File 0001-Ensure-that-unsafe-is-more-difficult-to-lose-stable-.patch of Package ansible
From f374897940ad8f388c273af91db4863c51799c6d Mon Sep 17 00:00:00 2001
From: Abhijeet Kasurde <akasurde@redhat.com>
Date: Tue, 7 Sep 2021 10:21:47 +0530
Subject: [PATCH 1/2] Ensure that unsafe is more difficult to lose
[stable-2.14] (#82295)
* Ensure that unsafe is more difficult to lose
* Add Task.untemplated_args, and switch assert over to use it
* Don't use re in first_found, switch to using native string methods
* If nested templating results in unsafe, just error, don't continue
(cherry picked from commit 586f1924512b01305f896d9ae4732773023013a3)
* ci_complete
yaml dumper: Add YAML respresenter for AnsibleUndefined (#75078)
Fixes: #75072
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Ensure single vaulted values aren't counted as sequences. Fixes #70784 (#70786)
AnsibleVaultEncryptedUnicode should be considered a string (#71609)
* AnsibleVaultEncryptedUnicode should be considered a string
* linting fix
* clog frag
2.12: Add YAML representers for NativeJinjaUnsafeText and NativeJinjaText (#77299)
* Add a YAML representer for NativeJinjaUnsafeText (#76186)
(cherry picked from commit dd220ddc2faf9510bdfedacf8b755798038591d9)
* Add a YAML representer for NativeJinjaText (#77282)
Fixes #77280
(cherry picked from commit c9db73f04e7a5fae7bbbdff8efbd585d15971d31)
---
.../fragments/70784-vault-is-string.yml | 3 +
.../fragments/71609-is_string-vault.yml | 3 +
changelogs/fragments/75072_undefined_yaml.yml | 3 +
changelogs/fragments/cve-2023-5764.yml | 6 +
.../nativejinjatext-yaml-representer.yml | 2 +
...nativejinjaunsafetext-yaml-representer.yml | 2 +
.../module_utils/common/collections.py | 3 +-
lib/ansible/module_utils/common/json.py | 14 +-
lib/ansible/parsing/yaml/dumper.py | 50 +++-
lib/ansible/playbook/conditional.py | 9 +-
lib/ansible/playbook/task.py | 24 ++
lib/ansible/plugins/action/assert.py | 23 +-
lib/ansible/plugins/callback/__init__.py | 90 +++++-
lib/ansible/plugins/filter/core.py | 25 +-
lib/ansible/plugins/lookup/first_found.py | 25 ++
lib/ansible/template/__init__.py | 23 +-
lib/ansible/utils/unsafe_proxy.py | 263 +++++++++++++++++-
.../targets/apt_repository/tasks/apt.yml | 11 +-
.../assert/assert.out.nested_tmpl.stderr | 4 +
.../assert/assert.out.nested_tmpl.stdout | 12 +
...t.quiet.stderr => assert.out.quiet.stderr} | 0
...t.quiet.stdout => assert.out.quiet.stdout} | 0
.../targets/assert/nested_tmpl.yml | 9 +
test/integration/targets/assert/quiet.yml | 4 +-
test/integration/targets/assert/runme.sh | 3 +-
.../targets/command_shell/tasks/main.yml | 2 +-
test/integration/targets/copy/tasks/tests.yml | 42 +--
test/integration/targets/debug/runme.sh | 2 +
test/integration/targets/debug/unsafe.yml | 13 +
.../integration/targets/expect/tasks/main.yml | 7 +-
.../targets/file/tasks/state_link.yml | 2 +-
test/integration/targets/find/tasks/main.yml | 88 +++++-
.../gathering_facts/test_gathering_facts.yml | 4 +-
test/integration/targets/git/tasks/depth.yml | 2 +-
.../targets/git/tasks/localmods.yml | 4 +-
.../targets/git/tasks/submodules.yml | 25 +-
.../targets/include_vars/tasks/main.yml | 20 +-
.../tests/cli/merged.yaml | 9 +-
.../tests/cli/replaced.yaml | 10 +-
.../test_lookup_properties.yml | 2 +-
.../modules_test_multiple_roles.yml | 2 +-
...ules_test_multiple_roles_reverse_order.yml | 2 +-
.../multiple_roles/bar/tasks/main.yml | 2 +-
.../multiple_roles/foo/tasks/main.yml | 2 +-
.../integration/targets/script/tasks/main.yml | 4 +-
test/integration/targets/slurp/tasks/main.yml | 2 +-
.../targets/template/tasks/main.yml | 2 +-
.../targets/unarchive/tasks/test_mode.yml | 8 +-
.../tasks/test_unprivileged_user.yml | 2 +-
.../targets/unarchive/tasks/test_zip.yml | 2 +-
.../roles/test_vault_embedded/tasks/main.yml | 2 +-
.../tasks/main.yml | 2 +-
.../vyos_config/tests/cli/check_config.yaml | 4 +-
.../vyos_interfaces/tests/cli/deleted.yaml | 9 +-
.../vyos_interfaces/tests/cli/overridden.yaml | 10 +-
.../targets/wait_for/tasks/main.yml | 20 +-
.../module_utils/common/test_collections.py | 15 +-
test/units/parsing/test_ajson.py | 1 +
test/units/parsing/yaml/test_dumper.py | 20 +-
59 files changed, 828 insertions(+), 126 deletions(-)
create mode 100644 changelogs/fragments/70784-vault-is-string.yml
create mode 100644 changelogs/fragments/71609-is_string-vault.yml
create mode 100644 changelogs/fragments/75072_undefined_yaml.yml
create mode 100644 changelogs/fragments/cve-2023-5764.yml
create mode 100644 changelogs/fragments/nativejinjatext-yaml-representer.yml
create mode 100644 changelogs/fragments/nativejinjaunsafetext-yaml-representer.yml
create mode 100644 test/integration/targets/assert/assert.out.nested_tmpl.stderr
create mode 100644 test/integration/targets/assert/assert.out.nested_tmpl.stdout
rename test/integration/targets/assert/{assert_quiet.out.quiet.stderr => assert.out.quiet.stderr} (100%)
rename test/integration/targets/assert/{assert_quiet.out.quiet.stdout => assert.out.quiet.stdout} (100%)
create mode 100644 test/integration/targets/assert/nested_tmpl.yml
create mode 100644 test/integration/targets/debug/unsafe.yml
diff --git a/changelogs/fragments/70784-vault-is-string.yml b/changelogs/fragments/70784-vault-is-string.yml
new file mode 100644
index 0000000000..8dc1164a85
--- /dev/null
+++ b/changelogs/fragments/70784-vault-is-string.yml
@@ -0,0 +1,3 @@
+bugfixes:
+- JSON Encoder - Ensure we treat single vault encrypted values as strings
+ (https://github.com/ansible/ansible/issues/70784)
diff --git a/changelogs/fragments/71609-is_string-vault.yml b/changelogs/fragments/71609-is_string-vault.yml
new file mode 100644
index 0000000000..89ddd91913
--- /dev/null
+++ b/changelogs/fragments/71609-is_string-vault.yml
@@ -0,0 +1,3 @@
+bugfixes:
+- is_string/vault - Ensure the is_string helper properly identifies AnsibleVaultEncryptedUnicode
+ as a string (https://github.com/ansible/ansible/pull/71609)
diff --git a/changelogs/fragments/75072_undefined_yaml.yml b/changelogs/fragments/75072_undefined_yaml.yml
new file mode 100644
index 0000000000..227c24de1b
--- /dev/null
+++ b/changelogs/fragments/75072_undefined_yaml.yml
@@ -0,0 +1,3 @@
+---
+minor_changes:
+- yaml dumper - YAML representer for AnsibleUndefined (https://github.com/ansible/ansible/issues/75072).
