7 files changed, 256 insertions, 0 deletions

diff --git a/test/integration/targets/no_log/aliases b/test/integration/targets/no_log/aliases
new file mode 100644
index 0000000..498fedd
--- /dev/null
+++ b/test/integration/targets/no_log/aliases
@@ -0,0 +1,2 @@
+shippable/posix/group4
+context/controller
diff --git a/test/integration/targets/no_log/dynamic.yml b/test/integration/targets/no_log/dynamic.yml
new file mode 100644
index 0000000..4a1123d
--- /dev/null
+++ b/test/integration/targets/no_log/dynamic.yml
@@ -0,0 +1,27 @@
+- name: test dynamic no log
+  hosts: testhost
+  gather_facts: no
+  ignore_errors: yes
+  tasks:
+    - name: no loop, task fails, dynamic no_log
+      debug:
+        msg: "SHOW {{ var_does_not_exist }}"
+      no_log: "{{ not (unsafe_show_logs|bool) }}"
+
+    - name: loop, task succeeds, dynamic does no_log
+      debug:
+        msg: "SHOW {{ item }}"
+      loop:
+        - a
+        - b
+        - c
+      no_log: "{{ not (unsafe_show_logs|bool) }}"
+
+    - name: loop, task fails, dynamic no_log
+      debug:
+        msg: "SHOW {{ var_does_not_exist }}"
+      loop:
+        - a
+        - b
+        - c
+      no_log: "{{ not (unsafe_show_logs|bool) }}"
diff --git a/test/integration/targets/no_log/library/module.py b/test/integration/targets/no_log/library/module.py
new file mode 100644
index 0000000..d4f3c56
--- /dev/null
+++ b/test/integration/targets/no_log/library/module.py
@@ -0,0 +1,45 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+# Copyright (c) 2019 Ansible Project
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+from __future__ import absolute_import, division, print_function
+__metaclass__ = type
+
+from ansible.module_utils.basic import AnsibleModule
+
+
+def main():
+    module = AnsibleModule(
+        argument_spec={
+            'state': {},
+            'secret': {'no_log': True},
+            'subopt_dict': {
+                'type': 'dict',
+                'options': {
+                    'str_sub_opt1': {'no_log': True},
+                    'str_sub_opt2': {},
+                    'nested_subopt': {
+                        'type': 'dict',
+                        'options': {
+                            'n_subopt1': {'no_log': True},
+                        }
+                    }
+                }
+            },
+            'subopt_list': {
+                'type': 'list',
+                'elements': 'dict',
+                'options': {
+                    'subopt1': {'no_log': True},
+                    'subopt2': {},
+                }
+            }
+
+        }
+    )
+    module.exit_json(msg='done')
+
+
+if __name__ == '__main__':
+    main()
diff --git a/test/integration/targets/no_log/no_log_local.yml b/test/integration/targets/no_log/no_log_local.yml
new file mode 100644
index 0000000..aacf7de
--- /dev/null
+++ b/test/integration/targets/no_log/no_log_local.yml
@@ -0,0 +1,92 @@
+# TODO: test against real connection plugins to ensure they're not leaking module args
+
+- name: normal play
+  hosts: testhost
+  gather_facts: no
+  tasks:
+    - name: args should be logged in the absence of no_log
+      shell: echo "LOG_ME_TASK_SUCCEEDED"
+
+    - name: failed args should be logged in the absence of no_log
+      shell: echo "LOG_ME_TASK_FAILED"
+      failed_when: true
+      ignore_errors: true
+
+    - name: item args should be logged in the absence of no_log
+      shell: echo {{ item }}
+      with_items: [ "LOG_ME_ITEM", "LOG_ME_SKIPPED", "LOG_ME_ITEM_FAILED" ]
+      when: item != "LOG_ME_SKIPPED"
+      failed_when: item == "LOG_ME_ITEM_FAILED"
+      ignore_errors: true
+
+    - name: args should not be logged when task-level no_log set
+      shell: echo "DO_NOT_LOG_TASK_SUCCEEDED"
+      no_log: true
+
+    - name: failed args should not be logged when task-level no_log set
+      shell: echo "DO_NOT_LOG_TASK_FAILED"
+      no_log: true
+      failed_when: true
+      ignore_errors: true
+
+    - name: skipped task args should be suppressed with no_log
+      shell: echo "DO_NOT_LOG_TASK_SKIPPED"
+      no_log: true
+      when: false
+
+    - name: items args should be suppressed with no_log in every state
+      shell: echo {{ item }}
+      no_log: true
+      with_items: [ "DO_NOT_LOG_ITEM", "DO_NOT_LOG_ITEM_SKIPPED", "DO_NOT_LOG_ITEM_FAILED" ]
+      when: item != "DO_NOT_LOG_ITEM_SKIPPED"
+      failed_when: item == "DO_NOT_LOG_ITEM_FAILED"
+      ignore_errors: yes
+
+    - name: async task args should suppressed with no_log
+      async: 10
+      poll: 1
+      shell: echo "DO_NOT_LOG_ASYNC_TASK_SUCCEEDED"
+      no_log: true
+
+- name: play-level no_log set
+  hosts: testhost
+  gather_facts: no
+  no_log: true
+  tasks:
+      - name: args should not be logged when play-level no_log set
+        shell: echo "DO_NOT_LOG_PLAY"
+
