* reset logging to INFO (#70878)
- due to CVE-2019-14846
- also added comments and test to avoid 'oportunistic' reversion
(cherry picked from commit 1223ce656a)
* Update keep_log_at_info.yml
Co-authored-by: Rick Elrod <rick@elrod.me>
* [stable-2.9] Change default file permissions so they are not world readable (#70221)
* Change default file permissions so they are not world readable
CVE-2020-1736
Set the default permissions for files we create with atomic_move() to 0o0660. Track
which files we create that did not exist and warn if the module supports 'mode'
and it was not specified and the module did not call set_mode_if_different(). This allows the user to take action and specify a mode rather than using the defaults.
A code audit is needed to find all instances of modules that call atomic_move()
but do not call set_mode_if_different(). The findings need to be documented in
a changelog since we are not warning. Warning in those instances would be frustrating
to the user since they have no way to change the module code.
- use a set for storing list of created files
- just check the argument spac and params rather than using another property
- improve the warning message to include the default permissions.
(cherry picked from commit 5260527c4a)
Co-authored-by: Sam Doran <sdoran@redhat.com>
* Fix jboss test
* Fix lamdba_policy test
* Fix aws_lamdba test
* Fix warning for new default permissions when mode is not specified (#70976)
Follow up to #70221
Related to #67794
CVE-2020-1736
When set_mode_if_different() is called with mode of 'None', ensure we issue
a warning about the change in default permissions.
Add integration tests to ensure the warning works properly.
* Fix tests
- actually use custom module 🤦♂️
- verify file permission on created files
- use remote_tmp_dir so we're ready for split controller
- improve test module so we can skip the call to set_fs_attributes_if_different()
- fix tests for CentOS 6
(cherry-picked from commit dc79528cc6)
* Use new category in changelog fragments
A couple of years ago Slackware -current began using a plus (“+”) at the end of the distribution version string to indicate a future version work-in-progress.
Rearrange distribution_files unit tests to easily support more tests
- add conftest with common fixtures
- use parametrize for testing multiple scenarios
* Add changelog
* Add unit tests for Slackware distribution parsing
* Use correct fixtures for Slackware
Data comes from /etc/slackware-version
Co-authored-by: Sam Doran <sdoran@redhat.com>
Co-authored-by: <Eduard Rozenberg <eduardr@pobox.com>>.
(cherry picked from commit 566c5e6ce1)
Co-authored-by: Eduard Rozenberg <2648417+edrozenberg@users.noreply.github.com>
Co-authored-by: Eduard Rozenberg <2648417+edrozenberg@users.noreply.github.com>
* [stable-2.9] facts - fix incorrect time for some date_time_facts (#70665)
The iso8601_micro and iso8601 facts incorrectly called now.utcnow(), resulting
in a new timestamp at the time it was called, not a conversion of the previously
stored timestamp.
Correct this by capturing the UTC timestamp once then calculating the local
time using the UTC offset of the current system.
* Use time.time() for getting the current time
* Convert from that stored epoch timestamp to local and UTC times
* Used existing timestamp for epoch time
* Add unit tests that validate the formate of the return value rather than an exact value since mocking time and timezone is non-trivial
(cherry picked from commit c4f442ed5a)
Co-authored-by: Sam Doran <sdoran@redhat.com>
* Remove tests for tz_dst since that fact only exists in newer versions
- ensure we preserve the typeerror part of the exception so loop defereed error handling
can postpone those caused by undefined variables until the when check is done.
- fix tests to comply with the 'new normal'
- human_to_bytes and others can issue TypeError not only on 'non string'
but also bad string that is not convertable.
