Add linting rule to enforce no-same-owner policy

Change-Id: I92c66a21be95935d11fc8e9887d9d91c645d28d4
This commit is contained in:
Albin Vass 2020-05-13 09:19:03 +02:00
parent aeca4e34e3
commit 3d4f3a3a28
17 changed files with 163 additions and 12 deletions

View File

@ -0,0 +1,81 @@
import re
from ansiblelint import AnsibleLintRule
class ZuulJobsNoSameOwner(AnsibleLintRule):
id = 'ZUULJOBS0002'
shortdesc = 'Owner should not be kept between executor and remote'
description = """
Since there is no way to guarantee that the user and or group on the remote
node also exist on the executor and vice versa, owner and group should not
be preserved when transfering files between them.
See:
https://zuul-ci.org/docs/zuul-jobs/policy.html\
#preservation-of-owner-between-executor-and-remote
"""
tags = {'zuul-jobs-no-same-owner'}
def matchplay(self, file, play):
results = []
if file.get('type') not in ('tasks',
'handlers',
'playbooks'):
return results
results.extend(self.handle_play(play))
return results
def handle_play(self, task):
results = []
if 'block' in task:
results.extend(self.handle_playlist(task['block']))
else:
results.extend(self.handle_task(task))
return results
def handle_playlist(self, playlist):
results = []
for play in playlist:
results.extend(self.handle_play(play))
return results
def handle_task(self, task):
results = []
if 'synchronize' in task:
if self.handle_synchronize(task):
results.append(("", self.shortdesc))
elif 'unarchive' in task:
if self.handle_unarchive(task):
results.append(("", self.shortdesc))
return results
def handle_synchronize(self, task):
if task.get('delegate_to') is not None:
return False
synchronize = task['synchronize']
archive = synchronize.get('archive', True)
if synchronize.get('owner', archive) or\
synchronize.get('group', archive):
return True
return False
def handle_unarchive(self, task):
unarchive = task['unarchive']
delegate_to = task.get('delegate_to')
if delegate_to == 'localhost' or\
delegate_to != 'localhost' and 'remote_src' not in unarchive:
if unarchive['src'].endswith('zip'):
if '-X' in unarchive.get('extra_opts', []):
return True
if re.search(r'.*\.tar(\.(gz|bz2|xz))?$', unarchive['src']):
if '--no-same-owner' not in unarchive.get('extra_opts', []):
return True
return False

View File

@ -219,20 +219,30 @@ group should not be preserved when transfering files between them.
For example when using the synchronize module set owner and group For example when using the synchronize module set owner and group
to ``false``:: to ``false``::
synchronize: - name: valid
dest: /tmp/log.txt synchronize:
src: /tmp/log.txt dest: /tmp/log.txt
owner: false src: /tmp/log.txt
group: false owner: false
group: false
And when using the unarchive module add ``--no-same-owner`` to When using the unarchive module add ``--no-same-owner`` to extra_opts
extra-ops:: when handling tarballs and do not use ``-X`` when handling zipfiles::
- name: valid
unarchive:
dest: ~/example
src: /tmp/example.tar.gz
extra_opts:
- '--no-same-owner'
- name: faulty
unarchive:
dest: ~/example
src: /tmp/example.zip
extra_opts:
- '-X'
unarchive:
dest: ~/example
src: /tmp/example.tar.gz
extra_ops:
- '--no-same-owner'
Testing Testing
------- -------

View File

@ -0,0 +1,4 @@
- block:
- synchronize:
src: dummy
dest: dummy

View File

@ -0,0 +1,5 @@
- block:
- block:
- synchronize:
src: dummy
dest: dummy

View File

@ -0,0 +1,3 @@
- synchronize:
src: dummy
dest: dummy

View File

@ -0,0 +1,3 @@
- unarchive:
src: "{{ file }}.tar.bz2"
dest: "dummy"

View File

@ -0,0 +1,4 @@
- unarchive:
src: "{{ file }}.tar.bz2"
dest: "dummy"
delegate_to: localhost

View File

@ -0,0 +1,3 @@
- unarchive:
src: "{{ file }}.tar.gz"
dest: "dummy"

View File

@ -0,0 +1,3 @@
- unarchive:
src: "{{ file }}.tar"
dest: "dummy"

View File

@ -0,0 +1,3 @@
- unarchive:
src: "{{ file }}.tar.xz"
dest: "dummy"

View File

@ -0,0 +1,6 @@
- unarchive:
src: "{{ file }}.zip"
dest: dummy
extra_opts:
- '-X'

View File

@ -0,0 +1,5 @@
- unarchive:
src: "{{ file }}.zip"
dest: dummy
extra_opts:
- '-X'

View File

@ -0,0 +1,4 @@
- synchronize:
src: dummy
dest: dummy
delegate_to: localhost

View File

@ -0,0 +1,5 @@
- synchronize:
src: dummy
dest: dummy
owner: no
group: no

View File

@ -0,0 +1,5 @@
- unarchive:
src: "{{ file }}.tar.gz"
dest: dummy
extra_opts:
- '--no-same-owner'

View File

@ -0,0 +1,4 @@
- unarchive:
src: "{{ file }}.tar.xz"
dest: "dummy"
remote_src: true

View File

@ -0,0 +1,3 @@
- unarchive:
src: "{{ file }}"
dest: "dummy"