Add linting rule to enforce no-same-owner policy
Change-Id: I92c66a21be95935d11fc8e9887d9d91c645d28d4
This commit is contained in:
parent
aeca4e34e3
commit
3d4f3a3a28
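--- /dev/null
+++ b/.rules/ZuulJobsNoSameOwner.py
@@ -0,0 +1,81 @@
+import re
+
+from ansiblelint import AnsibleLintRule
+
+
+class ZuulJobsNoSameOwner(AnsibleLintRule):
+
+    id = 'ZUULJOBS0002'
+    shortdesc = 'Owner should not be kept between executor and remote'
+    description = """
+Since there is no way to guarantee that the user and or group on the remote
+node also exist on the executor and vice versa, owner and group should not
+be preserved when transfering files between them.
+
+See:
+https://zuul-ci.org/docs/zuul-jobs/policy.html\
+#preservation-of-owner-between-executor-and-remote
+"""
+
+    tags = {'zuul-jobs-no-same-owner'}
+
+    def matchplay(self, file, play):
+        results = []
+        if file.get('type') not in ('tasks',
+                                    'handlers',
+                                    'playbooks'):
+            return results
+
+        results.extend(self.handle_play(play))
+        return results
+
+    def handle_play(self, task):
+        results = []
+        if 'block' in task:
+            results.extend(self.handle_playlist(task['block']))
+        else:
+            results.extend(self.handle_task(task))
+        return results
+
+    def handle_playlist(self, playlist):
+        results = []
+        for play in playlist:
+            results.extend(self.handle_play(play))
+        return results
+
+    def handle_task(self, task):
+        results = []
+        if 'synchronize' in task:
+            if self.handle_synchronize(task):
+                results.append(("", self.shortdesc))
+        elif 'unarchive' in task:
+            if self.handle_unarchive(task):
+                results.append(("", self.shortdesc))
+
+        return results
+
+    def handle_synchronize(self, task):
+        if task.get('delegate_to') is not None:
+            return False
+
+        synchronize = task['synchronize']
+        archive = synchronize.get('archive', True)
+
+        if synchronize.get('owner', archive) or\
+           synchronize.get('group', archive):
+            return True
+        return False
+
+    def handle_unarchive(self, task):
+        unarchive = task['unarchive']
+        delegate_to = task.get('delegate_to')
+
+        if delegate_to == 'localhost' or\
+           delegate_to != 'localhost' and 'remote_src' not in unarchive:
+            if unarchive['src'].endswith('zip'):
+                if '-X' in unarchive.get('extra_opts', []):
+                    return True
+            if re.search(r'.*\.tar(\.(gz|bz2|xz))?$', unarchive['src']):
+                if '--no-same-owner' not in unarchive.get('extra_opts', []):
+                    return True
+        return False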
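Review bot: `handle_play` descends only into the `block` key, so tasks listed under a block's `rescue:` or `always:` lists are never handed to `handle_task` and a `synchronize`/`unarchive` placed there is not checked by this rule; iterating all three task-list keys, as below, closes that gap. In `handle_unarchive`, `'remote_src' not in unarchive` tests key presence only, so an explicit `remote_src: false` (archive copied from the executor) skips the check — `not unarchive.get('remote_src', False)` matches the intent, with a templated value still left to the author to decide. The tarball regex also omits the `.tgz`/`.tbz2`/`.txz` suffixes that tar treats the same way, so those archives are not checked for `--no-same-owner`; whether the policy means to cover them should be confirmed.
```python
    def handle_play(self, task):
        results = []
        # rescue/always carry task lists exactly like block does
        nested = [k for k in ('block', 'rescue', 'always') if k in task]
        if nested:
            for key in nested:
                results.extend(self.handle_playlist(task[key]))
        else:
            results.extend(self.handle_task(task))
        return results
```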
@ -219,20 +219,30 @@ group should not be preserved when transfering files between them.
|
|||||||
For example when using the synchronize module set owner and group
|
For example when using the synchronize module set owner and group
|
||||||
to ``false``::
|
to ``false``::
|
||||||
|
|
||||||
synchronize:
|
- name: valid
|
||||||
dest: /tmp/log.txt
|
synchronize:
|
||||||
src: /tmp/log.txt
|
dest: /tmp/log.txt
|
||||||
owner: false
|
src: /tmp/log.txt
|
||||||
group: false
|
owner: false
|
||||||
|
group: false
|
||||||
|
|
||||||
And when using the unarchive module add ``--no-same-owner`` to
|
When using the unarchive module add ``--no-same-owner`` to extra_opts
|
||||||
extra-ops::
|
when handling tarballs and do not use ``-X`` when handling zipfiles::
|
||||||
|
|
||||||
|
- name: valid
|
||||||
|
unarchive:
|
||||||
|
dest: ~/example
|
||||||
|
src: /tmp/example.tar.gz
|
||||||
|
extra_opts:
|
||||||
|
- '--no-same-owner'
|
||||||
|
|
||||||
|
- name: faulty
|
||||||
|
unarchive:
|
||||||
|
dest: ~/example
|
||||||
|
src: /tmp/example.zip
|
||||||
|
extra_opts:
|
||||||
|
- '-X'
|
||||||
|
|
||||||
unarchive:
|
|
||||||
dest: ~/example
|
|
||||||
src: /tmp/example.tar.gz
|
|
||||||
extra_ops:
|
|
||||||
- '--no-same-owner'
|
|
||||||
|
|
||||||
Testing
|
Testing
|
||||||
-------
|
-------
|
||||||
|
@ -0,0 +1,4 @@
|
|||||||
|
- block:
|
||||||
|
- synchronize:
|
||||||
|
src: dummy
|
||||||
|
dest: dummy
|
@ -0,0 +1,5 @@
|
|||||||
|
- block:
|
||||||
|
- block:
|
||||||
|
- synchronize:
|
||||||
|
src: dummy
|
||||||
|
dest: dummy
|
@ -0,0 +1,3 @@
|
|||||||
|
- synchronize:
|
||||||
|
src: dummy
|
||||||
|
dest: dummy
|
@ -0,0 +1,3 @@
|
|||||||
|
- unarchive:
|
||||||
|
src: "{{ file }}.tar.bz2"
|
||||||
|
dest: "dummy"
|
@ -0,0 +1,4 @@
|
|||||||
|
- unarchive:
|
||||||
|
src: "{{ file }}.tar.bz2"
|
||||||
|
dest: "dummy"
|
||||||
|
delegate_to: localhost
|
@ -0,0 +1,3 @@
|
|||||||
|
- unarchive:
|
||||||
|
src: "{{ file }}.tar.gz"
|
||||||
|
dest: "dummy"
|
@ -0,0 +1,3 @@
|
|||||||
|
- unarchive:
|
||||||
|
src: "{{ file }}.tar"
|
||||||
|
dest: "dummy"
|
@ -0,0 +1,3 @@
|
|||||||
|
- unarchive:
|
||||||
|
src: "{{ file }}.tar.xz"
|
||||||
|
dest: "dummy"
|
@ -0,0 +1,6 @@
|
|||||||
|
- unarchive:
|
||||||
|
src: "{{ file }}.zip"
|
||||||
|
dest: dummy
|
||||||
|
extra_opts:
|
||||||
|
- '-X'
|
||||||
|
|
@ -0,0 +1,5 @@
|
|||||||
|
- unarchive:
|
||||||
|
src: "{{ file }}.zip"
|
||||||
|
dest: dummy
|
||||||
|
extra_opts:
|
||||||
|
- '-X'
|
@ -0,0 +1,4 @@
|
|||||||
|
- synchronize:
|
||||||
|
src: dummy
|
||||||
|
dest: dummy
|
||||||
|
delegate_to: localhost
|
@ -0,0 +1,5 @@
|
|||||||
|
- synchronize:
|
||||||
|
src: dummy
|
||||||
|
dest: dummy
|
||||||
|
owner: no
|
||||||
|
group: no
|
@ -0,0 +1,5 @@
|
|||||||
|
- unarchive:
|
||||||
|
src: "{{ file }}.tar.gz"
|
||||||
|
dest: dummy
|
||||||
|
extra_opts:
|
||||||
|
- '--no-same-owner'
|
@ -0,0 +1,4 @@
|
|||||||
|
- unarchive:
|
||||||
|
src: "{{ file }}.tar.xz"
|
||||||
|
dest: "dummy"
|
||||||
|
remote_src: true
|
@ -0,0 +1,3 @@
|
|||||||
|
- unarchive:
|
||||||
|
src: "{{ file }}"
|
||||||
|
dest: "dummy"
|