Commit Graph

2089 Commits (9f0130e2c3bb1d48d8291dc889dc1ccd64c6b61b)

Author SHA1 Message Date
Antoine Pietri 9f0130e2c3 module_utils: require X_OK when checking cwd sanity
Every time an Ansible module is run, it checks that it is running from a
"sane" working directory, a.k.a where it has the permission to be. This
is because when running commands, it might temporarily change its
working directory, then later restore pop the cwd to the previous one.

Therefore, if the module is not run from a working directory where it
has the permission to be, the module will execute fine, but then fail
when trying to restore to the previous directory.

Up until now the way this cwd "sanity" was checked was by checking for
the F_OK and R_OK permissions, which respectively check that the
directory exists and is readable. However, this is actually not
sufficient to check whether you can cwd to it! You also need to check
for X_OK, which for directories mean that the directory is searchable.

See for example:

>>> cwd = os.getcwd()
>>> cwd
'/root'
>>> os.access(cwd, os.F_OK | os.R_OK)
True
>>> os.access(cwd, os.F_OK | os.R_OK | os.X_OK)
False
>>> os.chdir(cwd)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
PermissionError: [Errno 13] Permission denied: '/root'

Basically, this means that Ansible will fail every time you run a
"become" command from a directory with the mode o+r-x.

This commit fixes this issue by adding a requirement for X_OK when
checking the sanity of the current working directory.
5 years ago
Matt Clay a050d892d8 Remove obsolete vcenter setup from ansible-test. 5 years ago
Chih-Hsuan Yen bd4fdb1ca2
service_facts: fix for systemd 245 (#68211)
* service_facts: fix for systemd 245

Since systemd 245, `systemctl list-unit-files` comes with a new column
"VENDOR PRESET" [1] and breaks the service_facts module:

$ ansible localhost -m service_facts
localhost | FAILED! => {
    "changed": false,
    "msg": "Malformed output discovered from systemd list-unit-files: auditd.service                             disabled        disabled     "
}

This patch drops the third column to make it work with old and new
systemd. With the new slice operation, IndexError instead of ValueError
is raised if the output contains less than 2 columns.

Test plan: running `ansible-test integration -v service_facts` on
up-to-date Arch Linux

[1] https://github.com/systemd/systemd/pull/14445

* add changelog

Signed-off-by: Rick Elrod <rick@elrod.me>

Co-authored-by: Rick Elrod <rick@elrod.me>
5 years ago
Matt Clay d7da1d9bd0 Fix ansible-test coverage constraints. 5 years ago
Abhijeet Kasurde 572fe9e480
Adjust Openstack Inventory script path (#69058) 5 years ago
Abhijeet Kasurde fce66b9707
Openstack inventory script moved to openstack.cloud (#68908)
Openstack dynamic inventory script is moved from community.general to
openstack.cloud, adjust the bot meta accordingly.

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
5 years ago
Sylvia van Os 3f47610d94
Don't crash ansible-vault create when no arguments (#68667)
* Don't crash ansible-vault create when no arguments

* Add changelog entry
5 years ago
Jesse Pretorius (odyssey4me) da390b297e [pip] Enable virtualenv_command to have arguments
Currently if virtualenv_command has arguments, then the
search for the binary in the path does not work so the
user has to specify the full path to it.

To allow arguments to be used without having to specify
the path to the binary, we split the module argument into
the command and anything after the first space.

This makes using this module argument more flexible and
user friendly.

Fixes: #52275
5 years ago
Matt Martz f27c417fc4
Use Templar for galaxy skeletons (#69106)
* Use Templar for galaxy skeletons. Fixes #69104

* Update checksum, our templar doesn't remove trailing newline, jinja2 seems to remove it
5 years ago
Adam Miller 8b30360ca9
fixed handling of releasever for all known scenarios (#69057)
Signed-off-by: Adam Miller <admiller@redhat.com>
5 years ago
Rick Elrod cace616aab
Filter BLACKLIST_EXTS in PluginLoader (#69029)
Change:
Rather than hardcoding .pyo and .pyc, filter on all BLACKLIST_EXTS in
the non-legacy logic of PluginLoader (_find_fq_plugin). The two harcoded
extensions are part of BLACKLIST_EXTS already and this simply adds the
rest of the blacklisted extensions to the check.

