Add rule for checking no_log is set

It's pretty important to ensure, that password won't be logged
and thus exposed in the output. So we add linter rule that will
check that all tasks, that have "password" in argument are not logged.

Signed-Off-By: Dmitriy Rabotyagov <[email protected]>

examples/playbooks/no-log-passwords-failure.yml

@@ -0,0 +1,18 @@
+- tasks:
+    - name: Fail no_log isn't used
+      user:
+        name: bidule
+        password: "wow"
+        state: absent
+    - name: Fail when no_log is set to False
+      user:
+        name: bidule
+        password: "wow"
+        state: absent
+      no_log: False
+    - name: Fail when no_log is set to no
+      user:
+        name: bidule
+        password: "wow"
+        state: absent
+      no_log: no

examples/playbooks/no-log-passwords-success.yml

@@ -0,0 +1,13 @@
+- tasks:
+    - name: Succeed when no_log is set to yes
+      user:
+        name: bidule
+        password: "wow"
+        state: absent
+      no_log: yes
+    - name: Succeed when no_log is set to True
+      user:
+        name: bidule
+        password: "wow"
+        state: absent
+      no_log: True

src/ansiblelint/rules/NoLogPasswordsRule.py

@@ -0,0 +1,51 @@
+# Copyright 2018, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from typing import TYPE_CHECKING, Any, Dict, Union
+
+from ansiblelint.rules import AnsibleLintRule
+from ansiblelint.utils import convert_to_boolean
+
+if TYPE_CHECKING:
+    from typing import Optional
+
+    from ansiblelint.file_utils import Lintable
+
+
+class NoLogPasswordsRule(AnsibleLintRule):
+    id = "no-log-password"
+    shortdesc = "password should not be logged."
+    description = (
+        "When passing password argument you should have no_log configured "
+        "to a non False value to avoid accidental leaking of secrets."
+    )
+    severity = 'LOW'
+    tags = ["security", "experimental"]
+    version_added = "v5.0.9"
+
+    def matchtask(
+        self, task: Dict[str, Any], file: 'Optional[Lintable]' = None
+    ) -> Union[bool, str]:
+
+        for param in task["action"].keys():
+            if 'password' in param:
+                has_password = True
+                break
+        else:
+            has_password = False
+
+        # No no_log and no_log: False behave the same way
+        # and should return a failure (return True), so we
+        # need to invert the boolean
+        return bool(has_password and not convert_to_boolean(task['action'].get('no_log', False)))

test/TestNoLogPasswordsRule.py

@@ -0,0 +1,23 @@
+import unittest
+
+from ansiblelint.rules import RulesCollection
+from ansiblelint.runner import Runner
+from ansiblelint.rules.NoLogPasswordsRule import NoLogPasswordsRule
+
+
+class TestNoLogPasswordsRule(unittest.TestCase):
+    collection = RulesCollection()
+
+    def setUp(self):
+        self.collection.register(NoLogPasswordsRule())
+
+    def test_file_positive(self):
+        success = 'examples/playbooks/no-log-passwords-success.yml'
+        good_runner = Runner(success, rules=self.collection)
+        self.assertEqual([], good_runner.run())
+
+    def test_file_negative(self):
+        failure = 'examples/playbooks/no-log-passwords-failure.yml'
+        bad_runner = Runner(failure, rules=self.collection)
+        errs = bad_runner.run()
+        self.assertEqual(3, len(errs))