ansible/community.general
1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2024-09-14 20:13:21 +02:00
Code Releases Activity

Fix a bunch of potential security issues (secret leaking) (#1736)

Browse source 
* Fix a bunch of potential security issues (secret leaking).

* oneandone_server was already ok.

* Add more parameters for pagerduty_alert.

* Add more no_log=True.
This commit is contained in:
Felix Fontein 2021-02-08 16:33:18 +01:00 committed by GitHub
parent f4e60e09ac
commit 29bd5a9486
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
25 changed files with 52 additions and 30 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

25
changelogs/fragments/no_log-fixes.yml Normal file
View file

@ -0,0 +1,25 @@
security_fixes:
- "ovirt - mark the ``instance_rootpw`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
- "oneandone_firewall_policy, oneandone_load_balancer, oneandone_monitoring_policy, oneandone_private_network, oneandone_public_ip - mark the ``auth_token`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
- "rax_clb_ssl - mark the ``private_key`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
- "spotinst_aws_elastigroup - mark the ``multai_token`` and ``token`` parameters as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
- "keycloak_client - mark the ``registration_access_token`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
- "librato_annotation - mark the ``api_key`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
- "pagerduty_alert - mark the ``api_key``, ``service_key`` and ``integration_key`` parameters as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
- "nios_nsgroup - mark the ``tsig_key`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
- "pulp_repo - mark the ``feed_client_key`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
- "gitlab_runner - mark the ``registration_token`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
- "ibm_sa_host - mark the ``iscsi_chap_secret`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
- "keycloak_* modules - mark the ``auth_client_secret`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
- "hwc_ecs_instance - mark the ``admin_pass`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
- "ovirt - mark the ``instance_key`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
- "pagerduty_change - mark the ``integration_key`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
- "pingdom - mark the ``key`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
- "rollbar_deployment - mark the ``token`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
- "stackdriver - mark the ``key`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
- "dnsmadeeasy - mark the ``account_key`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
- "logentries_msg - mark the ``token`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
- "redfish_command - mark the ``update_creds.password`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)."
- "utm_proxy_auth_profile - mark the ``frontend_cookie_secret`` parameter as ``no_log`` to avoid leakage of secrets. This causes the ``utm_proxy_auth_profile`` return value to no longer containing the correct value, but a placeholder (https://github.com/ansible-collections/community.general/pull/1736)."
breaking_changes:
- "utm_proxy_auth_profile - the ``frontend_cookie_secret`` return value now contains a placeholder string instead of the module's ``frontend_cookie_secret`` parameter (https://github.com/ansible-collections/community.general/pull/1736)."

2
plugins/modules/cloud/huawei/hwc_ecs_instance.py
View file

@ -543,7 +543,7 @@ def build_module():
snapshot_id=dict(type='str')
)),
vpc_id=dict(type='str', required=True),
admin_pass=dict(type='str'),
admin_pass=dict(type='str', no_log=True),
data_volumes=dict(type='list', elements='dict', options=dict(
volume_id=dict(type='str', required=True),
device=dict(type='str')

4
plugins/modules/cloud/misc/ovirt.py
View file

@ -405,8 +405,8 @@ def main():
instance_gateway=dict(type='str', aliases=['gateway']),
instance_domain=dict(type='str', aliases=['domain']),
instance_dns=dict(type='str', aliases=['dns']),
instance_rootpw=dict(type='str', aliases=['rootpw']),
instance_key=dict(type='str', aliases=['key']),
instance_rootpw=dict(type='str', aliases=['rootpw'], no_log=True),
instance_key=dict(type='str', aliases=['key'], no_log=True),
sdomain=dict(type='str'),
region=dict(type='str'),
),

2
plugins/modules/cloud/oneandone/oneandone_firewall_policy.py
View file

@ -500,7 +500,7 @@ def main():
module = AnsibleModule(
argument_spec=dict(
auth_token=dict(
type='str',
type='str', no_log=True,
default=os.environ.get('ONEANDONE_AUTH_TOKEN')),
api_url=dict(
type='str',

2
plugins/modules/cloud/oneandone/oneandone_load_balancer.py
View file

@ -594,7 +594,7 @@ def main():
module = AnsibleModule(
argument_spec=dict(
auth_token=dict(
type='str',
type='str', no_log=True,
default=os.environ.get('ONEANDONE_AUTH_TOKEN')),
api_url=dict(
type='str',