+      - name: args should not be logged when both play- and task-level no_log set
+        shell: echo "DO_NOT_LOG_TASK_AND_PLAY"
+        no_log: true
+
+      - name: args should be logged when task-level no_log overrides play-level
+        shell: echo "LOG_ME_OVERRIDE"
+        no_log: false
+
+      - name: Add a fake host for next play
+        add_host:
+            hostname: fake
+
+- name: use 'fake' unreachable host to force unreachable error
+  hosts: fake
+  gather_facts: no
+  connection: ssh
+  tasks:
+    - name: 'EXPECTED FAILURE: Fail to run a lineinfile task'
+      vars:
+        logins:
+          - machine: foo
+            login: bar
+            password: DO_NOT_LOG_UNREACHABLE_ITEM
+          - machine: two
+            login: three
+            password: DO_NOT_LOG_UNREACHABLE_ITEM
+      lineinfile:
+        path: /dev/null
+        mode: 0600
+        create: true
+        insertafter: EOF
+        line: "machine {{ item.machine }} login {{ item.login }} password {{ item.password }}"
+      loop: "{{ logins }}"
+      no_log: true
diff --git a/test/integration/targets/no_log/no_log_suboptions.yml b/test/integration/targets/no_log/no_log_suboptions.yml
new file mode 100644
index 0000000..e67ecfe
--- /dev/null
+++ b/test/integration/targets/no_log/no_log_suboptions.yml
@@ -0,0 +1,24 @@
+- name: test no log with suboptions
+  hosts: testhost
+  gather_facts: no
+
+  tasks:
+    - name: Task with suboptions
+      module:
+        secret: GLAMOROUS
+        subopt_dict:
+          str_sub_opt1: AFTERMATH
+          str_sub_opt2: otherstring
+          nested_subopt:
+            n_subopt1: MANPOWER
+
+        subopt_list:
+          - subopt1: UNTAPPED
+            subopt2: thridstring
+
+          - subopt1: CONCERNED
+
+    - name: Task with suboptions as string
+      module:
+        secret: MARLIN
+        subopt_dict: str_sub_opt1=FLICK
diff --git a/test/integration/targets/no_log/no_log_suboptions_invalid.yml b/test/integration/targets/no_log/no_log_suboptions_invalid.yml
new file mode 100644
index 0000000..933a8a9
--- /dev/null
+++ b/test/integration/targets/no_log/no_log_suboptions_invalid.yml
@@ -0,0 +1,45 @@
+- name: test no log with suboptions
+  hosts: testhost
+  gather_facts: no
+  ignore_errors: yes
+
+  tasks:
+    - name: Task with suboptions and invalid parameter
+      module:
+        secret: SUPREME
+        invalid: param
+        subopt_dict:
+          str_sub_opt1: IDIOM
+          str_sub_opt2: otherstring
+          nested_subopt:
+            n_subopt1: MOCKUP
+
+        subopt_list:
+          - subopt1: EDUCATED
+            subopt2: thridstring
+          - subopt1: FOOTREST
+
+    - name: Task with suboptions as string with invalid parameter
+      module:
+        secret: FOOTREST
+        invalid: param
+        subopt_dict: str_sub_opt1=CRAFTY
+
+    - name: Task with suboptions with dict instead of list
+      module:
+        secret: FELINE
+        subopt_dict:
+          str_sub_opt1: CRYSTAL
+          str_sub_opt2: otherstring
+          nested_subopt:
+            n_subopt1: EXPECTANT
+        subopt_list:
+          foo: bar
+
+    - name: Task with suboptions with incorrect data type
+      module:
+        secret: AGROUND
+        subopt_dict: 9068.21361
+        subopt_list:
+          - subopt1: GOLIATH
+          - subopt1: FREEFALL
diff --git a/test/integration/targets/no_log/runme.sh b/test/integration/targets/no_log/runme.sh
new file mode 100755
index 0000000..bb5c048
--- /dev/null
+++ b/test/integration/targets/no_log/runme.sh
@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+
+set -eux
+
+# This test expects 7 loggable vars and 0 non-loggable ones.
+# If either mismatches it fails, run the ansible-playbook command to debug.
+[ "$(ansible-playbook no_log_local.yml -i ../../inventory -vvvvv "$@" | awk \
+'BEGIN { logme = 0; nolog = 0; } /LOG_ME/ { logme += 1;} /DO_NOT_LOG/ { nolog += 1;} END { printf "%d/%d", logme, nolog; }')" = "26/0" ]
+
+# deal with corner cases with no log and loops
+# no log enabled, should produce 6 censored messages
+[ "$(ansible-playbook dynamic.yml -i ../../inventory -vvvvv "$@" -e unsafe_show_logs=no|grep -c 'output has been hidden')" = "6" ]
+
+# no log disabled, should produce 0 censored
+[ "$(ansible-playbook dynamic.yml -i ../../inventory -vvvvv "$@" -e unsafe_show_logs=yes|grep -c 'output has been hidden')" = "0" ]
+
+# test no log for sub options
+[ "$(ansible-playbook no_log_suboptions.yml -i ../../inventory -vvvvv "$@" | grep -Ec '(MANPOWER|UNTAPPED|CONCERNED|MARLIN|FLICK)')" = "0" ]
+
+# test invalid data passed to a suboption
+[ "$(ansible-playbook no_log_suboptions_invalid.yml -i ../../inventory -vvvvv "$@" | grep -Ec '(SUPREME|IDIOM|MOCKUP|EDUCATED|FOOTREST|CRAFTY|FELINE|CRYSTAL|EXPECTANT|AGROUND|GOLIATH|FREEFALL)')" = "0" ]