Fixed return and logging of password-like props in clear text #1093

Merged 1 commit on Nov 29, 2024
2 changes: 1 addition & 1 deletion docs/source/modules/zhmc_ldap_server_definition.rst
Original file line number Diff line number Diff line change
@@ -228,7 +228,7 @@ ldap_server_definition
| **type**: str
{property}
Additional properties of the LDAP Server Definition, as described in the data model of the 'LDAP Server Definition' object in the :ref:`HMC API <HMC API>` book. The property names have hyphens (-) as described in that book.
Additional properties of the LDAP Server Definition, as described in the data model of the 'LDAP Server Definition' object in the :ref:`HMC API <HMC API>` book. Write-only properties in the data model are not included. The property names have hyphens (-) as described in that book.

| **type**: raw
2 changes: 1 addition & 1 deletion docs/source/modules/zhmc_lpar.rst
Original file line number Diff line number Diff line change
@@ -560,7 +560,7 @@ lpar
| **type**: str
{property}
Additional properties of the LPAR, as described in the data model of the 'Logical Partition' object in the :ref:`HMC API <HMC API>` book. The property names have hyphens (-) as described in that book.
Additional properties of the LPAR, as described in the data model of the 'Logical Partition' object in the :ref:`HMC API <HMC API>` book. Write-only properties in the data model are not included. The property names have hyphens (-) as described in that book.

| **type**: raw
2 changes: 1 addition & 1 deletion docs/source/modules/zhmc_partition.rst
Original file line number Diff line number Diff line change
@@ -515,7 +515,7 @@ partition
| **type**: str
{property}
Additional properties of the partition, as described in the data model of the 'Partition' object in the :ref:`HMC API <HMC API>` book. The property names have hyphens (-) as described in that book.
Additional properties of the partition, as described in the data model of the 'Partition' object in the :ref:`HMC API <HMC API>` book. Write-only properties in the data model are not included. The property names have hyphens (-) as described in that book.

| **type**: raw
4 changes: 2 additions & 2 deletions docs/source/modules/zhmc_user.rst
Original file line number Diff line number Diff line change
@@ -277,7 +277,7 @@ user
| **type**: str
{property}
Additional properties of the user, as described in the data model of the 'User' object in the :ref:`HMC API <HMC API>` book. The property names have hyphens (-) as described in that book.
Additional properties of the user, as described in the data model of the 'User' object in the :ref:`HMC API <HMC API>` book. Write-only properties in the data model are not included. The property names have hyphens (-) as described in that book.

| **type**: raw
@@ -348,7 +348,7 @@ user
| **type**: dict
{property}
Properties of the LDAP server definition, as described in the data model of the 'LDAP Server Definition' object in the :ref:`HMC API <HMC API>` book. The property names have hyphens (-) as described in that book.
Properties of the LDAP server definition, as described in the data model of the 'LDAP Server Definition' object in the :ref:`HMC API <HMC API>` book. Write-only properties in the data model are not included. The property names have hyphens (-) as described in that book.

| **type**: raw
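Review bot: Both zhmc_user.rst hunks add "Write-only properties in the data model are not included" to the property descriptions, but the release notes entry for the return value fix lists only zhmc_ldap_server_definition, zhmc_lpar and zhmc_partition, not zhmc_user. Please state whether zhmc_user already omitted these properties before this change or whether its return value changes as well, and align the release note with the answer. It would also help readers if the sentence said how to recognise a write-only property in the HMC API book, since the module documentation does not list them.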
15 changes: 14 additions & 1 deletion docs/source/release_notes.rst
Original file line number Diff line number Diff line change
@@ -37,7 +37,16 @@ Availability: `AutomationHub`_, `Galaxy`_, `GitHub`_

* Fixed safety issues up to 2024-11-21.

* Increased zhmcclient version to 1.18.0 to pick up fixes. (issue #1074)
* Increased zhmcclient version to 1.18.2 to pick up fixes. (issue #1074)

* Fixed that all password-like input parameters that were written in clear text
to the module entry log are now blanked out. This affected the following
modules: zhmc_ldap_server_definition, zhmc_lpar, zhmc_partition, zhmc_user.

* Fixed that all password-like input parameters that were added to the
module return value in clear text for 'state' values that created or updated
the resource are now removed from the return value. This affected the
following modules: zhmc_ldap_server_definition, zhmc_lpar, zhmc_partition.

* Sanity test: Fixed the sanity test on AutomationHub which failed because the
"compile" and "import" tests were run for all target node Python versions,
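Review bot: The two new bullets below the zhmcclient bump state that password-like parameters were written in clear text to the module entry log and to the module return value, but they give users no guidance on output produced by earlier versions. Suggest adding a sentence that advises users of zhmc_ldap_server_definition, zhmc_lpar, zhmc_partition and zhmc_user to check existing module log files and any stored task results for these values and to change the affected passwords. The bullets also carry no issue reference, unlike the "(issue #1074)" on the line above, and "Fixed that all password-like input parameters that were written ... are now blanked out" would read more clearly as a statement of the new behaviour followed by what happened previously.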
@@ -67,6 +76,10 @@ Availability: `AutomationHub`_, `Galaxy`_, `GitHub`_

* Support for ansible-core 2.18, by adding an ignore file for the sanity tests.

* The 'hmc_auth' input parameter is no longer completely removed from the
module entry log, but instead its sensitive items 'password' and 'session_id'
are now blanked out.

**Cleanup:**

* Removed the unnecessary .pylintrc file from the distribution archive of the
4 changes: 2 additions & 2 deletions minimum-constraints-install.txt
Original file line number Diff line number Diff line change
@@ -38,7 +38,7 @@ requests==2.32.2

pytz==2019.1

zhmcclient==1.18.0
zhmcclient==1.18.2


# Indirect dependencies for install that are needed for some reason (must be consistent with requirements.txt)
@@ -57,7 +57,7 @@ packaging==22.0
PyYAML==6.0.2

python-dateutil==2.8.2
jsonschema==4.18.1
jsonschema==4.18.2
urllib3==1.26.19


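Review bot: The jsonschema pin moves from 4.18.1 to 4.18.2 in this hunk, but neither the title of the change nor its release notes hunks mention it; only the zhmcclient bump to 1.18.2 is documented. Please give the reason for the jsonschema change in the commit message or the release notes. The comment above this block says the pins "must be consistent with requirements.txt", and requirements.txt is not among the files shown here, so please confirm the two files still agree.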
78 changes: 77 additions & 1 deletion plugins/module_utils/common.py
Original file line number Diff line number Diff line change
@@ -1423,7 +1423,7 @@ def params_deepcopy(params):
an optional '_faked_session' item with a value that cannot be copied.
Parameters:
params (dict): Module input parameters.
params (dict): Module input parameters. Must not be None.
Returns:
dict: Deep copy of params, where possible.
@@ -1435,3 +1435,79 @@ def params_deepcopy(params):
except TypeError:
copy_params[key] = value
return copy_params


def blanked_params(params, blanked_properties=None):
"""
Return a copy of the module input parameters, with the following items
blanked out:
* params['properties'][...] according to the blanked_properties list
* params['hmc_auth']['password']
* params['hmc_auth']['session_id']
Parameters:
params (dict): Module input parameters. Must not be None.
blanked_properties (Sequence): List of property names that will be
blanked out in the 'properties' item of the module input parameters.
Property names that are not in the input properties will be ignored.
Returns:
dict: Deep copy of the input parameters, with blanked out values.
"""
# The params['properties'] dict and the params['hmc_auth'] dict in the
# return value will be copies of the corresponding input items, and
# therefore it is sufficient to make a shallow copy of params.
copied_params = dict(params)
if 'properties' in copied_params and copied_params['properties'] \
and blanked_properties:
copied_params['properties'] = \
blanked_dict(copied_params['properties'], blanked_properties)
if 'hmc_auth' in copied_params:
copied_params['hmc_auth'] = \
blanked_dict(copied_params['hmc_auth'], ['password', 'session_id'])
return copied_params


def blanked_dict(properties, blanked_properties):
"""
Return a shallow copy of the input properties, where the values of the
specified properties have been blanked out.
Parameters:
properties (Mapping): Input properties. Must not be None.
blanked_properties (Sequence): List of property names that will be
blanked out. Property names that are not in the input properties
will be ignored. Must not be None.
Returns:
dict: Shallow copy of the input properties, with blanked out values.
"""
copied_properties = dict(properties)
for pname in blanked_properties:
if pname in copied_properties:
copied_properties[pname] = BLANKED_OUT
return copied_properties


def removed_dict(properties, removed_properties):
"""
Return a shallow copy of the input properties, where the specified
properties have been removed.
Parameters:
properties (Mapping): Input properties. Must not be None.
removed_properties (Sequence): List of property names that will be
removed. Property names that are not in the input properties
will be ignored. Must not be None.
Returns:
dict: Shallow copy of the input properties, with removed properties.
"""
copied_properties = dict(properties)
for pname in removed_properties:
try:
del copied_properties[pname]
except KeyError:
pass
return copied_properties
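Review bot: In blanked_params() the 'properties' branch checks that the item is truthy before calling blanked_dict(), but the 'hmc_auth' branch only tests `'hmc_auth' in copied_params`, so a params dict with hmc_auth set to None would raise TypeError from dict(None) inside a logging path. Suggest the same truthiness guard as for 'properties', or handling None in blanked_dict(). Two documentation points in the same function: the Returns section says "Deep copy of the input parameters" while the code makes a shallow copy with dict(params), as the comment above that line says, so every item other than 'properties' and 'hmc_auth' is shared with the caller; and the docstring should state that blanking matches only top-level keys of 'properties', so a password-like value nested inside a dict or list value is not blanked. BLANKED_OUT is used in blanked_dict() but its definition is not part of this hunk; please confirm it exists in common.py.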
8 changes: 4 additions & 4 deletions plugins/modules/zhmc_adapter.py
Original file line number Diff line number Diff line change
@@ -350,7 +350,7 @@
from ..module_utils.common import log_init, open_session, close_session, \
hmc_auth_parameter, Error, ParameterError, to_unicode, \
process_normal_property, eq_hex, missing_required_lib, \
common_fail_on_import_errors, parse_hmc_host # noqa: E402
common_fail_on_import_errors, parse_hmc_host, blanked_params # noqa: E402

try:
import urllib3
@@ -966,9 +966,9 @@ def main():

module.params['hmc_host'] = parse_hmc_host(module.params['hmc_host'])

_params = dict(module.params)
del _params['hmc_auth']
LOGGER.debug("Module entry: params: %r", _params)
if LOGGER.isEnabledFor(logging.DEBUG):
LOGGER.debug("Module entry: params: %r",
blanked_params(module.params))

try:

8 changes: 4 additions & 4 deletions plugins/modules/zhmc_adapter_list.py
Original file line number Diff line number Diff line change
@@ -279,7 +279,7 @@

from ..module_utils.common import log_init, open_session, close_session, \
hmc_auth_parameter, Error, ParameterError, \
missing_required_lib, parse_hmc_host # noqa: E402
missing_required_lib, parse_hmc_host, blanked_params # noqa: E402

try:
import urllib3
@@ -474,9 +474,9 @@ def main():

module.params['hmc_host'] = parse_hmc_host(module.params['hmc_host'])

_params = dict(module.params)
del _params['hmc_auth']
LOGGER.debug("Module entry: params: %r", _params)
if LOGGER.isEnabledFor(logging.DEBUG):
LOGGER.debug("Module entry: params: %r",
blanked_params(module.params))

changed = False
try:
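Review bot: The three-line `if LOGGER.isEnabledFor(logging.DEBUG):` block added to main() here is repeated verbatim in the main() of every module shown in this change. A single helper in module_utils/common.py that takes the logger, the params and an optional blanked_properties list would keep the modules from drifting apart and would make it harder for a new module to log module.params directly. Note also that this call passes no blanked_properties, so only the 'password' and 'session_id' items of hmc_auth are blanked; that is only safe for modules whose 'properties' input has no password-like entries, which is worth a short comment at the call site. Finally, the new line needs the name `logging`, and the import hunks shown only add blanked_params, so please check that each module imports it.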
8 changes: 4 additions & 4 deletions plugins/modules/zhmc_console.py
Original file line number Diff line number Diff line change
@@ -237,7 +237,7 @@

from ..module_utils.common import log_init, open_session, close_session, \
hmc_auth_parameter, Error, ParameterError, missing_required_lib, \
common_fail_on_import_errors, parse_hmc_host # noqa: E402
common_fail_on_import_errors, parse_hmc_host, blanked_params # noqa: E402

try:
import urllib3
@@ -413,9 +413,9 @@ def main():

module.params['hmc_host'] = parse_hmc_host(module.params['hmc_host'])

_params = dict(module.params)
del _params['hmc_auth']
LOGGER.debug("Module entry: params: %r", _params)
if LOGGER.isEnabledFor(logging.DEBUG):
LOGGER.debug("Module entry: params: %r",
blanked_params(module.params))

try:

9 changes: 5 additions & 4 deletions plugins/modules/zhmc_cpc.py
Original file line number Diff line number Diff line change
@@ -416,7 +416,8 @@
from ..module_utils.common import log_init, open_session, close_session, \
hmc_auth_parameter, Error, StatusError, ParameterError, to_unicode, \
process_normal_property, missing_required_lib, \
common_fail_on_import_errors, pull_properties, parse_hmc_host # noqa: E402
common_fail_on_import_errors, pull_properties, parse_hmc_host, \
blanked_params # noqa: E402

try:
import urllib3
@@ -899,9 +900,9 @@ def main():

module.params['hmc_host'] = parse_hmc_host(module.params['hmc_host'])

_params = dict(module.params)
del _params['hmc_auth']
LOGGER.debug("Module entry: params: %r", _params)
if LOGGER.isEnabledFor(logging.DEBUG):
LOGGER.debug("Module entry: params: %r",
blanked_params(module.params))

try:

8 changes: 4 additions & 4 deletions plugins/modules/zhmc_cpc_capacity.py
Original file line number Diff line number Diff line change
@@ -451,7 +451,7 @@
from ..module_utils.common import log_init, open_session, close_session, \
hmc_auth_parameter, Error, missing_required_lib, \
common_fail_on_import_errors, parse_hmc_host, \
underscore_properties # noqa: E402
underscore_properties, blanked_params # noqa: E402

try:
import urllib3
@@ -835,9 +835,9 @@ def main():

module.params['hmc_host'] = parse_hmc_host(module.params['hmc_host'])

_params = dict(module.params)
del _params['hmc_auth']
LOGGER.debug("Module entry: params: %r", _params)
if LOGGER.isEnabledFor(logging.DEBUG):
LOGGER.debug("Module entry: params: %r",
blanked_params(module.params))

try:

8 changes: 4 additions & 4 deletions plugins/modules/zhmc_cpc_list.py
Original file line number Diff line number Diff line change
@@ -222,7 +222,7 @@

from ..module_utils.common import log_init, open_session, close_session, \
hmc_auth_parameter, Error, missing_required_lib, \
common_fail_on_import_errors, parse_hmc_host # noqa: E402
common_fail_on_import_errors, parse_hmc_host, blanked_params # noqa: E402

try:
import urllib3
@@ -330,9 +330,9 @@ def main():

module.params['hmc_host'] = parse_hmc_host(module.params['hmc_host'])

_params = dict(module.params)
del _params['hmc_auth']
LOGGER.debug("Module entry: params: %r", _params)
if LOGGER.isEnabledFor(logging.DEBUG):
LOGGER.debug("Module entry: params: %r",
blanked_params(module.params))

changed = False
try:
8 changes: 4 additions & 4 deletions plugins/modules/zhmc_crypto_attachment.py
Original file line number Diff line number Diff line change
@@ -374,7 +374,7 @@

from ..module_utils.common import log_init, open_session, close_session, \
hmc_auth_parameter, Error, ParameterError, missing_required_lib, \
common_fail_on_import_errors, parse_hmc_host # noqa: E402
common_fail_on_import_errors, parse_hmc_host, blanked_params # noqa: E402


try:
@@ -1091,9 +1091,9 @@ def main():

module.params['hmc_host'] = parse_hmc_host(module.params['hmc_host'])

_params = dict(module.params)
del _params['hmc_auth']
LOGGER.debug("Module entry: params: %r", _params)
if LOGGER.isEnabledFor(logging.DEBUG):
LOGGER.debug("Module entry: params: %r",
blanked_params(module.params))

try:

8 changes: 4 additions & 4 deletions plugins/modules/zhmc_hba.py
Original file line number Diff line number Diff line change
@@ -246,7 +246,7 @@
from ..module_utils.common import log_init, open_session, close_session, \
hmc_auth_parameter, Error, ParameterError, wait_for_transition_completion, \
eq_hex, to_unicode, process_normal_property, missing_required_lib, \
common_fail_on_import_errors, parse_hmc_host # noqa: E402
common_fail_on_import_errors, parse_hmc_host, blanked_params # noqa: E402

try:
import urllib3
@@ -627,9 +627,9 @@ def main():

module.params['hmc_host'] = parse_hmc_host(module.params['hmc_host'])

_params = dict(module.params)
del _params['hmc_auth']
LOGGER.debug("Module entry: params: %r", _params)
if LOGGER.isEnabledFor(logging.DEBUG):
LOGGER.debug("Module entry: params: %r",
blanked_params(module.params))

try:
