Add log level insecure warning to more places

2025-04-17 10:10:20 +00:00 · 2023-10-12 12:22:39 -06:00 · 2023-10-12 12:22:39 -06:00 · 56f0e48e27
commit 56f0e48e27
parent d6d71daedb
9 changed files with 49 additions and 10 deletions
--- a/conf/cloud
+++ b/conf/cloud
@ -29,7 +29,7 @@
 # One of 'garbage', 'trace', 'debug', 'info', 'warning', 'error', 'critical'.
 #
 # The following log levels are considered INSECURE and may log sensitive data:
-# ['garbage', 'trace', 'debug']
+# ['garbage', 'trace', 'debug', 'all']
 #
 # Default: 'info'
 #
--- a/conf/master
+++ b/conf/master
@ -1198,7 +1198,7 @@
 # One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'.
 #
 # The following log levels are considered INSECURE and may log sensitive data:
-# ['garbage', 'trace', 'debug']
+# ['garbage', 'trace', 'debug', 'all']
 #
 #log_level: warning
--- a/conf/minion
+++ b/conf/minion
@ -809,7 +809,7 @@
 # One of 'garbage', 'trace', 'debug', 'info', 'warning', 'error', 'critical'.
 #
 # The following log levels are considered INSECURE and may log sensitive data:
-# ['garbage', 'trace', 'debug']
+# ['garbage', 'trace', 'debug', 'all']
 #
 # Default: 'warning'
 #log_level: warning
--- a/conf/proxy
+++ b/conf/proxy
@ -545,7 +545,7 @@
 # One of 'garbage', 'trace', 'debug', 'info', 'warning', 'error', 'critical'.
 #
 # The following log levels are considered INSECURE and may log sensitive data:
-# ['garbage', 'trace', 'debug']
+# ['garbage', 'trace', 'debug', 'all']
 #
 # Default: 'warning'
 #log_level: warning
--- a/doc/ref/configuration/logging/index.rst
+++ b/doc/ref/configuration/logging/index.rst
@ -61,6 +61,12 @@ available in salt are shown in the table below.
 | all      |             0 | Everything                                                               |
 +----------+---------------+--------------------------------------------------------------------------+
 Any log level below the `info` level is INSECURE and may log sensitive data. This currently includes:
 #. debug
 #. trace
 #. garbage
 #. all
 Available Configuration Settings
 ================================
--- a/doc/ref/configuration/master.rst
+++ b/doc/ref/configuration/master.rst
@ -5460,6 +5460,12 @@ The level of messages to send to the console. See also :conf_log:`log_level`.
    log_level: warning
 Any log level below the `info` level is INSECURE and may log sensitive data. This currently includes:
 #. debug
 #. trace
 #. garbage
 #. all
 .. conf_master:: log_level_logfile
 ``log_level_logfile``
@ -5475,6 +5481,12 @@ it will inherit the level set by :conf_log:`log_level` option.
    log_level_logfile: warning
 Any log level below the `info` level is INSECURE and may log sensitive data. This currently includes:
 #. debug
 #. trace
 #. garbage
 #. all
 .. conf_master:: log_datefmt
 ``log_datefmt``
--- a/doc/ref/configuration/minion.rst
+++ b/doc/ref/configuration/minion.rst
@ -3308,6 +3308,11 @@ The level of messages to send to the console. See also :conf_log:`log_level`.
    log_level: warning
 Any log level below the `info` level is INSECURE and may log sensitive data. This currently includes:
 #. debug
 #. trace
 #. garbage
 #. all
 .. conf_minion:: log_level_logfile
@ -3324,6 +3329,11 @@ it will inherit the level set by :conf_log:`log_level` option.
    log_level_logfile: warning
 Any log level below the `info` level is INSECURE and may log sensitive data. This currently includes:
 #. debug
 #. trace
 #. garbage
 #. all
 .. conf_minion:: log_datefmt
--- a/salt/utils/parsers.py
+++ b/salt/utils/parsers.py
@ -41,7 +41,7 @@ import salt.utils.yaml
 import salt.version as version
 from salt.defaults import DEFAULT_TARGET_DELIM
 from salt.utils.validate.path import is_writeable
-from salt.utils.verify import verify_log, verify_log_files
+from salt.utils.verify import insecure_log, verify_log, verify_log_files
 log = logging.getLogger(__name__)
@ -610,9 +610,10 @@ class LogLevelMixIn(metaclass=MixInMeta):
            *self._console_log_level_cli_flags,
            dest=self._loglevel_config_setting_name_,
            choices=list(salt._logging.LOG_LEVELS),
-            help="Console logging log level. One of {}. Default: '{}'.".format(
+            help="Console logging log level. One of {}. Default: '{}'. \n The following log levels are INSECURE and may log sensitive data: {}".format(
                ", ".join(["'{}'".format(n) for n in salt._logging.SORTED_LEVEL_NAMES]),
                self._default_logging_level_,
                ", ".join(insecure_log()),
            ),
        )
@ -636,9 +637,10 @@ class LogLevelMixIn(metaclass=MixInMeta):
            "--log-file-level",
            dest=self._logfile_loglevel_config_setting_name_,
            choices=list(salt._logging.SORTED_LEVEL_NAMES),
-            help="Logfile logging log level. One of {}. Default: '{}'.".format(
+            help="Logfile logging log level. One of {}. Default: '{}'. \n The following log levels are INSECURE and may log sensitive data: {}".format(
                ", ".join(["'{}'".format(n) for n in salt._logging.SORTED_LEVEL_NAMES]),
                self._default_logging_level_,
                ", ".join(insecure_log()),
            ),
        )
        self._mixin_after_parsed_funcs.append(self.__setup_logging_routines)
--- a/salt/utils/verify.py
+++ b/salt/utils/verify.py
@ -557,13 +557,22 @@ def safe_py_code(code):
    return True
 def insecure_log():
    """
    Return the insecure logs types
    """
    insecure = []
    for level, value in LOG_LEVELS.items():
        if value < LOG_LEVELS.get("info", 20):
            insecure.append(level)
    return insecure
 def verify_log(opts):
    """
    If an insecre logging configuration is found, show a warning
    """
-    level = LOG_LEVELS.get(str(opts.get("log_level")).lower(), logging.NOTSET)
+    if str(opts.get("log_level")).lower() in insecure_log():
    if level < logging.INFO:
        log.warning(
            "Insecure logging configuration detected! Sensitive data may be logged."
        )