Add test coverage and add profile to docs

conf/cloud

@@ -29,7 +29,7 @@
 # One of 'garbage', 'trace', 'debug', 'info', 'warning', 'error', 'critical'.
 #
 # The following log levels are considered INSECURE and may log sensitive data:
-# ['garbage', 'trace', 'debug', 'all']
+# ['profile', 'garbage', 'trace', 'debug', 'all']
 #
 # Default: 'info'
 #

conf/master

@@ -1198,7 +1198,7 @@
 # One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'.
 #
 # The following log levels are considered INSECURE and may log sensitive data:
-# ['garbage', 'trace', 'debug', 'all']
+# ['profile', 'garbage', 'trace', 'debug', 'all']
 #
 #log_level: warning
 

conf/minion

@@ -809,7 +809,7 @@
 # One of 'garbage', 'trace', 'debug', 'info', 'warning', 'error', 'critical'.
 #
 # The following log levels are considered INSECURE and may log sensitive data:
-# ['garbage', 'trace', 'debug', 'all']
+# ['profile', 'garbage', 'trace', 'debug', 'all']
 #
 # Default: 'warning'
 #log_level: warning

conf/proxy

@@ -545,7 +545,7 @@
 # One of 'garbage', 'trace', 'debug', 'info', 'warning', 'error', 'critical'.
 #
 # The following log levels are considered INSECURE and may log sensitive data:
-# ['garbage', 'trace', 'debug', 'all']
+# ['profile', 'garbage', 'trace', 'debug', 'all']
 #
 # Default: 'warning'
 #log_level: warning

doc/ref/configuration/logging/index.rst

@@ -62,6 +62,7 @@ available in salt are shown in the table below.
 +----------+---------------+--------------------------------------------------------------------------+
 
 Any log level below the `info` level is INSECURE and may log sensitive data. This currently includes:
+#. profile
 #. debug
 #. trace
 #. garbage

doc/ref/configuration/master.rst

@@ -5461,6 +5461,7 @@ The level of messages to send to the console. See also :conf_log:`log_level`.
     log_level: warning
 
 Any log level below the `info` level is INSECURE and may log sensitive data. This currently includes:
+#. profile
 #. debug
 #. trace
 #. garbage
@@ -5482,6 +5483,7 @@ it will inherit the level set by :conf_log:`log_level` option.
     log_level_logfile: warning
 
 Any log level below the `info` level is INSECURE and may log sensitive data. This currently includes:
+#. profile
 #. debug
 #. trace
 #. garbage

doc/ref/configuration/minion.rst

@@ -3309,6 +3309,7 @@ The level of messages to send to the console. See also :conf_log:`log_level`.
     log_level: warning
 
 Any log level below the `info` level is INSECURE and may log sensitive data. This currently includes:
+#. profile
 #. debug
 #. trace
 #. garbage
@@ -3330,6 +3331,7 @@ it will inherit the level set by :conf_log:`log_level` option.
     log_level_logfile: warning
 
 Any log level below the `info` level is INSECURE and may log sensitive data. This currently includes:
+#. profile
 #. debug
 #. trace
 #. garbage

salt/utils/verify.py

@@ -572,7 +572,9 @@ def verify_log(opts):
     """
     If an insecre logging configuration is found, show a warning
     """
-    if str(opts.get("log_level")).lower() in insecure_log():
+    level = LOG_LEVELS.get(str(opts.get("log_level")).lower(), logging.NOTSET)
+
+    if level < logging.INFO:
         log.warning(
             "Insecure logging configuration detected! Sensitive data may be logged."
         )

tests/pytests/functional/cli/test_salt.py

@@ -13,23 +13,27 @@ log = logging.getLogger(__name__)
 @pytest.fixture(autouse=True)
 def _install_salt_extension(shell):
     if os.environ.get("ONEDIR_TESTRUN", "0") == "0":
-        return
-
-    script_name = "salt-pip"
-    if salt.utils.platform.is_windows():
-        script_name += ".exe"
-
-    script_path = CODE_DIR / "artifacts" / "salt" / script_name
-    assert script_path.exists()
-    try:
-        ret = shell.run(str(script_path), "install", "salt-analytics-framework==0.1.0")
-        assert ret.returncode == 0
-        log.info(ret)
         yield
-    finally:
-        ret = shell.run(str(script_path), "uninstall", "-y", "salt-analytics-framework")
-        log.info(ret)
-        shutil.rmtree(script_path.parent / "extras-3.10", ignore_errors=True)
+    else:
+        script_name = "salt-pip"
+        if salt.utils.platform.is_windows():
+            script_name += ".exe"
+
+        script_path = CODE_DIR / "artifacts" / "salt" / script_name
+        assert script_path.exists()
+        try:
+            ret = shell.run(
+                str(script_path), "install", "salt-analytics-framework==0.1.0"
+            )
+            assert ret.returncode == 0
+            log.info(ret)
+            yield
+        finally:
+            ret = shell.run(
+                str(script_path), "uninstall", "-y", "salt-analytics-framework"
+            )
+            log.info(ret)
+            shutil.rmtree(script_path.parent / "extras-3.10", ignore_errors=True)
 
 
 @pytest.mark.windows_whitelisted
@@ -86,3 +90,18 @@ def test_versions_report(salt_cli):
     assert "relenv" in ret_dict["Dependency Versions"]
     assert "Salt Extensions" in ret_dict
     assert "salt-analytics-framework" in ret_dict["Salt Extensions"]
+
+
+def test_help_log(salt_cli):
+    """
+    Test to ensure when we pass in `--help` the insecure
+    log warning is included.
+    """
+    ret = salt_cli.run("--help")
+    count = 0
+    stdout = ret.stdout.split("\n")
+    for line in stdout:
+        if "sensitive data:" in line:
+            count += 1
+            assert line.strip() == "sensitive data: all, debug, garbage, profile, trace"
+    assert count == 2

tests/pytests/unit/utils/verify/test_verify_logs.py

@@ -66,3 +66,11 @@ def test_verify_log():
     with patch.object(salt.utils.verify.log, "warning", mock_info):
         salt.utils.verify.verify_log({"log_level": "info"})
         assert mock_info.call_count == 0
+
+
+def test_insecure_log():
+    """
+    test insecure_log that it returns accurate insecure log levels
+    """
+    ret = salt.utils.verify.insecure_log()
+    assert ret == ["all", "debug", "garbage", "profile", "trace"]