Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Make risky-file-permissions rule does not ignore FQCN #1563

Merged
merged 2 commits into from
May 21, 2021
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
66 changes: 48 additions & 18 deletions src/ansiblelint/rules/MissingFilePermissionsRule.py
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@
# THE SOFTWARE.
"""MissingFilePermissionsRule used with ansible-lint."""
import sys
from typing import TYPE_CHECKING, Any, Dict, Union
from typing import TYPE_CHECKING, Any, Dict, Set, Union

from ansiblelint.rules import AnsibleLintRule

Expand All @@ -35,6 +35,33 @@
'template',
)

_MODULES: Set[str] = {
'archive',
'community.general.archive',
'assemble',
'ansible.builtin.assemble',
'copy', # supports preserve
'ansible.builtin.copy',
'file',
'ansible.builtin.file',
'replace', # implicit preserve behavior but mode: preserve is invalid
'ansible.builtin.replace',
'template', # supports preserve
'ansible.builtin.template',
# 'unarchive', # disabled because .tar.gz files can have permissions inside
}

_MODULES_WITH_CREATE: Dict[str, bool] = {
'blockinfile': False,
'ansible.builtin.blockinfile': False,
'htpasswd': True,
'community.general.htpasswd': True,
'ini_file': True,
'community.general.ini_file': True,
'lineinfile': False,
'ansible.builtin.lineinfile': False,
}


class MissingFilePermissionsRule(AnsibleLintRule):
id = "risky-file-permissions"
Expand All @@ -51,22 +78,8 @@ class MissingFilePermissionsRule(AnsibleLintRule):
tags = ['unpredictability', 'experimental']
version_added = 'v4.3.0'

_modules = {
'archive',
'assemble',
'copy', # supports preserve
'file',
'replace', # implicit preserve behavior but mode: preserve is invalid
'template', # supports preserve
# 'unarchive', # disabled because .tar.gz files can have permissions inside
}

_modules_with_create = {
'blockinfile': False,
'htpasswd': True,
'ini_file': True,
'lineinfile': False,
}
_modules = _MODULES
_modules_with_create = _MODULES_WITH_CREATE

def matchtask(
self, task: Dict[str, Any], file: 'Optional[Lintable]' = None
Expand Down Expand Up @@ -173,6 +186,15 @@ def matchtask(
file:
state: directory
recurse: yes
- name: permissions not missing and numeric (fqcn)
ansible.builtin.file:
path: bar
mode: 755
- name: file edit when create is false (fqcn)
ansible.builtin.lineinfile:
path: foo
create: false
line: some content here
'''

FAIL_PRESERVE_MODE = '''
Expand Down Expand Up @@ -219,6 +241,14 @@ def matchtask(
replace:
path: foo
mode: preserve
- name: permissions are missing (fqcn)
ansible.builtin.file:
path: bar
- name: lineinfile when create is true (fqcn)
ansible.builtin.lineinfile:
path: foo
create: true
line: some content here
'''

FAIL_PERMISSION_COMMENT = '''
Expand Down Expand Up @@ -346,7 +376,7 @@ def test_fail_lineinfile_create(rule_runner: Any) -> None:
def test_fail_replace_preserve(rule_runner: Any) -> None:
"""Replace does not allow preserve mode."""
results = rule_runner.run_playbook(FAIL_REPLACE_PRESERVE)
assert len(results) == 1
assert len(results) == 3

@pytest.mark.parametrize(
'rule_runner', (MissingFilePermissionsRule,), indirect=['rule_runner']
Expand Down