Add rule for checking no_log is set

It's pretty important to ensure, that password won't be logged and thus exposed in the output. So we add linter rule that will check that all tasks, that have "password" in argument are not logged. Signed-Off-By: Dmitriy Rabotyagov <noonedeadpunk@ya.ru>
ansible · May 19, 2021 · 71cbb5b · 71cbb5b
1 parent d18509c
commit 71cbb5b
Show file tree

Hide file tree

Showing 4 changed files with 89 additions and 0 deletions.
diff --git a/examples/playbooks/no-log-passwords-failure.yml b/examples/playbooks/no-log-passwords-failure.yml
@@ -0,0 +1,18 @@
+- tasks:
+    - name: Fail no_log isn't used
+      user:
+        name: bidule
+        password: "wow"
+        state: absent
+    - name: Fail when no_log is set to False
+      user:
+        name: bidule
+        password: "wow"
+        state: absent
+      no_log: False
+    - name: Fail when no_log is set to no
+      user:
+        name: bidule
+        password: "wow"
+        state: absent
+      no_log: no
diff --git a/examples/playbooks/no-log-passwords-success.yml b/examples/playbooks/no-log-passwords-success.yml
@@ -0,0 +1,13 @@
+- tasks:
+    - name: Succeed when no_log is set to yes
+      user:
+        name: bidule
+        password: "wow"
+        state: absent
+      no_log: yes
+    - name: Succeed when no_log is set to True
+      user:
+        name: bidule
+        password: "wow"
+        state: absent
+      no_log: True
diff --git a/src/ansiblelint/rules/NoLogPasswordsRule.py b/src/ansiblelint/rules/NoLogPasswordsRule.py
@@ -0,0 +1,35 @@
+
+from ansiblelint.rules import AnsibleLintRule
+from ansiblelint.utils import convert_to_boolean
+from typing import TYPE_CHECKING, Any, Dict, Union
+
+if TYPE_CHECKING:
+    from typing import Optional
+
+    from ansiblelint.file_utils import Lintable
+
+
+class NoLogPasswordsRule(AnsibleLintRule):
+    id = "no-log-password"
+    shortdesc = "password should not be logged."
+    description = (
+        "All the modules that take a password argument should fail "
+        "if no_log is not set or set to False in the task."
+    )
+    severity = 'LOW'
+    tags = ["passwords", "experimental"]
+    version_added = "v5.0.9"
+
+    def matchtask(self, task: Dict[str, Any], file: 'Optional[Lintable]' = None) -> Union[bool, str]:
+
+        for param in task["action"].keys():
+            if 'password' in param:
+                has_password = True
+                break
+        else:
+            has_password = False
+
+        # No no_log and no_log: False behave the same way
+        # and should return a failure (return True), so we
+        # need to invert the boolean
+        return bool(has_password and not convert_to_boolean(task['action'].get('no_log', False)))
diff --git a/test/TestNoLogPasswordsRule.py b/test/TestNoLogPasswordsRule.py
@@ -0,0 +1,23 @@
+import unittest
+
+from ansiblelint.rules import RulesCollection
+from ansiblelint.runner import Runner
+from ansiblelint.rules.NoLogPasswordsRule import NoLogPasswordsRule
+
+
+class TestNoLogPasswordsRule(unittest.TestCase):
+    collection = RulesCollection()
+
+    def setUp(self):
+        self.collection.register(NoLogPasswordsRule())
+
+    def test_file_positive(self):
+        success = 'examples/playbooks/no-log-passwords-success.yml'
+        good_runner = Runner(success, rules=self.collection)
+        self.assertEqual([], good_runner.run())
+
+    def test_file_negative(self):
+        failure = 'examples/playbooks/no-log-passwords-failure.yml'
+        bad_runner = Runner(failure, rules=self.collection)
+        errs = bad_runner.run()
+        self.assertEqual(3, len(errs))