Commit Graph

3062 Commits (353511a900f6216a25a25d8a36528f636428b57b)

Author SHA1 Message Date
Sloane Hertel f96a661ada
ansible-galaxy - add configuration options for more flexible collection signature verification (#77026)
* Add a toggle to control the number of signatures required to verify the authenticity of a collection

* Make the default number of required valid signatures 1

* Add option to make signature verification strict and fail if there are no valid signatures (e.g. "+1")

* Use a regex to validate --required-valid-signature-count

* Add a toggle to limit the gpg status codes that are considered a failure

* Update documentation and changelog

* Add unit and integration tests for the new options

* Fixes #77146

Fix using user-provided signatures when running 'ansible-galaxy collection verify ns.coll --offline'

Add a test for a user-provided signature when running ansible-galaxy collection verify with --offline

Fix displaying overall gpg failure without extra verbosity

Add a test for displaying gpg failure without verbosity

Improve documentation to be more clear that signature verification only currently applies to collections directly sourced from Galaxy servers
3 years ago
ChanthMiao 34e60c0a7a
ansible_distribution: Add support for Uos/Deepin (#77275)
* ansible_distribution: Add support for Uos/Deepin

* Add changelog fragment.
3 years ago
Felix Fontein e3c72230cd
unarchive: fix io_buffer_size option, remove ignore.txt entry (#77271)
* Fix io_buffer_size option.

* Remove ignore.txt entry by adding action plugin only options to module's argument spec.

* Add changelog fragment.

* Adjust unit tests.
3 years ago
Matt Clay f68c66a3ef Remove collections compat from controller code. 3 years ago
Abhijeet Kasurde 4f48f375a0
parameters: handle blank values when argument is a list (#77119)
Fixes: #77108

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
3 years ago
Matt Clay 1a5853d794
Remove obsolete units.compat.mock compat layer. (#77118)
* Remove obsolete units.compat.mock compat layer.
* Update remaining units.compat.mock references.
3 years ago
Matt Clay b613808277 Remove obsolete unit test builtins compat. 3 years ago
Matt Clay 2cd6cdc6a7
Fix duplicate unit test function names. (#77115)
* Fix duplicate unit test function names.
* Disable faulty tests.
3 years ago
Matt Clay 0bd8106d15 Remove unused mock compat code.
The code is unreachable since Python 3 versions before 3.5 are not supported.
3 years ago
Matt Clay de9a3bda2c Fix warning in unit tests for _yaml import. 3 years ago
Sloane Hertel 43e55db208
ansible-galaxy - add signature verification of the MANIFEST.json (#76681)
* ansible-galaxy collection install|verify:

  - Support verifying the origin of the MANIFEST.json when the Galaxy server has provided signatures.
  - Allow supplemental signatures to use during verification on the CLI/requirements file.

* ansible-galaxy collection install:

  - Support disabling signature verification. This silences the warning provided by ansible-galaxy if the Galaxy server provided signatures it cannot use because no keyring is configured.
  - Store Galaxy server metadata alongside installed collections for provenance. This is used by 'ansible-galaxy collection verify --offline'.

* Add unit tests for method that gets signatures from a Galaxy server

* Add integration tests for user-provided signature sources

- Test CLI option combinations
- Test installing collections with valid/invalid signature sources
- Test disabling GPG verification when installing collections
- Test verifying collections with valid/invalid signature sources

* Make signature verification advisory-by-default if signatures are provided by the Galaxy server

- Make the default keyring None
- Warn if the keyring is None but the Galaxy server provided signatures
- Error if the keyring is None but the user supplied signatures
- Error if the keyring is not None but is invalid

* changelog

* add ansible-galaxy user documentation for new options

Co-authored-by: Matt Martz <matt@sivel.net>
Co-authored-by: Sviatoslav Sydorenko <wk.cvs.github@sydorenko.org.ua>
Co-authored-by: Martin Krizek <martin.krizek@gmail.com>
Co-authored-by: Sandra McCann <samccann@redhat.com>
Co-authored-by: Andy Mott <amott@redhat.com>
Co-authored-by: John R Barker <john@johnrbarker.com>
3 years ago
Thomas Sjögren b145732973
Resubmit: Use SystemdStrategy for Debian in the hostname module (#76929)
* add DebianStrategy tests
* ensure hostname can be changed by using become
* use Systemd strat for debian and Base for generic.
* add test to ensure all strategies are available

