Bug 2183357

Summary: [Satellite 6] Ansible Satellite Collection repository (redhat.satellite.repositories) module logs credentials
Product: Red Hat Satellite
Reporter: jalviso <jalviso>
Component: Ansible Collection
Assignee: Evgeni Golov <egolov>
Status: VERIFIED
QA Contact: Griffin Sullivan <gsulliva>
Severity: medium
Priority: medium
Version: 6.12.0
CC: ahumbe, egolov, ehelms, jpathan, tristan.steele
Target Milestone: 6.14.0
Keywords: Triaged
Target Release: Unused
Hardware: All
OS: Linux
Fixed In Version: ansible-collection-redhat-satellite-3.11.0
Type: Bug

Description jalviso 2023-03-30 22:59:12 UTC
Description of problem:

Ansible Satellite Collection repository (redhat.satellite.repositories) module logs credentials. 

Version-Release number of selected component (if applicable):

redhat.satellite: 3.9.0 and 3.7.0

How reproducible: Always


Steps to Reproduce:
1. Install ansible-collection-redhat-satellite-3.7 or 3.9
2. Run the playbook with defined credentials, see example below:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- name: Setup AAP additional repos on Satellite
  hosts: localhost
  gather_facts: false

  vars:
    satellite_collections_redhat_url: https://console.redhat.com/api/automation-hub/content/540155-synclist/ 
    satellite_collections_redhat_requirements: |
      ---
      collections:
      - redhat.satellite
      
    aap_products:
      - name: Ansible
        repositories:
          - name: Red Hat Collections
            content_type: ansible_collection
            url: "{{ satellite_collections_redhat_url }}"
            ansible_collection_requirements: "{{ satellite_collections_redhat_requirements }}"
            upstream_username: "{{ cdn_username }}"
            upstream_password: "{{ cdn_password }}"


  roles:
    - role: redhat.satellite.repositories
      vars:
        satellite_server_url: https://satellite.example.com
        satellite_username: "admin"
        satellite_password: "password"
        satellite_organization: "gss"
        satellite_products: "{{ aap_products }}"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

It will add the Ansible Satellite collection to the ansible_collection repository in Satellite.

Actual results:

The redhat.satellite.repositories role (or repository module) logged the password in cleartext to the output, in the `upstream_password` field.

Expected results:

This value should be obfuscated to match other modules that routinely obfuscate password values.

Additional info:

Logging the password in cleartext is a security risk; it is affecting the usage of this module.

Comment 1 Griffin Sullivan 2023-05-26 15:53:35 UTC
FailedQA on stream snap 15

redhat.satellite.repositories: Create Products step still logs `upstream_password` in plain text. Create Repositories step shows no logs and the product and repo are created successfully. I'm guessing we need to add the `no_log` line to https://github.com/theforeman/foreman-ansible-modules/blob/develop/roles/repositories/tasks/main.yml#L34

Steps:

1) Copy and run playbook above


Results:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
PLAY [Setup AAP additional repos on Satellite] *************************************************************************************

TASK [redhat.satellite.repositories : Enable Red Hat Repositories] *****************************************************************
skipping: [localhost]

TASK [redhat.satellite.repositories : Enable Red Hat Repository Sets] **************************************************************
skipping: [localhost]

TASK [redhat.satellite.repositories : Create Products] *****************************************************************************
changed: [localhost] => (item={'name': 'Ansible', 'repositories': [{'name': 'Red Hat Collections', 'content_type': 'ansible_collection', 'url': 'https://console.redhat.com/api/automation-hub/content/540155-synclist/', 'ansible_collection_requirements': '---\ncollections:\n- redhat.satellite\n', 'upstream_username': '<username>', 'upstream_password': '<password>'}]})

TASK [redhat.satellite.repositories : Create Repositories] *************************************************************************
changed: [localhost] => (item=None)
changed: [localhost]

PLAY RECAP *************************************************************************************************************************
localhost                  : ok=2    changed=2    unreachable=0    failed=0    skipped=2    rescued=0    ignored=0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
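
A log check for this kind of leak, as an added example that is not part of the original report or of the collection's code: it parses `(item=...)` loop lines like the one in Comment 1 and reports every non-empty value stored under a password-like key, at any nesting depth. The sample log, its credential values and the key-name pattern are constructed assumptions.

```python
import ast
import re

# Constructed sample modelled on Comment 1; the credential values are made up.
SAMPLE_LOG = """\
TASK [redhat.satellite.repositories : Create Products] ****
changed: [localhost] => (item={'name': 'Ansible', 'repositories': [{'name': 'Red Hat Collections', 'upstream_username': 'cdn-user', 'upstream_password': 'constructed-secret'}]})
TASK [redhat.satellite.repositories : Create Repositories] ****
changed: [localhost] => (item=None)
"""

# Loop results are printed as "<status>: [host] => (item=<Python literal>)".
ITEM_LINE = re.compile(r"^(?:ok|changed|skipping): \[[^\]]+\] => \(item=(?P<item>.*)\)\s*$")
# Assumed key-name heuristic; extend it for your own variable names.
SENSITIVE_KEY = re.compile(r"password|passwd|secret|token|api_?key", re.IGNORECASE)


def find_secrets(value, path=""):
    """Yield the path of every non-empty string stored under a sensitive key."""
    if isinstance(value, dict):
        for key, child in value.items():
            child_path = f"{path}.{key}" if path else str(key)
            if isinstance(child, str) and child and SENSITIVE_KEY.search(str(key)):
                yield child_path
            else:
                yield from find_secrets(child, child_path)
    elif isinstance(value, (list, tuple)):
        for index, child in enumerate(value):
            yield from find_secrets(child, f"{path}[{index}]")


def scan(log_text):
    """Return (line_number, task_name, key_path) for each credential in a loop item."""
    findings, task = [], None
    for number, line in enumerate(log_text.splitlines(), start=1):
        if line.startswith("TASK ["):
            task = line[len("TASK ["):].split("]", 1)[0]
        match = ITEM_LINE.match(line)
        try:
            item = ast.literal_eval(match.group("item")) if match else None
        except (ValueError, SyntaxError):
            continue  # item was not printed as a plain literal; nothing to walk
        findings.extend((number, task, path) for path in find_secrets(item))
    return findings


if __name__ == "__main__":
    for number, task, path in scan(SAMPLE_LOG):
        print(f"line {number}: task '{task}' printed {path}")
```

A line printed as `(item=None)`, as in the Create Repositories task above, produces no finding.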

Comment 2 Griffin Sullivan 2023-07-05 19:16:56 UTC
Verified on 6.14 snap 6

No credentials were logged when running the playbook.