Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

test: allow testing to see if secrets are logged #125

Merged
merged 1 commit into from
Jan 23, 2024
Merged

test: allow testing to see if secrets are logged #125

merged 1 commit into from
Jan 23, 2024

Conversation

richm
Copy link
Contributor

@richm richm commented Jan 23, 2024

The tasks which handle secrets should be marked no_log: true.
Data used for secrets should not be logged. In order to test
this, you can use the environment variable
SYSTEM_ROLES_PODMAN_PASSWORD which will use this as the secret
data for the test. Then, you can search for this string in
the Ansible output/logs. Any hit means secret data is being
leaked.

SYSTEM_ROLES_PODMAN_PASSWORD=$(openssl rand -hex 32)
SYSTEM_ROLES_PODMAN_PASSWORD="${SYSTEM_ROLES_PODMAN_PASSWORD}" \
tox -e qemu-ansible-core-2.16 -- --image-name centos-9 --log-level debug \
tests/tests_quadlet_basic.yml > output 2>&1
grep "${SYSTEM_ROLES_PODMAN_PASSWORD}" output

Signed-off-by: Rich Megginson [email protected]

@richm
test: allow testing to see if secrets are logged
6fe9222 
The tasks which handle secrets should be marked `no_log: true`.
Data used for secrets should not be logged.  In order to test
this, you can use the environment variable
`SYSTEM_ROLES_PODMAN_PASSWORD` which will use this as the secret
data for the test.  Then, you can search for this string in
the Ansible output/logs.  Any hit means secret data is being
leaked.

```bash
SYSTEM_ROLES_PODMAN_PASSWORD=$(openssl rand -hex 32)
SYSTEM_ROLES_PODMAN_PASSWORD="${SYSTEM_ROLES_PODMAN_PASSWORD}" \
tox -e qemu-ansible-core-2.16 -- --image-name centos-9 --log-level debug \
tests/tests_quadlet_basic.yml > output 2>&1
grep "${SYSTEM_ROLES_PODMAN_PASSWORD}" output
```

Signed-off-by: Rich Megginson <[email protected]>
@richm richm merged commit 9ab16b4 into linux-system-roles:main Jan 23, 2024
8 checks passed
@richm richm deleted the test-secrets branch January 23, 2024 17:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rhatdan rhatdan Awaiting requested review from rhatdan rhatdan is a code owner

@baude baude Awaiting requested review from baude baude is a code owner

@vrothberg vrothberg Awaiting requested review from vrothberg vrothberg is a code owner

@ikke-t ikke-t Awaiting requested review from ikke-t ikke-t is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@richm