mirror of
https://github.com/ansible-collections/community.general.git
synced 2024-09-14 20:13:21 +02:00
Filter out messages that match the pattern username:password@host
This filtering is done in both the module invocation logging and in the regular verbose() logging output. Fixes #4087
This commit is contained in:
parent
eaced05a77
commit
b8646991db
3 changed files with 52 additions and 2 deletions
|
@ -179,6 +179,7 @@ def vvvv(msg, host=None):
|
||||||
return verbose(msg, host=host, caplevel=3)
|
return verbose(msg, host=host, caplevel=3)
|
||||||
|
|
||||||
def verbose(msg, host=None, caplevel=2):
|
def verbose(msg, host=None, caplevel=2):
|
||||||
|
msg = utils.sanitize_output(msg)
|
||||||
if utils.VERBOSITY > caplevel:
|
if utils.VERBOSITY > caplevel:
|
||||||
if host is None:
|
if host is None:
|
||||||
display(msg, color='blue')
|
display(msg, color='blue')
|
||||||
|
|
|
@ -761,7 +761,13 @@ class AnsibleModule(object):
|
||||||
# Sanitize possible password argument when logging.
|
# Sanitize possible password argument when logging.
|
||||||
log_args = dict()
|
log_args = dict()
|
||||||
passwd_keys = ['password', 'login_password']
|
passwd_keys = ['password', 'login_password']
|
||||||
|
|
||||||
|
filter_re = [
|
||||||
|
# filter out things like user:pass@foo/whatever
|
||||||
|
# and http://username:pass@wherever/foo
|
||||||
|
re.compile('^(?P<before>.*:)(?P<password>.*)(?P<after>\@.*)$'),
|
||||||
|
]
|
||||||
|
|
||||||
for param in self.params:
|
for param in self.params:
|
||||||
canon = self.aliases.get(param, param)
|
canon = self.aliases.get(param, param)
|
||||||
arg_opts = self.argument_spec.get(canon, {})
|
arg_opts = self.argument_spec.get(canon, {})
|
||||||
|
@ -772,7 +778,16 @@ class AnsibleModule(object):
|
||||||
elif param in passwd_keys:
|
elif param in passwd_keys:
|
||||||
log_args[param] = 'NOT_LOGGING_PASSWORD'
|
log_args[param] = 'NOT_LOGGING_PASSWORD'
|
||||||
else:
|
else:
|
||||||
log_args[param] = self.params[param]
|
found = False
|
||||||
|
for filter in filter_re:
|
||||||
|
m = filter.match(str(self.params[param]))
|
||||||
|
if m:
|
||||||
|
d = m.groupdict()
|
||||||
|
log_args[param] = d['before'] + "********" + d['after']
|
||||||
|
found = True
|
||||||
|
break
|
||||||
|
if not found:
|
||||||
|
log_args[param] = self.params[param]
|
||||||
|
|
||||||
module = 'ansible-%s' % os.path.basename(__file__)
|
module = 'ansible-%s' % os.path.basename(__file__)
|
||||||
msg = ''
|
msg = ''
|
||||||
|
|
|
@ -623,6 +623,40 @@ def getch():
|
||||||
termios.tcsetattr(fd, termios.TCSADRAIN, old_settings)
|
termios.tcsetattr(fd, termios.TCSADRAIN, old_settings)
|
||||||
return ch
|
return ch
|
||||||
|
|
||||||
|
def sanitize_output(str):
|
||||||
|
''' strips private info out of a string '''
|
||||||
|
|
||||||
|
private_keys = ['password', 'login_password']
|
||||||
|
|
||||||
|
filter_re = [
|
||||||
|
# filter out things like user:pass@foo/whatever
|
||||||
|
# and http://username:pass@wherever/foo
|
||||||
|
re.compile('^(?P<before>.*:)(?P<password>.*)(?P<after>\@.*)$'),
|
||||||
|
]
|
||||||
|
|
||||||
|
parts = str.split()
|
||||||
|
output = ''
|
||||||
|
for part in parts:
|
||||||
|
try:
|
||||||
|
(k,v) = part.split('=', 1)
|
||||||
|
if k in private_keys:
|
||||||
|
output += " %s=VALUE_HIDDEN" % k
|
||||||
|
else:
|
||||||
|
found = False
|
||||||
|
for filter in filter_re:
|
||||||
|
m = filter.match(v)
|
||||||
|
if m:
|
||||||
|
d = m.groupdict()
|
||||||
|
output += " %s=%s" % (k, d['before'] + "********" + d['after'])
|
||||||
|
found = True
|
||||||
|
break
|
||||||
|
if not found:
|
||||||
|
output += " %s" % part
|
||||||
|
except:
|
||||||
|
output += " %s" % part
|
||||||
|
|
||||||
|
return output.strip()
|
||||||
|
|
||||||
####################################################################
|
####################################################################
|
||||||
# option handling code for /usr/bin/ansible and ansible-playbook
|
# option handling code for /usr/bin/ansible and ansible-playbook
|
||||||
# below this line
|
# below this line
|
||||||
|
|
Loading…
Reference in a new issue