From 7055460c4c00569ba4d848e1d4dec382e5b3c2fd Mon Sep 17 00:00:00 2001
From: Ryan Petrello
Date: Mon, 3 Feb 2020 10:27:31 -0500
Subject: [PATCH] fix broken project update secret filtering for external logging

---
 awx/main/models/events.py | 9 ++++-----
 awx/main/tasks.py | 18 ++++++++++++++++++
 2 files changed, 22 insertions(+), 5 deletions(-)

diff --git a/awx/main/models/events.py b/awx/main/models/events.py
index bc51715e4b..f34e98de51 100644
--- a/awx/main/models/events.py
+++ b/awx/main/models/events.py
@@ -360,11 +360,10 @@ class BasePlaybookEvent(CreatedModifiedModel):
 value = force_text(event_data.get(field, '')).strip()
 if value != getattr(self, field):
 setattr(self, field, value)
- if isinstance(self, JobEvent):
- analytics_logger.info(
- 'Event data saved.',
- extra=dict(python_objects=dict(job_event=self))
- )
+ analytics_logger.info(
+ 'Event data saved.',
+ extra=dict(python_objects=dict(job_event=self))
+ )
 
 @classmethod
 def create_from_data(cls, **kwargs):
diff --git a/awx/main/tasks.py b/awx/main/tasks.py
index 69e5c2873c..08f550c072 100644
--- a/awx/main/tasks.py
+++ b/awx/main/tasks.py
@@ -52,6 +52,7 @@ import ansible_runner
 from awx import __version__ as awx_application_version
 from awx.main.constants import CLOUD_PROVIDERS, PRIVILEGE_ESCALATION_METHODS, STANDARD_INVENTORY_UPDATE_ENV, GALAXY_SERVER_FIELDS
 from awx.main.access import access_registry
+from awx.main.redact import UriCleaner
 from awx.main.models import (
 Schedule, TowerScheduleState, Instance, InstanceGroup,
 UnifiedJob, Notification,
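Review bot: In the events.py hunk, the now-unconditional `analytics_logger.info(...)` call sends every `BasePlaybookEvent` subclass to the external logger, but nothing at the call site records where secrets are expected to have been stripped. Judging from the tasks.py hunk in this commit, redaction happens before dispatch and only for project updates, so an event that reaches this save path by another route would presumably be logged as-is. A short comment above the call would make that dependency visible, e.g. `# logged for all event types; project update events are expected to be redacted before dispatch (see BaseTask in tasks.py)`. The extra key is still named `job_event` although the object may no longer be a `JobEvent`, which is worth a word in the same comment. The enclosing method starts outside the hunk.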
@@ -1138,6 +1139,23 @@ class BaseTask(object):
 else:
 event_data['host_name'] = ''
 event_data['host_id'] = ''
+
+ if isinstance(self, RunProjectUpdate):
+ # it's common for Ansible's SCM modules to print
+ # error messages on failure that contain the plaintext
+ # basic auth credentials (username + password)
+ # it's also common for the nested event data itself (['res']['...'])
+ # to contain unredacted text on failure
+ # this is a _little_ expensive to filter
+ # with regex, but project updates don't have many events,
+ # so it *should* have a negligible performance impact
+ try:
+ event_data_json = json.dumps(event_data)
+ event_data_json = UriCleaner.remove_sensitive(event_data_json)
+ event_data = json.loads(event_data_json)
+ except json.JSONDecodeError:
+ pass
+
 should_write_event = False
 event_data.setdefault(self.event_data_key, self.instance.id)
 self.dispatcher.dispatch(event_data)
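Review bot: The `except json.JSONDecodeError: pass` branch fails open: if `json.loads` cannot parse the cleaned string (for example because a substitution damaged the JSON escaping), the original, unredacted `event_data` is dispatched and nothing is logged. The handler also does not cover `json.dumps`, which raises `TypeError` or `ValueError` on values it cannot serialise and would propagate out of the event handler. For a secret filter I would fail closed and make the failure visible: catch `except (TypeError, ValueError):`, log it, and either skip the dispatch or replace the free-text fields with a placeholder instead of `pass`. Whether `UriCleaner.remove_sensitive` matches credentials reliably in JSON-escaped text cannot be checked from this hunk; a test feeding a failed SCM event that contains a `user:password@` URL would confirm it. The enclosing method starts and ends outside the hunk.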