diff --git a/changelogs/fragments/cve-2023-5764.yml b/changelogs/fragments/cve-2023-5764.yml
new file mode 100644
index 0000000000..c37127dac1
--- /dev/null
+++ b/changelogs/fragments/cve-2023-5764.yml
@@ -0,0 +1,6 @@
+security_fixes:
+- templating - Address issues where internal templating can cause unsafe
+ variables to lose their unsafe designation (CVE-2023-5764)
+breaking_changes:
+- assert - Nested templating may result in an inability for the conditional
+ to be evaluated. See the porting guide for more information.
diff --git a/changelogs/fragments/nativejinjatext-yaml-representer.yml b/changelogs/fragments/nativejinjatext-yaml-representer.yml
new file mode 100644
index 0000000000..ef2f460a09
--- /dev/null
+++ b/changelogs/fragments/nativejinjatext-yaml-representer.yml
@@ -0,0 +1,2 @@
+bugfixes:
+ - Add a YAML representer for ``NativeJinjaText``
diff --git a/changelogs/fragments/nativejinjaunsafetext-yaml-representer.yml b/changelogs/fragments/nativejinjaunsafetext-yaml-representer.yml
new file mode 100644
index 0000000000..e13486fb30
--- /dev/null
+++ b/changelogs/fragments/nativejinjaunsafetext-yaml-representer.yml
@@ -0,0 +1,2 @@
+bugfixes:
+ - Add a YAML representer for ``NativeJinjaUnsafeText``
diff --git a/lib/ansible/module_utils/common/collections.py b/lib/ansible/module_utils/common/collections.py
index 0a166cd4cf..123ee8354b 100644
--- a/lib/ansible/module_utils/common/collections.py
+++ b/lib/ansible/module_utils/common/collections.py
@@ -58,7 +58,8 @@ class ImmutableDict(Hashable, Mapping):
def is_string(seq):
"""Identify whether the input has a string-like type (inclding bytes)."""
- return isinstance(seq, (text_type, binary_type))
+ # AnsibleVaultEncryptedUnicode inherits from Sequence, but is expected to be a string like object
+ return isinstance(seq, (text_type, binary_type)) or getattr(seq, '__ENCRYPTED__', False)
def is_iterable(seq, include_strings=False):
diff --git a/lib/ansible/module_utils/common/json.py b/lib/ansible/module_utils/common/json.py
index 3018e9e238..41f9b85fb7 100644
--- a/lib/ansible/module_utils/common/json.py
+++ b/lib/ansible/module_utils/common/json.py
@@ -15,14 +15,22 @@ from ansible.module_utils.common._collections_compat import Mapping
from ansible.module_utils.common.collections import is_sequence
+def _is_unsafe(value):
+ return getattr(value, '__UNSAFE__', False) and not getattr(value, '__ENCRYPTED__', False)
+
+
+def _is_vault(value):
+ return getattr(value, '__ENCRYPTED__', False)
+
+
def _preprocess_unsafe_encode(value):
"""Recursively preprocess a data structure converting instances of ``AnsibleUnsafe``
into their JSON dict representations
Used in ``AnsibleJSONEncoder.iterencode``
"""
- if getattr(value, '__UNSAFE__', False) and not getattr(value, '__ENCRYPTED__', False):
- value = {'__ansible_unsafe': to_text(value, errors='surrogate_or_strict', nonstring='strict')}
+ if _is_unsafe(value):
+ value = {'__ansible_unsafe': to_text(value._strip_unsafe(), errors='surrogate_or_strict', nonstring='strict')}
elif is_sequence(value):
value = [_preprocess_unsafe_encode(v) for v in value]
elif isinstance(value, Mapping):
@@ -51,7 +59,7 @@ class AnsibleJSONEncoder(json.JSONEncoder):
value = {'__ansible_vault': to_text(o._ciphertext, errors='surrogate_or_strict', nonstring='strict')}
elif getattr(o, '__UNSAFE__', False):
# unsafe object, this will never be triggered, see ``AnsibleJSONEncoder.iterencode``
- value = {'__ansible_unsafe': to_text(o, errors='surrogate_or_strict', nonstring='strict')}
+ value = {'__ansible_unsafe': to_text(o._strip_unsafe(), errors='surrogate_or_strict', nonstring='strict')}
elif isinstance(o, Mapping):
# hostvars and other objects
value = dict(o)
diff --git a/lib/ansible/parsing/yaml/dumper.py b/lib/ansible/parsing/yaml/dumper.py
index 67a2efb36d..ddb1363a9e 100644
--- a/lib/ansible/parsing/yaml/dumper.py
+++ b/lib/ansible/parsing/yaml/dumper.py
@@ -21,9 +21,10 @@ __metaclass__ = type
import yaml
-from ansible.module_utils.six import PY3
+from ansible.module_utils.six import PY3, text_type
from ansible.parsing.yaml.objects import AnsibleUnicode, AnsibleSequence, AnsibleMapping, AnsibleVaultEncryptedUnicode
-from ansible.utils.unsafe_proxy import AnsibleUnsafeText, AnsibleUnsafeBytes
+from ansible.utils.unsafe_proxy import AnsibleUnsafeText, AnsibleUnsafeBytes, NativeJinjaUnsafeText, NativeJinjaText, _is_unsafe
+from ansible.template import AnsibleUndefined
from ansible.vars.hostvars import HostVars, HostVarsVars
@@ -44,12 +45,30 @@ def represent_vault_encrypted_unicode(self, data):
return self.represent_scalar(u'!vault', data._ciphertext.decode(), style='|')
-if PY3:
- represent_unicode = yaml.representer.SafeRepresenter.represent_str
- represent_binary = yaml.representer.SafeRepresenter.represent_binary
-else:
- represent_unicode = yaml.representer.SafeRepresenter.represent_unicode
- represent_binary = yaml.representer.SafeRepresenter.represent_str
+def represent_unicode(self, data):
+ if _is_unsafe(data):
+ data = data._strip_unsafe()
+ if PY3:
+ return yaml.representer.SafeRepresenter.represent_str(self, text_type(data))
+ else:
+ return yaml.representer.SafeRepresenter.represent_unicode(self, text_type(data))
+
+
+def represent_binary(self, data):
+ if _is_unsafe(data):
+ data = data._strip_unsafe()
+ if PY3:
+ return yaml.representer.SafeRepresenter.represent_binary(self, binary_type(data))
+ else:
+ return yaml.representer.SafeRepresenter.represent_str(self, binary_type(data))
+
+
+def represent_undefined(self, data):
+ # Here bool will ensure _fail_with_undefined_error happens
+ # if the value is Undefined.
