Add an ARA_IGNORE_FACTS variable and stop saving ansible_env by default

The ansible_env fact is no longer saved by default as env variables are often used to carry passwords, tokens or otherwise privileged information that might not be relevant or suitable to save in ARA. This is done through a new ARA_IGNORE_FACTS configuration parameter which allows users to define a list of facts that they might not be comfortable saving. This prevents facts configured in this list from being saved to host facts and task results. Change-Id: I69c110706198b9fb6dd0324e2157859fe01e5b34
2018-08-24 11:44:17 -04:00 · 2018-08-24 11:44:17 -04:00 · 93e3ef2a46
parent c41dc6f28d
commit 93e3ef2a46
4 changed files with 41 additions and 10 deletions
--- a/ara/config/base.py
+++ b/ara/config/base.py
@ -80,6 +80,12 @@ class BaseConfig(object):
            ['extra_vars'],
            value_type='list'
        )
+        self.ARA_IGNORE_FACTS = ara_config(
+            'ignore_facts',
+            'ARA_IGNORE_FACTS',
+            ['ansible_env'],
+            value_type='list'
+        )

        # Static generation with flask-frozen
        self.ARA_IGNORE_EMPTY_GENERATION = ara_config(
--- a/ara/plugins/callbacks/log_ara.py
+++ b/ara/plugins/callbacks/log_ara.py
@ -167,6 +167,21 @@ class CallbackModule(CallbackBase):
            if not isinstance(ignore_errors, bool):
                ignore_errors = True if ignore_errors == "yes" else False

+        if self.task.action == 'setup' and 'ansible_facts' in results:
+            # Potentially sanitize some Ansible facts to prevent them from
+            # being saved both in the host facts and in the task results.
+            for fact in app.config['ARA_IGNORE_FACTS']:
+                if fact in results['ansible_facts']:
+                    msg = "Not saved by ARA as configured by ARA_IGNORE_FACTS"
+                    results['ansible_facts'][fact] = msg
+
+            values = jsonutils.dumps(result._result['ansible_facts'])
+            facts = models.HostFacts(values=values)
+            host.facts = facts
+
+            db.session.add(facts)
+            db.session.commit()
+
        self.taskresult = models.TaskResult(
            task=self.task,
            host=host,
@ -184,14 +199,6 @@ class CallbackModule(CallbackBase):
        db.session.add(self.taskresult)
        db.session.commit()

-        if self.task.action == 'setup' and 'ansible_facts' in result._result:
-            values = jsonutils.dumps(result._result['ansible_facts'])
-            facts = models.HostFacts(values=values)
-            host.facts = facts
-
-            db.session.add(facts)
-            db.session.commit()
-
    def log_stats(self, stats):
        """
        Logs playbook statistics to the database.
@ -318,7 +325,7 @@ class CallbackModule(CallbackBase):
        # Potentially sanitize some user-specified keys
        for parameter in app.config['ARA_IGNORE_PARAMETERS']:
            if parameter in options:
-                msg = "Parameter not saved by ARA due to configuration"
+                msg = "Not saved by ARA as configured by ARA_IGNORE_PARAMETERS"
                options[parameter] = msg

        log.debug('Starting playbook %s', path)
--- a/ara/tests/unit/test_config.py
+++ b/ara/tests/unit/test_config.py
@ -47,6 +47,9 @@ class TestConfig(TestAra):
            'ARA_PORT': "9191",
            'ARA_DATABASE': db,
            'ARA_IGNORE_EMPTY_GENERATION': True,
+            'ARA_IGNORE_FACTS': [
+                'ansible_env'
+            ],
            'ARA_IGNORE_PARAMETERS': [
                'extra_vars'
            ],
--- a/doc/source/configuration.rst
+++ b/doc/source/configuration.rst
@ -127,6 +127,8 @@ Parameters and their defaults
 +-------------------------------+----------------------------+-------------------------------------------+
 | ARA_LOG_FORMAT_               | logformat                  | %(asctime)s - %(levelname)s - %(message)s |
 +-------------------------------+----------------------------+-------------------------------------------+
+| ARA_IGNORE_FACTS_             | ignore_facts               | ansible_env                               |
+-------------------------------+----------------------------+-------------------------------------------+
 | ARA_IGNORE_PARAMETERS_        | ignore_parameters          | extra_vars                                |
 +-------------------------------+----------------------------+-------------------------------------------+
 | ARA_IGNORE_EMPTY_GENERATION_  | ignore_empty_generation    | True                                      |
@ -284,6 +286,19 @@ ARA_LOG_FORMAT

 The log format of the logs.

+ARA_IGNORE_FACTS
+~~~~~~~~~~~~~~~~
+
+When Ansible gathers host facts or uses the setup module, your host facts are
+recorded by ARA and are also available as part of your reports.
+
+By default, only the host fact ``ansible_env`` is not saved due to the
+sensitivity of the information it could contain such as tokens, passwords or
+otherwise privileged information.
+
+This configuration allows you to customize what ARA will and will not save.
+It is a list, provided by comma-separated values.
+
 ARA_IGNORE_PARAMETERS
 ~~~~~~~~~~~~~~~~~~~~~

@ -295,7 +310,7 @@ If, for example, you use `extra_vars`_ to send a password or secret variable
 to your playbooks, it is likely you don't want this saved in ARA's database.

 This configuration allows you to customize what ARA will and will not save.
-It is a list, provided by a comma-separated values.
+It is a list, provided by comma-separated values.

 .. _extra_vars: https://docs.ansible.com/ansible/playbooks_variables.html#passing-variables-on-the-command-line