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
3 years ago
Éloi Rivard 3889ddeb4b
iptables - added a ``chain_management`` parameter to control chain (#76378)
creation and deletion

fixes #25099
closes #32158
3 years ago
Brian Coca 0ff80a15ba
ssh connection avoid parsing own debug (#76732)
- Avoids false positives on become strings being echoed back by ssh cli itself
- added test for debug lines
- also simplified some of existing test code
3 years ago
Brian Coca 9142be2f6c
Allow specifying specific python via shebang (#76677)
modules with python were always normalized to /usr/bin/python,
  while other interpreters could have specific versions.

* now shebang is always constructed by get_shebang and args are preserved
* only update shebang if interpreter changed
* updated test expectation
* added python shebang test
3 years ago
Adrian Likins 20cc87f059
Expect upper case message 'levels' for galaxy publish results (#63530) 3 years ago
Sloane Hertel 76220c4a7b
ansible-galaxy - fix the --ignore-certs flag for the implicit galaxy server (#76735)
* ansible-galaxy - fix the --ignore-certs flag for the implicit galaxy server

* changelog

* Add a test without the server config

* Fix respecting --ignore-certs for individual --server URLs also

* Update changelogs/fragments/76735-ansible-galaxy-fix-ignore-certs.yaml
3 years ago
Matt Martz 0ef5274a3c Don't assert stdlib behavior, just assert that urllib was called 3 years ago
Jordan Borean aaa7944b02
Fix tests failing on pytest 7 (#76670)
* Fix pytest 7 failures with leaky fixture
3 years ago
Matt Clay 97104f1221
Avoid deprecated TestCase functions in unit tests. (#76678)
* Avoid deprecated TestCase functions in unit tests.
* Add assertRaisesRegex for Python 2.7.
* Fix indentation.
3 years ago
Jaromaz 16def8050a
facts - Set correct OS family for EuroLinux (#76624)
Co-authored-by: Abhijeet Kasurde <akasurde@redhat.com>
3 years ago
Sloane Hertel ed6581e4db
check finder type before passing path (#76448)
* check finder type before passing path

ci_complete

* Reduce nesting

* Test find_module does not cause a traceback with Python 3 FileFinder

* Update lib/ansible/utils/collection_loader/_collection_finder.py
3 years ago
Jordan Borean 8482ee4e9a
galaxy build - ignore existing MANIFEST and FILES (#76479) 3 years ago
James Livulpi 7830e5308e
add tencentos fact distro (#76459)
Fixes #76459

Co-authored-by: Abhijeet Kasurde <akasurde@redhat.com>
3 years ago
Brian Coca 472028c869
catch the case that cowsay is broken (#76326)
* catch the case that cowsay is broken

fixes https://github.com/ansible/ansible/issues/72582

  add changelog
  raise Exception for broken cowsay
  add test for broken cowsay

Co-authored-by: Matthias Bernt <m.bernt@ufz.de>
3 years ago
Brian Coca b02168d644
better handling of sudo flag replacement (#76389)
* better handling of sudo flag replacement
3 years ago
Richie B2B 1b34933414
Fix ansible-doc -l ansible.builtin / ansible.legacy (#76235) 3 years ago
Martijn Pieters 08af0fbf95
Unbreak hostname.RedHatStrategy (#76032)
- On Python 3, decode bytes to str
- Tolerate whitespace around the line.
- Report a missing HOSTNAME line as an error.
- Don't clobber line separators when setting a new hostname.
- Add some tests for this strategy to verify correct operation.
3 years ago
Martin Krizek 5c225dc0f5
Introduce public methods to access PlayIterator._host_states (#74416) 3 years ago
Jan Fader 17ec2d4952
check /.dockerenv and /.dockerinit to guess a docker container (#74349)
* use os.path.exists for docker-check