+ # This happens because Jinja sets __bool__ on StrictUndefined
+ return bool(data)
+
AnsibleDumper.add_representer(
AnsibleUnicode,
@@ -90,3 +109,18 @@ AnsibleDumper.add_representer(
AnsibleVaultEncryptedUnicode,
represent_vault_encrypted_unicode,
)
+
+AnsibleDumper.add_representer(
+ AnsibleUndefined,
+ represent_undefined,
+)
+
+AnsibleDumper.add_representer(
+ NativeJinjaUnsafeText,
+ represent_unicode,
+)
+
+AnsibleDumper.add_representer(
+ NativeJinjaText,
+ represent_unicode,
+)
diff --git a/lib/ansible/playbook/conditional.py b/lib/ansible/playbook/conditional.py
index 2fadf77487..ac4fc0c568 100644
--- a/lib/ansible/playbook/conditional.py
+++ b/lib/ansible/playbook/conditional.py
@@ -26,7 +26,7 @@ from jinja2.compiler import generate
from jinja2.exceptions import UndefinedError
from ansible import constants as C
-from ansible.errors import AnsibleError, AnsibleUndefinedVariable
+from ansible.errors import AnsibleError, AnsibleUndefinedVariable, AnsibleTemplateError
from ansible.module_utils.six import text_type
from ansible.module_utils._text import to_native
from ansible.playbook.attribute import FieldAttribute
@@ -138,9 +138,10 @@ class Conditional:
if not isinstance(conditional, text_type) or conditional == "":
return conditional
- # update the lookups flag, as the string returned above may now be unsafe
- # and we don't want future templating calls to do unsafe things
- disable_lookups |= hasattr(conditional, '__UNSAFE__')
+ # If the result of the first-pass template render (to resolve inline templates) is marked unsafe,
+ # explicitly fail since the next templating operation would never evaluate
+ if hasattr(conditional, '__UNSAFE__'):
+ raise AnsibleTemplateError('Conditional is marked as unsafe, and cannot be evaluated.')
# First, we do some low-level jinja2 parsing involving the AST format of the
# statement to ensure we don't do anything unsafe (using the disable_lookup flag above)
diff --git a/lib/ansible/playbook/task.py b/lib/ansible/playbook/task.py
index 7fd480c895..e24d27ba8a 100644
--- a/lib/ansible/playbook/task.py
+++ b/lib/ansible/playbook/task.py
@@ -298,6 +298,30 @@ class Task(Base, Conditional, Taggable, CollectionSearch):
super(Task, self).post_validate(templar)
+ def _post_validate_args(self, attr, value, templar):
+ # smuggle an untemplated copy of the task args for actions that need more control over the templating of their
+ # input (eg, debug's var/msg, assert's "that" conditional expressions)
+ self.untemplated_args = value
+
+ # now recursively template the args dict
+ args = templar.template(value)
+
+ # FIXME: could we just nuke this entirely and/or wrap it up in ModuleArgsParser or something?
+ if '_variable_params' in args:
+ variable_params = args.pop('_variable_params')
+ if isinstance(variable_params, dict):
+ if C.INJECT_FACTS_AS_VARS:
+ display.warning("Using a variable for a task's 'args' is unsafe in some situations "
+ "(see https://docs.ansible.com/ansible/devel/reference_appendices/faq.html#argsplat-unsafe)")
+ variable_params.update(args)
+ args = variable_params
+ else:
+ # if we didn't get a dict, it means there's garbage remaining after k=v parsing, just give up
+ # see https://github.com/ansible/ansible/issues/79862
+ raise AnsibleError(f"invalid or malformed argument: '{variable_params}'")
+
+ return args
+
def _post_validate_loop(self, attr, value, templar):
'''
Override post validation for the loop field, which is templated
diff --git a/lib/ansible/plugins/action/assert.py b/lib/ansible/plugins/action/assert.py
index 7721a6b47c..e8ab6a9a4f 100644
--- a/lib/ansible/plugins/action/assert.py
+++ b/lib/ansible/plugins/action/assert.py
@@ -63,8 +63,29 @@ class ActionModule(ActionBase):
quiet = boolean(self._task.args.get('quiet', False), strict=False)
+ # directly access 'that' via untemplated args from the task so we can intelligently trust embedded
+ # templates and preserve the original inputs/locations for better messaging on assert failures and
+ # errors.
+ # FIXME: even in devel, things like `that: item` don't always work properly (truthy string value
+ # is not really an embedded expression)
+ # we could fix that by doing direct var lookups on the inputs
+ # FIXME: some form of this code should probably be shared between debug, assert, and
+ # Task.post_validate, since they
+ # have a lot of overlapping needs
+ try:
+ thats = self._task.untemplated_args['that']
+ except KeyError:
+ # in the case of "we got our entire args dict from a template", we can just consult the
+ # post-templated dict (the damage has likely already been done for embedded templates anyway)
+ thats = self._task.args['that']
+
+ # FIXME: this is a case where we only want to resolve indirections, NOT recurse containers
+ # (and even then, the leaf-most expression being wrapped is at least suboptimal
+ # (since its expression will be "eaten").
+ if isinstance(thats, str):
+ thats = self._templar.template(thats)
+
# make sure the 'that' items are a list
- thats = self._task.args['that']
if not isinstance(thats, list):
thats = [thats]
diff --git a/lib/ansible/plugins/callback/__init__.py b/lib/ansible/plugins/callback/__init__.py
index 71287f8b5e..08b3b4cb29 100644
--- a/lib/ansible/plugins/callback/__init__.py
+++ b/lib/ansible/plugins/callback/__init__.py
@@ -22,6 +22,7 @@ __metaclass__ = type
import difflib
import json
import os
+import re
import sys
import warnings
@@ -29,12 +30,15 @@ from copy import deepcopy
from ansible import constants as C
from ansible.module_utils.common._collections_compat import MutableMapping
-from ansible.module_utils.six import PY3
+from ansible.module_utils.six import PY3, text_type
from ansible.module_utils._text import to_text
from ansible.parsing.ajson import AnsibleJSONEncoder
+from ansible.parsing.yaml.dumper import AnsibleDumper
+from ansible.parsing.yaml.objects import AnsibleUnicode
from ansible.plugins import AnsiblePlugin, get_plugin_class
from ansible.utils.color import stringc
from ansible.utils.display import Display
+from ansible.utils.unsafe_proxy import AnsibleUnsafeText, NativeJinjaUnsafeText, _is_unsafe
from ansible.vars.clean import strip_internal_keys, module_response_deepcopy
if PY3:
@@ -51,6 +55,90 @@ __all__ = ["CallbackBase"]
_DEBUG_ALLOWED_KEYS = frozenset(('msg', 'exception', 'warnings', 'deprecations'))
+_YAML_TEXT_TYPES = (text_type, AnsibleUnicode, AnsibleUnsafeText, NativeJinjaUnsafeText)
+# Characters that libyaml/pyyaml consider breaks
+_YAML_BREAK_CHARS = '\n\x85\u2028\u2029' # NL, NEL, LS, PS
+# regex representation of libyaml/pyyaml of a space followed by a break character
+_SPACE_BREAK_RE = re.compile(fr' +([{_YAML_BREAK_CHARS}])')
+
+
+class _AnsibleCallbackDumper(AnsibleDumper):
+ def __init__(self, lossy=False):
+ self._lossy = lossy
+
+ def __call__(self, *args, **kwargs):
+ # pyyaml expects that we are passing an object that can be instantiated, but to
+ # smuggle the ``lossy`` configuration, we do that in ``__init__`` and then
+ # define this ``__call__`` that will mimic the ability for pyyaml to instantiate class
+ super().__init__(*args, **kwargs)
+ return self
+
+
+def _should_use_block(scalar):
+ """Returns true if string should be in block format based on the existence of various newline separators"""
+ # This method of searching is faster than using a regex
+ for ch in _YAML_BREAK_CHARS:
+ if ch in scalar:
+ return True
+ return False
+
+
+class _SpecialCharacterTranslator:
+ def __getitem__(self, ch):
+ # "special character" logic from pyyaml yaml.emitter.Emitter.analyze_scalar, translated to decimal
+ # for perf w/ str.translate
+ if (ch == 10 or
+ 32 <= ch <= 126 or
+ ch == 133 or
+ 160 <= ch <= 55295 or
+ 57344 <= ch <= 65533 or
+ 65536 <= ch < 1114111)\
+ and ch != 65279:
+ return ch
+ return None
+
+
+def _filter_yaml_special(scalar):
+ """Filter a string removing any character that libyaml/pyyaml declare as special"""
+ return scalar.translate(_SpecialCharacterTranslator())
+
+
+def _munge_data_for_lossy_yaml(scalar):
+ """Modify a string so that analyze_scalar in libyaml/pyyaml will allow block formatting"""
+ # we care more about readability than accuracy, so...
