Merge "Safely add Ansible password lookup plugin"

tests/fixtures/config/ansible/git/org_plugin-project/playbooks/password_create_bad.yaml

@@ -0,0 +1,5 @@
+- hosts: all
+  vars:
+    value: "{{ lookup('password', '/etc/passwd') }}"
+  tasks:
+    - debug: msg="value is {{ value }}"

tests/fixtures/config/ansible/git/org_plugin-project/playbooks/password_create_good.yaml

@@ -0,0 +1,5 @@
+- hosts: all
+  vars:
+    value: "{{ lookup('password', '{{ zuul.executor.work_root }}/test.newpassword') }}"
+  tasks:
+    - debug: msg="value is {{ value }}"

tests/fixtures/config/ansible/git/org_plugin-project/playbooks/password_null_good.yaml

@@ -0,0 +1,5 @@
+- hosts: all
+  vars:
+    value: "{{ lookup('password', '/dev/null') }}"
+  tasks:
+    - debug: msg="value is {{ value }}"

tests/fixtures/config/ansible/git/org_plugin-project/playbooks/password_read_bad.yaml

@@ -0,0 +1,5 @@
+- hosts: all
+  vars:
+    value: "{{ lookup('password', '/etc/passwd') }}"
+  tasks:
+    - debug: msg="value is {{ value }}"

tests/fixtures/config/ansible/git/org_plugin-project/playbooks/password_read_good.yaml

@@ -0,0 +1,10 @@
+- hosts: all
+  tasks:
+    - copy:
+        content: 'an_example_password'
+        dest: "{{zuul.executor.work_root}}/test.password"
+- hosts: all
+  vars:
+    value: "{{ lookup('password', '{{zuul.executor.work_root}}/test.password') }}"
+  tasks:
+    - debug: msg="value is {{ value }}"

tests/unit/test_v3.py

@@ -2555,7 +2555,7 @@ class TestAnsible25(AnsibleZuulTestCase):
 
     def test_playbook(self):
         # This test runs a bit long and needs extra time.
-        self.wait_timeout = 240
+        self.wait_timeout = 300
         # Keep the jobdir around so we can inspect contents if an
         # assert fails.
         self.executor_server.keep_jobdir = True
@@ -2706,7 +2706,13 @@ class TestAnsible25(AnsibleZuulTestCase):
             ('file_local_good', 'SUCCESS'),
             ('file_local_bad', 'FAILURE'),
             ('zuul_return', 'SUCCESS'),
+            ('password_create_good', 'SUCCESS'),
+            ('password_null_good', 'SUCCESS'),
+            ('password_read_good', 'SUCCESS'),
+            ('password_create_bad', 'FAILURE'),
+            ('password_read_bad', 'FAILURE'),
         ]
+
         for job_name, result in plugin_tests:
             count += 1
             self._add_job(job_name)

zuul/ansible/base/lookup/password.py

@@ -1 +0,0 @@
-_banned.py

zuul/ansible/base/lookup/password.py

@@ -0,0 +1,30 @@
+# Copyright 2019 OpenStack Foundation
+#
+# This module is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This software is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this software.  If not, see <http://www.gnu.org/licenses/>.
+
+
+from zuul.ansible import paths
+password = paths._import_ansible_lookup_plugin("password")
+
+
+class LookupModule(password.LookupModule):
+
+    def run(self, terms, variables, **kwargs):
+        for term in terms:
+            relpath = password._parse_parameters(term)[0]
+            # /dev/null is whitelisted because it's interpreted specially
+            if relpath != "/dev/null":
+                path = self._loader.path_dwim(relpath)
+                paths._fail_if_unsafe(path, allow_trusted=True)
+        return super(LookupModule, self).run(terms, variables, **kwargs)