From b393a60ecea87f77e57e100f6cd459b0104b591f Mon Sep 17 00:00:00 2001
From: AlanCoding <arominge@redhat.com>
Date: Tue, 11 Jul 2017 08:07:36 -0400
Subject: [PATCH] prevent overwriting of playbook data when censoring

---
 awx/lib/tests/test_display_callback.py   | 32 ++++++++++++++++++++++++
 awx/lib/tower_display_callback/module.py |  3 +++
 2 files changed, 35 insertions(+)

diff --git a/awx/lib/tests/test_display_callback.py b/awx/lib/tests/test_display_callback.py
index 2e979a67ca..48960f97c7 100644
--- a/awx/lib/tests/test_display_callback.py
+++ b/awx/lib/tests/test_display_callback.py
@@ -209,6 +209,38 @@ def test_callback_plugin_task_args_leak(executor, cache, playbook):
     assert events[5]['event_data']['task_args'] == "the output has been hidden due to the fact that 'no_log: true' was specified for this result"  # noqa
 
 
+@pytest.mark.parametrize('playbook', [
+{'loop_with_no_log.yml': '''
+- name: playbook variable should not be overwritten when using no log
+  connection: local
+  hosts: all
+  gather_facts: no
+  tasks:
+    - command: "{{ item }}"
+      register: command_register
+      no_log: True
+      with_items:
+        - "echo helloworld!"
+    - debug: msg="{{ command_register.results|map(attribute='stdout')|list }}"
+'''},  # noqa
+])
+def test_callback_plugin_censoring_does_not_overwrite(executor, cache, playbook):
+    executor.run()
+    events = cache.values()
+    assert events[0]['event'] == 'playbook_on_start'
+    assert events[1]['event'] == 'playbook_on_play_start'
+
+    # task 1
+    assert events[2]['event'] == 'playbook_on_task_start'
+    # Ordering of task and item events may differ randomly
+    assert set(['runner_on_ok', 'runner_item_on_ok']) == set([data['event'] for data in events[3:5]])
+
+    # task 2 no_log=True
+    assert events[5]['event'] == 'playbook_on_task_start'
+    assert events[6]['event'] == 'runner_on_ok'
+    assert 'helloworld!' in events[6]['event_data']['res']['msg']
+
+
 @pytest.mark.parametrize('playbook', [
 {'strip_env_vars.yml': '''
 - name: sensitive environment variables should be stripped from events
diff --git a/awx/lib/tower_display_callback/module.py b/awx/lib/tower_display_callback/module.py
index 6f68b35046..0b0b964a72 100644
--- a/awx/lib/tower_display_callback/module.py
+++ b/awx/lib/tower_display_callback/module.py
@@ -21,6 +21,7 @@ from __future__ import (absolute_import, division, print_function)
 import contextlib
 import sys
 import uuid
+from copy import copy
 
 # Ansible
 from ansible.plugins.callback import CallbackBase
@@ -73,6 +74,8 @@ class BaseCallbackModule(CallbackBase):
         if event_data.get('res'):
             if event_data['res'].get('_ansible_no_log', False):
                 event_data['res'] = {'censored': CENSORED}
+            if event_data['res'].get('results', []):
+                event_data['res']['results'] = copy(event_data['res']['results'])
             for i, item in enumerate(event_data['res'].get('results', [])):
                 if isinstance(item, dict) and item.get('_ansible_no_log', False):
                     event_data['res']['results'][i] = {'censored': CENSORED}