From 40728e3ef401296579ba9904dc4f7a67dfaced03 Mon Sep 17 00:00:00 2001
From: Monty Taylor
Date: Mon, 20 Feb 2017 07:06:58 -0500
Subject: [PATCH] Set display_args_to_stdout for secure jobs

Ansible has a config flag that is accessible from callback plugins that is an indicator for whether or not to display args in the log output. It should be noted that this can wind up being a general flag in our callback plugin that will let us know if the job being run is secure or insecure.

Change-Id: Ie0b45ca533e71610cc18950edd735dc3258bd604
---
 zuul/launcher/server.py | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/zuul/launcher/server.py b/zuul/launcher/server.py
index cc34187881..1ba42da87d 100644
--- a/zuul/launcher/server.py
+++ b/zuul/launcher/server.py
@@ -799,6 +799,14 @@ class AnsibleJob(object):
 config.write('action_plugins = %s\n'
 % self.launcher_server.action_dir)
+ # On secure jobs, we want to prevent the printing of args,
+ # since secure jobs might have access to secrets that they may
+ # need to pass to a task or a role. On the other hand, there
+ # should be no sensitive data in insecure jobs, and printing
+ # the args could be useful for debugging.
+ config.write('display_args_to_stdout = %s\n' %
+ str(not secure))
+
 config.write('[ssh_connection]\n')
 # NB: when setting pipelining = True, keep_remote_files
 # must be False (the default). Otherwise it apparently
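Review bot: The added `config.write('display_args_to_stdout = %s\n' % str(not secure))` turns argument display on for every job that is not secure, and the comment's premise that insecure jobs hold no sensitive data is not enforced anywhere in this hunk. Ansible ships this option disabled because task arguments can carry credentials, and as far as I know it only governs the arguments shown in the task header, so a task that handles a secret still needs `no_log: true` to keep the value out of result output on secure jobs too. I would extend the comment with `# NB: this only controls args in the task header; tasks that handle secrets still need no_log.` `secure` is assigned outside the hunk; if it can ever be None or otherwise falsy by default, `not secure` evaluates to True and args are printed, so confirm it is always an explicit bool. The enclosing method starts and ends outside the hunk.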