Fix password leak in logs for provider argument (#32215)

* Fix password leak in logs for provider argument

Since provider argument is not validated against a spec
the `no_log` arguments are not handled leading to password
leaking to syslogs.
To fix this:
*  Mask password and other `no_log` provider arguments in action plugin
*  In case of eapi and nxapi as the password is used in module code,
*  copy the provider password to top-level password argument which
*  handles `no_log` correctly. This will, however, throw a deprecation
*  warning message for password arg even if it is not given as a
*  top-level argument.

* Remove auth details from provider args in action plugin

* Update CHANGELOG

CHANGELOG.md

@@ -56,7 +56,7 @@ Ansible Changes By Release
 * Include_role now complains about invalid arguments
 * Added socket conditions to ignore for wait_for, no need to error for closing already closed connection
 * Updated hostname module to work on newer RHEL7 releases
-
+* Security fix to avoid provider password leaking in logs for network modules
 
 <a id="2.3.2"></a>
 

lib/ansible/plugins/action/dellos10.py

@@ -64,6 +64,10 @@ class ActionModule(_ActionModule):
         pc.become = provider['authorize'] or False
         pc.become_pass = provider['auth_pass']
 
+        # remove auth from provider arguments
+        provider.pop('password', None)
+        provider.pop('auth_pass', None)
+
         display.vvv('using connection plugin %s' % pc.connection, pc.remote_addr)
         connection = self._shared_loader_obj.connection_loader.get('persistent', pc, sys.stdin)
 

lib/ansible/plugins/action/dellos6.py

@@ -60,6 +60,10 @@ class ActionModule(_ActionModule):
         pc.become = provider['authorize'] or False
         pc.become_pass = provider['auth_pass']
 
+        # remove auth from provider arguments
+        provider.pop('password', None)
+        provider.pop('auth_pass', None)
+
         display.vvv('using connection plugin %s' % pc.connection, pc.remote_addr)
         connection = self._shared_loader_obj.connection_loader.get('persistent', pc, sys.stdin)
 

lib/ansible/plugins/action/dellos9.py

@@ -64,6 +64,10 @@ class ActionModule(_ActionModule):
         pc.become = provider['authorize'] or False
         pc.become_pass = provider['auth_pass']
 
+        # remove auth from provider arguments
+        provider.pop('password', None)
+        provider.pop('auth_pass', None)
+
         display.vvv('using connection plugin %s' % pc.connection, pc.remote_addr)
         connection = self._shared_loader_obj.connection_loader.get('persistent', pc, sys.stdin)
 

lib/ansible/plugins/action/eos.py

@@ -65,6 +65,10 @@ class ActionModule(_ActionModule):
             pc.become = provider['authorize'] or False
             pc.become_pass = provider['auth_pass']
 
+            # remove auth from provider arguments
+            provider.pop('password', None)
+            provider.pop('auth_pass', None)
+
             display.vvv('using connection plugin %s' % pc.connection, pc.remote_addr)
             connection = self._shared_loader_obj.connection_loader.get('persistent', pc, sys.stdin)
 
@@ -109,18 +113,22 @@ class ActionModule(_ActionModule):
             if provider.get('username') is None:
                 provider['username'] = self._play_context.connection_user
 
-            if provider.get('password') is None:
-                provider['password'] = self._play_context.password
-
             if provider.get('authorize') is None:
                 provider['authorize'] = False
 
             if provider.get('validate_certs') is None:
                 provider['validate_certs'] = ARGS_DEFAULT_VALUE['validate_certs']
 
-            self._task.args['provider'] = provider
+            # copy auth to top level module arguments to correctly handle `no_log`.
+            if self._task.args.get('password') is None:
+                self._task.args['password'] = provider['password'] or self._play_context.password
 