Co-authored-by: Jacob Floyd <cognifloyd@gmail.com>
3 years ago
Martin Krizek 47ee282227
Parser errors from within includes should not be rescueable (#73722)
* Parser errors from within includes should not be rescueable
* Also fixes unit tests
Fixes #73657
3 years ago
Martin Krizek 26707a3c6b
Heisen jinja2_native (#75587)
* Use NativeEnvironment for all templating

ci_complete

* Keep Templar.copy_with_new_env for backwards compat

* Mention that AnsibleUndefined.__repr__ changed in the porting guide

* Templar.copy_with_new_env backwards compat

* ci_complete
3 years ago
Martin Krizek 395e5e20fa
PlayIterator: use enums for states (#74511) 3 years ago
Martin Krizek 7621784b94
Require Jinja2 3.0.0 (#75881)
* Require Jinja2 3.0.0

ci_complete

* Fix sanity

* Remove Jinja min/max tests

* ansible-test changes

* ci_complete

* More cleanup

ci_complete

* Revert _count_newlines_from_end :( and other stuff

* Fix sanity

* It's using host_vars ...

* Unused import

* Remove overridden groupby filter

* environmentfilter -> pass_environment

* Explain preserve_trailing_newlines

* Add changelog

* ci_complete

* Deprecated ANSIBLE_JINJA2_NATIVE_WARNING

* native_helpers.py cleanup

* More cleanup in the find integration test
3 years ago
Martin Krizek 23f95300bd
Intentional tests (#76051)
ci_complete
ci_coverage
3 years ago
Miroslav Brabenec bc0caad2ad
Fix parsing of device serial number for RHEL8 (#75876)
* Fix parsing of device serial number for RHEL8

* Add tests and changelog

Co-authored-by: Miroslav Brabenec <miroslav.brabenec@memsource.com>
3 years ago
Martin Krizek f774292439
cli - remove deprecated setting verbosity before sub command (#75840)
* cli - remove deprecated setting verbosity before sub command

Fixes #75823

* Fix tests
3 years ago
Matt Martz 79e9dae292
Don't show params when there is an issue with `set_option(s)` (#75805) 3 years ago
Matt Martz 96b221b344
Update vendored copy of distro to 1.6.0 (#75732)
* Update vendored copy of distro to 1.6.0

* copy pasta mistake

* ci_complete
3 years ago
Ross Bender 7a4b5d14fc
ansible-galaxy role install: download from API response location (#73114)
* download role from api response location

* include changelog fragment

* add unit test for role download url

Co-authored-by: Sam Doran <sdoran@redhat.com>
3 years ago
Thomas Sjögren 57359d0174
use passlib default if `password_hash` option isn't set (#75043)
* add changelog fragment
* password_hash|length == 120
* mention the new default bcrypt format in the porting guide
3 years ago
Sloane Hertel 7ecc227488
ansible-galaxy: Clone git collections using shallow clones (#75722)
* ansible-galaxy: Clone git collections using shallow clones

This ensures the collection obtained via git url is a result of a
shallow git clone (git clone --depth=1). The git history of the
collection is not used by ansible, and as such, cloning the entire
history of the repo is unnecessary.

Signed-off-by: Tomas Babej <tomas@tbabej.com>

* ansible-galaxy: Only perform shallow clones on non-versioned git urls

In general, the version can be anything we can checkout (branch, tag,
but also a commit hash). In particular for commit hashes we cannot
perform a shallow clone.

Err on the safe side and only perform shallow clones for non-versioned
git urls (cloning HEAD).

