From 5fd5c95a1d0e8ed98fa51244234db3ab83bcd185 Mon Sep 17 00:00:00 2001
From: Ryan Petrello
Date: Mon, 2 Apr 2018 12:16:17 -0400
Subject: [PATCH] only record task.args in the callback plugin if `DISPLAY_ARGS_TO_STDOUT`
see: https://github.com/ansible/awx/issues/1633
---
 awx/lib/awx_display_callback/module.py | 14 +++++++++-----
 awx/lib/tests/test_display_callback.py | 12 ++++++------
 awx/main/models/events.py | 6 ------
 3 files changed, 15 insertions(+), 17 deletions(-)
diff --git a/awx/lib/awx_display_callback/module.py b/awx/lib/awx_display_callback/module.py
index 368063d0d1..0d99f82680 100644
--- a/awx/lib/awx_display_callback/module.py
+++ b/awx/lib/awx_display_callback/module.py
@@ -28,6 +28,7 @@ import uuid
 from copy import copy
 # Ansible
+from ansible import constants as C
 from ansible.plugins.callback import CallbackBase
 from ansible.plugins.callback.default import CallbackModule as DefaultCallbackModule
@@ -126,16 +127,19 @@ class BaseCallbackModule(CallbackBase):
 task=(task.name or task.action),
 task_uuid=str(task._uuid),
 task_action=task.action,
+ task_args='',
 )
 try:
 task_ctx['task_path'] = task.get_path()
 except AttributeError:
 pass
- if task.no_log:
- task_ctx['task_args'] = "the output has been hidden due to the fact that 'no_log: true' was specified for this result"
- else:
- task_args = ', '.join(('%s=%s' % a for a in task.args.items()))
- task_ctx['task_args'] = task_args
+
+ if C.DISPLAY_ARGS_TO_STDOUT:
+ if task.no_log:
+ task_ctx['task_args'] = "the output has been hidden due to the fact that 'no_log: true' was specified for this result"
+ else:
+ task_args = ', '.join(('%s=%s' % a for a in task.args.items()))
+ task_ctx['task_args'] = task_args
 if getattr(task, '_role', None):
 task_role = task._role._role_name
 else:
diff --git a/awx/lib/tests/test_display_callback.py b/awx/lib/tests/test_display_callback.py
index d8c7923108..5f7ce96ab8 100644
--- a/awx/lib/tests/test_display_callback.py
+++ b/awx/lib/tests/test_display_callback.py
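Review bot: With `C.DISPLAY_ARGS_TO_STDOUT` enabled, the `else` branch still joins every key/value of `task.args` into `task_ctx['task_args']`, so a secret passed as a plain module argument (the `uri` password in this commit's test playbook, for example) is recorded unless the task itself sets `no_log: true`. Nothing visible here filters per-parameter no_log values. Document that on the guard, e.g. `# Raw task.args are recorded when DISPLAY_ARGS_TO_STDOUT is on; only task-level no_log hides them.` The commit also deletes the verbosity-0 wipe of `invocation['module_args']` in awx/main/models/events.py, and no replacement for that field is visible in this diff, so it is worth confirming where result-level module args are scrubbed now. The enclosing method starts and ends outside the hunk.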
@@ -186,14 +186,16 @@ def test_callback_plugin_no_log_filters(executor, cache, playbook):
 @pytest.mark.parametrize('playbook', [
 {'no_log_on_ok.yml': '''
-- name: args should not be logged when task-level no_log is set
+- name: args should not be logged when no_log is set at the task or module level
 connection: local
 hosts: all
 gather_facts: no
 tasks:
- - shell: echo "SENSITIVE"
+ - shell: echo "PUBLIC"
 - shell: echo "PRIVATE"
 no_log: true
+ - uri: uri=https://example.org username="PUBLIC" password="PRIVATE"
+ - copy: content="PRIVATE" destination="/tmp/tmp_no_log"
 '''}, # noqa
 ])
 def test_callback_plugin_task_args_leak(executor, cache, playbook):
@@ -204,15 +206,13 @@ def test_callback_plugin_task_args_leak(executor, cache, playbook):
 # task 1
 assert events[2]['event'] == 'playbook_on_task_start'
- assert 'SENSITIVE' in events[2]['event_data']['task_args']
 assert events[3]['event'] == 'runner_on_ok'
- assert 'SENSITIVE' in events[3]['event_data']['task_args']
 # task 2 no_log=True
 assert events[4]['event'] == 'playbook_on_task_start'
- assert events[4]['event_data']['task_args'] == "the output has been hidden due to the fact that 'no_log: true' was specified for this result" # noqa
 assert events[5]['event'] == 'runner_on_ok'
- assert events[5]['event_data']['task_args'] == "the output has been hidden due to the fact that 'no_log: true' was specified for this result" # noqa
+ assert 'PUBLIC' in json.dumps(cache.items())
+ assert 'PRIVATE' not in json.dumps(cache.items())
 @pytest.mark.parametrize('playbook', [
diff --git a/awx/main/models/events.py b/awx/main/models/events.py
index 09da2ffb20..6f240cfdf4 100644
--- a/awx/main/models/events.py
+++ b/awx/main/models/events.py
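Review bot: The added `copy` task passes `destination=`, but the copy module's parameter is `dest`, so that task most likely fails argument validation instead of running, and the test then exercises an error path rather than a successful copy. If that is not intended, the line should read `- copy: content="PRIVATE" dest="/tmp/tmp_no_log"`. The `uri` task also makes the test depend on reaching https://example.org, and `/tmp/tmp_no_log` is a fixed path shared between runs, so a per-test temporary directory and a local endpoint would make the result more repeatable.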
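Review bot: After this hunk nothing asserts on `event_data['task_args']` any more, so neither branch behind the new `C.DISPLAY_ARGS_TO_STDOUT` guard is covered: not the empty default, not the no_log placeholder, not the joined args. The two new asserts scan the whole cache, and `'PUBLIC' in ...` is already satisfied by the first shell task, so they say little about the `uri` arguments. I would keep a per-event check such as `assert events[2]['event_data']['task_args'] == ''` (assuming the setting is off in the test environment) and add a case that runs with the setting enabled. The body of test_callback_plugin_task_args_leak starts above the hunk, so how `events` is built and whether `json` is imported are not visible here.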
@@ -235,12 +235,6 @@ class BasePlaybookEvent(CreatedModifiedModel):
 if res.get('changed', False):
 self.changed = True
 updated_fields.add('changed')
- # If we're not in verbose mode, wipe out any module arguments.
- invocation = res.get('invocation', None)
- if isinstance(invocation, dict) and self.job_verbosity == 0 and 'module_args' in invocation:
- event_data['res']['invocation']['module_args'] = ''
- self.event_data = event_data
- updated_fields.add('event_data')
 if self.event == 'playbook_on_stats':
 try:
 failures_dict = event_data.get('failures', {})