Add rule for checking no_log is set when passwords are used

.flake8

@@ -94,6 +94,7 @@ per-file-ignores =
   test/TestMetaTagValid.py: PT009 D100 D101 D102
   test/TestMetaVideoLinks.py: PT009 D100 D101 D102
   test/TestNoFormattingInWhenRule.py: PT009 D100 D101 D102
+  test/TestNoLogPasswordsRule.py: PT009 D100 D101 D102
   test/TestOctalPermissions.py: PT009 D100 D101 D102
   test/TestPackageIsNotLatest.py: PT009 D100 D101 D102
   test/TestPretaskIncludePlaybook.py: D100 D103

examples/playbooks/no-log-passwords-failure.yml

@@ -0,0 +1,19 @@
+- hosts: localhost
+  tasks:
+    - name: Fail no_log isn't used
+      user:
+        name: bidule
+        password: "wow"
+        state: absent
+    - name: Fail when no_log is set to False
+      user:
+        name: bidule
+        user_password: "wow"
+        state: absent
+      no_log: False
+    - name: Fail when no_log is set to no
+      user:
+        name: bidule
+        password: "wow"
+        state: absent
+      no_log: no

examples/playbooks/no-log-passwords-success.yml

@@ -0,0 +1,14 @@
+- hosts: localhost
+  tasks:
+    - name: Succeed when no_log is set to yes
+      user:
+        name: bidule
+        password: "wow"
+        state: absent
+      no_log: yes
+    - name: Succeed when no_log is set to True
+      user:
+        name: bidule
+        user_password: "wow"
+        state: absent
+      no_log: True

src/ansiblelint/rules/NoLogPasswordsRule.py

@@ -0,0 +1,51 @@
+# Copyright 2018, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from typing import TYPE_CHECKING, Any, Dict, Union
+
+from ansiblelint.rules import AnsibleLintRule
+from ansiblelint.utils import convert_to_boolean
+
+if TYPE_CHECKING:
+    from typing import Optional
+
+    from ansiblelint.file_utils import Lintable
+
+
+class NoLogPasswordsRule(AnsibleLintRule):
+    id = "no-log-password"
+    shortdesc = "password should not be logged."
+    description = (
+        "When passing password argument you should have no_log configured "
+        "to a non False value to avoid accidental leaking of secrets."
+    )
+    severity = 'LOW'
+    tags = ["security", "experimental"]
+    version_added = "v5.0.9"
+
+    def matchtask(
+        self, task: Dict[str, Any], file: 'Optional[Lintable]' = None
+    ) -> Union[bool, str]:
+
+        for param in task["action"].keys():
+            if 'password' in param:
+                has_password = True
+                break
+        else:
+            has_password = False
+
+        # No no_log and no_log: False behave the same way
+        # and should return a failure (return True), so we
+        # need to invert the boolean
+        return bool(has_password and not convert_to_boolean(task.get('no_log', False)))

test/TestNoLogPasswordsRule.py

@@ -0,0 +1,24 @@
+# pylint: disable=preferred-module  # FIXME: remove once migrated per GH-725
+import unittest
+
+from ansiblelint.rules import RulesCollection
+from ansiblelint.rules.NoLogPasswordsRule import NoLogPasswordsRule
+from ansiblelint.runner import Runner
+
+
+class TestNoLogPasswordsRule(unittest.TestCase):
+    collection = RulesCollection()
+
+    def setUp(self):
+        self.collection.register(NoLogPasswordsRule())
+
+    def test_file_positive(self):
+        success = 'examples/playbooks/no-log-passwords-success.yml'
+        good_runner = Runner(success, rules=self.collection)
+        self.assertEqual([], good_runner.run())
+
+    def test_file_negative(self):
+        failure = 'examples/playbooks/no-log-passwords-failure.yml'
+        bad_runner = Runner(failure, rules=self.collection)
+        errs = bad_runner.run()
+        self.assertEqual(3, len(errs))

test/TestRulesCollection.py

@@ -128,4 +128,4 @@ def test_rules_id_format() -> None:
         assert rule_id_re.match(
             rule.id
         ), f"R rule id {rule.id} did not match our required format."
-    assert len(rules) == 39
+    assert len(rules) == 40