Bkprt no log fix (#41452)

* no_log even when task_result doesn't provide key

 - now also checks task property
 - added reproducer to tests for unreachable status on item loop

(cherry picked from commit 336b3762b2)

* Add changelog entry for the no_log fix

(cherry picked from commit 5fdd101a3e)

* Tasks that are expected to fail need to begin with a special string

(cherry picked from commit a5fd86cf6d)
Toshio Kuratomi 2018-06-13 14:45:06 -07:00 committed by Matt Clay
parent 6cdc3ac057
commit 70f4f89178
3 changed files with 37 additions and 1 deletions


@ -0,0 +1,9 @@
---
bugfixes:
- '**Security Fix** - Some connection exceptions would cause no_log specified on
a task to be ignored. If this happened, the task information, including any
private information could have been displayed to stdout and (if enabled, not
the default) logged to a log file specified in ansible.cfg''s log_path.
Additionally, sites which redirected stdout from ansible runs to a log file
may have stored that private information onto disk that way as well.
(https://github.com/ansible/ansible/pull/41414)'
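
Review bot: the entry's opening clause, 'Some connection exceptions would cause no_log specified on a task to be ignored', does not say which condition triggers the leak. The reproducer added in this commit uses an unreachable host on a looped task, so naming that case (for example, 'such as an unreachable host on a task with a loop') would let operators judge whether their past runs were exposed. Minor: a comma is missing after 'including any private information'.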


@ -110,7 +110,7 @@ class TaskResult:
else:
ignore = _IGNORE
if self._result.get('_ansible_no_log', False):
if self._task.no_log or self._result.get('_ansible_no_log', False):
x = {"censored": "the output has been hidden due to the fact that 'no_log: true' was specified for this result"}
for preserve in _PRESERVE:
if preserve in self._result:
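
Review bot: the widened condition `if self._task.no_log or self._result.get('_ansible_no_log', False):` has no comment explaining why the task attribute is consulted alongside the result key. Per the commit message, the task result does not always provide the key; a one-line comment saying so would keep a later cleanup from collapsing the check back to the result alone. It is also worth confirming that `self._task` is always populated when this path runs, since the new expression dereferences it unconditionally.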


@ -63,3 +63,30 @@
- name: args should be logged when task-level no_log overrides play-level
shell: echo "LOG_ME_OVERRIDE"
no_log: false
- name: Add a fake host for next play
add_host:
hostname: fake
- name: use 'fake' unreachable host to force unreachable error
hosts: fake
gather_facts: no
connection: ssh
tasks:
- name: 'EXPECTED FAILURE: Fail to run a lineinfile task'
vars:
logins:
- machine: foo
login: bar
password: DO_NOT_LOG_UNREACHABLE_ITEM
- machine: two
login: three
password: DO_NOT_LOG_UNREACHABLE_ITEM
lineinfile:
path: /dev/null
mode: 0600
create: true
insertafter: EOF
line: "machine {{ item.machine }} login {{ item.login }} password {{ item.password }}"
loop: "{{ logins }}"
no_log: true
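
Review bot: the new play plants DO_NOT_LOG_UNREACHABLE_ITEM in the loop items, but none of the three files changed here asserts that the string is absent from the run's output. If the existing test runner does not already match on this marker or a prefix of it, the reproducer executes without proving anything; please confirm that it does, or add the check in this backport. Style: `mode: 0600` is better quoted as '0600' so the value does not depend on the YAML parser's octal handling.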