Fix password leak in logs for provider argument (#32215)

* Fix password leak in logs for provider argument

Since provider argument is not validated against a spec
the `no_log` arguments are not handled leading to password
leaking to syslogs.
To fix this:
*  Mask password and other `no_log` provider arguments in action plugin
*  In case of eapi and nxapi as the password is used in module code,
*  copy the provider password to top-level password argument which
*  handles `no_log` correctly. This will, however, throw a deprecation
*  warning message for password arg even if it is not given as a
*  top-level argument.

* Remove auth details from provider args in action plugin

* Update CHANGELOG

1 files changed, 3 insertions, 0 deletions

diff --git a/lib/ansible/plugins/action/iosxr.py b/lib/ansible/plugins/action/iosxr.py
index 2b0f4e8e12..46091f1d14 100644
--- a/lib/ansible/plugins/action/iosxr.py
+++ b/lib/ansible/plugins/action/iosxr.py
@@ -60,6 +60,9 @@ class ActionModule(_ActionModule):
         pc.password = provider['password'] or self._play_context.password
         pc.timeout = provider['timeout'] or self._play_context.timeout
 
+        # remove auth from provider arguments
+        provider.pop('password', None)
+
         display.vvv('using connection plugin %s' % pc.connection, pc.remote_addr)
         connection = self._shared_loader_obj.connection_loader.get('persistent', pc, sys.stdin)