+            # remove auth from provider arguments
+            provider.pop('password', None)
+
+            self._task.args['provider'] = provider
         result = super(ActionModule, self).run(tmp, task_vars)
+
         return result
 
     def _get_socket_path(self, play_context):

lib/ansible/plugins/action/ios.py

@@ -62,6 +62,10 @@ class ActionModule(_ActionModule):
         pc.become = provider['authorize'] or False
         pc.become_pass = provider['auth_pass']
 
+        # remove auth from provider arguments
+        provider.pop('password', None)
+        provider.pop('auth_pass', None)
+
         display.vvv('using connection plugin %s' % pc.connection, pc.remote_addr)
         connection = self._shared_loader_obj.connection_loader.get('persistent', pc, sys.stdin)
 

lib/ansible/plugins/action/iosxr.py

@@ -60,6 +60,9 @@ class ActionModule(_ActionModule):
         pc.password = provider['password'] or self._play_context.password
         pc.timeout = provider['timeout'] or self._play_context.timeout
 
+        # remove auth from provider arguments
+        provider.pop('password', None)
+
         display.vvv('using connection plugin %s' % pc.connection, pc.remote_addr)
         connection = self._shared_loader_obj.connection_loader.get('persistent', pc, sys.stdin)
 

lib/ansible/plugins/action/junos.py

@@ -71,6 +71,9 @@ class ActionModule(_ActionModule):
         pc.private_key_file = provider['ssh_keyfile'] or self._play_context.private_key_file
         pc.timeout = provider['timeout'] or self._play_context.timeout
 
+        # remove auth from provider arguments
+        provider.pop('password', None)
+
         display.vvv('using connection plugin %s' % pc.connection, pc.remote_addr)
         connection = self._shared_loader_obj.connection_loader.get('persistent', pc, sys.stdin)
 

lib/ansible/plugins/action/nxos.py

@@ -63,6 +63,9 @@ class ActionModule(_ActionModule):
             pc.private_key_file = provider['ssh_keyfile'] or self._play_context.private_key_file
             pc.timeout = provider['timeout'] or self._play_context.timeout
 
+            # remove auth from provider arguments
+            provider.pop('password', None)
+
             display.vvv('using connection plugin %s' % pc.connection, pc.remote_addr)
             connection = self._shared_loader_obj.connection_loader.get('persistent', pc, sys.stdin)
 
@@ -105,8 +108,12 @@ class ActionModule(_ActionModule):
             if provider.get('username') is None:
                 provider['username'] = self._play_context.connection_user
 
-            if provider.get('password') is None:
-                provider['password'] = self._play_context.password
+            # copy auth to top level module arguments to correctly handle `no_log`.
+            if self._task.args.get('password') is None:
+                self._task.args['password'] = provider['password'] or self._play_context.password
+
+            # remove auth from provider arguments
+            provider.pop('password', None)
 
             if provider.get('use_ssl') is None:
                 provider['use_ssl'] = False

lib/ansible/plugins/action/sros.py

@@ -61,6 +61,9 @@ class ActionModule(_ActionModule):
         pc.private_key_file = provider['ssh_keyfile'] or self._play_context.private_key_file
         pc.timeout = provider['timeout'] or self._play_context.timeout
 
+        # remove auth from provider arguments
+        provider.pop('password', None)
+
         display.vvv('using connection plugin %s' % pc.connection, pc.remote_addr)
         connection = self._shared_loader_obj.connection_loader.get('persistent', pc, sys.stdin)
 

lib/ansible/plugins/action/vyos.py

@@ -59,6 +59,9 @@ class ActionModule(_ActionModule):
         pc.private_key_file = provider['ssh_keyfile'] or self._play_context.private_key_file
         pc.timeout = provider['timeout'] or self._play_context.timeout
 
+        # remove auth from provider arguments
+        provider.pop('password', None)
+
         display.vvv('using connection plugin %s' % pc.connection, pc.remote_addr)
         connection = self._shared_loader_obj.connection_loader.get('persistent', pc, sys.stdin)