From 5bf3197680bfe6581692f9dcbaae060a446bc3bd Mon Sep 17 00:00:00 2001
From: Chris Church
Date: Wed, 11 Dec 2013 15:17:18 -0500
Subject: [PATCH] AC-752 Hide password in BROKER_URL environment variable, show other variables that are known not to contain sensitive information.
---
 awx/main/tasks.py | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/awx/main/tasks.py b/awx/main/tasks.py
index df64e55ede..9715cf92f1 100644
--- a/awx/main/tasks.py
+++ b/awx/main/tasks.py
@@ -134,10 +134,19 @@ class BaseTask(Task):
 return env
 def build_safe_env(self, instance, **kwargs):
- hidden_re = re.compile('API|TOKEN|KEY|SECRET|PASS')
+ hidden_re = re.compile(r'API|TOKEN|KEY|SECRET|PASS')
+ urlpass_re = re.compile(r'^.*?://.?:(.*?)@.*?$')
 env = self.build_env(instance, **kwargs)
 for k,v in env.items():
- if hidden_re.search(k):
+ if k == 'BROKER_URL':
+ m = urlpass_re.match(v)
+ if m:
+ env[k] = urlpass_re.sub('*'*len(m.groups()[0]), v)
+ elif k in ('REST_API_URL', 'AWS_ACCESS_KEY', 'AWS_ACCESS_KEY_ID'):
+ continue
+ elif k.startswith('ANSIBLE_'):
+ continue
+ elif hidden_re.search(k):
 env[k] = '*'*len(str(v))
 return env
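Review bot: `urlpass_re` only matches when the user part of the URL is empty or a single character, because `.?` sits between `://` and the `:`; for a BROKER_URL such as `amqp://user:secret@host/` (constructed example) `match()` returns None and the value stays in the "safe" environment with the password intact. When the pattern does match, `sub()` replaces the whole anchored match, so the entire URL becomes a run of asterisks rather than only the password. I would capture the surrounding parts and rebuild the value, e.g. `urlpass_re = re.compile(r'^(.*?://[^:@/]*:)([^@]*)(@.*)$')` with `env[k] = urlpass_re.sub(lambda m: m.group(1) + '*' * len(m.group(2)) + m.group(3), v)`, and mask the whole value in an `else:` when the pattern does not match but the URL contains `@`. Separately, the `ANSIBLE_` prefix branch runs before `hidden_re`, so any ANSIBLE_-prefixed variable whose name contains PASS, KEY or TOKEN is now shown unmasked; an explicit allow-list would be safer if such variables can appear here.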