* galaxy-install: Make shallow cloning compatible with older Python versions

Signed-off-by: Tomas Babej <tomas@tbabej.com>

* Pass args as a tuple

Add tests for the git command created from different repo and version combinations

* changelog

Co-authored-by: Tomas Babej <tomas@tbabej.com>
3 years ago
Matt Clay 4ea8d9a782
ansible-test - split controller/target testing (#75605) 3 years ago
Daniel Goldman 989eeb243f
Add an `undef` global Jinja function (#75435)
* add tests for fail filter

also tests that fail does not block inspectability

* add fail filter

fallback message is a bit clunky,
since you can't invoke a filter without specifying an input.
That is, "{{ fail }}" doesn't work,
so you have to do "{{ None | fail }}"

* document 'fail' filter

* add changelog fragment

* fail filter uses default message on Undefined or emptystring

makes it slightly easier to use the default message:
```diff
- "{{ None | fail }}"
+ "{{ '' | fail }}"
```

and the user sees a slightly more relevant message
if the message itself is undefined:

```diff
- The error was: {{ failmsg | fail }}: 'failmsg' is undefined
+ The error was: {{ failmsg | fail }}: Mandatory variable has not been overridden
```

* rebuild as the builtin `Undefined`

* harmonise `hint` parameter for make_undefined with jinja

* use code block for documentation item

[ref](https://github.com/ansible/ansible/pull/75435#discussion_r707661035)

* rename to `undef` to expose less Python into the Jinja

[ref](https://github.com/ansible/ansible/pull/75435#pullrequestreview-757799031)

* explicitly instantiate undefined value now that it's possible

see I knew we would break something with reflection

* preserve test coverage of undefined variable

Co-authored-by: Matt Davis <nitzmahone@users.noreply.github.com>
3 years ago
Chris Hambridge 1353678f23
Enable ansible-galaxy to specify client id override with Keycloak Token (#75601)
* Enable ansible-galaxy to specify client id override with Keycloak Token

* Specify ability to provide override of client_id

* Test client_id can be configured for individual servers

* Add issue link to changelog

* Document client_id as a config option and add an example

Co-authored-by: s-hertel <19572925+s-hertel@users.noreply.github.com>
3 years ago
Sloane Hertel 72ba2bdc82
ansible-galaxy - add a per-server validate_certs option (#75710)
* Add a validate_certs option to galaxy server configuration

* Add a unit test for cert validation

* changelog
3 years ago
Abhijeet Kasurde 12734fa21c
yaml dumper: Add YAML representer for AnsibleUndefined (#75078)
Fixes: #75072

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
3 years ago
Matt Clay de01db08d0
pip - Use pip from the current Python interpreter. (#75634)
* pip - Use pip from the current Python interpreter.

If `executable` and `virtualenv` were not specified, and
the `pip` Python module is available for the current interpreter,
use that `pip` module instead of searching for a `pip` command.

* Add comment about needing `__main__` to run `pip`.

* Fix unit test.

* Add porting guide entry.

* Update changelog to match porting guide description.

ci_complete
3 years ago
Matt Martz 74f5367673
Ensure `heuristic_log_sanitize` returns correct data if no password found (#75570)
* Ensure heuristic_log_sanitize returns correct data if no password found. See #75542

* Need to allow code to flow through
3 years ago
Pilou 3d7f2a1366
Fix an exception when passlib library is used with a wrapped algo (#75527)
* Test a passlib wrapped algo with a password lookup

* Fix error when passlib is used with a wrapped algo

The exception was:

     An unhandled exception occurred while running the lookup plugin 'password'.
     Error was a <class 'TypeError'>, original message: issubclass() arg 1 must be a class

and can be reproduced using the following command:

    ansible localhost -i localhost, -mdebug -amsg="{{ lookup('password', '/dev/null encrypt=ldap_sha512_crypt') }}"

The concerned algos are: bsd_nthash, django_argon2, django_bcrypt, ldap_bcrypt,
ldap_bsdi_crypt, ldap_des_crypt, ldap_hex_md5, ldap_hex_sha1, ldap_md5_crypt,
ldap_pbkdf2_sha1, ldap_pbkdf2_sha256, ldap_pbkdf2_sha512, ldap_sha1_crypt,
ldap_sha256_crypt, ldap_sha512_crypt, roundup_plaintext
3 years ago