From c1f7fa2f3b78ccb159ed789990f4ec3e9924c219 Mon Sep 17 00:00:00 2001
From: Michael Scherer <mscherer@users.noreply.github.com>
Date: Mon, 17 Oct 2016 11:38:20 +0200
Subject: [PATCH] ovirt_auth: fix type and password leak (#3119)

Do not leak the password in log, and verify the path of ca_file
---
 lib/ansible/modules/extras/cloud/ovirt/ovirt_auth.py | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/lib/ansible/modules/extras/cloud/ovirt/ovirt_auth.py b/lib/ansible/modules/extras/cloud/ovirt/ovirt_auth.py
index 19ab2e1641..50ed548eb9 100644
--- a/lib/ansible/modules/extras/cloud/ovirt/ovirt_auth.py
+++ b/lib/ansible/modules/extras/cloud/ovirt/ovirt_auth.py
@@ -98,10 +98,7 @@ tasks:
        # oVirt user's password, and include that yaml file with variable:
        - include_vars: ovirt_password.yml
 
-       # Always be sure to pass 'no_log: true' to ovirt_auth task,
-       # so the oVirt user's password is not logged:
        - name: Obtain SSO token with using username/password credentials:
-         no_log: true
          ovirt_auth:
            url: https://ovirt.example.com/ovirt-engine/api
            username: admin@internal
@@ -171,8 +168,8 @@ def main():
         argument_spec=dict(
             url=dict(default=None),
             username=dict(default=None),
-            password=dict(default=None),
-            ca_file=dict(default=None),
+            password=dict(default=None, no_log=True),
+            ca_file=dict(default=None, type='path'),
             insecure=dict(required=False, type='bool', default=False),
             timeout=dict(required=False, type='int', default=0),
             compress=dict(required=False, type='bool', default=True),