validate-modules no_log test: extend search range, add more known false-positives (#73882)

* validate-modules no_log test: extend search range, add more known false-positives. * Mark false-positives.
3 years ago · 7c0af58449
parent ed18fcac3b
commit 7c0af58449
2 changed files with 6 additions and 6 deletions
--- a/lib/ansible/modules/yum_repository.py
+++ b/lib/ansible/modules/yum_repository.py
@ -599,9 +599,9 @@ def main():
        exclude=dict(type='list', elements='str'),
        failovermethod=dict(choices=['roundrobin', 'priority']),
        file=dict(),
-        gpgcakey=dict(),
+        gpgcakey=dict(no_log=False),
        gpgcheck=dict(type='bool'),
-        gpgkey=dict(type='list', elements='str'),
+        gpgkey=dict(type='list', elements='str', no_log=False),
        module_hotfixes=dict(type='bool'),
        http_caching=dict(choices=['all', 'packages', 'none']),
        include=dict(),
@ -635,7 +635,7 @@ def main():
        sslcacert=dict(aliases=['ca_cert']),
        ssl_check_cert_permissions=dict(type='bool'),
        sslclientcert=dict(aliases=['client_cert']),
-        sslclientkey=dict(aliases=['client_key']),
+        sslclientkey=dict(aliases=['client_key'], no_log=False),
        sslverify=dict(type='bool', aliases=['validate_certs']),
        state=dict(choices=['present', 'absent'], default='present'),
        throttle=dict(),
--- a/test/lib/ansible_test/_data/sanity/validate-modules/validate_modules/main.py
+++ b/test/lib/ansible_test/_data/sanity/validate-modules/validate_modules/main.py
@ -97,12 +97,12 @@ LOOSE_ANSIBLE_VERSION = LooseVersion('.'.join(ansible_version.split('.')[:3]))


 def is_potential_secret_option(option_name):
-    if not NO_LOG_REGEX.match(option_name):
+    if not NO_LOG_REGEX.search(option_name):
        return False
-    # If this is a count, type, algorithm, timeout, or name, it is probably not a secret
+    # If this is a count, type, algorithm, timeout, filename, or name, it is probably not a secret
    if option_name.endswith((
            '_count', '_type', '_alg', '_algorithm', '_timeout', '_name', '_comment',
-            '_bits', '_id', '_identifier', '_period',
+            '_bits', '_id', '_identifier', '_period', '_file', '_filename',
    )):
        return False
    # 'key' also matches 'publickey', which is generally not secret