Filter secret ZUUL_ env variables from ansible env

Change-Id: I4c8df21399240fe32760f8af1d183ba3a237eede
2020-04-15 18:23:02 +02:00 · 2020-04-15 18:23:02 +02:00 · d919666778
commit d919666778
parent 0b946516a8
6 changed files with 60 additions and 1 deletions
--- a/releasenotes/notes/zuul-ansible-environment-secrets-983e8ced908b294d.yaml
+++ b/releasenotes/notes/zuul-ansible-environment-secrets-983e8ced908b294d.yaml
@ -0,0 +1,5 @@
+---
+security:
+  - |
+    Zuul no longer adds environment variables starting with the ``ZUUL_`` prefix
+    to ansibles environment which could result in secrets being exposed.
--- a/tests/fixtures/config/zuul-environment-filter/git/common-config/playbooks/zuul-environment-filter.yaml
+++ b/tests/fixtures/config/zuul-environment-filter/git/common-config/playbooks/zuul-environment-filter.yaml
@ -0,0 +1,10 @@
+- hosts: all
+  tasks:
+    - debug:
+        var: lookup('env', 'ZUUL_TEST_VAR')
+    - assert:
+        that: lookup('env', 'ZUUL_TEST_VAR') == ""
+    - debug:
+        var: lookup('env', 'TEST_VAR')
+    - assert:
+        that: lookup('env', 'TEST_VAR') == "not-empty"
--- a/tests/fixtures/config/zuul-environment-filter/git/common-config/zuul.yaml
+++ b/tests/fixtures/config/zuul-environment-filter/git/common-config/zuul.yaml
@ -0,0 +1,21 @@
+- pipeline:
+    name: promote
+    manager: supercedent
+    post-review: true
+    trigger:
+      gerrit:
+        - event: change-merged
+
+- job:
+    name: zuul-environment-filter
+    parent: null
+    run: playbooks/zuul-environment-filter.yaml
+    nodeset:
+      nodes:
+        - name: ubuntu-xenial
+          label: ubuntu-xenial
+
+- project:
+    promote:
+      jobs:
+        - zuul-environment-filter
--- a/tests/fixtures/config/zuul-environment-filter/main.yaml
+++ b/tests/fixtures/config/zuul-environment-filter/main.yaml
@ -0,0 +1,6 @@
+- tenant:
+    name: tenant-one
+    source:
+      gerrit:
+        config-projects:
+          - common-config
--- a/tests/unit/test_executor.py
+++ b/tests/unit/test_executor.py
@ -816,6 +816,21 @@ class TestExecutorFacts(AnsibleZuulTestCase):
        self.assertEqual(18, len(date_time))


+class TestExecutorEnvironment(AnsibleZuulTestCase):
+    tenant_config_file = 'config/zuul-environment-filter/main.yaml'
+
+    @mock.patch.dict('os.environ', {'ZUUL_TEST_VAR': 'some-value',
+                                    'TEST_VAR': 'not-empty'})
+    def test_zuul_environment_filter(self):
+        A = self.fake_gerrit.addFakeChange('common-config', 'master', 'A')
+        self.fake_gerrit.addEvent(A.getChangeMergedEvent())
+        self.waitUntilSettled()
+
+        self.assertEqual(
+            self.getJobFromHistory('zuul-environment-filter').result,
+            'SUCCESS')
+
+
 class TestExecutorStart(ZuulTestCase):
    tenant_config_file = 'config/single-tenant/main.yaml'

--- a/zuul/executor/server.py
+++ b/zuul/executor/server.py
@ -2117,7 +2117,9 @@ class AnsibleJob(object):
    def runAnsible(self, cmd, timeout, playbook, ansible_version,
                   wrapped=True, cleanup=False):
        config_file = playbook.ansible_config
-        env_copy = os.environ.copy()
+        env_copy = {key: value
+                    for key, value in os.environ.copy().items()
+                    if not key.startswith("ZUUL_")}
        env_copy.update(self.ssh_agent.env)
        if self.ara_callbacks:
            env_copy['ARA_LOG_CONFIG'] = self.jobdir.logging_json