ansible/test/integration/targets/no_log/runme.sh

#!/usr/bin/env bash

set -eux -o pipefail

# ensure _ansible_no_log returned by actions is actually respected
ansible-playbook ansible_no_log_in_result.yml -vvvvv > "${OUTPUT_DIR}/output.log" 2> /dev/null

[ "$(grep -c "action result should be masked" "${OUTPUT_DIR}/output.log")" = "0" ]
[ "$(grep -c "the output has been hidden" "${OUTPUT_DIR}/output.log")" = "4" ]

# This test expects 7 loggable vars and 0 non-loggable ones.
# If either mismatches it fails, run the ansible-playbook command to debug.
[ "$(ansible-playbook no_log_local.yml -i ../../inventory -vvvvv "$@" | awk \
'BEGIN { logme = 0; nolog = 0; } /LOG_ME/ { logme += 1;} /DO_NOT_LOG/ { nolog += 1;} END { printf "%d/%d", logme, nolog; }')" = "26/0" ]

# deal with corner cases with no log and loops
# no log enabled, should produce 6 censored messages
[ "$(ansible-playbook dynamic.yml -i ../../inventory -vvvvv "$@" -e unsafe_show_logs=no|grep -c 'output has been hidden')" = "6" ]  # DT needs 7

# no log disabled, should produce 0 censored
[ "$(ansible-playbook dynamic.yml -i ../../inventory -vvvvv "$@" -e unsafe_show_logs=yes|grep -c 'output has been hidden')" = "0" ]

# test no log for sub options
[ "$(ansible-playbook no_log_suboptions.yml -i ../../inventory -vvvvv "$@" | grep -Ec 'SECRET')" = "0" ]

# test invalid data passed to a suboption
[ "$(ansible-playbook no_log_suboptions_invalid.yml -i ../../inventory -vvvvv "$@" | grep -Ec 'SECRET')" = "0" ]

# test variations on ANSIBLE_NO_LOG
[ "$(ansible-playbook no_log_config.yml -i ../../inventory -vvvvv "$@" | grep -Ec 'the output has been hidden')" = "1" ]
[ "$(ANSIBLE_NO_LOG=0 ansible-playbook no_log_config.yml -i ../../inventory -vvvvv "$@" | grep -Ec 'the output has been hidden')" = "1" ]
[ "$(ANSIBLE_NO_LOG=1 ansible-playbook no_log_config.yml -i ../../inventory -vvvvv "$@" | grep -Ec 'the output has been hidden')" = "6" ]  # DT needs 5
Split integration tests out from Makefile. (#17976) 8 years ago			`#!/usr/bin/env bash`

Preserve `_ansible_no_log` from action result; fix `include_vars` to set properly (#84143) * fixes for CVE-2024-8775 * propagate truthy `_ansible_no_log` in action result (previously superseded by task-calculated value) * always mask entire `include_vars` action result if any file loaded had a false `show_content` flag (previously used only the flag value from the last file loaded) * update no_log tests for CVE-2024-8775 * include validation of _ansible_no_log preservation when set by actions * replace static values with dynamic for increased robustness to logging/display/callback changes (but still using grep counts :( ) * changelog * use ternary, coerce to bool explicitly 1 month ago			`set -eux -o pipefail`

			`# ensure _ansible_no_log returned by actions is actually respected`
			`ansible-playbook ansible_no_log_in_result.yml -vvvvv > "${OUTPUT_DIR}/output.log" 2> /dev/null`

