Add linting rule to enforce no-same-owner policy
Change-Id: I92c66a21be95935d11fc8e9887d9d91c645d28d4
parent
aeca4e34e3
commit
3d4f3a3a28
81
.rules/ZuulJobsNoSameOwner.py
@ -0,0 +1,81 @@
|
||||
import re
|
||||
|
||||
from ansiblelint import AnsibleLintRule
|
||||
|
||||
|
||||
class ZuulJobsNoSameOwner(AnsibleLintRule):
|
||||
|
||||
id = 'ZUULJOBS0002'
|
||||
shortdesc = 'Owner should not be kept between executor and remote'
|
||||
description = """
|
||||
Since there is no way to guarantee that the user and or group on the remote
|
||||
node also exist on the executor and vice versa, owner and group should not
|
||||
be preserved when transfering files between them.
|
||||
|
||||
See:
|
||||
https://zuul-ci.org/docs/zuul-jobs/policy.html\
|
||||
#preservation-of-owner-between-executor-and-remote
|
||||
"""
|
||||
|
||||
tags = {'zuul-jobs-no-same-owner'}
|
||||
|
||||
def matchplay(self, file, play):
|
||||
results = []
|
||||
if file.get('type') not in ('tasks',
|
||||
'handlers',
|
||||
'playbooks'):
|
||||
return results
|
||||
|
||||
results.extend(self.handle_play(play))
|
||||
return results
|
||||
|
||||
def handle_play(self, task):
|
||||
results = []
|
||||
if 'block' in task:
|
||||
results.extend(self.handle_playlist(task['block']))
|
||||
else:
|
||||
results.extend(self.handle_task(task))
|
||||
return results
|
||||
|
||||
def handle_playlist(self, playlist):
|
||||
results = []
|
||||
for play in playlist:
|
||||
results.extend(self.handle_play(play))
|
||||
return results
|
||||
|
||||
def handle_task(self, task):
|
||||
results = []
|
||||
if 'synchronize' in task:
|
||||
if self.handle_synchronize(task):
|
||||
results.append(("", self.shortdesc))
|
||||
elif 'unarchive' in task:
|
||||
if self.handle_unarchive(task):
|
||||
results.append(("", self.shortdesc))
|
||||
|
||||
return results
|
||||
|
||||
def handle_synchronize(self, task):
|
||||
if task.get('delegate_to') is not None:
|
||||
return False
|
||||
|
||||
synchronize = task['synchronize']
|
||||
archive = synchronize.get('archive', True)
|
||||
|
||||
if synchronize.get('owner', archive) or\
|
||||
synchronize.get('group', archive):
|
||||
return True
|
||||
return False
|
||||
|
||||
def handle_unarchive(self, task):
|
||||
unarchive = task['unarchive']
|
||||
delegate_to = task.get('delegate_to')
|
||||
|
||||
if delegate_to == 'localhost' or\
|
||||
delegate_to != 'localhost' and 'remote_src' not in unarchive:
|
||||
if unarchive['src'].endswith('zip'):
|
||||
if '-X' in unarchive.get('extra_opts', []):
|
||||
return True
|
||||
if re.search(r'.*\.tar(\.(gz|bz2|xz))?$', unarchive['src']):
|
||||
if '--no-same-owner' not in unarchive.get('extra_opts', []):
|
||||
return True
|
||||
return False
|
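Review bot: handle_play only descends into `task['block']` (the `if 'block' in task` branch), so synchronize/unarchive tasks placed in a block's `rescue:` or `always:` lists are never inspected and the rule silently reports nothing for them; iterating all three sections closes the gap, e.g. `for section in ('block', 'rescue', 'always'): results.extend(self.handle_playlist(task.get(section, [])))`. In handle_unarchive, `'remote_src' not in unarchive` tests key presence rather than value, so a task that spells out `remote_src: false` (the module's default) is treated as a remote-source unarchive and skipped; and because `delegate_to != 'localhost'` is just the negation of the first term, the whole condition reduces to `if delegate_to == 'localhost' or not unarchive.get('remote_src', False):`. The synchronize module also accepts its arguments as a single key=value string, in which case `synchronize.get('archive', True)` would raise AttributeError instead of producing a finding — worth confirming whether ansible-lint normalizes that form to a dict before the play reaches matchplay. The description string still reads "transfering"; the same typo appears in the policy document this commit edits.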
@ -219,20 +219,30 @@ group should not be preserved when transfering files between them.
|
||||
For example when using the synchronize module set owner and group
|
||||
to ``false``::
|
||||
|
||||
synchronize:
|
||||
dest: /tmp/log.txt
|
||||
src: /tmp/log.txt
|
||||
owner: false
|
||||
group: false
|
||||
- name: valid
|
||||
synchronize:
|
||||
dest: /tmp/log.txt
|
||||
src: /tmp/log.txt
|
||||
owner: false
|
||||
group: false
|
||||
|
||||
And when using the unarchive module add ``--no-same-owner`` to
|
||||
extra-ops::
|
||||
When using the unarchive module add ``--no-same-owner`` to extra_opts
|
||||
when handling tarballs and do not use ``-X`` when handling zipfiles::
|
||||
|
||||
- name: valid
|
||||
unarchive:
|
||||
dest: ~/example
|
||||
src: /tmp/example.tar.gz
|
||||
extra_opts:
|
||||
- '--no-same-owner'
|
||||
|
||||
- name: faulty
|
||||
unarchive:
|
||||
dest: ~/example
|
||||
src: /tmp/example.zip
|
||||
extra_opts:
|
||||
- '-X'
|
||||
|
||||
unarchive:
|
||||
dest: ~/example
|
||||
src: /tmp/example.tar.gz
|
||||
extra_ops:
|
||||
- '--no-same-owner'
|
||||
|
||||
Testing
|
||||
-------
|
||||
|
@ -0,0 +1,4 @@
|
||||
- block:
|
||||
- synchronize:
|
||||
src: dummy
|
||||
dest: dummy
|
@ -0,0 +1,5 @@
|
||||
- block:
|
||||
- block:
|
||||
- synchronize:
|
||||
src: dummy
|
||||
dest: dummy
|
@ -0,0 +1,3 @@
|
||||
- synchronize:
|
||||
src: dummy
|
||||
dest: dummy
|
@ -0,0 +1,3 @@
|
||||
- unarchive:
|
||||
src: "{{ file }}.tar.bz2"
|
||||
dest: "dummy"
|
@ -0,0 +1,4 @@
|
||||
- unarchive:
|
||||
src: "{{ file }}.tar.bz2"
|
||||
dest: "dummy"
|
||||
delegate_to: localhost
|
@ -0,0 +1,3 @@
|
||||
- unarchive:
|
||||
src: "{{ file }}.tar.gz"
|
||||
dest: "dummy"
|
@ -0,0 +1,3 @@
|
||||
- unarchive:
|
||||
src: "{{ file }}.tar"
|
||||
dest: "dummy"
|
@ -0,0 +1,3 @@
|
||||
- unarchive:
|
||||
src: "{{ file }}.tar.xz"
|
||||
dest: "dummy"
|
@ -0,0 +1,6 @@
|
||||
- unarchive:
|
||||
src: "{{ file }}.zip"
|
||||
dest: dummy
|
||||
extra_opts:
|
||||
- '-X'
|
||||
|
@ -0,0 +1,5 @@
|
||||
- unarchive:
|
||||
src: "{{ file }}.zip"
|
||||
dest: dummy
|
||||
extra_opts:
|
||||
- '-X'
|
@ -0,0 +1,4 @@
|
||||
- synchronize:
|
||||
src: dummy
|
||||
dest: dummy
|
||||
delegate_to: localhost
|
@ -0,0 +1,5 @@
|
||||
- synchronize:
|
||||
src: dummy
|
||||
dest: dummy
|
||||
owner: no
|
||||
group: no
|
@ -0,0 +1,5 @@
|
||||
- unarchive:
|
||||
src: "{{ file }}.tar.gz"
|
||||
dest: dummy
|
||||
extra_opts:
|
||||
- '--no-same-owner'
|
@ -0,0 +1,4 @@
|
||||
- unarchive:
|
||||
src: "{{ file }}.tar.xz"
|
||||
dest: "dummy"
|
||||
remote_src: true
|
@ -0,0 +1,3 @@
|
||||
- unarchive:
|
||||
src: "{{ file }}"
|
||||
dest: "dummy"
|