From 1625c07b885fcf99adb9eade5e499b5258764e9d Mon Sep 17 00:00:00 2001
From: Ian Wienand
Date: Tue, 22 Sep 2020 13:26:29 +1000
Subject: [PATCH] Allow find on the executor

Allow the "find" module to run on the executor under allowed paths. We allow fileglob filter, so this seems like a natural related function.

Change-Id: Iab4fe4f9ef4efed38c38981f4f13e90ff0c1a76f
---
 .../notes/find-executor-cd3f110245c499c0.yaml | 4 ++++
 .../org_plugin-project/playbooks/find_local_bad.yaml | 5 +++++
 .../playbooks/find_local_good.yaml | 5 +++++
 tests/unit/test_v3.py | 2 ++
 zuul/ansible/base/action/normal.py | 12 ++++++++++++
 5 files changed, 28 insertions(+)
 create mode 100644 releasenotes/notes/find-executor-cd3f110245c499c0.yaml
 create mode 100644 tests/fixtures/config/ansible/git/org_plugin-project/playbooks/find_local_bad.yaml
 create mode 100644 tests/fixtures/config/ansible/git/org_plugin-project/playbooks/find_local_good.yaml
diff --git a/releasenotes/notes/find-executor-cd3f110245c499c0.yaml b/releasenotes/notes/find-executor-cd3f110245c499c0.yaml
new file mode 100644
index 0000000000..b3dc5bd351
--- /dev/null
+++ b/releasenotes/notes/find-executor-cd3f110245c499c0.yaml
@@ -0,0 +1,4 @@
+---
+features:
+ - |
+ The ``find`` module is now allowed to run on the executor.
diff --git a/tests/fixtures/config/ansible/git/org_plugin-project/playbooks/find_local_bad.yaml b/tests/fixtures/config/ansible/git/org_plugin-project/playbooks/find_local_bad.yaml
new file mode 100644
index 0000000000..c6eb4d7230
--- /dev/null
+++ b/tests/fixtures/config/ansible/git/org_plugin-project/playbooks/find_local_bad.yaml
@@ -0,0 +1,5 @@
+- hosts: localhost
+ tasks:
+ - name: Find in a bad location
+ find:
+ paths: '/tmp/'
diff --git a/tests/fixtures/config/ansible/git/org_plugin-project/playbooks/find_local_good.yaml b/tests/fixtures/config/ansible/git/org_plugin-project/playbooks/find_local_good.yaml
new file mode 100644
index 0000000000..2e9af5b900
--- /dev/null
+++ b/tests/fixtures/config/ansible/git/org_plugin-project/playbooks/find_local_good.yaml
@@ -0,0 +1,5 @@
+- hosts: localhost
+ tasks:
+ - name: Find in a good location
+ find:
+ paths: '{{ zuul.executor.work_root }}'
diff --git a/tests/unit/test_v3.py b/tests/unit/test_v3.py
index d236655792..5885bab61c 100644
--- a/tests/unit/test_v3.py
+++ b/tests/unit/test_v3.py
@@ -2841,6 +2841,8 @@ class FunctionalAnsibleMixIn(object):
 ('file_local_bad', 'FAILURE'),
 ('fileglob_local_good', 'SUCCESS'),
 ('fileglob_local_bad', 'FAILURE'),
+ ('find_local_good', 'SUCCESS'),
+ ('find_local_bad', 'FAILURE'),
 ('zuul_return', 'SUCCESS'),
 ('password_create_good', 'SUCCESS'),
 ('password_null_good', 'SUCCESS'),
diff --git a/zuul/ansible/base/action/normal.py b/zuul/ansible/base/action/normal.py
index c07c198894..d0329aed4b 100644
--- a/zuul/ansible/base/action/normal.py
+++ b/zuul/ansible/base/action/normal.py
@@ -103,3 +103,15 @@ class ActionModule(normal.ActionModule):
 path = self._task.args.get(arg)
 if path:
 paths._fail_if_unsafe(path)
+
+ def handle_find(self):
+ '''Allow find module on localhost if it doesn't traverse unsafe files.
+
+ The :ansible:module:`find` can be used from the executor to
+ gather a list of files.
+ '''
+ find_paths = self._task.args.get('paths')
+ if not isinstance(find_paths, list):
+ find_paths = (find_paths,)
+ for path in find_paths:
+ paths._fail_if_unsafe(path)
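Review bot: In tests/unit/test_v3.py the two added cases exercise only a single string value under `paths`, so the list branch of the new `handle_find` (`isinstance(find_paths, list)`) is never run. A fixture whose `paths` is a list holding one allowed and one disallowed directory, expected to end in `FAILURE`, would pin the per-element check. The enclosing list and `FunctionalAnsibleMixIn` start outside this hunk.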
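Review bot: In zuul/ansible/base/action/normal.py, `handle_find` reads only the `paths` key, while Ansible's find module also accepts that option under the aliases `path` and `name`, so a task written with an alias passes `None` to `paths._fail_if_unsafe`, whose handling of `None` is not visible in this hunk. Look the value up under all three names, e.g. `find_paths = next((self._task.args[k] for k in ('paths', 'path', 'name') if k in self._task.args), None)`, and fail the task explicitly when nothing is found. A string value is validated as one path although the module's list-typed option splits a comma-separated string, so split it the same way before checking each element. Only the starting directories are checked: with `follow` enabled the module can descend through symlinks that resolve outside them, so either reject `follow` on the executor or reword the docstring's "doesn't traverse unsafe files". The enclosing class and the method shown as context start above this hunk.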