From f377da0ecb987f38f678fc84f327e4572a26ab36 Mon Sep 17 00:00:00 2001
From: AlanCoding
Date: Tue, 31 Jan 2017 14:32:20 -0500
Subject: [PATCH] update stdout cleaner to use current job passwords
---
 awx/main/models/jobs.py | 15 ++++----
 .../tests/unit/models/test_survey_models.py | 37 ++++++++++++++++---
 2 files changed, 39 insertions(+), 13 deletions(-)
diff --git a/awx/main/models/jobs.py b/awx/main/models/jobs.py
index 64ad7f7791..39760dbd42 100644
--- a/awx/main/models/jobs.py
+++ b/awx/main/models/jobs.py
@@ -604,13 +604,14 @@ class Job(UnifiedJob, JobOptions, SurveyJobMixin, JobNotificationMixin):
 def _survey_search_and_replace(self, content):
 # Use job template survey spec to identify password fields.
 # Then lookup password fields in extra_vars and save the values
- jt = self.job_template
- if jt and jt.survey_enabled and 'spec' in jt.survey_spec:
- # Use password vars to find in extra_vars
- for key in jt.survey_password_variables():
- if key in self.extra_vars_dict:
- content = PlainTextCleaner.remove_sensitive(content, self.extra_vars_dict[key])
- return content
+ job_extra_vars = self.extra_vars_dict
+ password_list = [job_extra_vars[k] for k in self.survey_passwords.keys()
+ if k in job_extra_vars]
+ return_content = content
+ for val in password_list:
+ return_content = PlainTextCleaner.remove_sensitive(return_content, val)
+ return return_content
+
 def _result_stdout_raw_limited(self, *args, **kwargs):
 buff, start, end, abs_end = super(Job, self)._result_stdout_raw_limited(*args, **kwargs)
diff --git a/awx/main/tests/unit/models/test_survey_models.py b/awx/main/tests/unit/models/test_survey_models.py
index d58f7bd1c7..4ec177de68 100644
--- a/awx/main/tests/unit/models/test_survey_models.py
+++ b/awx/main/tests/unit/models/test_survey_models.py
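Review bot: The redaction loop in `_survey_search_and_replace` hands every matching extra_vars value to `PlainTextCleaner.remove_sensitive` unfiltered and in dictionary order, so when one secret is a prefix or substring of another, redacting the shorter one first can leave the tail of the longer secret in stdout; how `remove_sensitive` treats an empty answer is not visible here and should be checked. Consider skipping empty values and redacting longest first, e.g. `for val in sorted((v for v in password_list if v), key=lambda v: len(str(v)), reverse=True):`. `self.survey_passwords.keys()` will also raise if the field can be `None` on jobs created before it existed, so `(self.survey_passwords or {})` is safer unless the model default rules that out. The two context comments at the top of the method still describe the job template's survey spec and should say that the job's own `survey_passwords` now decides which variables are redacted.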
@@ -20,11 +20,9 @@ def job(mocker):
 return ret
-@pytest.mark.survey
-def test_job_survey_password_redaction():
- """Tests the Job model's funciton to redact passwords from
- extra_vars - used when displaying job information"""
- job = Job(
+@pytest.fixture
+def job_with_survey():
+ return Job(
 name="test-job-with-passwords",
 extra_vars=json.dumps({
 'submitter_email': 'foobar@redhat.com',
@@ -33,7 +31,13 @@ def test_job_survey_password_redaction():
 survey_passwords={
 'secret_key': '$encrypted$',
 'SSN': '$encrypted$'})
- assert json.loads(job.display_extra_vars()) == {
+
+
+@pytest.mark.survey
+def test_job_survey_password_redaction(job_with_survey):
+ """Tests the Job model's funciton to redact passwords from
+ extra_vars - used when displaying job information"""
+ assert json.loads(job_with_survey.display_extra_vars()) == {
 'submitter_email': 'foobar@redhat.com',
 'secret_key': '$encrypted$',
 'SSN': '$encrypted$'}
@@ -55,6 +59,27 @@ def test_survey_passwords_not_in_extra_vars():
 }
+@pytest.mark.survey
+def test_survey_passwords_not_in_stdout(job_with_survey):
+ example_stdout = '''
+PLAY [all] *********************************************************************
+
+TASK [debug] *******************************************************************
+ok: [webserver45] => {
+ "msg": "Helpful echo of your secret_key: secret_key=6kQngg3h8lgiSTvIEb21 "
+}
+
+TASK [debug] *******************************************************************
+ok: [webserver46] => {
+ "msg": "Helpful echo of your secret_key: secret_key=123-45-6789 "
+}
+'''
+ display_stdout = job_with_survey._survey_search_and_replace(example_stdout)
+ assert display_stdout == example_stdout.replace(
+ '6kQngg3h8lgiSTvIEb21', '$encrypted$').replace('123-45-6789', '$encrypted$')
+
+
+
 def test_job_safe_args_redacted_passwords(job):
 """Verify that safe_args hides passwords in the job extra_vars"""
 kwargs = {'ansible_version': '2.1'}
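Review bot: `test_survey_passwords_not_in_stdout` covers only two distinct, non-overlapping secrets that each appear once, so it would not catch a regression where a value is redacted only partially or skipped. Add cases where one survey password is a substring of another, where a secret occurs several times in the output, and where a key in `survey_passwords` is absent from `extra_vars` (the `if k in job_extra_vars` filter). The second debug message labels the SSN value as `secret_key=`, which looks like a copy-paste slip; `SSN=123-45-6789` would make the sample output easier to follow. The fixture's `extra_vars` values fall between the hunks, so the expected strings here are inferred from the assertion.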