2
plugins/modules/cloud/oneandone/oneandone_monitoring_policy.py
View file

@ -947,7 +947,7 @@ def main():
module = AnsibleModule(
argument_spec=dict(
auth_token=dict(
type='str',
type='str', no_log=True,
default=os.environ.get('ONEANDONE_AUTH_TOKEN')),
api_url=dict(
type='str',

2
plugins/modules/cloud/oneandone/oneandone_private_network.py
View file

@ -384,7 +384,7 @@ def main():
module = AnsibleModule(
argument_spec=dict(
auth_token=dict(
type='str',
type='str', no_log=True,
default=os.environ.get('ONEANDONE_AUTH_TOKEN')),
api_url=dict(
type='str',

2
plugins/modules/cloud/oneandone/oneandone_public_ip.py
View file

@ -274,7 +274,7 @@ def main():
module = AnsibleModule(
argument_spec=dict(
auth_token=dict(
type='str',
type='str', no_log=True,
default=os.environ.get('ONEANDONE_AUTH_TOKEN')),
api_url=dict(
type='str',

2
plugins/modules/cloud/rackspace/rax_clb_ssl.py
View file

@ -238,7 +238,7 @@ def main():
loadbalancer=dict(required=True),
state=dict(default='present', choices=['present', 'absent']),
enabled=dict(type='bool', default=True),
private_key=dict(),
private_key=dict(no_log=True),
certificate=dict(),
intermediate_certificate=dict(),
secure_port=dict(type='int', default=443),

4
plugins/modules/cloud/spotinst/spotinst_aws_elastigroup.py
View file

@ -1459,7 +1459,7 @@ def main():
min_size=dict(type='int', required=True),
monitoring=dict(type='str'),
multai_load_balancers=dict(type='list'),
multai_token=dict(type='str'),
multai_token=dict(type='str', no_log=True),
name=dict(type='str', required=True),
network_interfaces=dict(type='list'),
on_demand_count=dict(type='int'),
@ -1483,7 +1483,7 @@ def main():
target_group_arns=dict(type='list'),
tenancy=dict(type='str'),
terminate_at_end_of_billing_hour=dict(type='bool'),
token=dict(type='str'),
token=dict(type='str', no_log=True),
unit=dict(type='str'),
user_data=dict(type='str'),
utilize_reserved_instances=dict(type='bool'),

2
plugins/modules/identity/keycloak/keycloak_client.py
View file

@ -707,7 +707,7 @@ def main():
enabled=dict(type='bool'),
client_authenticator_type=dict(type='str', choices=['client-secret', 'client-jwt'], aliases=['clientAuthenticatorType']),
secret=dict(type='str', no_log=True),
registration_access_token=dict(type='str', aliases=['registrationAccessToken']),
registration_access_token=dict(type='str', aliases=['registrationAccessToken'], no_log=True),
default_roles=dict(type='list', aliases=['defaultRoles']),
redirect_uris=dict(type='list', aliases=['redirectUris']),
web_origins=dict(type='list', aliases=['webOrigins']),

2
plugins/modules/monitoring/librato_annotation.py
View file

@ -148,7 +148,7 @@ def main():
module = AnsibleModule(
argument_spec=dict(
user=dict(required=True),
api_key=dict(required=True),
api_key=dict(required=True, no_log=True),
name=dict(required=False),
title=dict(required=True),
source=dict(required=False),

6
plugins/modules/monitoring/pagerduty_alert.py
View file

@ -197,9 +197,9 @@ def main():
argument_spec=dict(
name=dict(required=False),
service_id=dict(required=True),
service_key=dict(required=False),
integration_key=dict(required=False),
api_key=dict(required=True),
service_key=dict(required=False, no_log=True),
integration_key=dict(required=False, no_log=True),
api_key=dict(required=True, no_log=True),
state=dict(required=True,
choices=['triggered', 'acknowledged', 'resolved']),
client=dict(required=False, default=None),

2
plugins/modules/monitoring/pagerduty_change.py
View file

@ -108,7 +108,7 @@ from datetime import datetime
def main():
module = AnsibleModule(
argument_spec=dict(
integration_key=dict(required=True, type='str'),
integration_key=dict(required=True, type='str', no_log=True),
summary=dict(required=True, type='str'),
source=dict(required=False, default='Ansible', type='str'),
user=dict(required=False, type='str'),