In addition, check .endswith() instead of an exact match of the suffix,
like everywhere else that uses BLACKLIST_EXTS. This allows for
blacklisting, for example, emacs's backup files which can appear after
any extension, leading to things like `foo.py~`.

Test Plan:
Ran `ansible-playbook` against a collection where a `foo.py~` module was
getting executed instead of `foo.py` which also appeared in the same
directory. `foo.py~` is no longer executed.

Tickets:
Fixes #22268
Refs #27235

Signed-off-by: Rick Elrod <rick@elrod.me>
5 years ago
Matt Martz da98fc267a
Allow a collection role to call a standalone role by default (#69102)
* Allow a collection role to call a standalone role by default. Fixes #69101

* tweaked changelog text

* Guard against NoneType

Co-authored-by: Matt Davis <nitzmahone@users.noreply.github.com>
5 years ago
rwagnergit 977b58740b
update ActionBase._low_level_execute_command to honor executable (#68315)
* update ActionBase._low_level_execute_command to honor executable

* adding changelog fragment

* renaming changelog fragment to .yml

* noop change to bump shippable

* adding raw_executable integration test

* copying aliases from raw

* removing blank lines

* skipping aix and freebsd

* noop to bump shippable

* moving tests to raw/

* removing become_method: sudo ; it doesn't work on AIX

* removing trailing blank line

* forcing become_method: su to try to get AIX to work

Co-authored-by: Rob Wagner <rob.wagner@sas.com>
5 years ago
Rick Elrod 2a90e9b615 Fix incorrect CVE reference in changelog fragment
Change:
This corrects an incorrect CVE identifier in the changelog entry for
CVE-2020-1735.

Test Plan:
N/A

Tickets:
Refs #67793, #68720

Signed-off-by: Rick Elrod <rick@elrod.me>
5 years ago
David Shrewsbury af44bd4ddd
Fix --start-at-task when skipping tasks with no name (#68951)
Using --start-at-task on a playbook with tasks with no name would fail
if those unnamed tasks were encountered before the targetted start task.
5 years ago
Martin Krizek cb389f6c31
Prevent rewriting nested Block's data in filter_tagged_tasks (#68337)
This patch fixes the issue where nested Block copies were created from
incorrect Block object. This resulted in nested Blocks data like ``name``
or ``_uuid`` to contain values from the Block the filter_tagged_tasks
method was called on.
5 years ago
Matt Clay 122743ae30
Update ansible-test handling of delegation paths. (#69056) 5 years ago
Brian Coca d3cab602a5
Fix fileglob when using 'file*' vs 'stuff/file*' (#68945)
* Fix fileglob when using 'file*' vs 'stuff/file*'

 when not having dir in glob, files/ subdir was being ignored.

* tests for fileglob
5 years ago
Abhijeet Kasurde 3591451bc7
include_role: Strictly check string datatype for *_from (#68958)
Strictly check string datatype for 'tasks_from', 'vars_from',
'defaults_from', and 'handlers_from' in include_role

Fixes: #68515

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
5 years ago
Brian Coca ac509d489b
Revert "stricter permissions on atomic_move when creating new file (#68970)" (#68983)
This reverts commit 566f2467f6.
5 years ago
Brian Coca 566f2467f6
stricter permissions on atomic_move when creating new file (#68970)
fixes #67794
  updated some tests that expected previous defaults
  CVE-2020-1736
5 years ago
Jordan Borean de6b047fc3
Add variable for DEFAULT_NO_TARGET_SYSLOG (#68971)
* Add variable for DEFAULT_NO_TARGET_SYSLOG

* Added version_added to new var
5 years ago
Jordan Borean 702949e64c
windows - fix up env var quoting for unicode single quotes (#68968)
* windows - fix up env var quoting for unicode single quotes

* Add sanity ignore check for smart quotes
5 years ago
Yanis Guenane 46d82179d8
Testing: Add support for CentOS Linux On Power platform (#68130)
* Testing: Add CentOS Linux On Power platform

* Add arch designation to remotes.

