no_log avoid masking booleans (#82217)

* no_log avoid masking booleans * clog * fix issues
6 months ago · 6e448edc63
parent f42984eeb3
commit 6e448edc63
4 changed files with 70 additions and 0 deletions
--- a/changelogs/fragments/no_log_booly.yml
+++ b/changelogs/fragments/no_log_booly.yml
@ -0,0 +1,2 @@
+bugfixes:
+  - module no_log will no longer affect top level booleans, for example ``no_log_module_parameter='a'`` will no longer hide ``changed=False`` as a 'no log value' (matches 'a').
--- a/lib/ansible/module_utils/basic.py
+++ b/lib/ansible/module_utils/basic.py
@ -1479,7 +1479,19 @@ class AnsibleModule(object):
        if deprecations:
            kwargs['deprecations'] = deprecations

+        # preserve bools/none from no_log
+        # TODO: once python version on target high enough, dict comprh
+        preserved = {}
+        for k, v in kwargs.items():
+            if v is None or isinstance(v, bool):
+                preserved[k] = v
+
+        # strip no_log collisions
        kwargs = remove_values(kwargs, self.no_log_values)
+
+        # return preserved
+        kwargs.update(preserved)
+
        print('\n%s' % self.jsonify(kwargs))

    def exit_json(self, **kwargs):
--- a/test/integration/targets/module_no_log/library/module_that_has_secret.py
+++ b/test/integration/targets/module_no_log/library/module_that_has_secret.py
@ -0,0 +1,18 @@
+#!/usr/bin/python
+from __future__ import annotations
+
+from ansible.module_utils.basic import AnsibleModule
+
+
+def main():
+    module = AnsibleModule(argument_spec=dict(
+        secret=dict(no_log=True),
+        notsecret=dict(no_log=False),
+    ))
+
+    msg = "My secret is: (%s), but don't tell %s" % (module.params['secret'], module.params['notsecret'])
+    module.exit_json(msg=msg, changed=bool(module.params['secret'] == module.params['notsecret']))
+
+
+if __name__ == '__main__':
+    main()
--- a/test/integration/targets/module_no_log/tasks/main.yml
+++ b/test/integration/targets/module_no_log/tasks/main.yml
@ -59,3 +59,41 @@
      # 2) the AnsibleModule.log method is not working
      - good_message in grep.stdout
      - bad_message not in grep.stdout
+
+- name: Ensure we do not obscure what we should not
+  block:
+    - module_that_has_secret:
+        secret: u
+        notsecret: u
+      register: ouch
+      ignore_errors: true
+
+    - name: no log wont obscure booleans when True, but still hide in msg
+      assert:
+        that:
+          - ouch['changed'] is boolean
+          - "'*' in ouch['msg']"
+
+    - module_that_has_secret:
+        secret: a
+        notsecret: b
+      register: ouch
+      ignore_errors: true
+
+    - name: no log wont obscure booleans when False, but still hide in msg
+      assert:
+        that:
+          - ouch['changed'] is boolean
+          - "'*' in ouch['msg']"
+
+    - module_that_has_secret:
+        secret: True
+        notsecret: False
+      register: ouch
+      ignore_errors: true
+
+    - name: no log does not hide bool values
+      assert:
+        that:
+          - ouch['changed'] is boolean
+          - "'*' not in ouch['msg']"