[security] Add missing no_log=True, and mark false-positives with no_…

…log=False (#223) * Added no_log=False to clear false-positives. * Some more that seem to be false-positives with the examples from https://github.com/avinetworks/devops. * Guesswork. * These definitely miss no_log=True. * Add changelog fragment.
ansible-collections · Mar 15, 2021 · af60326 · af60326
1 parent 5e2cd88
commit af60326
Show file tree

Hide file tree

Showing 11 changed files with 19 additions and 15 deletions.
diff --git a/changelogs/fragments/223-no_log-missing.yml b/changelogs/fragments/223-no_log-missing.yml
@@ -0,0 +1,4 @@
+security_fixes:
+- "avi_webhook - mark the ``verification_token`` parameter as ``no_log`` to prevent potential leaking of secret values (https://github.com/ansible-collections/community.network/pull/223)."
+- "avi_sslkeyandcertificate - mark the ``enckey_base64`` parameter as ``no_log`` to prevent potential leaking of secret values (https://github.com/ansible-collections/community.network/pull/223)."
+- "avi_cloudconnectoruser - mark the ``azure_userpass``, ``gcp_credentials``, ``oci_credentials``, and ``tencent_credentials`` parameters as ``no_log`` to prevent leaking of secret values (https://github.com/ansible-collections/community.network/pull/223)."
diff --git a/plugins/modules/network/avi/avi_cloudconnectoruser.py b/plugins/modules/network/avi/avi_cloudconnectoruser.py
@@ -117,14 +117,14 @@ def main():
                                    choices=['put', 'patch']),
         avi_api_patch_op=dict(choices=['add', 'replace', 'delete']),
         azure_serviceprincipal=dict(type='dict',),
-        azure_userpass=dict(type='dict',),
-        gcp_credentials=dict(type='dict',),
+        azure_userpass=dict(type='dict', no_log=True),
+        gcp_credentials=dict(type='dict', no_log=True),
         name=dict(type='str', required=True),
-        oci_credentials=dict(type='dict',),
+        oci_credentials=dict(type='dict', no_log=True),
         private_key=dict(type='str', no_log=True,),
         public_key=dict(type='str',),
         tenant_ref=dict(type='str',),
-        tencent_credentials=dict(type='dict',),
+        tencent_credentials=dict(type='dict', no_log=True),
         url=dict(type='str',),
         uuid=dict(type='str',),
     )

diff --git a/plugins/modules/network/avi/avi_pool.py b/plugins/modules/network/avi/avi_pool.py
@@ -474,7 +474,7 @@ def main():
         servers=dict(type='list',),
         service_metadata=dict(type='str',),
         sni_enabled=dict(type='bool',),
-        ssl_key_and_certificate_ref=dict(type='str',),
+        ssl_key_and_certificate_ref=dict(type='str', no_log=False),
         ssl_profile_ref=dict(type='str',),
         tenant_ref=dict(type='str',),
         url=dict(type='str',),

diff --git a/plugins/modules/network/avi/avi_serviceenginegroup.py b/plugins/modules/network/avi/avi_serviceenginegroup.py
@@ -959,7 +959,7 @@ def main():
         hardwaresecuritymodulegroup_ref=dict(type='str',),
         heap_minimum_config_memory=dict(type='int',),
         hm_on_standby=dict(type='bool',),
-        host_attribute_key=dict(type='str',),
+        host_attribute_key=dict(type='str', no_log=False),
         host_attribute_value=dict(type='str',),
         host_gateway_monitor=dict(type='bool',),
         hypervisor=dict(type='str',),

diff --git a/plugins/modules/network/avi/avi_sslkeyandcertificate.py b/plugins/modules/network/avi/avi_sslkeyandcertificate.py
@@ -166,13 +166,13 @@ def main():
         certificate_management_profile_ref=dict(type='str',),
         created_by=dict(type='str',),
         dynamic_params=dict(type='list',),
-        enckey_base64=dict(type='str',),
+        enckey_base64=dict(type='str', no_log=True),
         enckey_name=dict(type='str',),
         format=dict(type='str',),
         hardwaresecuritymodulegroup_ref=dict(type='str',),
         key=dict(type='str', no_log=True,),
         key_base64=dict(type='bool',),
-        key_params=dict(type='dict',),
+        key_params=dict(type='dict', no_log=False),
         key_passphrase=dict(type='str', no_log=True,),
         name=dict(type='str', required=True),
         status=dict(type='str',),

diff --git a/plugins/modules/network/avi/avi_virtualservice.py b/plugins/modules/network/avi/avi_virtualservice.py
@@ -609,7 +609,7 @@ def main():
         sideband_profile=dict(type='dict',),
         snat_ip=dict(type='list',),
         sp_pool_refs=dict(type='list',),
-        ssl_key_and_certificate_refs=dict(type='list',),
+        ssl_key_and_certificate_refs=dict(type='list', no_log=False),
         ssl_profile_ref=dict(type='str',),
         ssl_profile_selectors=dict(type='list',),
         ssl_sess_cache_avg_size=dict(type='int',),

diff --git a/plugins/modules/network/avi/avi_webhook.py b/plugins/modules/network/avi/avi_webhook.py
@@ -107,7 +107,7 @@ def main():
         tenant_ref=dict(type='str',),
         url=dict(type='str',),
         uuid=dict(type='str',),
-        verification_token=dict(type='str',),
+        verification_token=dict(type='str', no_log=True),
     )
     argument_specs.update(avi_common_argument_spec())
     module = AnsibleModule(

diff --git a/plugins/modules/network/cnos/cnos_user.py b/plugins/modules/network/cnos/cnos_user.py
@@ -325,7 +325,7 @@ def main():
         configured_password=dict(no_log=True),
         update_password=dict(default='always', choices=['on_create', 'always']),
         roles=dict(type='list', aliases=['role']),
-        sshkey=dict(),
+        sshkey=dict(no_log=False),
         state=dict(default='present', choices=['present', 'absent'])
     )
 

diff --git a/plugins/modules/network/netscaler/netscaler_cs_vserver.py b/plugins/modules/network/netscaler/netscaler_cs_vserver.py
@@ -1022,7 +1022,7 @@ def main():
 
     hand_inserted_arguments = dict(
         policybindings=dict(type='list'),
-        ssl_certkey=dict(type='str'),
+        ssl_certkey=dict(type='str', no_log=False),
         disabled=dict(
             type='bool',
             default=False

diff --git a/plugins/modules/network/netscaler/netscaler_lb_vserver.py b/plugins/modules/network/netscaler/netscaler_lb_vserver.py
@@ -1611,7 +1611,7 @@ def main():
     hand_inserted_arguments = dict(
         servicebindings=dict(type='list'),
         servicegroupbindings=dict(type='list'),
-        ssl_certkey=dict(type='str'),
+        ssl_certkey=dict(type='str', no_log=False),
         disabled=dict(
             type='bool',
             default=False

diff --git a/plugins/modules/network/netscaler/netscaler_ssl_certkey.py b/plugins/modules/network/netscaler/netscaler_ssl_certkey.py
@@ -184,9 +184,9 @@ def diff_list(client, module, sslcertkey_proxy):
 def main():
 
     module_specific_arguments = dict(
-        certkey=dict(type='str'),
+        certkey=dict(type='str', no_log=False),
         cert=dict(type='str'),
-        key=dict(type='str'),
+        key=dict(type='str', no_log=False),
         password=dict(type='bool'),
         inform=dict(
             type='str',