David Wilson
8 years ago
commit
b1c7afa948
@ -0,0 +1,15 @@
|
||||
|
||||
Feel free to write an issue in your preferred format, however if in doubt, use
|
||||
the following checklist as a guide for what to include.
|
||||
|
||||
* Have you tried the latest master version from Git?
|
||||
* Mention your host and target OS and versions
|
||||
* Mention your host and target Python versions
|
||||
* If reporting a performance issue, mention the number of targets and a rough
|
||||
description of your workload (lots of copies, lots of tiny file edits, etc.)
|
||||
* If reporting a crash or hang in Ansible, please rerun with -vvvv and include
|
||||
the last 200 lines of output, along with a full copy of any traceback or
|
||||
error text in the log. Beware "-vvvv" may include secret data! Edit as
|
||||
necessary before posting.
|
||||
* If reporting any kind of problem with Ansible, please include the Ansible
|
||||
version along with output of "ansible-config dump --only-changed".
|
||||
@ -1,4 +1,4 @@
|
||||
|
||||
# Mitogen
|
||||
|
||||
<!-- [](https://travis-ci.org/dw/mitogen}) -->
|
||||
<a href="https://mitogen.readthedocs.io/">Please see the documentation</a>.
|
||||
|
||||
@ -0,0 +1,84 @@
|
||||
# Copyright 2017, David Wilson
|
||||
#
|
||||
# Redistribution and use in source and binary forms, with or without
|
||||
# modification, are permitted provided that the following conditions are met:
|
||||
#
|
||||
# 1. Redistributions of source code must retain the above copyright notice,
|
||||
# this list of conditions and the following disclaimer.
|
||||
#
|
||||
# 2. Redistributions in binary form must reproduce the above copyright notice,
|
||||
# this list of conditions and the following disclaimer in the documentation
|
||||
# and/or other materials provided with the distribution.
|
||||
#
|
||||
# 3. Neither the name of the copyright holder nor the names of its contributors
|
||||
# may be used to endorse or promote products derived from this software without
|
||||
# specific prior written permission.
|
||||
#
|
||||
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
|
||||
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
|
||||
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
||||
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
||||
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
||||
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
||||
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||
# POSSIBILITY OF SUCH DAMAGE.
|
||||
|
||||
"""
|
||||
Classes to detect each case from [0] and prepare arguments necessary for the
|
||||
corresponding Runner class within the target, including preloading requisite
|
||||
files/modules known missing.
|
||||
|
||||
[0] "Ansible Module Architecture", developing_program_flow_modules.html
|
||||
"""
|
||||
|
||||
from __future__ import absolute_import
|
||||
from __future__ import unicode_literals
|
||||
|
||||
import mitogen.core
|
||||
|
||||
|
||||
def parse_script_interpreter(source):
|
||||
"""
|
||||
Parse the script interpreter portion of a UNIX hashbang using the rules
|
||||
Linux uses.
|
||||
|
||||
:param str source: String like "/usr/bin/env python".
|
||||
|
||||
:returns:
|
||||
Tuple of `(interpreter, arg)`, where `intepreter` is the script
|
||||
interpreter and `arg` is its sole argument if present, otherwise
|
||||
:py:data:`None`.
|
||||
"""
|
||||
# Find terminating newline. Assume last byte of binprm_buf if absent.
|
||||
nl = source.find(b'\n', 0, 128)
|
||||
if nl == -1:
|
||||
nl = min(128, len(source))
|
||||
|
||||
# Split once on the first run of whitespace. If no whitespace exists,
|
||||
# bits just contains the interpreter filename.
|
||||
bits = source[0:nl].strip().split(None, 1)
|
||||
if len(bits) == 1:
|
||||
return mitogen.core.to_text(bits[0]), None
|
||||
return mitogen.core.to_text(bits[0]), mitogen.core.to_text(bits[1])
|
||||
|
||||
|
||||
def parse_hashbang(source):
|
||||
"""
|
||||
Parse a UNIX "hashbang line" using the syntax supported by Linux.
|
||||
|
||||
:param str source: String like "#!/usr/bin/env python".
