do not save sensitive env vars

* job_env gets exposed via the API. Sensitive env variables should be
redacted before being saved into job_env.
chris meyers
2019-03-20 14:00:22 -04:00
parent 1a6ae6e107
commit b006510035
2 changed files with 18 additions and 5 deletions


@@ -1037,8 +1037,15 @@ class BaseTask(object):
Ansible runner callback triggered on status transition Ansible runner callback triggered on status transition
''' '''
if status_data['status'] == 'starting': if status_data['status'] == 'starting':
job_env = dict(runner_config.env)
'''
Take the safe environment variables and overwrite
'''
for k, v in self.safe_env.items():
if k in job_env:
job_env[k] = v
self.instance = self.update_model(self.instance.pk, job_args=json.dumps(runner_config.command), self.instance = self.update_model(self.instance.pk, job_args=json.dumps(runner_config.command),
job_cwd=runner_config.cwd, job_env=runner_config.env) job_cwd=runner_config.cwd, job_env=job_env)
@with_path_cleanup @with_path_cleanup
@@ -1056,6 +1063,11 @@ class BaseTask(object):
extra_update_fields = {} extra_update_fields = {}
fact_modification_times = {} fact_modification_times = {}
self.event_ct = 0 self.event_ct = 0
'''
Needs to be an object property because status_handler uses it in a callback context
'''
self.safe_env = {}
private_data_dir = None private_data_dir = None
try: try:
@@ -1100,14 +1112,14 @@ class BaseTask(object):
cwd) cwd)
env = self.build_env(self.instance, private_data_dir, isolated, env = self.build_env(self.instance, private_data_dir, isolated,
private_data_files=private_data_files) private_data_files=private_data_files)
safe_env = build_safe_env(env) self.safe_env = build_safe_env(env)
credentials = self.build_credentials_list(self.instance) credentials = self.build_credentials_list(self.instance)
for credential in credentials: for credential in credentials:
if credential: if credential:
credential.credential_type.inject_credential( credential.credential_type.inject_credential(
credential, env, safe_env, args, private_data_dir credential, env, self.safe_env, args, private_data_dir
) )
self.write_args_file(private_data_dir, args) self.write_args_file(private_data_dir, args)
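Review bot: The redaction added in status_handler only rewrites keys that already exist in `self.safe_env` (`if k in job_env: job_env[k] = v`), so any entry in runner_config.env that was not part of `env` when `build_safe_env(env)` ran is persisted into the API-visible job_env verbatim; the guard is fail-open. It would be safer to apply the same redaction rule to the runner's environment before the overlay, e.g. `job_env = build_safe_env(dict(runner_config.env))` followed by the existing loop, assuming build_safe_env is a key-based redaction over a plain dict, which this hunk does not show. Separately, the bare `'''...'''` strings inserted in the first and second hunks are expression statements rather than comments; plain `#` comments such as `# Overwrite with the redacted values so job_env never stores secrets` and `# Object property because status_handler reads it from a callback` would read better. The enclosing methods start and end outside these hunks.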


@@ -417,15 +417,16 @@ class TestGenericRun():
pass pass
task = tasks.RunJob() task = tasks.RunJob()
task.instance = job task.instance = job
task.safe_env = {'secret_key': 'redacted_value'}
task.update_model = mock.Mock(wraps=update_model_wrapper) task.update_model = mock.Mock(wraps=update_model_wrapper)
runner_config = MockMe() runner_config = MockMe()
runner_config.command = {'foo': 'bar'} runner_config.command = {'foo': 'bar'}
runner_config.cwd = '/foobar' runner_config.cwd = '/foobar'
runner_config.env = {'switch': 'blade', 'foot': 'ball'} runner_config.env = {'switch': 'blade', 'foot': 'ball', 'secret_key': 'secret_value'}
task.status_handler({'status': 'starting'}, runner_config) task.status_handler({'status': 'starting'}, runner_config)
task.update_model.assert_called_with(1, job_args=json.dumps({'foo': 'bar'}), task.update_model.assert_called_with(1, job_args=json.dumps({'foo': 'bar'}),
job_cwd='/foobar', job_env={'switch': 'blade', 'foot': 'ball'}) job_cwd='/foobar', job_env={'switch': 'blade', 'foot': 'ball', 'secret_key': 'redacted_value'})
def test_uses_process_isolation(self, settings): def test_uses_process_isolation(self, settings):
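Review bot: The new assertion only exercises a key that is present in both `task.safe_env` and `runner_config.env`; a sensitive key that exists only in runner_config.env is not covered, so the behavior of the handler's `if k in job_env` guard for that case is not pinned either way. Consider a second case, e.g. `task.safe_env = {}` with `runner_config.env = {'only_in_runner': 'value'}`, and assert that the persisted job_env matches the intended redaction policy. The enclosing test function starts outside the hunk.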