* adds year-round link to AnsibleFest from the Ansible docs index page
Co-authored-by: Alicia Cozine <acozine@users.noreply.github.com>
(cherry picked from commit ae3b8eec12)
* [stable-2.9] Change default file permissions so they are not world readable (#70221)
* Change default file permissions so they are not world readable
CVE-2020-1736
Set the default permissions for files we create with atomic_move() to 0o0660. Track
which files we create that did not exist and warn if the module supports 'mode'
and it was not specified and the module did not call set_mode_if_different(). This allows the user to take action and specify a mode rather than using the defaults.
A code audit is needed to find all instances of modules that call atomic_move()
but do not call set_mode_if_different(). The findings need to be documented in
a changelog since we are not warning. Warning in those instances would be frustrating
to the user since they have no way to change the module code.
- use a set for storing list of created files
- just check the argument spac and params rather than using another property
- improve the warning message to include the default permissions.
(cherry picked from commit 5260527c4a)
Co-authored-by: Sam Doran <sdoran@redhat.com>
* Fix jboss test
* Fix lamdba_policy test
* Fix aws_lamdba test
* Fix warning for new default permissions when mode is not specified (#70976)
Follow up to #70221
Related to #67794
CVE-2020-1736
When set_mode_if_different() is called with mode of 'None', ensure we issue
a warning about the change in default permissions.
Add integration tests to ensure the warning works properly.
* Fix tests
- actually use custom module 🤦♂️
- verify file permission on created files
- use remote_tmp_dir so we're ready for split controller
- improve test module so we can skip the call to set_fs_attributes_if_different()
- fix tests for CentOS 6
(cherry-picked from commit dc79528cc6)
* Use new category in changelog fragments
* Add boilerplate snippet into `examples/`
It is a partial backport of #70224
(partially cherry picked from commit 4816bb4f43)
* Refactor Python API examples and docs
PR #70446: it's a follow-up for #70445.
It includes a merge of `examples/scripts/uptime.py` and a similar
code snippet from `docs/docsite/rst/dev_guide/developing_api.rst`.
This patch also changes the docs RST file to include contents of
the example file instead of holding a copy of a similar code.
(cherry picked from commit 20bb915092)
Previous version initialized the `TaskQueueManager` after calling
`Play.load()` while advertising a way to inject a custom library
location path. This caused the tasks loader not to find any custom
modules because it was triggered before the path was actually added
to the module loader.
This patch changes the order of the operations to ensure that the
customized `context.CLIARGS` actually influences things.
Resolves https://github.com/ansible/ansible/issues/69758.
(cherry picked from commit 8d97c8c222)
As Molecule started to use https://github.com/ansible-community/molecule/discussions we need to update documentation before retiring
the molecule-users mailing list.
(cherry picked from commit b7ee07215d)
Co-authored-by: Sorin Sbarnea <ssbarnea@users.noreply.github.com>
Lightbulb is deprecated in favor of https://ansible.github.io/workshops/. Update links accordingly.
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
(cherry picked from commit e4f48c920c)
* Allow tasks to notify a fqcn handler name
* Add tests. Fixes#68181
* Add changelog fragment
* Add test to ensure handlers are deduped properly with fqcn, role, and just handler names
* Add some docs about new special vars
(cherry picked from commit 087be1da50)
Co-authored-by: Matt Martz <matt@sivel.net>
wrong module path for module_utils.basic in developing_modules_best_practices.rst
(cherry picked from commit ff98ecc4d0)
Co-authored-by: usatosi <usatosi@e-mail.jp>
With collections migration, inventory scripts are moved from devel (2.10).
Point docs for inventory script to their respective version.
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
* Remove the params module option from ldap_attr and ldap_entry
Module options that circumvent Ansible's option handling were disallowed
in:
https://meetbot.fedoraproject.org/ansible-meeting/2017-09-28/ansible_dev_meeting.2017-09-28-15.00.log.html
Additionally, this particular usage can be insecure if bind_pw is set
this way as the password could end up in a logfile or displayed on
stdout.
Fixes CVE-2020-1746
(cherry picked from commit 0ff609f1bc)
* Fix formatting for option names
Co-Authored-By: Felix Fontein <felix@fontein.de>
* Fix fail_json
* fix indentation error
Co-authored-by: Toshio Kuratomi <a.badger@gmail.com>
Co-authored-by: Felix Fontein <felix@fontein.de>
Fixed sphinx theme to navigate "Edit on Github" link to locate correct
plugin, cli source in GitHub repo.
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
(cherry picked from commit 2728c2476e)
As AnsibleModule._log_invocation is currently implemented, any parameter
with a name that matches PASSWORD_MATCH triggers the no_log warning as a
precaution against parameters that may contain sensitive data, but have not
been marked as sensitive by the module author.
This patch would allow module authors to explicitly mark the aforementioned
parameters as not sensitive thereby bypassing an erroneous warning message,
while still catching parameters which have not been marked at all by the
author.
Adds tests for various no_log states including True, False, and None (as
extracted by AnsibleModule._log_invocation) when applied to an argument with
a name that matches PASSWORD_MATCH.
Fixes: #49465#64656
(cherry picked from commit 3ca4580cb4)
Use "name" when possible rather than "src" to make the examples
of roles and collections in a single requirements files more
coherenant. Fundamentally, roles and collections are completely different.
But we can make the requiremets file easier to read by unifying the
format as much as possible.
(cherry picked from commit 6c70959131)
Co-authored-by: Sam Doran <sdoran@redhat.com>
* add info on creating doc fragments in a collection
Co-authored-by: Alicia Cozine <879121+acozine@users.noreply.github.com>
(cherry picked from commit 4dd2513371)
* Fix netconf plugin related to collections
Fixes#65655 (partly)
* Make netconf plugins configurable so that the
information of ncclient device handler
for give platform resides in the platform
specific netconf plugin.
* If the device handler value in ncclient is
different from the ansible_network_os value
the right value of `ncclient_device_handler`
should be set in the plugin documentation.
* Fix review comments
* Fix CI issue
* Fix review comment
(cherry picked from commit 1cfab26fab)
* Remove duplicated and broken link to Roles (#64991)
(cherry picked from commit f198036d7f)
* Fix link to Roles (#64992)
(cherry picked from commit 1d0a832692)
* fix collection broken links (#65010)
(cherry picked from commit 2749090bc6)
* Fix validate-modules support for collections.
- Relative imports now work correctly.
- The collection loader is now used.
- Modules are invoked as `__main__`.
* Remove obsolete validate-modules code ignores.
* Handle sys.exit in validate-modules.
* Add check for AnsibleModule initialization.
* Remove `missing-module-utils-import` check.
This check does not support relative imports or collections.
Instead of trying to overhaul the test, we can rely on the `ansible-module-not-initialized` test instead.
* Fix badly named error codes with `c#` in the name.
The `#` conflicts with comments in the sanity test ignore files.
* Add changelog entries.
(cherry picked from commit e9f8a34dce)
Co-authored-by: Matt Clay <matt@mystile.com>
Sandra McCann