|
||||
|
||||
:returns:
|
||||
Tuple of `(interpreter, arg)`, where `intepreter` is the script
|
||||
interpreter and `arg` is its sole argument if present, otherwise
|
||||
:py:data:`None`.
|
||||
"""
|
||||
# Linux requires first 2 bytes with no whitespace, pretty sure it's the
|
||||
# same everywhere. See binfmt_script.c.
|
||||
if not source.startswith(b'#!'):
|
||||
return None, None
|
||||
|
||||
return parse_script_interpreter(source[2:])
|
||||
@ -0,0 +1,43 @@
|
||||
# Copyright 2017, David Wilson
|
||||
#
|
||||
# Redistribution and use in source and binary forms, with or without
|
||||
# modification, are permitted provided that the following conditions are met:
|
||||
#
|
||||
# 1. Redistributions of source code must retain the above copyright notice,
|
||||
# this list of conditions and the following disclaimer.
|
||||
#
|
||||
# 2. Redistributions in binary form must reproduce the above copyright notice,
|
||||
# this list of conditions and the following disclaimer in the documentation
|
||||
# and/or other materials provided with the distribution.
|
||||
#
|
||||
# 3. Neither the name of the copyright holder nor the names of its contributors
|
||||
# may be used to endorse or promote products derived from this software without
|
||||
# specific prior written permission.
|
||||
#
|
||||
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
|
||||
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
|
||||
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
||||
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
||||
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
||||
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
||||
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||
# POSSIBILITY OF SUCH DAMAGE.
|
||||
|
||||
import os.path
|
||||
import sys
|
||||
|
||||
try:
|
||||
import ansible_mitogen.connection
|
||||
except ImportError:
|
||||
base_dir = os.path.dirname(__file__)
|
||||
sys.path.insert(0, os.path.abspath(os.path.join(base_dir, '../../..')))
|
||||
del base_dir
|
||||
|
||||
import ansible_mitogen.connection
|
||||
|
||||
|
||||
class Connection(ansible_mitogen.connection.Connection):
|
||||
transport = 'mitogen_doas'
|
||||
@ -0,0 +1,118 @@
|
||||
# Copyright 2017, David Wilson
|
||||
#
|
||||
# Redistribution and use in source and binary forms, with or without
|
||||
# modification, are permitted provided that the following conditions are met:
|
||||
#
|
||||
# 1. Redistributions of source code must retain the above copyright notice,
|
||||
# this list of conditions and the following disclaimer.
|
||||
#
|
||||
# 2. Redistributions in binary form must reproduce the above copyright notice,
|
||||
# this list of conditions and the following disclaimer in the documentation
|
||||
# and/or other materials provided with the distribution.
|
||||
#
|
||||
# 3. Neither the name of the copyright holder nor the names of its contributors
|
||||
# may be used to endorse or promote products derived from this software without
|
||||
# specific prior written permission.
|
||||
#
|
||||
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
|
||||
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
|
||||
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
||||
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
||||
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
||||
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
||||
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||
# POSSIBILITY OF SUCH DAMAGE.
|
||||
|
||||
import logging
|
||||
import os
|
||||
|
||||
import mitogen.core
|
||||
import mitogen.parent
|
||||
from mitogen.core import b
|
||||
|
||||
|
||||
LOG = logging.getLogger(__name__)
|
||||
|
||||
|
||||
class PasswordError(mitogen.core.StreamError):
|
||||
pass
|
||||
|
||||
|
||||
class Stream(mitogen.parent.Stream):
|
||||
create_child = staticmethod(mitogen.parent.hybrid_tty_create_child)
|
||||
child_is_immediate_subprocess = False
|
||||
|
||||
#: Once connected, points to the corresponding TtyLogStream, allowing it to
|
||||
#: be disconnected at the same time this stream is being torn down.
