mirror of
https://github.com/ansible-collections/community.general.git
synced 2024-09-14 20:13:21 +02:00
Filter out messages that match the pattern username:password@host
This filtering is done in both the module invocation logging and in the regular verbose() logging output. Fixes #4087
This commit is contained in:
parent
eaced05a77
commit
b8646991db
3 changed files with 52 additions and 2 deletions
|
@ -179,6 +179,7 @@ def vvvv(msg, host=None):
|
|||
return verbose(msg, host=host, caplevel=3)
|
||||
|
||||
def verbose(msg, host=None, caplevel=2):
|
||||
msg = utils.sanitize_output(msg)
|
||||
if utils.VERBOSITY > caplevel:
|
||||
if host is None:
|
||||
display(msg, color='blue')
|
||||
|
|
|
@ -761,7 +761,13 @@ class AnsibleModule(object):
|
|||
# Sanitize possible password argument when logging.
|
||||
log_args = dict()
|
||||
passwd_keys = ['password', 'login_password']
|
||||
|
||||
|
||||
filter_re = [
|
||||
# filter out things like user:pass@foo/whatever
|
||||
# and http://username:pass@wherever/foo
|
||||
re.compile('^(?P<before>.*:)(?P<password>.*)(?P<after>\@.*)$'),
|
||||
]
|
||||
|
||||
for param in self.params:
|
||||
canon = self.aliases.get(param, param)
|
||||
arg_opts = self.argument_spec.get(canon, {})
|
||||
|
@ -772,7 +778,16 @@ class AnsibleModule(object):
|
|||
elif param in passwd_keys:
|
||||
log_args[param] = 'NOT_LOGGING_PASSWORD'
|
||||
else:
|
||||
log_args[param] = self.params[param]
|
||||
found = False
|
||||
for filter in filter_re:
|
||||
m = filter.match(str(self.params[param]))
|
||||
if m:
|
||||
d = m.groupdict()
|
||||
log_args[param] = d['before'] + "********" + d['after']
|
||||
found = True
|
||||
break
|
||||
if not found:
|
||||
log_args[param] = self.params[param]
|
||||
|
||||
module = 'ansible-%s' % os.path.basename(__file__)
|
||||
msg = ''
|
||||
|
|
|
@ -623,6 +623,40 @@ def getch():
|
|||
termios.tcsetattr(fd, termios.TCSADRAIN, old_settings)
|
||||
return ch
|
||||
|
||||
def sanitize_output(str):
|
||||
''' strips private info out of a string '''
|
||||
|
||||
private_keys = ['password', 'login_password']
|
||||
|
||||
filter_re = [
|
||||
# filter out things like user:pass@foo/whatever
|
||||
# and http://username:pass@wherever/foo
|
||||
re.compile('^(?P<before>.*:)(?P<password>.*)(?P<after>\@.*)$'),
|
||||
]
|
||||
|
||||
parts = str.split()
|
||||
output = ''
|
||||
for part in parts:
|
||||
try:
|
||||
(k,v) = part.split('=', 1)
|
||||
if k in private_keys:
|
||||
output += " %s=VALUE_HIDDEN" % k
|
||||
else:
|
||||
found = False
|
||||
for filter in filter_re:
|
||||
m = filter.match(v)
|
||||
if m:
|
||||
d = m.groupdict()
|
||||
output += " %s=%s" % (k, d['before'] + "********" + d['after'])
|
||||
found = True
|
||||
break
|
||||
if not found:
|
||||
output += " %s" % part
|
||||
except:
|
||||
output += " %s" % part
|
||||
|
||||
return output.strip()
|
||||
|
||||
####################################################################
|
||||
# option handling code for /usr/bin/ansible and ansible-playbook
|
||||
# below this line
|
||||
|
|
Loading…
Reference in a new issue