1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2024-09-14 20:13:21 +02:00

Filter out messages that match the pattern username:password@host

This filtering is done in both the module invocation logging and in
the regular verbose() logging output.

Fixes #4087
This commit is contained in:
James Cammarata 2014-02-13 14:23:49 -06:00
parent eaced05a77
commit b8646991db
3 changed files with 52 additions and 2 deletions

View file

@ -179,6 +179,7 @@ def vvvv(msg, host=None):
return verbose(msg, host=host, caplevel=3)
def verbose(msg, host=None, caplevel=2):
msg = utils.sanitize_output(msg)
if utils.VERBOSITY > caplevel:
if host is None:
display(msg, color='blue')

View file

@ -761,7 +761,13 @@ class AnsibleModule(object):
# Sanitize possible password argument when logging.
log_args = dict()
passwd_keys = ['password', 'login_password']
filter_re = [
# filter out things like user:pass@foo/whatever
# and http://username:pass@wherever/foo
re.compile('^(?P<before>.*:)(?P<password>.*)(?P<after>\@.*)$'),
]
for param in self.params:
canon = self.aliases.get(param, param)
arg_opts = self.argument_spec.get(canon, {})
@ -772,7 +778,16 @@ class AnsibleModule(object):
elif param in passwd_keys:
log_args[param] = 'NOT_LOGGING_PASSWORD'
else:
log_args[param] = self.params[param]
found = False
for filter in filter_re:
m = filter.match(str(self.params[param]))
if m:
d = m.groupdict()
log_args[param] = d['before'] + "********" + d['after']
found = True
break
if not found:
log_args[param] = self.params[param]
module = 'ansible-%s' % os.path.basename(__file__)
msg = ''

View file

@ -623,6 +623,40 @@ def getch():
termios.tcsetattr(fd, termios.TCSADRAIN, old_settings)
return ch
def sanitize_output(str):
''' strips private info out of a string '''
private_keys = ['password', 'login_password']
filter_re = [
# filter out things like user:pass@foo/whatever
# and http://username:pass@wherever/foo
re.compile('^(?P<before>.*:)(?P<password>.*)(?P<after>\@.*)$'),
]
parts = str.split()
output = ''
for part in parts:
try:
(k,v) = part.split('=', 1)
if k in private_keys:
output += " %s=VALUE_HIDDEN" % k
else:
found = False
for filter in filter_re:
m = filter.match(v)
if m:
d = m.groupdict()
output += " %s=%s" % (k, d['before'] + "********" + d['after'])
found = True
break
if not found:
output += " %s" % part
except:
output += " %s" % part
return output.strip()
####################################################################
# option handling code for /usr/bin/ansible and ansible-playbook
# below this line