|
||||
tty_stream = None
|
||||
|
||||
username = 'root'
|
||||
password = None
|
||||
doas_path = 'doas'
|
||||
password_prompt = b('Password:')
|
||||
incorrect_prompts = (
|
||||
b('doas: authentication failed'),
|
||||
)
|
||||
|
||||
def construct(self, username=None, password=None, doas_path=None,
|
||||
password_prompt=None, incorrect_prompts=None, **kwargs):
|
||||
super(Stream, self).construct(**kwargs)
|
||||
if username is not None:
|
||||
self.username = username
|
||||
if password is not None:
|
||||
self.password = password
|
||||
if doas_path is not None:
|
||||
self.doas_path = doas_path
|
||||
if password_prompt is not None:
|
||||
self.password_prompt = password_prompt.lower()
|
||||
if incorrect_prompts is not None:
|
||||
self.incorrect_prompts = map(str.lower, incorrect_prompts)
|
||||
|
||||
def connect(self):
|
||||
super(Stream, self).connect()
|
||||
self.name = u'doas.' + mitogen.core.to_text(self.username)
|
||||
|
||||
def on_disconnect(self, broker):
|
||||
self.tty_stream.on_disconnect(broker)
|
||||
super(Stream, self).on_disconnect(broker)
|
||||
|
||||
def get_boot_command(self):
|
||||
bits = [self.doas_path, '-u', self.username, '--']
|
||||
bits = bits + super(Stream, self).get_boot_command()
|
||||
LOG.debug('doas command line: %r', bits)
|
||||
return bits
|
||||
|
||||
password_incorrect_msg = 'doas password is incorrect'
|
||||
password_required_msg = 'doas password is required'
|
||||
|
||||
def _connect_bootstrap(self, extra_fd):
|
||||
self.tty_stream = mitogen.parent.TtyLogStream(extra_fd, self)
|
||||
|
||||
password_sent = False
|
||||
it = mitogen.parent.iter_read(
|
||||
fds=[self.receive_side.fd, extra_fd],
|
||||
deadline=self.connect_deadline,
|
||||
)
|
||||
|
||||
for buf in it:
|
||||
LOG.debug('%r: received %r', self, buf)
|
||||
if buf.endswith(self.EC0_MARKER):
|
||||
self._ec0_received()
|
||||
return
|
||||
if any(s in buf.lower() for s in self.incorrect_prompts):
|
||||
if password_sent:
|
||||
raise PasswordError(self.password_incorrect_msg)
|
||||
elif self.password_prompt in buf.lower():
|
||||
if self.password is None:
|
||||
raise PasswordError(self.password_required_msg)
|
||||
if password_sent:
|
||||
raise PasswordError(self.password_incorrect_msg)
|
||||
LOG.debug('sending password')
|
||||
self.tty_stream.transmit_side.write(
|
||||
mitogen.core.to_text(self.password + '\n').encode('utf-8')
|
||||
)
|
||||
password_sent = True
|
||||
raise mitogen.core.StreamError('bootstrap failed')
|
||||
@ -1,4 +1,5 @@
|
||||
- import_playbook: remote_file_exists.yml
|
||||
- import_playbook: remote_expand_user.yml
|
||||
- import_playbook: low_level_execute_command.yml
|
||||
- import_playbook: make_tmp_path.yml
|
||||
- import_playbook: transfer_data.yml
|
||||
|
||||
@ -0,0 +1,104 @@
|
||||
# related to issue 301. Essentially ensure remote_expand_user does not support
|
||||
# $HOME expansion.
|
||||
|
||||
- name: integration/action/remote_expand_user.yml
|
||||
hosts: test-targets
|
||||
any_errors_fatal: true
|
||||
tasks:
|
||||
- name: "Find out root's homedir."
|
||||
# Runs first because it blats regular Ansible facts with junk, so
|
||||
# non-become run fixes that up.
|
||||
setup: gather_subset=min
|
||||
become: true
|
||||
register: root_facts
|
||||
|
||||
- name: "Find regular homedir"
|
||||
setup: gather_subset=min
|
||||
register: user_facts
|
||||
|
||||
# ------------------------
|
||||
|
||||
- name: "Expand ~/foo"
|
||||
action_passthrough:
|
||||
method: _remote_expand_user
|
||||
kwargs:
|
||||
path: '~/foo'
|
||||
sudoable: false
|
||||
register: out
|
||||
- assert:
|
||||
that: out.result == '{{user_facts.ansible_facts.ansible_user_dir}}/foo'
|
||||
|
||||
- name: "Expand ~/foo with become active. ~ is become_user's home."