Co-authored-by: Sloane Hertel <shertel@redhat.com>
Co-authored-by: Sloane Hertel <shertel@redhat.com>
(cherry picked from commit cf89ca8a03)
Fixes#70168
ci_complete
Co-authored-by: Brian Coca <bcoca@users.noreply.github.com>
Co-authored-by: Matt Clay <matt@mystile.com>
(cherry picked from commit b05e00e99a)
* galaxy - preserve symlinks on build/install (#69959)
* galaxy - preserve symlinks on build/install
* Handle directory symlinks
* py2 compat change
* Updated changelog fragment
(cherry picked from commit d30fc6c0b3)
* Fix integration test
* ansible-galaxy - fix collection installation with trailing slashes (#70016)
If we fail to find a member when extracting a directory, try adding a trailing
slash to the member name. In certain cases, the member in the tarfile will
contain a trailing slash but the file name in FILES.json will never contain
the trailing slash.
If unable to find the member, handle the KeyError and print a nicer error.
Also check if a directory exists before creating it since it may have been
extracted from the archive.
Fixes#70009
* Add unit tests
* Use loop for trying to get members
(cherry picked from commit d45cb01b84)
Co-authored-by: Sam Doran <sdoran@redhat.com>
In the case of a free style strategy, it is possible to end up with
multiple hosts trying to include from the same role, however the tasks
being included may be different with the use of tasks_from. Previously
if you had two hosts that were included the same role when the
process_include_results function tries to determine if a included needs
to be run on a specific host, it would end up merging two different
tasks into which ever one was processed first.
This change updates the equality check to also check if the task uuid
associated with the IncludedFile is the same. The previous check only
checked if the task's parent uuid was the same. This breaks down when
both includes have the same parent.
- hosts: all
strategy: free
gather_facts: false
tasks:
- include_role:
name: random_sleep
- block:
- name: set a fact (1)
include_role:
name: set_a_fact
tasks_from: fact1.yml
- name: set a fact (2)
include_role:
name: set_a_fact
tasks_from: fact2.yml
- name: include didn't run
fail:
msg: >
set_a_fact didn't run
fact1: {{ fact1 | default('not defined')}}
fact2: {{ fact2 | default('not defined') }}"
when: (fact1 is not defined or fact2 is not defined)
Closes#69521
(cherry picked from commit 247e43b252)
* [stable-2.9] Allow the use of _paramiko_conn even if the connection hasn't been started. (#61570)
* Allow the use of _paramiko_conn even if the connection hasn't been started.
I'm not sure what the benefit is of Noneing paramiko_conn on close, but will keep for now
* Fix test
* Try to fix up net_put & net_get
* Add changelog.
(cherry picked from commit 50e09be14f)
Co-authored-by: Nathaniel Case <ncase@redhat.com>
* Restore check_prompt and task_uuid
* Fix filedescriptor out of range in select() when running commands
* Simplify the run_command() code
Now that we're using selectors in run_command(), we can simplify some of
the code.
* Use fileobj.read() instead of os.read()
* No longer use get_buffer_size() as we can just slurp all of the data
instead.
Also use a simpler conditional check of whether the selector map is
empty
Co-authored-by: Toshio Kuratomi <a.badger@gmail.com>.
(cherry picked from commit f200487414)
Co-authored-by: Bob Weinand <bobwei9@hotmail.com>
Co-authored-by: Bob Weinand <bobwei9@hotmail.com>
* Prevent Ansible 2.9 to choke on collections using deprecation by date or collection_name for deprecation calls.
* Add changelog fragment.
* Fix YAML.
* Improve C# compatibility.
* Add tests for AnsibleModule.
* Fix var name.
* Fix type.
* Update C# code.
* Show deprecation warning if removed_at_date is used for Python modules.
* Update changelogs/fragments/69935-2.10-deprecation-support.yml
Co-authored-by: Alicia Cozine <879121+acozine@users.noreply.github.com>
* Prevent crash of validate-modules if 'removed_in' is not in 'deprecated'.
