mirror of
				https://github.com/ansible-collections/community.general.git
				synced 2025-10-26 05:50:36 -07:00 
			
		
		
		
	
		
			
				
	
	
		
			90 lines
		
	
	
	
		
			3.7 KiB
		
	
	
	
		
			Python
		
	
	
	
	
	
			
		
		
	
	
			90 lines
		
	
	
	
		
			3.7 KiB
		
	
	
	
		
			Python
		
	
	
	
	
	
| # -*- coding: utf-8 -*-
 | |
| # (c) 2015, Toshio Kuratomi <tkuratomi@ansible.com>
 | |
| #
 | |
| # This file is part of Ansible
 | |
| #
 | |
| # Ansible is free software: you can redistribute it and/or modify
 | |
| # it under the terms of the GNU General Public License as published by
 | |
| # the Free Software Foundation, either version 3 of the License, or
 | |
| # (at your option) any later version.
 | |
| #
 | |
| # Ansible is distributed in the hope that it will be useful,
 | |
| # but WITHOUT ANY WARRANTY; without even the implied warranty of
 | |
| # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 | |
| # GNU General Public License for more details.
 | |
| #
 | |
| # You should have received a copy of the GNU General Public License
 | |
| # along with Ansible.  If not, see <http://www.gnu.org/licenses/>.
 | |
| 
 | |
| # Make coding more python3-ish
 | |
| from __future__ import (absolute_import, division)
 | |
| __metaclass__ = type
 | |
| 
 | |
| import sys
 | |
| import syslog
 | |
| 
 | |
| from ansible.compat.tests import unittest
 | |
| from ansible.compat.tests.mock import patch, MagicMock
 | |
| 
 | |
| from ansible.module_utils.basic import heuristic_log_sanitize
 | |
| 
 | |
| class TestHeuristicLogSanitize(unittest.TestCase):
 | |
|     def setUp(self):
 | |
|         self.URL_SECRET = 'http://username:pas:word@foo.com/data'
 | |
|         self.SSH_SECRET = 'username:pas:word@foo.com/data'
 | |
|         self.clean_data = repr(self._gen_data(3, True, True, 'no_secret_here'))
 | |
|         self.url_data = repr(self._gen_data(3, True, True, self.URL_SECRET))
 | |
|         self.ssh_data = repr(self._gen_data(3, True, True, self.SSH_SECRET))
 | |
| 
 | |
|     def _gen_data(self, records, per_rec, top_level, secret_text):
 | |
|         hostvars = {'hostvars': {}}
 | |
|         for i in range(1, records, 1):
 | |
|             host_facts = {'host%s' % i:
 | |
|                             {'pstack':
 | |
|                                 {'running': '875.1',
 | |
|                                  'symlinked': '880.0',
 | |
|                                  'tars': [],
 | |
|                                  'versions': ['885.0']},
 | |
|                          }}
 | |
|             if per_rec:
 | |
|                 host_facts['host%s' % i]['secret'] = secret_text
 | |
|             hostvars['hostvars'].update(host_facts)
 | |
|         if top_level:
 | |
|             hostvars['secret'] = secret_text
 | |
|         return hostvars
 | |
| 
 | |
|     def test_did_not_hide_too_much(self):
 | |
|         self.assertEquals(heuristic_log_sanitize(self.clean_data), self.clean_data)
 | |
| 
 | |
|     def test_hides_url_secrets(self):
 | |
|         url_output = heuristic_log_sanitize(self.url_data)
 | |
|         # Basic functionality: Successfully hid the password
 | |
|         self.assertNotIn('pas:word', url_output)
 | |
| 
 | |
|         # Slightly more advanced, we hid all of the password despite the ":"
 | |
|         self.assertNotIn('pas', url_output)
 | |
| 
 | |
|         # In this implementation we replace the password with 8 "*" which is
 | |
|         # also the length of our password.  The url fields should be able to
 | |
|         # accurately detect where the password ends so the length should be
 | |
|         # the same:
 | |
|         self.assertEqual(len(url_output), len(self.url_data))
 | |
| 
 | |
|     def test_hides_ssh_secrets(self):
 | |
|         ssh_output = heuristic_log_sanitize(self.ssh_data)
 | |
|         self.assertNotIn('pas:word', ssh_output)
 | |
| 
 | |
|         # Slightly more advanced, we hid all of the password despite the ":"
 | |
|         self.assertNotIn('pas', ssh_output)
 | |
| 
 | |
|         # ssh checking is harder as the heuristic is overzealous in many
 | |
|         # cases.  Since the input will have at least one ":" present before
 | |
|         # the password we can tell some things about the beginning and end of
 | |
|         # the data, though:
 | |
|         self.assertTrue(ssh_output.startswith("{'"))
 | |
|         self.assertTrue(ssh_output.endswith("}"))
 | |
|         self.assertIn(":********@foo.com/data'", ssh_output)
 | |
| 
 | |
|     def test_hides_parameter_secrets(self):
 | |
|         output = heuristic_log_sanitize('token="secret", user="person", token_entry="test=secret"', frozenset(['secret']))
 | |
|         self.assertNotIn('secret', output)
 |