|
||||
action_passthrough:
|
||||
method: _remote_expand_user
|
||||
kwargs:
|
||||
path: '~/foo'
|
||||
sudoable: false
|
||||
register: out
|
||||
become: true
|
||||
- assert:
|
||||
that: out.result == '{{user_facts.ansible_facts.ansible_user_dir}}/foo'
|
||||
|
||||
- name: "Expand ~user/foo"
|
||||
action_passthrough:
|
||||
method: _remote_expand_user
|
||||
kwargs:
|
||||
path: '~{{ansible_user_id}}/foo'
|
||||
sudoable: false
|
||||
register: out
|
||||
- assert:
|
||||
that: out.result == '{{user_facts.ansible_facts.ansible_user_dir}}/foo'
|
||||
|
||||
- name: "Expanding $HOME/foo has no effect."
|
||||
action_passthrough:
|
||||
method: _remote_expand_user
|
||||
kwargs:
|
||||
path: '$HOME/foo'
|
||||
sudoable: false
|
||||
register: out
|
||||
- assert:
|
||||
that: out.result == '$HOME/foo'
|
||||
|
||||
# ------------------------
|
||||
|
||||
- name: "sudoable; Expand ~/foo"
|
||||
action_passthrough:
|
||||
method: _remote_expand_user
|
||||
kwargs:
|
||||
path: '~/foo'
|
||||
sudoable: true
|
||||
register: out
|
||||
- assert:
|
||||
that: out.result == '{{user_facts.ansible_facts.ansible_user_dir}}/foo'
|
||||
|
||||
- name: "sudoable; Expand ~/foo with become active. ~ is become_user's home."
|
||||
action_passthrough:
|
||||
method: _remote_expand_user
|
||||
kwargs:
|
||||
path: '~/foo'
|
||||
sudoable: true
|
||||
register: out
|
||||
become: true
|
||||
|
||||
- assert:
|
||||
that: out.result == '{{root_facts.ansible_facts.ansible_user_dir}}/foo'
|
||||
|
||||
- name: "sudoable; Expand ~user/foo"
|
||||
action_passthrough:
|
||||
method: _remote_expand_user
|
||||
kwargs:
|
||||
path: '~{{ansible_user_id}}/foo'
|
||||
sudoable: true
|
||||
register: out
|
||||
- assert:
|
||||
that: out.result == '{{user_facts.ansible_facts.ansible_user_dir}}/foo'
|
||||
|
||||
- name: "sudoable; Expanding $HOME/foo has no effect."
|
||||
action_passthrough:
|
||||
method: _remote_expand_user
|
||||
kwargs:
|
||||
path: '$HOME/foo'
|
||||
sudoable: true
|
||||
register: out
|
||||
- assert:
|
||||
that: out.result == '$HOME/foo'
|
||||
@ -0,0 +1,19 @@
|
||||
# https://github.com/dw/mitogen/issues/291
|
||||
- name: integration/runner/custom_bash_hashbang_argument.yml
|
||||
hosts: test-targets
|
||||
any_errors_fatal: true
|
||||
tasks:
|
||||
|
||||
- custom_bash_old_style_module:
|
||||
foo: true
|
||||
with_sequence: start=1 end={{end|default(1)}}
|
||||
register: out
|
||||
vars:
|
||||
ansible_bash_interpreter: "/usr/bin/env RUN_VIA_ENV=yes bash"
|
||||
|
||||
- assert:
|
||||
that: |
|
||||
(not out.changed) and
|
||||
(not out.results[0].changed) and
|
||||
out.results[0].msg == 'Here is my input' and
|
||||
out.results[0].run_via_env == "yes"