Co-authored-by: Alicia Cozine <879121+acozine@users.noreply.github.com>
* fix delegation vars usage (debug still shows inventory_hostname) (#69244)
* fix delegation vars usage and reporting
- just pass delegated host vars + task vars to plugins
and avoid poluting with original host vars
- updated tests
(cherry picked from commit 2165f9ac40)
* fix delegated interpreter discovery (#69604)
* fix delegated interpeter
* allow returning fact if it is 'the right host'
* added note for future fix/efficiency
as it stands we rerun discovery for the delegated host
unless its saving facts to itself
* fixed test lacking delegate_to mock
(cherry picked from commit de3f7c7739)
* Fix `ansible -K` become_pass regression (#69629)
* Fix `ansible -K` become_pass regression
Change:
- This fixes a breaking change introduced in
2165f9ac40
Test Plan:
- Local VM for now, with plans to add an integration test for -K going
forward.
Tickets:
Refs #69244
(cherry picked from commit fe9696be52)
* fix discovery on loop with delegation (#70013)
* fix discovery on loop with delegation
fixes#69963
(cherry picked from commit 4c9d9dbb56)
Co-authored-by: Rick Elrod <rick@elrod.me>
* fix get_data on case_insensitive fs
* implement case-sensitive-forcing versions of various os.path methods that just pass through on case-sensitive systems.
* catch broader IOError for py2/py3 compat
* optimization: factor out case-insensitive comparison
* implement case-sensitive open
* ansible-galaxy - Fix tar path traversal issue during install - CVE-2020-10691 (#68596)
(cherry picked from commit a20a527014)
* Remove extra tests missing from rebase
* Fix colorization to not extend across newline boundary
* Fix unit test to look for the newline outside the coloration
* Add changelog fragment
(cherry picked from commit 2068131589)
* galaxy - preserve mode properly on artifact (#68418)
* galaxy - preserve mode properly on artifact
* Fix py2 encoding issue
* Update lib/ansible/galaxy/collection.py
Co-Authored-By: Matt Clay <matt@mystile.com>
* Use sane defaults instead of sourcing from tarfile
Co-authored-by: Matt Clay <matt@mystile.com>
(cherry picked from commit 127d54b363)
* added mode to dir creation that was missed in backport
* Fix implicit string - only looked right because of the vault __repr__
* Add tests for strings and implicit strings
(cherry picked from commit 8eb00dd14c)
* ansible-galaxy - optimise some paths and use fake galaxy int tests (#67685)
* ansible-galaxy - optimise some paths and use fake galaxy int tests
* Added init, built, and publish tests
* Test against both mocked Galaxy and AH server
* Finish off writing the install tests
* Fix up broken tests
* Rename test target and add migrated tests
* Use cloud provider for Galaxy implementation
* Added blank static config
* Use correct alias group
* Set release version and fix copy typo
* Remove reset step as it is no longer needed
* Use sane env var names for test container name
(cherry picked from commit 26129fcb80)
* Use --api-key and not --token
* Set fallaxy tests as a smoketest
(cherry picked from commit b241c021b7)
As AnsibleModule._log_invocation is currently implemented, any parameter
with a name that matches PASSWORD_MATCH triggers the no_log warning as a
precaution against parameters that may contain sensitive data, but have not
been marked as sensitive by the module author.
This patch would allow module authors to explicitly mark the aforementioned
parameters as not sensitive thereby bypassing an erroneous warning message,
while still catching parameters which have not been marked at all by the
author.
Adds tests for various no_log states including True, False, and None (as
extracted by AnsibleModule._log_invocation) when applied to an argument with
a name that matches PASSWORD_MATCH.
Fixes: #49465#64656
(cherry picked from commit 3ca4580cb4)
* nxos_interfaces: RMB state fixes
* shippable fixes
* Add add'l comments per review
* fix long line
* Fix mode/enabled system defaults handling
* fix N3L test skips
* lint
* test updates for titanium images
* doc fix
(cherry picked from commit d72025be75)
Add changelog for nxos_interfaces fix
Co-authored-by: Chris Van Heuveln <cvanheuv@cisco.com>
* Fixes#66478
* When no quantity is set, then candlepin server usually uses
default value 1. When more quantities are required, then
candlepin server can automatically choose correct minimal
value.
