fix broken project update secret filtering for external logging

2026-01-13 11:00:03 -03:30 · 2020-02-03 10:27:31 -05:00 · 2020-02-03 10:27:31 -05:00 · 7055460c4c
commit 7055460c4c
parent 864767d74a
2 changed files with 22 additions and 5 deletions
--- a/awx/main/models/events.py
+++ b/awx/main/models/events.py
@ -360,11 +360,10 @@ class BasePlaybookEvent(CreatedModifiedModel):
            value = force_text(event_data.get(field, '')).strip()
            if value != getattr(self, field):
                setattr(self, field, value)
-        if isinstance(self, JobEvent):
-            analytics_logger.info(
-                'Event data saved.',
-                extra=dict(python_objects=dict(job_event=self))
-            )
+        analytics_logger.info(
+            'Event data saved.',
+            extra=dict(python_objects=dict(job_event=self))
+        )

    @classmethod
    def create_from_data(cls, **kwargs):
--- a/awx/main/tasks.py
+++ b/awx/main/tasks.py
@ -52,6 +52,7 @@ import ansible_runner
 from awx import __version__ as awx_application_version
 from awx.main.constants import CLOUD_PROVIDERS, PRIVILEGE_ESCALATION_METHODS, STANDARD_INVENTORY_UPDATE_ENV, GALAXY_SERVER_FIELDS
 from awx.main.access import access_registry
+from awx.main.redact import UriCleaner
 from awx.main.models import (
    Schedule, TowerScheduleState, Instance, InstanceGroup,
    UnifiedJob, Notification,
@ -1138,6 +1139,23 @@ class BaseTask(object):
            else:
                event_data['host_name'] = ''
                event_data['host_id'] = ''
+
+        if isinstance(self, RunProjectUpdate):
+            # it's common for Ansible's SCM modules to print
+            # error messages on failure that contain the plaintext
+            # basic auth credentials (username + password)
+            # it's also common for the nested event data itself (['res']['...'])
+            # to contain unredacted text on failure
+            # this is a _little_ expensive to filter
+            # with regex, but project updates don't have many events,
+            # so it *should* have a negligible performance impact
+            try:
+                event_data_json = json.dumps(event_data)
+                event_data_json = UriCleaner.remove_sensitive(event_data_json)
+                event_data = json.loads(event_data_json)
+            except json.JSONDecodeError:
+                pass
+
        should_write_event = False
        event_data.setdefault(self.event_data_key, self.instance.id)
        self.dispatcher.dispatch(event_data)