[libvirt-ci PATCH v2 04/13] lcitool: Use a temporary JSON file to pass extra variables

Tue, 12 May 2020 07:43:02 -0700 

This patch is a pre-requisite config file consolidation. Currently we've
got a number of files which serve as a configuration either to the
lcitool itself or to the ansible playbooks (majority).  Once we replace
these with a single global lcitool config, we'd end up passing tokens
(potentially some passwords) as ansible extra variables bare naked on
the cmdline. In order to prevent this security flaw use temporary JSON
file holding all these extra variables and pass it as follows:

    $ ansible-playbook --extra-vars @extra_vars.json playbook.yml

Signed-off-by: Erik Skultety <eskul...@redhat.com>
Reviewed-by: Andrea Bolognani <abolo...@redhat.com>
---
 guests/lcitool | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/guests/lcitool b/guests/lcitool
index 56eb543..5b44582 100755
--- a/guests/lcitool
+++ b/guests/lcitool
@@ -506,11 +506,14 @@ class Application:
             git_remote = "default"
             git_branch = "master"
 
+        tempdir = tempfile.TemporaryDirectory(prefix="lcitool")
+
         ansible_cfg_path = os.path.join(base, "ansible.cfg")
         playbook_base = os.path.join(base, "playbooks", playbook)
         playbook_path = os.path.join(playbook_base, "main.yml")
+        extra_vars_path = os.path.join(tempdir.name, "extra_vars.json")
 
-        extra_vars = json.dumps({
+        extra_vars = {
             "base": base,
             "playbook_base": playbook_base,
             "root_password_file": root_pass_file,
@@ -520,7 +523,10 @@ class Application:
             "git_branch": git_branch,
             "gitlab_url_file": gitlab_url_file,
             "gitlab_runner_token_file": gitlab_runner_token_file,
-        })
+        }
+
+        with open(extra_vars_path, "w") as fp:
+            json.dump(extra_vars, fp)
 
         ansible_playbook = distutils.spawn.find_executable("ansible-playbook")
         if ansible_playbook is None:
@@ -529,7 +535,7 @@ class Application:
         cmd = [
             ansible_playbook,
             "--limit", ansible_hosts,
-            "--extra-vars", extra_vars,
+            "--extra-vars", "@" + extra_vars_path,
         ]
 
         # Provide the vault password if available
@@ -548,6 +554,8 @@ class Application:
         except Exception as ex:
             raise Exception(
                 "Failed to run {} on '{}': {}".format(playbook, hosts, ex))
+        finally:
+            tempdir.cleanup()
 
     def _action_hosts(self, args):
         for host in self._inventory.expand_pattern("all"):
-- 
2.25.3

Reply via email to