ansible/community.general
1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2024-09-14 20:13:21 +02:00
Code Releases Activity

Merge pull request #6001 from jimi-c/issue_4087_sanitize_output

Browse source 
Filter out messages that match the pattern username:password@host
This commit is contained in:
James Cammarata 2014-02-14 09:54:05 -06:00
commit faa645c834
3 changed files with 52 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
lib/ansible/callbacks.py
View file

@ -179,6 +179,7 @@ def vvvv(msg, host=None):
return verbose(msg, host=host, caplevel=3) return verbose(msg, host=host, caplevel=3)
def verbose(msg, host=None, caplevel=2): def verbose(msg, host=None, caplevel=2):
msg = utils.sanitize_output(msg)
if utils.VERBOSITY > caplevel: if utils.VERBOSITY > caplevel:
if host is None: if host is None:
display(msg, color='blue') display(msg, color='blue')

19
lib/ansible/module_utils/basic.py
View file

@ -761,7 +761,13 @@ class AnsibleModule(object):
# Sanitize possible password argument when logging. # Sanitize possible password argument when logging.
log_args = dict() log_args = dict()
passwd_keys = ['password', 'login_password'] passwd_keys = ['password', 'login_password']
filter_re = [
# filter out things like user:pass@foo/whatever
# and http://username:pass@wherever/foo
re.compile('^(?P<before>.*:)(?P<password>.*)(?P<after>\@.*)$'),
]
for param in self.params: for param in self.params:
canon = self.aliases.get(param, param) canon = self.aliases.get(param, param)
arg_opts = self.argument_spec.get(canon, {}) arg_opts = self.argument_spec.get(canon, {})
@ -772,7 +778,16 @@ class AnsibleModule(object):
elif param in passwd_keys: elif param in passwd_keys:
log_args[param] = 'NOT_LOGGING_PASSWORD' log_args[param] = 'NOT_LOGGING_PASSWORD'
else: else:
log_args[param] = self.params[param] found = False
for filter in filter_re:
m = filter.match(str(self.params[param]))
if m:
d = m.groupdict()
log_args[param] = d['before'] + "********" + d['after']
found = True
break
if not found:
log_args[param] = self.params[param]
module = 'ansible-%s' % os.path.basename(__file__) module = 'ansible-%s' % os.path.basename(__file__)
msg = '' msg = ''

34
lib/ansible/utils/__init__.py
View file

@ -623,6 +623,40 @@ def getch():
termios.tcsetattr(fd, termios.TCSADRAIN, old_settings) termios.tcsetattr(fd, termios.TCSADRAIN, old_settings)
return ch return ch
def sanitize_output(str):
''' strips private info out of a string '''
private_keys = ['password', 'login_password']
filter_re = [
# filter out things like user:pass@foo/whatever
# and http://username:pass@wherever/foo
re.compile('^(?P<before>.*:)(?P<password>.*)(?P<after>\@.*)$'),
]
parts = str.split()
output = ''
for part in parts:
try:
(k,v) = part.split('=', 1)
if k in private_keys:
output += " %s=VALUE_HIDDEN" % k
else:
found = False
for filter in filter_re:
m = filter.match(v)
if m:
d = m.groupdict()
output += " %s=%s" % (k, d['before'] + "********" + d['after'])
found = True
break
if not found:
output += " %s" % part
except:
output += " %s" % part
return output.strip()
#################################################################### ####################################################################
# option handling code for /usr/bin/ansible and ansible-playbook # option handling code for /usr/bin/ansible and ansible-playbook
# below this line # below this line