|
||||
@ -0,0 +1,50 @@
|
||||
# issue #309: ensure process environment is restored after a module runs.
|
||||
|
||||
|
||||
- name: integration/runner/environment_isolation.yml
|
||||
hosts: test-targets
|
||||
any_errors_fatal: true
|
||||
gather_facts: true
|
||||
tasks:
|
||||
|
||||
# ---
|
||||
# Verify custom env setting is cleared out.
|
||||
# ---
|
||||
|
||||
# Verify sane state first.
|
||||
- custom_python_detect_environment:
|
||||
register: out
|
||||
- assert:
|
||||
that: not out.env.evil_key is defined
|
||||
|
||||
- shell: echo 'hi'
|
||||
environment:
|
||||
evil_key: evil
|
||||
|
||||
# Verify environment was cleaned up.
|
||||
- custom_python_detect_environment:
|
||||
register: out
|
||||
- assert:
|
||||
that: not out.env.evil_key is defined
|
||||
|
||||
|
||||
# ---
|
||||
# Verify non-explicit module env mutations are cleared out.
|
||||
# ---
|
||||
|
||||
# Verify sane state first.
|
||||
- custom_python_detect_environment:
|
||||
register: out
|
||||
- assert:
|
||||
that: not out.env.evil_key is defined
|
||||
|
||||
- custom_python_modify_environ:
|
||||
key: evil_key
|
||||
val: evil
|
||||
|
||||
# Verify environment was cleaned up.
|
||||
- custom_python_detect_environment:
|
||||
register: out
|
||||
- assert:
|
||||
that: not out.env.evil_key is defined
|
||||
|
||||
@ -0,0 +1,22 @@
|
||||
#!/usr/bin/python
|
||||
# I am an Ansible new-style Python module. I modify the process environment and
|
||||
# don't clean up after myself.
|
||||
|
||||
from ansible.module_utils.basic import AnsibleModule
|
||||
|
||||
import os
|
||||
import pwd
|
||||
import socket
|
||||
import sys
|
||||
|
||||
|
||||
def main():
|
||||
module = AnsibleModule(argument_spec={
|
||||
'key': {'type': str},
|
||||
'val': {'type': str}
|
||||
})
|
||||
os.environ[module.params['key']] = module.params['val']
|
||||
module.exit_json(msg='Muahahaha!')
|
||||
|
||||
if __name__ == '__main__':
|
||||
main()
|
||||
@ -0,0 +1,21 @@
|
||||
This banner tests Mitogen's ability to differentiate the word 'password'
|
||||
appearing in a login banner, and 'password' appearing in a password prompt.
|
||||
|
||||
This system is for the use of authorized users only. Individuals using this
|
||||
computer system without authority or in excess of their authority are subject
|
||||
to having all of their activities on this system monitored and recorded by
|
||||
system personnel.
|
||||
|
||||
In the course of monitoring this system with regard to any unauthorized or
|
||||
improper use or in the course of system maintenance the system personnel may
|
||||
have insights into regular business activity.
|
||||
|
||||
Anyone using this system expressly consents to such monitoring and is advised
|
||||
that if such monitoring reveals possible evidence of improper activity, system
|
||||
personnel may provide the evidence of such monitoring to internal Compliance
|
||||
and Security Officers who will - in the case of criminal offences - relay such
|
||||
incidents to law enforcement officials.
|
||||
|
||||
**************************************************************
|
||||
NOTE: This system is connected to DOMAIN.COM,
|
||||
please use your password.
|
||||
@ -0,0 +1,12 @@
|
||||
#!/bin/bash
|
||||
# This script exists to test the behavior of Stream.python_path being set to a
|
||||
# list. It sets an environmnt variable that we can detect, then executes any
|
||||
# arguments passed to it.
|
||||
export EXECUTED_VIA_ENV_WRAPPER=1
|
||||
if [ "${1:0:1}" == "-" ]; then
|
||||
exec "$PYTHON" "$@"
|
||||
else
|
||||
export ENV_WRAPPER_FIRST_ARG="$1"
|
||||
shift
|
||||
exec "$@"
|
||||
fi
|
||||
Loading…
Reference in New Issue