This avoids overloading the provider with the arch.

Also add a changelog entry.

Co-authored-by: Matt Clay <matt@mystile.com>
5 years ago
Abhijeet Kasurde 6493a190f6
docs: Update inventory script paths (#68905)
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
5 years ago
Sam Doran cdb24e0078
ansible-galaxy - fix listing specific role and role description (#67409)
* ansible-galaxy - fix listing specific role

If the role was not in the first search path, it was reported as not found

* Properly display role description

Default to description to top level description, falling back to the description from within galaxy_info

* Display proper message when a role does not exist

* Add integration tests

* Use context manager

* BSD and macOS ruining all the fun
5 years ago
Martin Krizek ff1ba39c8a
Prevent templating unused variables for {%include%} (#68749)
Fixes #68699
5 years ago
Mads Jensen eaf648e600
Use context manager in yum module. (#65376) 5 years ago
Brian Coca 8077d8e401
avoid mkdir -p (#68921)
* also consolidated temp dir name generation, added pid for more 'uniqness'
* generalize error message
* added notes about remote expansion

CVE-2020-1733
fixes #67791
5 years ago
David Shrewsbury 18a66e291d
Force collections to be static (#68723)
* Force collections to be static

Templating of collection names does not work at all. Force them to
be static so that a warning is generated for the user.

* Add collectionsearch unit test and fix for reviews

New unit test validates the new _load_collections() code and moves
the new check to the end of the method.

* Change unit test to pytest

* Adjust unit test to use capsys instead of monkeypatch

* Fix pep8 error

* Add changelog fragment

Closes #68704
5 years ago
Sloane Hertel d91658ec0c
subversion module - provide password securely when possible or warn (#67829)
* subversion module - provide password securely with svn command line option --password-from-stdin when possible, and provide a warning otherwise.
* Update lib/ansible/modules/source_control/subversion.py.
* Add a test.

Co-authored-by: Sam Doran <sdoran@redhat.com>
5 years ago
Zhanwei Wang 1097694355
get_url pass incorrect If-Modified-Since header(#67417) (#67419)
Fix #67417. HTTP header value of `If-Modified-Since` set by `get_url` does not follow HTTP protocol.
5 years ago
Matt Clay a095172130 Fix ansible-test --docker without tests dir. 5 years ago
Matt Martz d86d20a378
Fix label lookup in the default callback for includes (#68822)
* Replace included_file._args w/ included_file._vars

* Fix item value in output of include_tasks loop

Signed-off-by: Yadnyawalk Tale <ytale@redhat.com>

* Update tests for loop callback fix. Add changelog

Co-authored-by: Yadnyawalk Tale <ytale@redhat.com>

Fixes #65904
Fixes #66018
5 years ago
Abhijeet Kasurde 0f8937f2ed
basic: Update required library message (#68657)
Updated missing_required_lib API message.

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
5 years ago
Felix Fontein bae5f18f5c
ansible-test: don't trigger full CI run for changes to changelogs/ and docs/ in collections (#68550)
* Don't trigger full CI run for changes to changelogs/ and docs/ in collections.

* Add changelog fragment.

