From 9d95df9ce28729e90306fe7bb8a38c8d239a07c4 Mon Sep 17 00:00:00 2001
From: Jean-Philippe Evrard <jean-philippe@evrard.me>
Date: Wed, 11 Apr 2018 15:00:16 +0200
Subject: [PATCH] Add a rule to prevent passwords to be logged

Lint rule to make sure no module argument looking like "password"
will get logged.

Change-Id: I180b77faf7aaab57d1c48fc993e43f08c4fb16f6
Closes-Bug: #1760878
(cherry picked from commit c00ecb858d238fbba26d64750740f94f5411bd06)
---
 ansible-lint/NoLogPasswordsRule.py            | 50 +++++++++++++++++++
 ansible-lint/test/TestNoLogPasswordsRule.py   | 22 ++++++++
 .../test/no-log-passwords-failure.yml         | 21 ++++++++
 .../test/no-log-passwords-success.yml         | 14 ++++++
 4 files changed, 107 insertions(+)
 create mode 100755 ansible-lint/NoLogPasswordsRule.py
 create mode 100644 ansible-lint/test/TestNoLogPasswordsRule.py
 create mode 100644 ansible-lint/test/no-log-passwords-failure.yml
 create mode 100644 ansible-lint/test/no-log-passwords-success.yml

diff --git a/ansible-lint/NoLogPasswordsRule.py b/ansible-lint/NoLogPasswordsRule.py
new file mode 100755
index 00000000..3e8b44fd
--- /dev/null
+++ b/ansible-lint/NoLogPasswordsRule.py
@@ -0,0 +1,50 @@
+#!/usr/bin/env python
+# Copyright 2018, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+import ansiblelint
+
+try:
+    from ansible.module_utils.parsing.convert_bool import boolean
+except ImportError:
+    try:
+        from ansible.utils.boolean import boolean
+    except ImportError:
+        try:
+            from ansible.utils import boolean
+        except ImportError:
+            from ansible import constants
+            boolean = constants.mk_boolean
+
+
+class NoLogPasswordsRule(ansiblelint.AnsibleLintRule):
+    id = "OSA0003"
+    shortdesc = "password should not be logged."
+    description = (
+        "all the modules that take a password argument must fail "
+        "if no_log is not set or set to False in the task."
+    )
+    tags = ["passwords"]
+
+    def matchtask(self, file, task):
+
+        has_password = False
+        for param in task["action"].keys():
+            if 'password' in param:
+                has_password = True
+        # No nog_log and no_log: False behave the same way
+        # and should return a failure (return True), so we
+        # need to invert the boolean
+        return has_password and not boolean(task.get('no_log', False))
diff --git a/ansible-lint/test/TestNoLogPasswordsRule.py b/ansible-lint/test/TestNoLogPasswordsRule.py
new file mode 100644
index 00000000..3c3b5908
--- /dev/null
+++ b/ansible-lint/test/TestNoLogPasswordsRule.py
@@ -0,0 +1,22 @@
+import unittest
+
+from ansiblelint import RulesCollection, Runner
+from NoLogPasswordsRule import NoLogPasswordsRule
+
+
+class TestNoLogPasswordsRule(unittest.TestCase):
+    collection = RulesCollection()
+
+    def setUp(self):
+        self.collection.register(NoLogPasswordsRule())
+
+    def test_file_positive(self):
+        success = 'ansible-lint/test/no-log-passwords-success.yml'
+        good_runner = Runner(self.collection, success, [], [], [])
+        self.assertEqual([], good_runner.run())
+
+    def test_file_negative(self):
+        failure = 'ansible-lint/test/no-log-passwords-failure.yml'
+        bad_runner = Runner(self.collection, failure, [], [], [])
+        errs = bad_runner.run()
+        self.assertEqual(3, len(errs))
diff --git a/ansible-lint/test/no-log-passwords-failure.yml b/ansible-lint/test/no-log-passwords-failure.yml
new file mode 100644
index 00000000..a80a4cff
--- /dev/null
+++ b/ansible-lint/test/no-log-passwords-failure.yml
@@ -0,0 +1,21 @@
+- tasks:
+
+    - name: Fail no_log isn't used
+      user:
+        name: bidule
+        password: "wow"
+        state: absent
+
+    - name: Fail when no_log is set to False
+      user:
+        name: bidule
+        password: "wow"
+        state: absent
+      no_log: False
+
+    - name: Fail when no_log is set to no
+      user:
+        name: bidule
+        password: "wow"
+        state: absent
+      no_log: no
diff --git a/ansible-lint/test/no-log-passwords-success.yml b/ansible-lint/test/no-log-passwords-success.yml
new file mode 100644
index 00000000..98a3b777
--- /dev/null
+++ b/ansible-lint/test/no-log-passwords-success.yml
@@ -0,0 +1,14 @@
+- tasks:
+    - name: Succeed when no_log is set to yes
+      user:
+        name: bidule
+        password: "wow"
+        state: absent
+      no_log: yes
+
+    - name: Succeed when no_log is set to True
+      user:
+        name: bidule
+        password: "wow"
+        state: absent
+      no_log: True