Add a rule to prevent passwords to be logged

Lint rule to make sure no module argument looking like "password"
will get logged.

Change-Id: I180b77faf7aaab57d1c48fc993e43f08c4fb16f6
Closes-Bug: #1760878
(cherry picked from commit c00ecb858d)

ansible-lint/NoLogPasswordsRule.py

@@ -0,0 +1,50 @@
+#!/usr/bin/env python
+# Copyright 2018, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+import ansiblelint
+
+try:
+    from ansible.module_utils.parsing.convert_bool import boolean
+except ImportError:
+    try:
+        from ansible.utils.boolean import boolean
+    except ImportError:
+        try:
+            from ansible.utils import boolean
+        except ImportError:
+            from ansible import constants
+            boolean = constants.mk_boolean
+
+
+class NoLogPasswordsRule(ansiblelint.AnsibleLintRule):
+    id = "OSA0003"
+    shortdesc = "password should not be logged."
+    description = (
+        "all the modules that take a password argument must fail "
+        "if no_log is not set or set to False in the task."
+    )
+    tags = ["passwords"]
+
+    def matchtask(self, file, task):
+
+        has_password = False
+        for param in task["action"].keys():
+            if 'password' in param:
+                has_password = True
+        # No nog_log and no_log: False behave the same way
+        # and should return a failure (return True), so we
+        # need to invert the boolean
+        return has_password and not boolean(task.get('no_log', False))

ansible-lint/test/TestNoLogPasswordsRule.py

@@ -0,0 +1,22 @@
+import unittest
+
+from ansiblelint import RulesCollection, Runner
+from NoLogPasswordsRule import NoLogPasswordsRule
+
+
+class TestNoLogPasswordsRule(unittest.TestCase):
+    collection = RulesCollection()
+
+    def setUp(self):
+        self.collection.register(NoLogPasswordsRule())
+
+    def test_file_positive(self):
+        success = 'ansible-lint/test/no-log-passwords-success.yml'
+        good_runner = Runner(self.collection, success, [], [], [])
+        self.assertEqual([], good_runner.run())
+
+    def test_file_negative(self):
+        failure = 'ansible-lint/test/no-log-passwords-failure.yml'
+        bad_runner = Runner(self.collection, failure, [], [], [])
+        errs = bad_runner.run()
+        self.assertEqual(3, len(errs))

ansible-lint/test/no-log-passwords-failure.yml

@@ -0,0 +1,21 @@
+- tasks:
+
+    - name: Fail no_log isn't used
+      user:
+        name: bidule
+        password: "wow"
+        state: absent
+
+    - name: Fail when no_log is set to False
+      user:
+        name: bidule
+        password: "wow"
+        state: absent
+      no_log: False
+
+    - name: Fail when no_log is set to no
+      user:
+        name: bidule
+        password: "wow"
+        state: absent
+      no_log: no

ansible-lint/test/no-log-passwords-success.yml

@@ -0,0 +1,14 @@
+- tasks:
+    - name: Succeed when no_log is set to yes
+      user:
+        name: bidule
+        password: "wow"
+        state: absent
+      no_log: yes
+
+    - name: Succeed when no_log is set to True
+      user:
+        name: bidule
+        password: "wow"
+        state: absent
+      no_log: True