str', default="present", choices=["absent", "present"]),
|
||||||
))
|
))
|
||||||
|
|
||||||
|
|
|
@ -90,7 +90,7 @@ def main():
|
||||||
cluster=dict(),
|
cluster=dict(),
|
||||||
domain=dict(),
|
domain=dict(),
|
||||||
iscsi_chap_name=dict(),
|
iscsi_chap_name=dict(),
|
||||||
iscsi_chap_secret=dict()
|
iscsi_chap_secret=dict(no_log=True),
|
||||||
)
|
)
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
|
@ -256,9 +256,6 @@ result:
|
||||||
frontend_cookie:
|
frontend_cookie:
|
||||||
description: Frontend cookie name
|
description: Frontend cookie name
|
||||||
type: str
|
type: str
|
||||||
frontend_cookie_secret:
|
|
||||||
description: Frontend cookie secret
|
|
||||||
type: str
|
|
||||||
frontend_form:
|
frontend_form:
|
||||||
description: Frontend authentication form name
|
description: Frontend authentication form name
|
||||||
type: str
|
type: str
|
||||||
|
|
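Review bot: The result documentation and the changelog disagree about frontend_cookie_secret: the three lines removed here drop it from the documented result, while the changelog fragment in this commit says the return value "now contains a placeholder string". If the key is still returned, keep the entry and change its description to say it holds a placeholder rather than the secret; if it is meant to disappear, remove it from the returned result as well so documentation and behaviour agree.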