use regex vs list to weed out password fields

- also warn as module SHOULD have no_log - make password regex exportable for testing - avoids boolean fields (cherry picked from commit 403e9d35df)
2017-02-09 13:59:29 -05:00 · 2017-02-09 13:59:29 -05:00 · 20d67cc562
commit 20d67cc562
parent b4b65c6bd2
1 changed files with 6 additions and 2 deletions
--- a/lib/ansible/module_utils/basic.py
+++ b/lib/ansible/module_utils/basic.py
@ -178,6 +178,8 @@ except ImportError:
    except ImportError:
        pass

+PASSWORD_MATCH = re.compile(r'^(?:.+[-_\s])?pass(?:[-_\s]?(?:word|phrase|wrd|wd)?)(?:[-_\s].+)?$', re.I)
+
 try:
    from ast import literal_eval
 except ImportError:
@ -1627,17 +1629,19 @@ class AnsibleModule(object):
        # TODO: generalize a separate log function and make log_invocation use it
        # Sanitize possible password argument when logging.
        log_args = dict()
-        passwd_keys = ['password', 'login_password', 'url_password']

        for param in self.params:
            canon  = self.aliases.get(param, param)
            arg_opts = self.argument_spec.get(canon, {})
            no_log = arg_opts.get('no_log', False)
+            arg_type = arg_opts.get('type', 'str')

            if self.boolean(no_log):
                log_args[param] = 'NOT_LOGGING_PARAMETER'
-            elif param in passwd_keys:
+            # try to capture all passwords/passphrase named fields
+            elif arg_type != 'bool' and PASSWORD_MATCH.search(param):
                log_args[param] = 'NOT_LOGGING_PASSWORD'
+                self.warn('Module did not set no_log for %s' % param)
            else:
                param_val = self.params[param]
                if not isinstance(param_val, basestring):