update stdout cleaner to use current job passwords

2026-01-13 19:10:07 -03:30 · 2017-01-31 14:32:20 -05:00 · 2017-01-31 14:32:20 -05:00 · f377da0ecb
commit f377da0ecb
parent 8ea36adb19
2 changed files with 39 additions and 13 deletions
--- a/awx/main/models/jobs.py
+++ b/awx/main/models/jobs.py
@ -604,13 +604,14 @@ class Job(UnifiedJob, JobOptions, SurveyJobMixin, JobNotificationMixin):
    def _survey_search_and_replace(self, content):
        # Use job template survey spec to identify password fields.
        # Then lookup password fields in extra_vars and save the values
-        jt = self.job_template
-        if jt and jt.survey_enabled and 'spec' in jt.survey_spec:
-            # Use password vars to find in extra_vars
-            for key in jt.survey_password_variables():
-                if key in self.extra_vars_dict:
-                    content = PlainTextCleaner.remove_sensitive(content, self.extra_vars_dict[key])
-        return content
+        job_extra_vars = self.extra_vars_dict
+        password_list = [job_extra_vars[k] for k in self.survey_passwords.keys()
+                         if k in job_extra_vars]
+        return_content = content
+        for val in password_list:
+            return_content = PlainTextCleaner.remove_sensitive(return_content, val)
+        return return_content
+

    def _result_stdout_raw_limited(self, *args, **kwargs):
        buff, start, end, abs_end = super(Job, self)._result_stdout_raw_limited(*args, **kwargs)
--- a/awx/main/tests/unit/models/test_survey_models.py
+++ b/awx/main/tests/unit/models/test_survey_models.py
@ -20,11 +20,9 @@ def job(mocker):
    return ret


-@pytest.mark.survey
-def test_job_survey_password_redaction():
-    """Tests the Job model's funciton to redact passwords from
-    extra_vars - used when displaying job information"""
-    job = Job(
+@pytest.fixture
+def job_with_survey():
+    return Job(
        name="test-job-with-passwords",
        extra_vars=json.dumps({
            'submitter_email': 'foobar@redhat.com',
@ -33,7 +31,13 @@ def test_job_survey_password_redaction():
        survey_passwords={
            'secret_key': '$encrypted$',
            'SSN': '$encrypted$'})
-    assert json.loads(job.display_extra_vars()) == {
+
+
+@pytest.mark.survey
+def test_job_survey_password_redaction(job_with_survey):
+    """Tests the Job model's funciton to redact passwords from
+    extra_vars - used when displaying job information"""
+    assert json.loads(job_with_survey.display_extra_vars()) == {
        'submitter_email': 'foobar@redhat.com',
        'secret_key': '$encrypted$',
        'SSN': '$encrypted$'}
@ -55,6 +59,27 @@ def test_survey_passwords_not_in_extra_vars():
    }


+@pytest.mark.survey
+def test_survey_passwords_not_in_stdout(job_with_survey):
+    example_stdout = '''
+PLAY [all] *********************************************************************
+ 
+TASK [debug] ******************************************************************* 
+ok: [webserver45] => { 
+    "msg": "Helpful echo of your secret_key: secret_key=6kQngg3h8lgiSTvIEb21 " 
+}
+
+TASK [debug] ******************************************************************* 
+ok: [webserver46] => { 
+   "msg": "Helpful echo of your secret_key: secret_key=123-45-6789 " 
+}
+'''
+    display_stdout = job_with_survey._survey_search_and_replace(example_stdout)
+    assert display_stdout == example_stdout.replace(
+        '6kQngg3h8lgiSTvIEb21', '$encrypted$').replace('123-45-6789', '$encrypted$')
+
+
+
 def test_job_safe_args_redacted_passwords(job):
    """Verify that safe_args hides passwords in the job extra_vars"""
    kwargs = {'ansible_version': '2.1'}