Merge pull request #5081 from AlanCoding/updated_stdout_processing

update stdout cleaner to use current job passwords

awx/main/models/jobs.py

@@ -604,13 +604,16 @@ class Job(UnifiedJob, JobOptions, SurveyJobMixin, JobNotificationMixin):
     def _survey_search_and_replace(self, content):
         # Use job template survey spec to identify password fields.
         # Then lookup password fields in extra_vars and save the values
-        jt = self.job_template
-        if jt and jt.survey_enabled and 'spec' in jt.survey_spec:
-            # Use password vars to find in extra_vars
-            for key in jt.survey_password_variables():
-                if key in self.extra_vars_dict:
-                    content = PlainTextCleaner.remove_sensitive(content, self.extra_vars_dict[key])
-        return content
+        job_extra_vars = self.extra_vars_dict
+        password_list = [job_extra_vars[k] for k in self.survey_passwords.keys()
+                         if k in job_extra_vars]
+        return_content = content
+        for val in password_list:
+            if len(val) == 0:
+                continue  # avoids memory errors
+            return_content = PlainTextCleaner.remove_sensitive(return_content, val)
+        return return_content
+
 
     def _result_stdout_raw_limited(self, *args, **kwargs):
         buff, start, end, abs_end = super(Job, self)._result_stdout_raw_limited(*args, **kwargs)

awx/main/redact.py

@@ -58,4 +58,6 @@ class PlainTextCleaner(object):
 
     @staticmethod
     def remove_sensitive(cleartext, sensitive):
+        if sensitive == '':
+            return cleartext
         return re.sub(r'%s' % re.escape(sensitive), '$encrypted$', cleartext)

awx/main/tests/unit/models/test_survey_models.py

@@ -20,11 +20,9 @@ def job(mocker):
     return ret
 
 
-@pytest.mark.survey
-def test_job_survey_password_redaction():
-    """Tests the Job model's funciton to redact passwords from
-    extra_vars - used when displaying job information"""
-    job = Job(
+@pytest.fixture
+def job_with_survey():
+    return Job(
         name="test-job-with-passwords",
         extra_vars=json.dumps({
             'submitter_email': 'foobar@redhat.com',
@@ -33,7 +31,13 @@ def test_job_survey_password_redaction():
         survey_passwords={
             'secret_key': '$encrypted$',
             'SSN': '$encrypted$'})
-    assert json.loads(job.display_extra_vars()) == {
+
+
+@pytest.mark.survey
+def test_job_survey_password_redaction(job_with_survey):
+    """Tests the Job model's funciton to redact passwords from
+    extra_vars - used when displaying job information"""
+    assert json.loads(job_with_survey.display_extra_vars()) == {
         'submitter_email': 'foobar@redhat.com',
         'secret_key': '$encrypted$',
         'SSN': '$encrypted$'}
@@ -55,6 +59,33 @@ def test_survey_passwords_not_in_extra_vars():
     }
 
 
+@pytest.mark.survey
+def test_survey_passwords_not_in_stdout(job_with_survey):
+    job_with_survey.survey_passwords['has_blank_value'] = '$encrypted$'
+    job_with_survey.extra_vars = json.dumps({
+        'has_blank_value': '',
+        'secret_key': '6kQngg3h8lgiSTvIEb21',
+        'SSN': '123-45-6789'})
+    example_stdout = '''
+PLAY [all] *********************************************************************
+ 
+TASK [debug] ******************************************************************* 
+ok: [webserver45] => { 
+    "msg": "Helpful echo of your secret_key: secret_key=6kQngg3h8lgiSTvIEb21 " 
+}
+
+TASK [debug] ******************************************************************* 
+ok: [webserver46] => { 
+   "msg": "Helpful echo of your secret_key: secret_key=123-45-6789 " 
+}
+'''
+    display_stdout = job_with_survey._survey_search_and_replace(example_stdout)
+    assert display_stdout == example_stdout.replace(
+        '6kQngg3h8lgiSTvIEb21', '$encrypted$').replace('123-45-6789', '$encrypted$')
+    assert type(display_stdout) == type(example_stdout)
+
+
+
 def test_job_safe_args_redacted_passwords(job):
     """Verify that safe_args hides passwords in the job extra_vars"""
     kwargs = {'ansible_version': '2.1'}