Allow zuul_return in untrusted jobs

Whitelist zuul_return to allow untrusted jobs to run the task on the executor (localhost). Otherwise, only trusted jobs are only able to use it. Change-Id: I768394251d7a2ee102883694bfc93845254e8514 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2018-06-13 12:56:05 -04:00 · 2018-06-13 12:56:05 -04:00 · 3316507181
parent f67bdd0f35
commit 3316507181
5 changed files with 25 additions and 2 deletions
--- a/releasenotes/notes/whitelist-zuul-return-bd78bf3e598e85f6.yaml
+++ b/releasenotes/notes/whitelist-zuul-return-bd78bf3e598e85f6.yaml
@ -0,0 +1,5 @@
+---
+fixes:
+  - |
+    Untrusted playbooks no longer see 'Executing local code is prohibited' when
+    using the zuul_return Ansible task.
--- a/tests/fixtures/config/ansible/git/org_plugin-project/playbooks/zuul_return.yaml
+++ b/tests/fixtures/config/ansible/git/org_plugin-project/playbooks/zuul_return.yaml
@ -0,0 +1,6 @@
+- hosts: localhost
+  tasks:
+    - name: Execute zuul_return
+      zuul_return:
+        data:
+          foo: bar
--- a/tests/unit/test_v3.py
+++ b/tests/unit/test_v3.py
@ -2221,6 +2221,7 @@ class TestAnsible(AnsibleZuulTestCase):
            ('block_local_override', 'FAILURE'),
            ('file_local_good', 'SUCCESS'),
            ('file_local_bad', 'FAILURE'),
+            ('zuul_return', 'SUCCESS'),
        ]
        for job_name, result in plugin_tests:
            count += 1
--- a/zuul/ansible/action/normal.py
+++ b/zuul/ansible/action/normal.py
@ -50,6 +50,10 @@ class ActionModule(normal.ActionModule):
            return True
        return False

+    def handle_zuul_return(self):
+        '''Allow zuul_return module on localhost.'''
+        pass
+
    def handle_stat(self):
        '''Allow stat module on localhost if it doesn't touch unsafe files.

--- a/zuul/ansible/paths.py
+++ b/zuul/ansible/paths.py
@ -16,6 +16,7 @@
 import imp
 import os

+from ansible import constants as C
 from ansible.errors import AnsibleError
 import ansible.modules
 import ansible.plugins.action
@ -131,7 +132,10 @@ def _import_ansible_lookup_plugin(name):
 def _is_official_module(module):
    task_module_path = module._shared_loader_obj.module_loader.find_plugin(
        module._task.action)
-    ansible_module_path = os.path.dirname(ansible.modules.__file__)
+    ansible_module_paths = [os.path.dirname(ansible.modules.__file__)]
+    # Also check library path in ansible.cfg for action plugins like
+    # zuul_return.
+    ansible_module_paths.extend(C.DEFAULT_MODULE_PATH)

    # If the module is not beneath the main ansible library path that means
    # someone has included a module with a playbook or a role that has the
@ -139,7 +143,10 @@ def _is_official_module(module):
    # local execution it's a problem because their version could subvert our
    # path checks and/or do other things on the local machine that we don't
    # want them to do.
-    return task_module_path.startswith(ansible_module_path)
+    for path in ansible_module_paths:
+        if task_module_path.startswith(path):
+            return True
+    return False


 def _fail_module_dict(module_name):