mirror of https://github.com/ansible-collections/community.general.git, synced 2025-10-25 21:44:00 -07:00

* Fix a bunch of potential security issues (secret leaking).
* oneandone_server was already ok.
* Add more parameters for pagerduty_alert.
* Add more no_log=True.
(cherry picked from commit 29bd5a9486)
Co-authored-by: Felix Fontein <felix@fontein.de>
	
	
parent 023654473b
commit 4def9439bd

25 changed files with 52 additions and 30 deletions

25 changelogs/fragments/no_log-fixes.yml Normal file
							|  | @ -0,0 +1,25 @@ | |||
| security_fixes: | ||||
|  - "ovirt - mark the ``instance_rootpw`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)." | ||||
|  - "oneandone_firewall_policy, oneandone_load_balancer, oneandone_monitoring_policy, oneandone_private_network, oneandone_public_ip - mark the ``auth_token`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)." | ||||
|  - "rax_clb_ssl - mark the ``private_key`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)." | ||||
|  - "spotinst_aws_elastigroup - mark the ``multai_token`` and ``token`` parameters as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)." | ||||
|  - "keycloak_client - mark the ``registration_access_token`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)." | ||||
|  - "librato_annotation - mark the ``api_key`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)." | ||||
|  - "pagerduty_alert - mark the ``api_key``, ``service_key`` and ``integration_key`` parameters as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)." | ||||
|  - "nios_nsgroup - mark the ``tsig_key`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)." | ||||
|  - "pulp_repo - mark the ``feed_client_key`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)." | ||||
|  - "gitlab_runner - mark the ``registration_token`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)." | ||||
|  - "ibm_sa_host - mark the ``iscsi_chap_secret`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)." | ||||
|  - "keycloak_* modules - mark the ``auth_client_secret`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)." | ||||
|  - "hwc_ecs_instance - mark the ``admin_pass`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)." | ||||
|  - "ovirt - mark the ``instance_key`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)." | ||||
|  - "pagerduty_change - mark the ``integration_key`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)." | ||||
|  - "pingdom - mark the ``key`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)." | ||||
|  - "rollbar_deployment - mark the ``token`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)." | ||||
|  - "stackdriver - mark the ``key`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)." | ||||
|  - "dnsmadeeasy - mark the ``account_key`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)." | ||||
|  - "logentries_msg - mark the ``token`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)." | ||||
|  - "redfish_command - mark the ``update_creds.password`` parameter as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.general/pull/1736)." | ||||
|  - "utm_proxy_auth_profile - mark the ``frontend_cookie_secret`` parameter as ``no_log`` to avoid leakage of secrets. This causes the ``utm_proxy_auth_profile`` return value to no longer containing the correct value, but a placeholder (https://github.com/ansible-collections/community.general/pull/1736)." | ||||
| breaking_changes: | ||||
|  - "utm_proxy_auth_profile - the ``frontend_cookie_secret`` return value now contains a placeholder string instead of the module's ``frontend_cookie_secret`` parameter (https://github.com/ansible-collections/community.general/pull/1736)." | ||||
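Review bot: the `keycloak_* modules` entry under `security_fixes` says `auth_client_secret` is now marked `no_log`, but none of the hunks shown in this commit touches an `auth_client_secret` argument; either that change is missing from this cherry-pick or the entry should be dropped here. Two wording points in the same file: the utm_proxy_auth_profile security entry reads "to no longer containing the correct value" and should be "to no longer contain", and the two separate ovirt entries (`instance_rootpw`, `instance_key`) could be one line, as was done for spotinst_aws_elastigroup.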
|  | @ -543,7 +543,7 @@ def build_module(): | |||
|                 snapshot_id=dict(type='str') | ||||
|             )), | ||||
|             vpc_id=dict(type='str', required=True), | ||||
|             admin_pass=dict(type='str'), | ||||
|             admin_pass=dict(type='str', no_log=True), | ||||
|             data_volumes=dict(type='list', elements='dict', options=dict( | ||||
|                 volume_id=dict(type='str', required=True), | ||||
|                 device=dict(type='str') | ||||
|  |  | |||
|  | @ -405,8 +405,8 @@ def main(): | |||
|             instance_gateway=dict(type='str', aliases=['gateway']), | ||||
|             instance_domain=dict(type='str', aliases=['domain']), | ||||
|             instance_dns=dict(type='str', aliases=['dns']), | ||||
|             instance_rootpw=dict(type='str', aliases=['rootpw']), | ||||
|             instance_key=dict(type='str', aliases=['key']), | ||||
|             instance_rootpw=dict(type='str', aliases=['rootpw'], no_log=True), | ||||
|             instance_key=dict(type='str', aliases=['key'], no_log=True), | ||||
|             sdomain=dict(type='str'), | ||||
|             region=dict(type='str'), | ||||
|         ), | ||||
|  |  | |||
|  | @ -500,7 +500,7 @@ def main(): | |||
|     module = AnsibleModule( | ||||
|         argument_spec=dict( | ||||
|             auth_token=dict( | ||||
|                 type='str', | ||||
|                 type='str', no_log=True, | ||||
|                 default=os.environ.get('ONEANDONE_AUTH_TOKEN')), | ||||
|             api_url=dict( | ||||
|                 type='str', | ||||
|  |  | |||
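Review bot: in the `auth_token` spec the token can also arrive through `default=os.environ.get('ONEANDONE_AUTH_TOKEN')`, which is read directly while `main()` builds the spec; please confirm that a token supplied only through that default is covered by the new `no_log=True`, or switch to `fallback=(env_fallback, ['ONEANDONE_AUTH_TOKEN'])` so the environment value goes through AnsibleModule's own parameter handling. The same `auth_token` pattern repeats unchanged in the four hunks that follow.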
|  | @ -594,7 +594,7 @@ def main(): | |||
|     module = AnsibleModule( | ||||
|         argument_spec=dict( | ||||
|             auth_token=dict( | ||||
|                 type='str', | ||||
|                 type='str', no_log=True, | ||||
|                 default=os.environ.get('ONEANDONE_AUTH_TOKEN')), | ||||
|             api_url=dict( | ||||
|                 type='str', | ||||
|  |  | |||
|  | @ -947,7 +947,7 @@ def main(): | |||
|     module = AnsibleModule( | ||||
|         argument_spec=dict( | ||||
|             auth_token=dict( | ||||
|                 type='str', | ||||
|                 type='str', no_log=True, | ||||
|                 default=os.environ.get('ONEANDONE_AUTH_TOKEN')), | ||||
|             api_url=dict( | ||||
|                 type='str', | ||||
|  |  | |||
|  | @ -384,7 +384,7 @@ def main(): | |||
|     module = AnsibleModule( | ||||
|         argument_spec=dict( | ||||
|             auth_token=dict( | ||||
|                 type='str', | ||||
|                 type='str', no_log=True, | ||||
|                 default=os.environ.get('ONEANDONE_AUTH_TOKEN')), | ||||
|             api_url=dict( | ||||
|                 type='str', | ||||
|  |  | |||
|  | @ -274,7 +274,7 @@ def main(): | |||
|     module = AnsibleModule( | ||||
|         argument_spec=dict( | ||||
|             auth_token=dict( | ||||
|                 type='str', | ||||
|                 type='str', no_log=True, | ||||
|                 default=os.environ.get('ONEANDONE_AUTH_TOKEN')), | ||||
|             api_url=dict( | ||||
|                 type='str', | ||||
|  |  | |||
|  | @ -238,7 +238,7 @@ def main(): | |||
|         loadbalancer=dict(required=True), | ||||
|         state=dict(default='present', choices=['present', 'absent']), | ||||
|         enabled=dict(type='bool', default=True), | ||||
|         private_key=dict(), | ||||
|         private_key=dict(no_log=True), | ||||
|         certificate=dict(), | ||||
|         intermediate_certificate=dict(), | ||||
|         secure_port=dict(type='int', default=443), | ||||
|  |  | |||
|  | @ -1459,7 +1459,7 @@ def main(): | |||
|         min_size=dict(type='int', required=True), | ||||
|         monitoring=dict(type='str'), | ||||
|         multai_load_balancers=dict(type='list'), | ||||
|         multai_token=dict(type='str'), | ||||
|         multai_token=dict(type='str', no_log=True), | ||||
|         name=dict(type='str', required=True), | ||||
|         network_interfaces=dict(type='list'), | ||||
|         on_demand_count=dict(type='int'), | ||||
|  | @ -1483,7 +1483,7 @@ def main(): | |||
|         target_group_arns=dict(type='list'), | ||||
|         tenancy=dict(type='str'), | ||||
|         terminate_at_end_of_billing_hour=dict(type='bool'), | ||||
|         token=dict(type='str'), | ||||
|         token=dict(type='str', no_log=True), | ||||
|         unit=dict(type='str'), | ||||
|         user_data=dict(type='str'), | ||||
|         utilize_reserved_instances=dict(type='bool'), | ||||
|  |  | |||
|  | @ -707,7 +707,7 @@ def main(): | |||
|         enabled=dict(type='bool'), | ||||
|         client_authenticator_type=dict(type='str', choices=['client-secret', 'client-jwt'], aliases=['clientAuthenticatorType']), | ||||
|         secret=dict(type='str', no_log=True), | ||||
|         registration_access_token=dict(type='str', aliases=['registrationAccessToken']), | ||||
|         registration_access_token=dict(type='str', aliases=['registrationAccessToken'], no_log=True), | ||||
|         default_roles=dict(type='list', aliases=['defaultRoles']), | ||||
|         redirect_uris=dict(type='list', aliases=['redirectUris']), | ||||
|         web_origins=dict(type='list', aliases=['webOrigins']), | ||||
|  |  | |||
|  | @ -148,7 +148,7 @@ def main(): | |||
|     module = AnsibleModule( | ||||
|         argument_spec=dict( | ||||
|             user=dict(required=True), | ||||
|             api_key=dict(required=True), | ||||
|             api_key=dict(required=True, no_log=True), | ||||
|             name=dict(required=False), | ||||
|             title=dict(required=True), | ||||
|             source=dict(required=False), | ||||
|  |  | |||
|  | @ -197,9 +197,9 @@ def main(): | |||
|         argument_spec=dict( | ||||
|             name=dict(required=False), | ||||
|             service_id=dict(required=True), | ||||
|             service_key=dict(required=False), | ||||
|             integration_key=dict(required=False), | ||||
|             api_key=dict(required=True), | ||||
|             service_key=dict(required=False, no_log=True), | ||||
|             integration_key=dict(required=False, no_log=True), | ||||
|             api_key=dict(required=True, no_log=True), | ||||
|             state=dict(required=True, | ||||
|                        choices=['triggered', 'acknowledged', 'resolved']), | ||||
|             client=dict(required=False, default=None), | ||||
|  |  | |||
|  | @ -108,7 +108,7 @@ from datetime import datetime | |||
| def main(): | ||||
|     module = AnsibleModule( | ||||
|         argument_spec=dict( | ||||
|             integration_key=dict(required=True, type='str'), | ||||
|             integration_key=dict(required=True, type='str', no_log=True), | ||||
|             summary=dict(required=True, type='str'), | ||||
|             source=dict(required=False, default='Ansible', type='str'), | ||||
|             user=dict(required=False, type='str'), | ||||
|  |  | |||
|  | @ -112,7 +112,7 @@ def main(): | |||
|             checkid=dict(required=True), | ||||
|             uid=dict(required=True), | ||||
|             passwd=dict(required=True, no_log=True), | ||||
|             key=dict(required=True) | ||||
|             key=dict(required=True, no_log=True), | ||||
|         ) | ||||
|     ) | ||||
| 
 | ||||
|  |  | |||
|  | @ -92,7 +92,7 @@ def main(): | |||
| 
 | ||||
|     module = AnsibleModule( | ||||
|         argument_spec=dict( | ||||
|             token=dict(required=True), | ||||
|             token=dict(required=True, no_log=True), | ||||
|             environment=dict(required=True), | ||||
|             revision=dict(required=True), | ||||
|             user=dict(required=False), | ||||
|  |  | |||
|  | @ -152,7 +152,7 @@ def main(): | |||
| 
 | ||||
|     module = AnsibleModule( | ||||
|         argument_spec=dict(  # @TODO add types | ||||
|             key=dict(required=True), | ||||
|             key=dict(required=True, no_log=True), | ||||
|             event=dict(required=True, choices=['deploy', 'annotation']), | ||||
|             msg=dict(), | ||||
|             revision_id=dict(), | ||||
|  |  | |||
|  | @ -546,7 +546,7 @@ def main(): | |||
| 
 | ||||
|     module = AnsibleModule( | ||||
|         argument_spec=dict( | ||||
|             account_key=dict(required=True), | ||||
|             account_key=dict(required=True, no_log=True), | ||||
|             account_secret=dict(required=True, no_log=True), | ||||
|             domain=dict(required=True), | ||||
|             sandbox=dict(default=False, type='bool'), | ||||
|  |  | |||
|  | @ -398,7 +398,7 @@ def main(): | |||
|         address=dict(required=True), | ||||
|         name=dict(required=True), | ||||
|         stealth=dict(type='bool', default=False), | ||||
|         tsig_key=dict(), | ||||
|         tsig_key=dict(no_log=True), | ||||
|         tsig_key_alg=dict(choices=['HMAC-MD5', 'HMAC-SHA256'], default='HMAC-MD5'), | ||||
|         tsig_key_name=dict(required=True) | ||||
|     ) | ||||
|  |  | |||
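Review bot: with `tsig_key` now `no_log=True`, the neighbouring `tsig_key_alg` and `tsig_key_name` still carry no explicit setting although their names also contain `key`; adding `no_log=False` to both would record that they were reviewed and are intentionally logged, so the next audit of this spec does not have to re-decide it.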
|  | @ -73,7 +73,7 @@ def send_msg(module, token, msg, api, port): | |||
| def main(): | ||||
|     module = AnsibleModule( | ||||
|         argument_spec=dict( | ||||
|             token=dict(type='str', required=True), | ||||
|             token=dict(type='str', required=True, no_log=True), | ||||
|             msg=dict(type='str', required=True), | ||||
|             api=dict(type='str', default="data.logentries.com"), | ||||
|             port=dict(type='int', default=80)), | ||||
|  |  | |||
|  | @ -545,7 +545,7 @@ def main(): | |||
|                           deprecated_aliases=[dict(name='ca_cert', version='3.0.0', | ||||
|                                                    collection_name='community.general')]),  # was Ansible 2.14 | ||||
|         feed_client_cert=dict(aliases=['importer_ssl_client_cert']), | ||||
|         feed_client_key=dict(aliases=['importer_ssl_client_key']), | ||||
|         feed_client_key=dict(aliases=['importer_ssl_client_key'], no_log=True), | ||||
|         name=dict(required=True, aliases=['repo']), | ||||
|         proxy_host=dict(), | ||||
|         proxy_port=dict(), | ||||
|  |  | |||
|  | @ -572,7 +572,7 @@ def main(): | |||
|                 type='dict', | ||||
|                 options=dict( | ||||
|                     username=dict(), | ||||
|                     password=dict() | ||||
|                     password=dict(no_log=True) | ||||
|                 ) | ||||
|             ), | ||||
|             virtual_media=dict( | ||||
|  |  | |||
|  | @ -309,7 +309,7 @@ def main(): | |||
|         locked=dict(type='bool', default=False), | ||||
|         access_level=dict(type='str', default='ref_protected', choices=["not_protected", "ref_protected"]), | ||||
|         maximum_timeout=dict(type='int', default=3600), | ||||
|         registration_token=dict(type='str', required=True), | ||||
|         registration_token=dict(type='str', required=True, no_log=True), | ||||
|         state=dict(type='str', default="present", choices=["absent", "present"]), | ||||
|     )) | ||||
| 
 | ||||
|  |  | |||
|  | @ -90,7 +90,7 @@ def main(): | |||
|             cluster=dict(), | ||||
|             domain=dict(), | ||||
|             iscsi_chap_name=dict(), | ||||
|             iscsi_chap_secret=dict() | ||||
|             iscsi_chap_secret=dict(no_log=True), | ||||
|         ) | ||||
|     ) | ||||
| 
 | ||||
|  |  | |||
|  | @ -256,9 +256,6 @@ result: | |||
|         frontend_cookie: | ||||
|             description: Frontend cookie name | ||||
|             type: str | ||||
|         frontend_cookie_secret: | ||||
|             description: Frontend cookie secret | ||||
|             type: str | ||||
|         frontend_form: | ||||
|             description: Frontend authentication form name | ||||
|             type: str | ||||
|  |  | |||
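Review bot: this is the only hunk shown for utm_proxy_auth_profile, and it removes `frontend_cookie_secret` from the documented `result` keys without any change adding `no_log=True` to the `frontend_cookie_secret` argument, which is what the changelog entry describes; please confirm the argument spec already sets it, otherwise the changelog overstates the fix. Since the changelog also says the key is still returned with a placeholder string, consider keeping the key in the return documentation with a description that says so, rather than dropping it.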