+ # ...libyaml/pyyaml does not permit trailing spaces for block scalars
+ scalar = scalar.rstrip()
+ # ...libyaml/pyyaml does not permit tabs for block scalars
+ scalar = scalar.expandtabs()
+ # ...libyaml/pyyaml only permits special characters for double quoted scalars
+ scalar = _filter_yaml_special(scalar)
+ # ...libyaml/pyyaml only permits spaces followed by breaks for double quoted scalars
+ return _SPACE_BREAK_RE.sub(r'\1', scalar)
+
+
+def _pretty_represent_str(self, data):
+ """Uses block style for multi-line strings"""
+ if _is_unsafe(data):
+ data = data._strip_unsafe()
+ data = text_type(data)
+ if _should_use_block(data):
+ style = '|'
+ if self._lossy:
+ data = _munge_data_for_lossy_yaml(data)
+ else:
+ style = self.default_style
+
+ node = yaml.representer.ScalarNode('tag:yaml.org,2002:str', data, style=style)
+ if self.alias_key is not None:
+ self.represented_objects[self.alias_key] = node
+ return node
+
+
+for data_type in _YAML_TEXT_TYPES:
+ _AnsibleCallbackDumper.add_representer(
+ data_type,
+ _pretty_represent_str
+ )
class CallbackBase(AnsiblePlugin):
diff --git a/lib/ansible/plugins/filter/core.py b/lib/ansible/plugins/filter/core.py
index 1fc6790a4d..d39d8426bc 100644
--- a/lib/ansible/plugins/filter/core.py
+++ b/lib/ansible/plugins/filter/core.py
@@ -53,6 +53,7 @@ from ansible.utils.display import Display
from ansible.utils.encrypt import passlib_or_crypt
from ansible.utils.hashing import md5s, checksum_s
from ansible.utils.unicode import unicode_wrap
+from ansible.utils.unsafe_proxy import _is_unsafe
from ansible.utils.vars import merge_hash
display = Display()
@@ -63,13 +64,19 @@ UUID_NAMESPACE_ANSIBLE = uuid.UUID('361E6D51-FAEC-444A-9079-341386DA8E2E')
def to_yaml(a, *args, **kw):
'''Make verbose, human readable yaml'''
default_flow_style = kw.pop('default_flow_style', None)
- transformed = yaml.dump(a, Dumper=AnsibleDumper, allow_unicode=True, default_flow_style=default_flow_style, **kw)
+ try:
+ transformed = yaml.dump(a, Dumper=AnsibleDumper, allow_unicode=True, default_flow_style=default_flow_style, **kw)
+ except Exception as e:
+ raise AnsibleFilterError("to_yaml - %s" % to_native(e), orig_exc=e)
return to_text(transformed)
def to_nice_yaml(a, indent=4, *args, **kw):
'''Make verbose, human readable yaml'''
- transformed = yaml.dump(a, Dumper=AnsibleDumper, indent=indent, allow_unicode=True, default_flow_style=False, **kw)
+ try:
+ transformed = yaml.dump(a, Dumper=AnsibleDumper, indent=indent, allow_unicode=True, default_flow_style=False, **kw)
+ except Exception as e:
+ raise AnsibleFilterError("to_nice_yaml - %s" % to_native(e), orig_exc=e)
return to_text(transformed)
@@ -207,13 +214,23 @@ def regex_escape(string, re_type='python'):
def from_yaml(data):
if isinstance(data, string_types):
- return yaml.safe_load(data)
+ # The ``text_type`` call here strips any custom
+ # string wrapper class, so that CSafeLoader can
+ # read the data
+ if _is_unsafe(data):
+ data = data._strip_unsafe()
+ return yaml_load(text_type(to_text(data, errors='surrogate_or_strict')))
return data
def from_yaml_all(data):
if isinstance(data, string_types):
- return yaml.safe_load_all(data)
+ # The ``text_type`` call here strips any custom
+ # string wrapper class, so that CSafeLoader can
+ # read the data
+ if _is_unsafe(data):
+ data = data._strip_unsafe()
+ return yaml_load_all(text_type(to_text(data, errors='surrogate_or_strict')))
return data
diff --git a/lib/ansible/plugins/lookup/first_found.py b/lib/ansible/plugins/lookup/first_found.py
index a1828e6b9c..39a2f1aac3 100644
--- a/lib/ansible/plugins/lookup/first_found.py
+++ b/lib/ansible/plugins/lookup/first_found.py
@@ -102,6 +102,8 @@ RETURN = """
"""
import os
+from collections.abc import Mapping, Sequence
+
from jinja2.exceptions import UndefinedError
from ansible.errors import AnsibleFileNotFound, AnsibleLookupError, AnsibleUndefinedVariable
@@ -110,6 +112,29 @@ from ansible.module_utils.parsing.convert_bool import boolean
from ansible.plugins.lookup import LookupBase
+def _splitter(value, chars):
+ chars = set(chars)
+ v = ''
+ for c in value:
+ if c in chars:
+ yield v
+ v = ''
+ continue
+ v += c
+ yield v
+
+
+def _split_on(terms, spliters=','):
+ termlist = []
+ if isinstance(terms, string_types):
+ termlist = list(_splitter(terms, spliters))
+ else:
+ # added since options will already listify
+ for t in terms:
+ termlist.extend(_split_on(t, spliters))
+ return termlist
+
+
class LookupModule(LookupBase):
def run(self, terms, variables, **kwargs):
diff --git a/lib/ansible/template/__init__.py b/lib/ansible/template/__init__.py
index a20b1bae68..94ab31e58d 100644
--- a/lib/ansible/template/__init__.py
+++ b/lib/ansible/template/__init__.py
@@ -35,7 +35,7 @@ try:
except ImportError:
from sha import sha as sha1
-from jinja2.exceptions import TemplateSyntaxError, UndefinedError
+from jinja2.exceptions import TemplateSyntaxError, UndefinedError, SecurityError
from jinja2.loaders import FileSystemLoader
from jinja2.runtime import Context, StrictUndefined
@@ -53,6 +53,9 @@ from ansible.template.vars import AnsibleJ2Vars
from ansible.utils.collection_loader import AnsibleCollectionRef
from ansible.utils.display import Display
from ansible.utils.unsafe_proxy import wrap_var
+from ansible.utils.listify import listify_lookup_plugin_terms
+from ansible.utils.native_jinja import NativeJinjaText
+from ansible.utils.unsafe_proxy import wrap_var, AnsibleUnsafeText, AnsibleUnsafeBytes, NativeJinjaUnsafeText
display = Display()
@@ -259,10 +262,21 @@ class AnsibleContext(Context):
flag is checked post-templating, and (when set) will result in the
final templated result being wrapped in AnsibleUnsafe.