* Update changelogs/fragments/68550-ansible-test-docs-changelogs.yml

Co-Authored-By: Matt Clay <matt@mystile.com>

Co-authored-by: Matt Clay <matt@mystile.com>
5 years ago
Rick Elrod 38b7ceb75a
Update docker.txt to use the OpenSUSE 15.1 container image (devel edition) (#68785)
* Update docker.txt to use the OpenSUSE 15.1 container image

Signed-off-by: Rick Elrod <rick@elrod.me>

* handle installing mysql on suse

Signed-off-by: Rick Elrod <rick@elrod.me>

* add changelog fragment

Signed-off-by: Rick Elrod <rick@elrod.me>

* Update changelogs/fragments/ansible-test-opensuse-15.1.yml

Co-Authored-By: Matt Clay <matt@mystile.com>

Co-authored-by: Matt Clay <matt@mystile.com>
5 years ago
Matt Clay 04edd77c42
Update tests to use RHEL 7.8. (#68787)
* Update tests to use RHEL 7.8.

Keeping support for RHEL 7.6 since collections are still using it.

* Fix tests for RHEL 7.7+ due to extras repo name change.
5 years ago
Chris Holland c9c1146cc8
dnf: remove un-needed function (#68482) 5 years ago
Brian Coca ba87c225cd
fixed fetch traversal from slurp (#68720)
* fixed fetch traversal from slurp

  * ignore slurp result for dest
  * fixed naming when source is relative
  * fixed bug in local connection plugin
  * added tests with fake slurp
  * moved existing role tests into runme.sh
  * normalized on action excepts
  * moved dest transform down to when needed
  * added is_subpath check
  * fixed bug in local connection

fixes #67793

CVE-2019-3828
5 years ago
Matt Martz 087be1da50
Allow tasks to notify a fqcn handler name (#68213)
* Allow tasks to notify a fqcn handler name

* Add tests. Fixes #68181

* Add changelog fragment

* Add test to ensure handlers are deduped properly with fqcn, role, and just handler names

* Add some docs about new special vars
5 years ago
Toshio Kuratomi 4f8e98d322 Update changelogs/fragments/allow-fail-json-msg-to-be-positional.yaml
Co-Authored-By: Matt Martz <matt@sivel.net>
5 years ago
Toshio Kuratomi e0e7713fd8 Fix yaml in changelog 5 years ago
Toshio Kuratomi 6531ba38f8 Allow the msg argument to fail_json() to be a positional argument
fial_json() requires a message be given to it to inform the end user of
why the module failed.  Prior to this commit, the message had to be a
keyword argument:

    module.fail_json(msg='Failed due to error')

Since this is a required parameter, this commit allows the message to be
given as a positional argument instead:

   module.fail_json('Failed due to an error')
5 years ago
Matt Clay 148e83f832
Fix ansible-test submodule handling. (#68759)
* Refactor ansible-test integration test.
* Add env --list-files option.
* Add tests for collection files tracked by git.
* Fix ansible-test submodule usage on older git.
* Fix submodule directory detection as files.
* Improve handling of nested source control.
5 years ago
Rick Elrod 13aef3c2e5
Add --docker-terminate flag to ansible-test (#68688)
* Add --docker-terminate flag to ansible-test

Signed-off-by: Rick Elrod <rick@elrod.me>
5 years ago
Rick Elrod 4916be24fd
[git] make force=True apply to git fetches (#68691)
Fixes #67972

Signed-off-by: Rick Elrod <rick@elrod.me>
5 years ago
Matt Martz 123c624b28
Always set the discovered interpreter on the delegated host (#64906)
* Always set the discovered interpreter on the delegated host. Fixes #63180

* Make code a little more generic

* Move code into a function

* Implement some changes based on reviews

* Add changelog fragment
5 years ago
Rick Elrod 82c60db49b
pip - Fix check_mode for prerelease packages (#68690)
* pip - Fix check_mode for prerelease packages

Fixes #68592.

Signed-off-by: Rick Elrod <rick@elrod.me>
Co-authored-by: Matt Martz <matt@sivel.net>
5 years ago
Brian Coca 28f9fbdb5e
safely use vault to edit secrets (#68644)
* when possible, use filedescriptors from mkstemp to avoid race
  * when using path strings, ensure we are always creating the file

CVE-2020-1740
Fixes #67798

Co-authored-by: samdoran
5 years ago