Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
It's pretty important to ensure, that password won't be logged and thus exposed in the output. So we add linter rule that will check that all tasks, that have "password" in argument are not logged. Signed-Off-By: Dmitriy Rabotyagov <noonedeadpunk@ya.ru>
- Loading branch information
Dmitriy Rabotyagov
committed
May 19, 2021
1 parent
d18509c
commit 71cbb5b
Showing
4 changed files
with
89 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,18 @@ | ||
- tasks: | ||
- name: Fail no_log isn't used | ||
user: | ||
name: bidule | ||
password: "wow" | ||
state: absent | ||
- name: Fail when no_log is set to False | ||
user: | ||
name: bidule | ||
password: "wow" | ||
state: absent | ||
no_log: False | ||
- name: Fail when no_log is set to no | ||
user: | ||
name: bidule | ||
password: "wow" | ||
state: absent | ||
no_log: no |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
- tasks: | ||
- name: Succeed when no_log is set to yes | ||
user: | ||
name: bidule | ||
password: "wow" | ||
state: absent | ||
no_log: yes | ||
- name: Succeed when no_log is set to True | ||
user: | ||
name: bidule | ||
password: "wow" | ||
state: absent | ||
no_log: True |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,35 @@ | ||
|
||
from ansiblelint.rules import AnsibleLintRule | ||
from ansiblelint.utils import convert_to_boolean | ||
from typing import TYPE_CHECKING, Any, Dict, Union | ||
|
||
if TYPE_CHECKING: | ||
from typing import Optional | ||
|
||
from ansiblelint.file_utils import Lintable | ||
|
||
|
||
class NoLogPasswordsRule(AnsibleLintRule): | ||
id = "no-log-password" | ||
shortdesc = "password should not be logged." | ||
description = ( | ||
"All the modules that take a password argument should fail " | ||
"if no_log is not set or set to False in the task." | ||
) | ||
severity = 'LOW' | ||
tags = ["passwords", "experimental"] | ||
version_added = "v5.0.9" | ||
|
||
def matchtask(self, task: Dict[str, Any], file: 'Optional[Lintable]' = None) -> Union[bool, str]: | ||
|
||
for param in task["action"].keys(): | ||
if 'password' in param: | ||
has_password = True | ||
break | ||
else: | ||
has_password = False | ||
|
||
# No no_log and no_log: False behave the same way | ||
# and should return a failure (return True), so we | ||
# need to invert the boolean | ||
return bool(has_password and not convert_to_boolean(task['action'].get('no_log', False))) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,23 @@ | ||
import unittest | ||
|
||
from ansiblelint.rules import RulesCollection | ||
from ansiblelint.runner import Runner | ||
from ansiblelint.rules.NoLogPasswordsRule import NoLogPasswordsRule | ||
|
||
|
||
class TestNoLogPasswordsRule(unittest.TestCase): | ||
collection = RulesCollection() | ||
|
||
def setUp(self): | ||
self.collection.register(NoLogPasswordsRule()) | ||
|
||
def test_file_positive(self): | ||
success = 'examples/playbooks/no-log-passwords-success.yml' | ||
good_runner = Runner(success, rules=self.collection) | ||
self.assertEqual([], good_runner.run()) | ||
|
||
def test_file_negative(self): | ||
failure = 'examples/playbooks/no-log-passwords-failure.yml' | ||
bad_runner = Runner(failure, rules=self.collection) | ||
errs = bad_runner.run() | ||
self.assertEqual(3, len(errs)) |