'''
+ _disallowed_callables = frozenset({
+ AnsibleUnsafeText._strip_unsafe.__qualname__,
+ AnsibleUnsafeBytes._strip_unsafe.__qualname__,
+ NativeJinjaUnsafeText._strip_unsafe.__qualname__,
+ })
+
def __init__(self, *args, **kwargs):
super(AnsibleContext, self).__init__(*args, **kwargs)
self.unsafe = False
+ def call(self, obj, *args, **kwargs):
+ if getattr(obj, '__qualname__', None) in self._disallowed_callables or obj in self._disallowed_callables:
+ raise SecurityError(f"{obj!r} is not safely callable")
+ return super().call(obj, *args, **kwargs)
+
def _is_unsafe(self, val):
'''
Our helper function, which will also recursively check dict and
@@ -874,8 +888,11 @@ class Templar:
rf = t.root_render_func(new_context)
try:
- res = j2_concat(rf)
- unsafe = getattr(new_context, 'unsafe', False)
+ if self.jinja2_native:
+ res = ansible_native_concat(rf)
+ else:
+ res = j2_concat(rf)
+ unsafe = getattr(self.cur_context, 'unsafe', False)
if unsafe:
res = wrap_var(res)
except TypeError as te:
diff --git a/lib/ansible/utils/unsafe_proxy.py b/lib/ansible/utils/unsafe_proxy.py
index ffb5f37503..0bfd6340ff 100644
--- a/lib/ansible/utils/unsafe_proxy.py
+++ b/lib/ansible/utils/unsafe_proxy.py
@@ -67,10 +67,267 @@ class AnsibleUnsafe(object):
class AnsibleUnsafeBytes(binary_type, AnsibleUnsafe):
- pass
+ def _strip_unsafe(self):
+ return super().__bytes__()
+
+ def __str__(self): # pylint: disable=invalid-str-returned
+ return self.encode()
+
+ def __bytes__(self): # pylint: disable=invalid-bytes-returned
+ return self
+
+ def __repr__(self): # pylint: disable=invalid-repr-returned
+ return AnsibleUnsafeText(super().__repr__())
+
+ def __format__(self, format_spec): # pylint: disable=invalid-format-returned
+ return self.__class__(super().__format__(format_spec))
+
+ def __getitem__(self, key):
+ return self.__class__(super().__getitem__(key))
+
+ def __iter__(self):
+ cls = self.__class__
+ return (cls(c) for c in super().__iter__())
+
+ def __reversed__(self):
+ return self[::-1]
+
+ def __add__(self, value):
+ return self.__class__(super().__add__(value))
+
+ def __radd__(self, value):
+ return self.__class__(value.__add__(self))
+
+ def __mul__(self, value):
+ return self.__class__(super().__mul__(value))
+
+ __rmul__ = __mul__
+
+ def __mod__(self, value):
+ return self.__class__(super().__mod__(value))
+
+ def __rmod__(self, value):
+ return self.__class__(super().__rmod__(value))
+
+ def capitalize(self):
+ return self.__class__(super().capitalize())
+
+ def casefold(self):
+ return self.__class__(super().casefold())
+
+ def center(self, width, fillchar=b' '):
+ return self.__class__(super().center(width, fillchar))
+
+ def decode(self, encoding='utf-8', errors='strict'):
+ return AnsibleUnsafeText(super().decode(encoding=encoding, errors=errors))
+
+ def removeprefix(self, prefix):
+ return self.__class__(super().removeprefix(prefix))
+
+ def removesuffix(self, suffix):
+ return self.__class__(super().removesuffix(suffix))
+
+ def expandtabs(self, tabsize=8):
+ return self.__class__(super().expandtabs(tabsize))
+
+ def format(self, *args, **kwargs):
+ return self.__class__(super().format(*args, **kwargs))
+
+ def format_map(self, mapping):
+ return self.__class__(super().format_map(mapping))
+
+ def join(self, iterable_of_bytes):
+ return self.__class__(super().join(iterable_of_bytes))
+
+ def ljust(self, width, fillchar=b' '):
+ return self.__class__(super().ljust(width, fillchar))
+
+ def lower(self):
+ return self.__class__(super().lower())
+
+ def lstrip(self, bytes=None):
+ return self.__class__(super().lstrip(bytes))
+
+ def partition(self, sep):
+ cls = self.__class__
+ return tuple(cls(e) for e in super().partition(sep))
+
+ def replace(self, old, new, count=-1):
+ return self.__class__(super().replace(old, new, count))
+
+ def rjust(self, width, fillchar=b' '):
+ return self.__class__(super().rjust(width, fillchar))
+
+ def rpartition(self, sep):
+ cls = self.__class__
+ return tuple(cls(e) for e in super().rpartition(sep))
+
+ def rstrip(self, bytes=None):
+ return self.__class__(super().rstrip(bytes))
+
+ def split(self, sep=None, maxsplit=-1):
+ cls = self.__class__
+ return [cls(e) for e in super().split(sep=sep, maxsplit=maxsplit)]
+
+ def rsplit(self, sep=None, maxsplit=-1):
+ cls = self.__class__
+ return [cls(e) for e in super().rsplit(sep=sep, maxsplit=maxsplit)]
+
+ def splitlines(self, keepends=False):
+ cls = self.__class__
+ return [cls(e) for e in super().splitlines(keepends=keepends)]
+
+ def strip(self, bytes=None):
+ return self.__class__(super().strip(bytes))
+
+ def swapcase(self):
+ return self.__class__(super().swapcase())
+
+ def title(self):
+ return self.__class__(super().title())
+
+ def translate(self, table, delete=b''):
+ return self.__class__(super().translate(table, delete=delete))
+
+ def upper(self):
+ return self.__class__(super().upper())
+
+ def zfill(self, width):
+ return self.__class__(super().zfill(width))
class AnsibleUnsafeText(text_type, AnsibleUnsafe):
+ # def __getattribute__(self, name):
+ # print(f'attr: {name}')
+ # return object.__getattribute__(self, name)
+
+ def _strip_unsafe(self):
+ return super().__str__()
+
+ def __str__(self): # pylint: disable=invalid-str-returned
+ return self
+
+ def __repr__(self): # pylint: disable=invalid-repr-returned
+ return self.__class__(super().__repr__())
+
+ def __format__(self, format_spec): # pylint: disable=invalid-format-returned
+ return self.__class__(super().__format__(format_spec))
+
+ def __getitem__(self, key):
+ return self.__class__(super().__getitem__(key))
+
+ def __iter__(self):
+ cls = self.__class__
+ return (cls(c) for c in super().__iter__())
+
+ def __reversed__(self):
+ return self[::-1]
+
+ def __add__(self, value):
+ return self.__class__(super().__add__(value))
+
+ def __radd__(self, value):
+ return self.__class__(value.__add__(self))
+
+ def __mul__(self, value):
+ return self.__class__(super().__mul__(value))
+
+ __rmul__ = __mul__
+
+ def __mod__(self, value):
+ return self.__class__(super().__mod__(value))
+
+ def __rmod__(self, value):
+ return self.__class__(super().__rmod__(value))
+
+ def capitalize(self):
+ return self.__class__(super().capitalize())
+
+ def casefold(self):