(cherry picked from commit 6f1bb37feb)
* Make banner detection non-greedy in ios_banner (#63092)
* Make banner detection non-greedy in ios_banner
* Added ios_banner unit test to detect bug #63091
* Corrected PEP8 errors
* Added integration test
* Corrected typo in integration test
(cherry picked from commit 01a92f0191)
* Added changelog fragment
* Update 66274-ios_banner_nongreedy.yml
Co-authored-by: kalimsshar <34369784+kalimsshar@users.noreply.github.com>
Co-authored-by: Matt Davis <nitzmahone@users.noreply.github.com>
* throttle tests: fix detection of parallel execution
The test wasn't able to detect if too many workers were running.
On my laptop:
- without this change, the 'throttle' target takes ~20 seconds
- with this change, the 'throttle' target takes ~70 seconds
- 1 second isn't long enough to encounter the issue
* Fix throttle test when strategy is 'free' based
'free' strategy allows multiple tasks to be executed in parallel: use
one 'throttledir' per task.
Use 'linear' strategy with a dedicated play for cleanup/setup tasks
* throttle: reset worker idx before queuing a new task
* TestStrategyBase: define task.throttle
otherwise '1' will be used instead of the default value due to the
following expression being equal to '1':
int(templar.template(task_mock.throttle))
Co-authored-by: James Cammarata <jimi@sngx.net>
(cherry picked from commit bbbdc1c25c)
* Fix fact gathering for sensor-groups (#66439)
(cherry picked from commit 5c158755fc)
Add changelog for nxos_telemetry fix
* Update 66439_fix_nxos_telemetry_facts.yaml
Co-authored-by: Mike Wiebe <mwiebe@cisco.com>
Co-authored-by: Matt Davis <nitzmahone@users.noreply.github.com>
On Python 2, leave all fds open since there is no mechanism to close specific fds with subprocess.Popen() on Python 2
Add unit tests.
Co-authored-by: Matt Martz <matt@sivel.net>
(cherry picked from commit 617fbad743)
Co-authored-by: Sam Doran <sdoran@redhat.com>
* Fix network action plugin load in collection
Fixes https://github.com/ansible/ansible/issues/65071
* Load network action plugin that matches the module
prefix name from list of collections.
* Update changelog
* Fix unit test
(cherry picked from commit 74e9b1e219)
This causes multiple unneeded http redirects.
Since each http redirect takes a few hundred
milliseconds, handling the redirects starts to
take up a significant amount of wall time.
Fixes: #63281
(cherry picked from commit d1c39b9068)
Co-authored-by: Adrian Likins <alikins@redhat.com>
* Fix multiple subnet (of same IP version) idempotence for docker_network.
* Add changelog.
* Unit tests no longer make sense, since the part of the code they test has been removed.
* Re-add CIDR validation. Move it to better position (module setup instead of idempotence check).
* Update changelog.
* Only run new tests on VM test images.
* Actually do what is documented. Especially since an empty object is a valid value for aux_addresses.
(cherry picked from commit 17ef253ad1)
* fix all modules to be able to get parameter with value false (very important fix) (#65040)
* add import of future and __metaclass__
* fix all modules to be able to get parameter with value false (very importent fix)
* Update ignore.txt
(cherry picked from commit b1e6667664)
* Update ignore.txt
* Create 65043-enable-parameter-value-to-be-false.yaml
* Update 65043-enable-parameter-value-to-be-false.yaml
* [stable-2.9] Do not treat AnsibleUndefined as being unsafe (#65202)
* Do not treat AnsibleUndefined as being unsafe. Fixes#65198
* fix yaml formatting.
(cherry picked from commit b08e7daf46)
Co-authored-by: Matt Martz <matt@sivel.net>
* Linting fix
* additional linting fix
Jordan Borean