Avoid redacting Galaxy URLs

2026-03-13 23:17:32 -02:30 · 2019-08-26 12:10:10 -04:00
parent c566c332f9
commit d59d8562db
2 changed files with 14 additions and 1 deletions
--- a/awx/main/redact.py
+++ b/awx/main/redact.py
@@ -1,6 +1,8 @@
 import re
 import urllib.parse as urlparse

+from django.conf import settings
+
 REPLACE_STR = '$encrypted$'


@@ -10,14 +12,22 @@ class UriCleaner(object):

    @staticmethod
    def remove_sensitive(cleartext):
+        if settings.PRIVATE_GALAXY_URL:
+            exclude_list = (settings.PUBLIC_GALAXY_URL, settings.PRIVATE_GALAXY_URL)
+        else:
+            exclude_list = (settings.PUBLIC_GALAXY_URL)
        redactedtext = cleartext
        text_index = 0
        while True:
            match = UriCleaner.SENSITIVE_URI_PATTERN.search(redactedtext, text_index)
            if not match:
                break
+            uri_str = match.group(1)
+            # Do not redact items from the exclude list
+            if any(uri_str.startswith(exclude_uri) for exclude_uri in exclude_list):
+                text_index = match.start() + len(UriCleaner.REPLACE_STR)
+                continue
            try:
-                uri_str = match.group(1)
                # May raise a ValueError if invalid URI for one reason or another
                o = urlparse.urlsplit(uri_str)

@@ -52,6 +62,7 @@ class UriCleaner(object):
                redactedtext = t
                if text_index >= len(redactedtext):
                    text_index = len(redactedtext) - 1
+                print('URL string old: {} new: {}'.format(uri_str_old, uri_str))
            except ValueError:
                # Invalid URI, redact the whole URI to be safe
                redactedtext = redactedtext[:match.start()] + UriCleaner.REPLACE_STR + redactedtext[match.end():]
--- a/awx/settings/defaults.py
+++ b/awx/settings/defaults.py
@@ -627,6 +627,8 @@ PRIVATE_GALAXY_URL = None
 PRIVATE_GALAXY_USERNAME = None
 PRIVATE_GALAXY_TOKEN = None
 PRIVATE_GALAXY_PASSWORD = None
+# Public Galaxy URL, not configurable outside of file-based settings
+PUBLIC_GALAXY_URL = 'https://galaxy.ansible.com'

 # Enable bubblewrap support for running jobs (playbook runs only).
 # Note: This setting may be overridden by database settings.