+ return self.__class__(super().casefold())
+
+ def center(self, width, fillchar=' '):
+ return self.__class__(super().center(width, fillchar))
+
+ def encode(self, encoding='utf-8', errors='strict'):
+ return AnsibleUnsafeBytes(super().encode(encoding=encoding, errors=errors))
+
+ def removeprefix(self, prefix):
+ return self.__class__(super().removeprefix(prefix))
+
+ def removesuffix(self, suffix):
+ return self.__class__(super().removesuffix(suffix))
+
+ def expandtabs(self, tabsize=8):
+ return self.__class__(super().expandtabs(tabsize))
+
+ def format(self, *args, **kwargs):
+ return self.__class__(super().format(*args, **kwargs))
+
+ def format_map(self, mapping):
+ return self.__class__(super().format_map(mapping))
+
+ def join(self, iterable):
+ return self.__class__(super().join(iterable))
+
+ def ljust(self, width, fillchar=' '):
+ return self.__class__(super().ljust(width, fillchar))
+
+ def lower(self):
+ return self.__class__(super().lower())
+
+ def lstrip(self, chars=None):
+ return self.__class__(super().lstrip(chars))
+
+ def partition(self, sep):
+ cls = self.__class__
+ return tuple(cls(e) for e in super().partition(sep))
+
+ def replace(self, old, new, count=-1):
+ return self.__class__(super().replace(old, new, count))
+
+ def rjust(self, width, fillchar=' '):
+ return self.__class__(super().rjust(width, fillchar))
+
+ def rpartition(self, sep):
+ cls = self.__class__
+ return tuple(cls(e) for e in super().rpartition(sep))
+
+ def rstrip(self, chars=None):
+ return self.__class__(super().rstrip(chars))
+
+ def split(self, sep=None, maxsplit=-1):
+ cls = self.__class__
+ return [cls(e) for e in super().split(sep=sep, maxsplit=maxsplit)]
+
+ def rsplit(self, sep=None, maxsplit=-1):
+ cls = self.__class__
+ return [cls(e) for e in super().rsplit(sep=sep, maxsplit=maxsplit)]
+
+ def splitlines(self, keepends=False):
+ cls = self.__class__
+ return [cls(e) for e in super().splitlines(keepends=keepends)]
+
+ def strip(self, chars=None):
+ return self.__class__(super().strip(chars))
+
+ def swapcase(self):
+ return self.__class__(super().swapcase())
+
+ def title(self):
+ return self.__class__(super().title())
+
+ def translate(self, table):
+ return self.__class__(super().translate(table))
+
+ def upper(self):
+ return self.__class__(super().upper())
+
+ def zfill(self, width):
+ return self.__class__(super().zfill(width))
+
+
+class NativeJinjaUnsafeText(NativeJinjaText, AnsibleUnsafeText):
pass
@@ -133,3 +390,7 @@ def to_unsafe_bytes(*args, **kwargs):
def to_unsafe_text(*args, **kwargs):
return wrap_var(to_text(*args, **kwargs))
+
+
+def _is_unsafe(obj):
+ return getattr(obj, '__UNSAFE__', False) is True
diff --git a/test/integration/targets/apt_repository/tasks/apt.yml b/test/integration/targets/apt_repository/tasks/apt.yml
index 941335f2c6..8d0f4ad896 100644
--- a/test/integration/targets/apt_repository/tasks/apt.yml
+++ b/test/integration/targets/apt_repository/tasks/apt.yml
@@ -50,7 +50,7 @@
that:
- 'result.changed'
- 'result.state == "present"'
- - 'result.repo == "{{test_ppa_name}}"'
+ - 'result.repo == test_ppa_name'
- name: 'examine apt cache mtime'
stat: path='/var/cache/apt/pkgcache.bin'
@@ -81,7 +81,7 @@
that:
- 'result.changed'
- 'result.state == "present"'
- - 'result.repo == "{{test_ppa_name}}"'
+ - 'result.repo == test_ppa_name'
- name: 'examine apt cache mtime'
stat: path='/var/cache/apt/pkgcache.bin'
@@ -112,7 +112,7 @@
that:
- 'result.changed'
- 'result.state == "present"'
- - 'result.repo == "{{test_ppa_name}}"'
+ - 'result.repo == test_ppa_name'
- name: 'examine apt cache mtime'
stat: path='/var/cache/apt/pkgcache.bin'
@@ -146,7 +146,8 @@
that:
- 'result.changed'
- 'result.state == "present"'
- - 'result.repo == "{{test_ppa_spec}}"'
+ - 'result.repo == test_ppa_spec'
+ - result_cache is not changed
- name: 'examine apt cache mtime'
stat: path='/var/cache/apt/pkgcache.bin'
@@ -181,7 +182,7 @@
that:
- 'result.changed'
- 'result.state == "present"'
- - 'result.repo == "{{test_ppa_spec}}"'
+ - 'result.repo == test_ppa_spec'
- name: 'examine source file'
stat: path='/etc/apt/sources.list.d/{{test_ppa_filename}}.list'
diff --git a/test/integration/targets/assert/assert.out.nested_tmpl.stderr b/test/integration/targets/assert/assert.out.nested_tmpl.stderr
new file mode 100644
index 0000000000..ea208a41c7
--- /dev/null
+++ b/test/integration/targets/assert/assert.out.nested_tmpl.stderr
@@ -0,0 +1,4 @@
++ ansible-playbook -i localhost, -c local nested_tmpl.yml
+++ set +x
+[WARNING]: conditional statements should not include jinja2 templating
+delimiters such as {{ }} or {% %}. Found: "{{ foo }}" == "bar"
diff --git a/test/integration/targets/assert/assert.out.nested_tmpl.stdout b/test/integration/targets/assert/assert.out.nested_tmpl.stdout
new file mode 100644
index 0000000000..8ca3fb76d4
--- /dev/null
+++ b/test/integration/targets/assert/assert.out.nested_tmpl.stdout
@@ -0,0 +1,12 @@
+
+PLAY [localhost] ***************************************************************
+
+TASK [assert] ******************************************************************
+ok: [localhost] => {
+ "changed": false,
+ "msg": "All assertions passed"
+}
+
+PLAY RECAP *********************************************************************
+localhost : ok=1 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
+
diff --git a/test/integration/targets/assert/assert_quiet.out.quiet.stderr b/test/integration/targets/assert/assert.out.quiet.stderr
similarity index 100%
rename from test/integration/targets/assert/assert_quiet.out.quiet.stderr
rename to test/integration/targets/assert/assert.out.quiet.stderr
diff --git a/test/integration/targets/assert/assert_quiet.out.quiet.stdout b/test/integration/targets/assert/assert.out.quiet.stdout
similarity index 100%
rename from test/integration/targets/assert/assert_quiet.out.quiet.stdout
rename to test/integration/targets/assert/assert.out.quiet.stdout
diff --git a/test/integration/targets/assert/nested_tmpl.yml b/test/integration/targets/assert/nested_tmpl.yml
new file mode 100644
index 0000000000..3da4b1d80e
--- /dev/null
+++ b/test/integration/targets/assert/nested_tmpl.yml
@@ -0,0 +1,9 @@
+- hosts: localhost
+ gather_facts: False
+ tasks:
+ - assert:
+ that:
+ - '"{{ foo }}" == "bar"'
