From 3acc00a30eb967556e7e6484f17e1b9019d51c85 Mon Sep 17 00:00:00 2001
From: Tristan Cacqueray
Date: Tue, 3 Mar 2020 00:23:14 +0000
Subject: [PATCH] executor: do not blacklist host-vars for trusted context
This change lifts the host-vars blacklist for trusted context.
Change-Id: I59c2829adf2a641dc6761aed930ab28471432a9a
---
 .../notes/trusted-blacklist-removal-14c8434d70ab99f2.yaml | 5 +++++
 zuul/executor/server.py | 3 ++-
 2 files changed, 7 insertions(+), 1 deletion(-)
 create mode 100644 releasenotes/notes/trusted-blacklist-removal-14c8434d70ab99f2.yaml
diff --git a/releasenotes/notes/trusted-blacklist-removal-14c8434d70ab99f2.yaml b/releasenotes/notes/trusted-blacklist-removal-14c8434d70ab99f2.yaml
new file mode 100644
index 0000000000..ed3176a96c
--- /dev/null
+++ b/releasenotes/notes/trusted-blacklist-removal-14c8434d70ab99f2.yaml
@@ -0,0 +1,5 @@
+---
+security:
+ - |
+ The add_host host-vars blacklist is no longer effective for trusted
+ playbook.
diff --git a/zuul/executor/server.py b/zuul/executor/server.py
index fa004b408c..4282fd3174 100644
--- a/zuul/executor/server.py
+++ b/zuul/executor/server.py
@@ -2450,7 +2450,8 @@ class AnsibleJob(object):
 if self.executor_variables_file is not None:
 cmd.extend(['-e@%s' % self.executor_variables_file])
- cmd.extend(['-e', '@' + self.jobdir.ansible_vars_blacklist])
+ if not playbook.trusted:
+ cmd.extend(['-e', '@' + self.jobdir.ansible_vars_blacklist])
 self.emitPlaybookBanner(playbook, 'START', phase)
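Review bot: The new `if not playbook.trusted:` guard in zuul/executor/server.py switches off a security control with no comment saying what the extra-vars file protects against, and the diffstat shows no test accompanying it (only the release note and server.py change). I would put the rationale above the guard, for example `# Extra-vars take precedence over add_host/host vars, so this file pins the blacklisted names for untrusted playbooks; trusted playbooks may set them.` A trusted playbook can presumably still handle values that originate from untrusted jobs, so it is worth confirming that none of them can reach `add_host` host-vars before relying on `playbook.trusted` alone. A test asserting that the `-e @...` argument is present for an untrusted playbook and absent for a trusted one would pin both branches. The enclosing method starts and ends outside this hunk, so how `cmd` is built before and used after is not visible here.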