			`[ "$(grep -c "action result should be masked" "${OUTPUT_DIR}/output.log")" = "0" ]`
			`[ "$(grep -c "the output has been hidden" "${OUTPUT_DIR}/output.log")" = "4" ]`
Split integration tests out from Makefile. (#17976) 8 years ago
			`# This test expects 7 loggable vars and 0 non-loggable ones.`
			`# If either mismatches it fails, run the ansible-playbook command to debug.`
			`[ "$(ansible-playbook no_log_local.yml -i ../../inventory -vvvvv "$@" \| awk \`
Preserve `_ansible_no_log` from action result; fix `include_vars` to set properly (#84143) * fixes for CVE-2024-8775 * propagate truthy `_ansible_no_log` in action result (previously superseded by task-calculated value) * always mask entire `include_vars` action result if any file loaded had a false `show_content` flag (previously used only the flag value from the last file loaded) * update no_log tests for CVE-2024-8775 * include validation of _ansible_no_log preservation when set by actions * replace static values with dynamic for increased robustness to logging/display/callback changes (but still using grep counts :( ) * changelog * use ternary, coerce to bool explicitly 1 month ago			`'BEGIN { logme = 0; nolog = 0; } /LOG_ME/ { logme += 1;} /DO_NOT_LOG/ { nolog += 1;} END { printf "%d/%d", logme, nolog; }')" = "26/0" ]`
fix tempating issues with no_log and loops (#44468) * fix tempating issues with no_log and loops - task is no log if any item is - added test cases fixes #43294 6 years ago
			`# deal with corner cases with no log and loops`
			`# no log enabled, should produce 6 censored messages`
Preserve `_ansible_no_log` from action result; fix `include_vars` to set properly (#84143) * fixes for CVE-2024-8775 * propagate truthy `_ansible_no_log` in action result (previously superseded by task-calculated value) * always mask entire `include_vars` action result if any file loaded had a false `show_content` flag (previously used only the flag value from the last file loaded) * update no_log tests for CVE-2024-8775 * include validation of _ansible_no_log preservation when set by actions * replace static values with dynamic for increased robustness to logging/display/callback changes (but still using grep counts :( ) * changelog * use ternary, coerce to bool explicitly 1 month ago			`[ "$(ansible-playbook dynamic.yml -i ../../inventory -vvvvv "$@" -e unsafe_show_logs=no\|grep -c 'output has been hidden')" = "6" ] # DT needs 7`
fix tempating issues with no_log and loops (#44468) * fix tempating issues with no_log and loops - task is no log if any item is - added test cases fixes #43294 6 years ago
			`# no log disabled, should produce 0 censored`
			`[ "$(ansible-playbook dynamic.yml -i ../../inventory -vvvvv "$@" -e unsafe_show_logs=yes\|grep -c 'output has been hidden')" = "0" ]`
Properly mask no_log values is sub parameters during failure (#63405) * Get no_log parameters from subspec * Add changelog and unit tests * Handle list of dicts in suboptions Add fancy error message (this will probably haunt me) * Update unit tests to test for list of dicts in suboptions * Add integration tests * Validate parameters in dict and list In case it comes in as a string * Make changes based on feedback, fix tests * Simplify validators since we only need to validate dicts Add test for suboptions passed in as strings to ensure they get validated properly and turned into a dictionary. ci_complete * Add a few more integration tests 5 years ago
			`# test no log for sub options`
Preserve `_ansible_no_log` from action result; fix `include_vars` to set properly (#84143) * fixes for CVE-2024-8775 * propagate truthy `_ansible_no_log` in action result (previously superseded by task-calculated value) * always mask entire `include_vars` action result if any file loaded had a false `show_content` flag (previously used only the flag value from the last file loaded) * update no_log tests for CVE-2024-8775 * include validation of _ansible_no_log preservation when set by actions * replace static values with dynamic for increased robustness to logging/display/callback changes (but still using grep counts :( ) * changelog * use ternary, coerce to bool explicitly 1 month ago			`[ "$(ansible-playbook no_log_suboptions.yml -i ../../inventory -vvvvv "$@" \| grep -Ec 'SECRET')" = "0" ]`
Properly mask no_log values is sub parameters during failure (#63405) * Get no_log parameters from subspec * Add changelog and unit tests * Handle list of dicts in suboptions Add fancy error message (this will probably haunt me) * Update unit tests to test for list of dicts in suboptions * Add integration tests * Validate parameters in dict and list In case it comes in as a string * Make changes based on feedback, fix tests * Simplify validators since we only need to validate dicts Add test for suboptions passed in as strings to ensure they get validated properly and turned into a dictionary. ci_complete * Add a few more integration tests 5 years ago
			`# test invalid data passed to a suboption`
Preserve `_ansible_no_log` from action result; fix `include_vars` to set properly (#84143) * fixes for CVE-2024-8775 * propagate truthy `_ansible_no_log` in action result (previously superseded by task-calculated value) * always mask entire `include_vars` action result if any file loaded had a false `show_content` flag (previously used only the flag value from the last file loaded) * update no_log tests for CVE-2024-8775 * include validation of _ansible_no_log preservation when set by actions * replace static values with dynamic for increased robustness to logging/display/callback changes (but still using grep counts :( ) * changelog * use ternary, coerce to bool explicitly 1 month ago			`[ "$(ansible-playbook no_log_suboptions_invalid.yml -i ../../inventory -vvvvv "$@" \| grep -Ec 'SECRET')" = "0" ]`
Ensure ANSIBLE_NO_LOG is respected (CVE-2024-0690) (#82565) 11 months ago
			`# test variations on ANSIBLE_NO_LOG`
			`[ "$(ansible-playbook no_log_config.yml -i ../../inventory -vvvvv "$@" \| grep -Ec 'the output has been hidden')" = "1" ]`
			`[ "$(ANSIBLE_NO_LOG=0 ansible-playbook no_log_config.yml -i ../../inventory -vvvvv "$@" \| grep -Ec 'the output has been hidden')" = "1" ]`
Preserve `_ansible_no_log` from action result; fix `include_vars` to set properly (#84143) * fixes for CVE-2024-8775 * propagate truthy `_ansible_no_log` in action result (previously superseded by task-calculated value) * always mask entire `include_vars` action result if any file loaded had a false `show_content` flag (previously used only the flag value from the last file loaded) * update no_log tests for CVE-2024-8775 * include validation of _ansible_no_log preservation when set by actions * replace static values with dynamic for increased robustness to logging/display/callback changes (but still using grep counts :( ) * changelog * use ternary, coerce to bool explicitly 1 month ago			`[ "$(ANSIBLE_NO_LOG=1 ansible-playbook no_log_config.yml -i ../../inventory -vvvvv "$@" \| grep -Ec 'the output has been hidden')" = "6" ] # DT needs 5`