Allow zuul_return in untrusted jobs
Whitelist zuul_return to allow untrusted jobs to run the task on the executor (localhost). Otherwise, only trusted jobs are able to use it. Change-Id: I768394251d7a2ee102883694bfc93845254e8514 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
parent
f67bdd0f35
commit
3316507181
|
@ -0,0 +1,5 @@
|
|||
---
|
||||
fixes:
|
||||
- |
|
||||
Untrusted playbooks no longer see 'Executing local code is prohibited' when
|
||||
using the zuul_return Ansible task.
|
6
tests/fixtures/config/ansible/git/org_plugin-project/playbooks/zuul_return.yaml
vendored
Normal file
|
@ -0,0 +1,6 @@
|
|||
- hosts: localhost
|
||||
tasks:
|
||||
- name: Execute zuul_return
|
||||
zuul_return:
|
||||
data:
|
||||
foo: bar
|
|
@ -2221,6 +2221,7 @@ class TestAnsible(AnsibleZuulTestCase):
|
|||
('block_local_override', 'FAILURE'),
|
||||
('file_local_good', 'SUCCESS'),
|
||||
('file_local_bad', 'FAILURE'),
|
||||
('zuul_return', 'SUCCESS'),
|
||||
]
|
||||
for job_name, result in plugin_tests:
|
||||
count += 1
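Review bot: The new `('zuul_return', 'SUCCESS')` entry only exercises the allowed path; nothing asserts that a module named zuul_return shipped inside the untrusted playbook (a role or playbook-local `library/` directory) is still rejected now that `_is_official_module` accepts additional library paths. A paired fixture in the pattern the existing `block_local_override` case appears to use, expecting `FAILURE`, would pin the negative side of this change, e.g. `('zuul_return_local_override', 'FAILURE'),`. The enclosing test method starts before this hunk.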
|
||||
|
|
|
@ -50,6 +50,10 @@ class ActionModule(normal.ActionModule):
|
|||
return True
|
||||
return False
|
||||
|
||||
def handle_zuul_return(self):
|
||||
'''Allow zuul_return module on localhost.'''
|
||||
pass
|
||||
|
||||
def handle_stat(self):
|
||||
'''Allow stat module on localhost if it doesn't touch unsafe files.
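Review bot: `handle_zuul_return` grants unconditional localhost execution of the module with only a one-line docstring, and the hunk does not show what zuul_return does on the executor, so the reason it is safe is not recorded anywhere a future reader will find it. Assuming the module writes only to the Zuul-managed result file and accepts no path or command from the playbook, the method should say so: `# Safe on the executor: zuul_return only records job data in the Zuul-managed result file and takes no filesystem path from the playbook.` — confirm this against the module before merging. Note that, unlike `handle_stat` below, no argument filtering happens here, so any future parameter on zuul_return that names a path would require revisiting this whitelist. The enclosing class starts before this hunk.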
|
||||
|
||||
|
|
|
@ -16,6 +16,7 @@
|
|||
import imp
|
||||
import os
|
||||
|
||||
from ansible import constants as C
|
||||
from ansible.errors import AnsibleError
|
||||
import ansible.modules
|
||||
import ansible.plugins.action
|
||||
|
@ -131,7 +132,10 @@ def _import_ansible_lookup_plugin(name):
|
|||
def _is_official_module(module):
|
||||
task_module_path = module._shared_loader_obj.module_loader.find_plugin(
|
||||
module._task.action)
|
||||
ansible_module_path = os.path.dirname(ansible.modules.__file__)
|
||||
ansible_module_paths = [os.path.dirname(ansible.modules.__file__)]
|
||||
# Also check library path in ansible.cfg for action plugins like
|
||||
# zuul_return.
|
||||
ansible_module_paths.extend(C.DEFAULT_MODULE_PATH)
|
||||
|
||||
# If the module is not beneath the main ansible library path that means
|
||||
# someone has included a module with a playbook or a role that has the
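Review bot: Extending the trusted prefixes with `C.DEFAULT_MODULE_PATH` makes every directory in the executor's ansible.cfg `library` setting an "official" module location, and the hunk does not show where those entries come from or whether they are normalized. If any entry is relative, unresolved, or writable by the job (for instance under the job work directory), a module dropped there by an untrusted playbook passes this check and runs on the executor. Suggest normalizing at construction, `ansible_module_paths.extend(os.path.realpath(p) for p in C.DEFAULT_MODULE_PATH)`, and recording the trust assumption next to it: `# Entries come from the executor-written ansible.cfg and must never point into a job-writable directory.` `_is_official_module` continues past this hunk.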
|
||||
|
@ -139,7 +143,10 @@ def _is_official_module(module):
|
|||
# local execution it's a problem because their version could subvert our
|
||||
# path checks and/or do other things on the local machine that we don't
|
||||
# want them to do.
|
||||
return task_module_path.startswith(ansible_module_path)
|
||||
for path in ansible_module_paths:
|
||||
if task_module_path.startswith(path):
|
||||
return True
|
||||
return False
|
||||
|
||||
|
||||
def _fail_module_dict(module_name):
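Review bot: The new loop's `task_module_path.startswith(path)` is a bare string-prefix test, so a sibling directory whose name merely extends a trusted path (e.g. `.../library` versus `.../library-extra`) is also accepted; the replaced single-path check had the same weakness, but it now applies to every configured library entry. Comparing against the directory with a trailing separator closes it: `if task_module_path.startswith(os.path.join(path, '')):`. Separately, if `find_plugin` can return None for an unknown action, the `startswith` call raises instead of returning False, which is pre-existing but worth a guard now that this function is the gate for more paths. `_is_official_module` starts before this hunk.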
|
||||
|
|