Allow trusted for find_needle

In ansible find_needle is used for finding source files. This must be allowed also for roles from trusted repos. Change-Id: I0491bc08ba1869849a562bd5047253e60c40c7d7
2018-03-12 20:29:59 +01:00 · 2018-03-12 20:29:59 +01:00 · 1214b104d1
parent 035e034233
commit 1214b104d1
5 changed files with 24 additions and 3 deletions
--- a/tests/fixtures/config/remote-action-modules/git/common-config/roles/common-copy/files/common-file
+++ b/tests/fixtures/config/remote-action-modules/git/common-config/roles/common-copy/files/common-file
@ -0,0 +1 @@
+file
--- a/tests/fixtures/config/remote-action-modules/git/common-config/roles/common-copy/tasks/main.yaml
+++ b/tests/fixtures/config/remote-action-modules/git/common-config/roles/common-copy/tasks/main.yaml
@ -0,0 +1,9 @@
+- name: Create a destination directory for copied files
+  tempfile:
+    state: directory
+  register: destdir
+
+- name: Common copy
+  copy:
+    src: common-file
+    dest: "{{destdir.path}}/common-file"
--- a/tests/fixtures/config/remote-action-modules/git/org_project/playbooks/copy-good.yaml
+++ b/tests/fixtures/config/remote-action-modules/git/org_project/playbooks/copy-good.yaml
@ -1,4 +1,5 @@
 - hosts: all
  roles:
+    - common-copy
    - role: copy-test
      src_file: file
--- a/tests/remote/test_remote_action_modules.py
+++ b/tests/remote/test_remote_action_modules.py
@ -46,6 +46,8 @@ class TestActionModules(AnsibleZuulTestCase):
            - job:
                name: {job_name}
                run: playbooks/{job_name}.yaml
+                roles:
+                  - zuul: org/common-config
                nodeset:
                  nodes:
                    - name: controller
--- a/zuul/ansible/paths.py
+++ b/zuul/ansible/paths.py
@ -24,7 +24,9 @@ import ansible.plugins.lookup

 def _safe_find_needle(super, dirname, needle):
    result = super._find_needle(dirname, needle)
-    if not _is_safe_path(result):
+    # find_needle is only used for source files so it is safe to allow the
+    # trusted folder where trusted roles reside
+    if not _is_safe_path(result, allow_trusted=True):
        fail_dict = _fail_dict(_full_path(result))
        raise AnsibleError("{msg}. Invalid path: {path}".format(
            msg=fail_dict['msg'], path=fail_dict['path']))
@ -35,9 +37,15 @@ def _full_path(path):
    return os.path.realpath(os.path.abspath(os.path.expanduser(path)))


-def _is_safe_path(path):
+def _is_safe_path(path, allow_trusted=False):
    full_path = _full_path(path)
-    if not full_path.startswith(os.path.abspath(os.path.expanduser('~'))):
+    home_path = os.path.abspath(os.path.expanduser('~'))
+    if not full_path.startswith(home_path):
+        if allow_trusted:
+            trusted_path = os.path.abspath(
+                os.path.join(home_path, '../trusted'))
+            if full_path.startswith(trusted_path):
+                return True
        return False
    return True