2
plugins/modules/monitoring/pingdom.py
View file

@ -112,7 +112,7 @@ def main():
checkid=dict(required=True),
uid=dict(required=True),
passwd=dict(required=True, no_log=True),
key=dict(required=True)
key=dict(required=True, no_log=True),
)
)

2
plugins/modules/monitoring/rollbar_deployment.py
View file

@ -92,7 +92,7 @@ def main():
module = AnsibleModule(
argument_spec=dict(
token=dict(required=True),
token=dict(required=True, no_log=True),
environment=dict(required=True),
revision=dict(required=True),
user=dict(required=False),

2
plugins/modules/monitoring/stackdriver.py
View file

@ -152,7 +152,7 @@ def main():
module = AnsibleModule(
argument_spec=dict( # @TODO add types
key=dict(required=True),
key=dict(required=True, no_log=True),
event=dict(required=True, choices=['deploy', 'annotation']),
msg=dict(),
revision_id=dict(),

2
plugins/modules/net_tools/dnsmadeeasy.py
View file

@ -546,7 +546,7 @@ def main():
module = AnsibleModule(
argument_spec=dict(
account_key=dict(required=True),
account_key=dict(required=True, no_log=True),
account_secret=dict(required=True, no_log=True),
domain=dict(required=True),
sandbox=dict(default=False, type='bool'),

2
plugins/modules/net_tools/nios/nios_nsgroup.py
View file

@ -398,7 +398,7 @@ def main():
address=dict(required=True),
name=dict(required=True),
stealth=dict(type='bool', default=False),
tsig_key=dict(),
tsig_key=dict(no_log=True),
tsig_key_alg=dict(choices=['HMAC-MD5', 'HMAC-SHA256'], default='HMAC-MD5'),
tsig_key_name=dict(required=True)
)

2
plugins/modules/notification/logentries_msg.py
View file

@ -73,7 +73,7 @@ def send_msg(module, token, msg, api, port):
def main():
module = AnsibleModule(
argument_spec=dict(
token=dict(type='str', required=True),
token=dict(type='str', required=True, no_log=True),
msg=dict(type='str', required=True),
api=dict(type='str', default="data.logentries.com"),
port=dict(type='int', default=80)),

2
plugins/modules/packaging/os/pulp_repo.py
View file

@ -545,7 +545,7 @@ def main():
deprecated_aliases=[dict(name='ca_cert', version='3.0.0',
collection_name='community.general')]), # was Ansible 2.14
feed_client_cert=dict(aliases=['importer_ssl_client_cert']),
feed_client_key=dict(aliases=['importer_ssl_client_key']),
feed_client_key=dict(aliases=['importer_ssl_client_key'], no_log=True),
name=dict(required=True, aliases=['repo']),
proxy_host=dict(),
proxy_port=dict(),

2
plugins/modules/remote_management/redfish/redfish_command.py
View file

@ -572,7 +572,7 @@ def main():
type='dict',
options=dict(
username=dict(),
password=dict()
password=dict(no_log=True)
)
),
virtual_media=dict(

2
plugins/modules/source_control/gitlab/gitlab_runner.py
View file

@ -309,7 +309,7 @@ def main():
locked=dict(type='bool', default=False),
access_level=dict(type='str', default='ref_protected', choices=["not_protected", "ref_protected"]),
maximum_timeout=dict(type='int', default=3600),
registration_token=dict(type='str', required=True),
registration_token=dict(type='str', required=True, no_log=True),
state=dict(type='str', default="present", choices=["absent", "present"]),
))

2
plugins/modules/storage/ibm/ibm_sa_host.py
View file

@ -90,7 +90,7 @@ def main():
cluster=dict(),
domain=dict(),
iscsi_chap_name=dict(),
iscsi_chap_secret=dict()
iscsi_chap_secret=dict(no_log=True),
)
)

3
plugins/modules/web_infrastructure/sophos_utm/utm_proxy_auth_profile.py
View file

@ -256,9 +256,6 @@ result:
frontend_cookie:
description: Frontend cookie name
type: str
frontend_cookie_secret:
description: Frontend cookie secret
type: str
frontend_form:
description: Frontend authentication form name
type: str