+ - foo == "bar"
+ vars:
+ foo: bar
diff --git a/test/integration/targets/assert/quiet.yml b/test/integration/targets/assert/quiet.yml
index 6834712c2c..1c425cb5ba 100644
--- a/test/integration/targets/assert/quiet.yml
+++ b/test/integration/targets/assert/quiet.yml
@@ -5,12 +5,12 @@
item_A: yes
tasks:
- assert:
- that: "{{ item }} is defined"
+ that: "item is defined"
quiet: True
with_items:
- item_A
- assert:
- that: "{{ item }} is defined"
+ that: "item is defined"
quiet: False
with_items:
- item_A
diff --git a/test/integration/targets/assert/runme.sh b/test/integration/targets/assert/runme.sh
index ca0a858726..b79072813d 100755
--- a/test/integration/targets/assert/runme.sh
+++ b/test/integration/targets/assert/runme.sh
@@ -45,7 +45,7 @@ cleanup() {
fi
}
-BASEFILE=assert_quiet.out
+BASEFILE=assert.out
ORIGFILE="${BASEFILE}"
OUTFILE="${BASEFILE}.new"
@@ -69,3 +69,4 @@ export ANSIBLE_NOCOLOR=1
export ANSIBLE_RETRY_FILES_ENABLED=0
run_test quiet
+run_test nested_tmpl
diff --git a/test/integration/targets/command_shell/tasks/main.yml b/test/integration/targets/command_shell/tasks/main.yml
index 9dc6c9beb6..d685443b55 100644
--- a/test/integration/targets/command_shell/tasks/main.yml
+++ b/test/integration/targets/command_shell/tasks/main.yml
@@ -286,7 +286,7 @@
assert:
that:
- shell_result0 is changed
- - shell_result0.cmd == '{{ output_dir_test }}/test.sh'
+ - shell_result0.cmd == output_dir_test ~ '/test.sh'
- shell_result0.rc == 0
- shell_result0.stderr == ''
- shell_result0.stdout == 'win'
diff --git a/test/integration/targets/copy/tasks/tests.yml b/test/integration/targets/copy/tasks/tests.yml
index 900f86a66a..2a150c4217 100644
--- a/test/integration/targets/copy/tasks/tests.yml
+++ b/test/integration/targets/copy/tasks/tests.yml
@@ -1176,7 +1176,7 @@
assert:
that:
- "copy_result6.changed"
- - "copy_result6.dest == '{{remote_dir_expanded}}/multiline.txt'"
+ - "copy_result6.dest == remote_dir_expanded ~ '/multiline.txt'"
- "copy_result6.checksum == '9cd0697c6a9ff6689f0afb9136fa62e0b3fee903'"
# test overwriting a file as an unprivileged user (pull request #8624)
@@ -2060,26 +2060,26 @@
assert:
that:
- testcase5 is changed
- - "stat_new_dir_with_chown.stat.uid == {{ ansible_copy_test_user.uid }}"
- - "stat_new_dir_with_chown.stat.gid == {{ ansible_copy_test_group.gid }}"
- - "stat_new_dir_with_chown.stat.pw_name == '{{ ansible_copy_test_user_name }}'"
- - "stat_new_dir_with_chown.stat.gr_name == '{{ ansible_copy_test_user_name }}'"
- - "stat_new_dir_with_chown_file1.stat.uid == {{ ansible_copy_test_user.uid }}"
- - "stat_new_dir_with_chown_file1.stat.gid == {{ ansible_copy_test_group.gid }}"
- - "stat_new_dir_with_chown_file1.stat.pw_name == '{{ ansible_copy_test_user_name }}'"
- - "stat_new_dir_with_chown_file1.stat.gr_name == '{{ ansible_copy_test_user_name }}'"
- - "stat_new_dir_with_chown_subdir.stat.uid == {{ ansible_copy_test_user.uid }}"
- - "stat_new_dir_with_chown_subdir.stat.gid == {{ ansible_copy_test_group.gid }}"
- - "stat_new_dir_with_chown_subdir.stat.pw_name == '{{ ansible_copy_test_user_name }}'"
- - "stat_new_dir_with_chown_subdir.stat.gr_name == '{{ ansible_copy_test_user_name }}'"
- - "stat_new_dir_with_chown_subdir_file12.stat.uid == {{ ansible_copy_test_user.uid }}"
- - "stat_new_dir_with_chown_subdir_file12.stat.gid == {{ ansible_copy_test_group.gid }}"
- - "stat_new_dir_with_chown_subdir_file12.stat.pw_name == '{{ ansible_copy_test_user_name }}'"
- - "stat_new_dir_with_chown_subdir_file12.stat.gr_name == '{{ ansible_copy_test_user_name }}'"
- - "stat_new_dir_with_chown_link_file12.stat.uid == {{ ansible_copy_test_user.uid }}"
- - "stat_new_dir_with_chown_link_file12.stat.gid == {{ ansible_copy_test_group.gid }}"
- - "stat_new_dir_with_chown_link_file12.stat.pw_name == '{{ ansible_copy_test_user_name }}'"
- - "stat_new_dir_with_chown_link_file12.stat.gr_name == '{{ ansible_copy_test_user_name }}'"
+ - "stat_new_dir_with_chown.stat.uid == ansible_copy_test_user.uid"
+ - "stat_new_dir_with_chown.stat.gid == ansible_copy_test_group.gid"
+ - "stat_new_dir_with_chown.stat.pw_name == ansible_copy_test_user_name"
+ - "stat_new_dir_with_chown.stat.gr_name == ansible_copy_test_user_name"
+ - "stat_new_dir_with_chown_file1.stat.uid == ansible_copy_test_user.uid"
+ - "stat_new_dir_with_chown_file1.stat.gid == ansible_copy_test_group.gid"
+ - "stat_new_dir_with_chown_file1.stat.pw_name == ansible_copy_test_user_name"
+ - "stat_new_dir_with_chown_file1.stat.gr_name == ansible_copy_test_user_name"
+ - "stat_new_dir_with_chown_subdir.stat.uid == ansible_copy_test_user.uid"
+ - "stat_new_dir_with_chown_subdir.stat.gid == ansible_copy_test_group.gid"
+ - "stat_new_dir_with_chown_subdir.stat.pw_name == ansible_copy_test_user_name"
+ - "stat_new_dir_with_chown_subdir.stat.gr_name == ansible_copy_test_user_name"
+ - "stat_new_dir_with_chown_subdir_file12.stat.uid == ansible_copy_test_user.uid"
+ - "stat_new_dir_with_chown_subdir_file12.stat.gid == ansible_copy_test_group.gid"
+ - "stat_new_dir_with_chown_subdir_file12.stat.pw_name == ansible_copy_test_user_name"
+ - "stat_new_dir_with_chown_subdir_file12.stat.gr_name == ansible_copy_test_user_name"
+ - "stat_new_dir_with_chown_link_file12.stat.uid == ansible_copy_test_user.uid"
+ - "stat_new_dir_with_chown_link_file12.stat.gid == ansible_copy_test_group.gid"
+ - "stat_new_dir_with_chown_link_file12.stat.pw_name == ansible_copy_test_user_name"
+ - "stat_new_dir_with_chown_link_file12.stat.gr_name == ansible_copy_test_user_name"
always:
- name: execute - remove the user for test
diff --git a/test/integration/targets/debug/runme.sh b/test/integration/targets/debug/runme.sh
index 5ccb1bfda6..05357c2a37 100755
--- a/test/integration/targets/debug/runme.sh
+++ b/test/integration/targets/debug/runme.sh
@@ -15,3 +15,5 @@ for i in 1 2 3; do
grep "ok: \[localhost\] => (item=$i)" out
grep "\"item\": $i" out
done
+
+ansible-playbook unsafe.yml "$@"
diff --git a/test/integration/targets/debug/unsafe.yml b/test/integration/targets/debug/unsafe.yml
new file mode 100644
index 0000000000..6a78af1a69
--- /dev/null
+++ b/test/integration/targets/debug/unsafe.yml
@@ -0,0 +1,13 @@
+- hosts: localhost
+ gather_facts: false
+ vars:
+ unsafe_var: !unsafe undef()|mandatory
+ tasks:
+ - debug:
+ var: '{{ unsafe_var }}'
+ ignore_errors: true
+ register: result
+
+ - assert:
+ that:
+ - result is successful
diff --git a/test/integration/targets/expect/tasks/main.yml b/test/integration/targets/expect/tasks/main.yml
index 0c408d282d..b46474367f 100644
--- a/test/integration/targets/expect/tasks/main.yml
+++ b/test/integration/targets/expect/tasks/main.yml
@@ -109,10 +109,15 @@
foo: bar
register: chdir_result
+- name: get output_dir real path
+ raw: >
+ {{ ansible_python_interpreter }} -c 'import os; os.chdir("{{output_dir}}"); print(os.getcwd())'
+ register: output_dir_real_path
+
- name: assert chdir works
assert:
that:
- - "'{{chdir_result.stdout |expanduser | realpath }}' == '{{output_dir | expanduser | realpath}}'"
+ - "chdir_result.stdout | trim == output_dir_real_path.stdout | trim"
- name: test timeout option
expect:
diff --git a/test/integration/targets/file/tasks/state_link.yml b/test/integration/targets/file/tasks/state_link.yml
index d9ac96740c..9e13eccbd1 100644
--- a/test/integration/targets/file/tasks/state_link.yml
+++ b/test/integration/targets/file/tasks/state_link.yml
@@ -196,7 +196,7 @@
- "missing_dst_no_follow_enable_force_use_mode2 is changed"
- "missing_dst_no_follow_enable_force_use_mode3 is not changed"
- "soft3_result['stat'].islnk"
- - "soft3_result['stat'].lnk_target == '{{ user.home }}/nonexistent'"
+ - "soft3_result['stat'].lnk_target == user.home ~ '/nonexistent'"
#
# Test creating a link to a directory https://github.com/ansible/ansible/issues/1369
diff --git a/test/integration/targets/find/tasks/main.yml b/test/integration/targets/find/tasks/main.yml
index 028d3cb45c..f8ea1a45f6 100644
--- a/test/integration/targets/find/tasks/main.yml
+++ b/test/integration/targets/find/tasks/main.yml
@@ -116,4 +116,90 @@
- name: assert we skipped the ogg file
assert:
that:
- - '"{{ output_dir_test }}/e/f/g/h/8.ogg" not in find_test3_list'
\ No newline at end of file
+ - 'output_dir_test ~ "/e/f/g/h/8.ogg" not in find_test3_list'
+
+- name: patterns with regex
+ find:
+ paths: "{{ output_dir_test }}"
+ recurse: yes
+ use_regex: true
+ patterns: .*\.ogg
+ register: find_test4
+
+- name: assert we matched the ogg file
+ assert:
+ that:
+ - output_dir_test ~ "/e/f/g/h/8.ogg" in find_test4.files|map(attribute="path")
+
+- name: create our age/size testing sub-directory
+ file:
+ path: "{{ output_dir_test }}/astest"
+ state: directory
+
+- name: create test file with old timestamps
+ file:
+ path: "{{ output_dir_test }}/astest/old.txt"
+ state: touch
+ modification_time: "202001011200.0"
+
+- name: create test file with current timestamps
+ file:
+ path: "{{ output_dir_test }}/astest/new.txt"
+ state: touch
+
+- name: create hidden test file with current timestamps
+ file:
+ path: "{{ output_dir_test }}/astest/.hidden.txt"
+ state: touch
+
+- name: find files older than 1 week
+ find:
+ path: "{{ output_dir_test }}/astest"
+ age: 1w
+ hidden: true
+ register: result
+
+- set_fact:
+ astest_list: "{{ result.files|map(attribute='path') }}"
+
+- name: assert we only find the old file
+ assert:
+ that:
+ - result.matched == 1
+ - 'output_dir_test ~ "/astest/old.txt" in astest_list'
+
+- name: find files newer than 1 week
+ find:
+ path: "{{ output_dir_test }}/astest"
+ age: -1w
+ register: result
+
+- set_fact:
+ astest_list: "{{ result.files|map(attribute='path') }}"
+
+- name: assert we only find the current file
+ assert:
+ that:
+ - result.matched == 1
+ - 'output_dir_test ~ "/astest/new.txt" in astest_list'
+
+- name: add some content to the new file
+ shell: "echo hello world > {{ output_dir_test }}/astest/new.txt"
+
+- name: find files with MORE than 5 bytes, also get checksums
+ find:
+ path: "{{ output_dir_test }}/astest"
+ size: 5
+ hidden: true
+ get_checksum: true
+ register: result
+
+- set_fact:
+ astest_list: "{{ result.files|map(attribute='path') }}"
+
+- name: assert we only find the hello world file
+ assert:
+ that:
+ - result.matched == 1
+ - 'output_dir_test ~ "/astest/new.txt" in astest_list'
+ - '"checksum" in result.files[0]'
diff --git a/test/integration/targets/gathering_facts/test_gathering_facts.yml b/test/integration/targets/gathering_facts/test_gathering_facts.yml
index 5924a15649..c32bb3c8b8 100644
--- a/test/integration/targets/gathering_facts/test_gathering_facts.yml
+++ b/test/integration/targets/gathering_facts/test_gathering_facts.yml
@@ -371,7 +371,7 @@
- name: Test reading facts from default fact_path
assert:
that:
- - '"{{ ansible_local.testfact.fact_dir }}" == "default"'
+ - 'ansible_local.testfact.fact_dir == "default"'
- hosts: facthost9
tags: [ 'fact_local']
@@ -382,7 +382,7 @@
- name: Test reading facts from custom fact_path
assert:
that:
- - '"{{ ansible_local.testfact.fact_dir }}" == "custom"'
+ - 'ansible_local.testfact.fact_dir == "custom"'
- hosts: facthost20
tags: [ 'fact_facter_ohai' ]
diff --git a/test/integration/targets/git/tasks/depth.yml b/test/integration/targets/git/tasks/depth.yml
index 547f84f7b5..e0585ca39b 100644
--- a/test/integration/targets/git/tasks/depth.yml
+++ b/test/integration/targets/git/tasks/depth.yml
@@ -169,7 +169,7 @@
- name: DEPTH | check update arrived
assert:
that:
- - "{{ a_file.content | b64decode | trim }} == 3"
+ - a_file.content | b64decode | trim == "3"
- git_fetch is changed
- name: DEPTH | clear checkout_dir
diff --git a/test/integration/targets/git/tasks/localmods.yml b/test/integration/targets/git/tasks/localmods.yml
index 09a1326d58..0e0cf684ed 100644
--- a/test/integration/targets/git/tasks/localmods.yml
+++ b/test/integration/targets/git/tasks/localmods.yml
@@ -47,7 +47,7 @@
- name: LOCALMODS | check update arrived
assert:
that:
- - "{{ a_file.content | b64decode | trim }} == 2"
+ - a_file.content | b64decode | trim == "2"
- git_fetch_force is changed
- name: LOCALMODS | clear checkout_dir
@@ -105,7 +105,7 @@
- name: LOCALMODS | check update arrived
assert:
that:
- - "{{ a_file.content | b64decode | trim }} == 2"
+ - a_file.content | b64decode | trim == "2"
- git_fetch_force is changed
- name: LOCALMODS | clear checkout_dir
diff --git a/test/integration/targets/git/tasks/submodules.yml b/test/integration/targets/git/tasks/submodules.yml
index 647d1e23b4..1ba84afbde 100644
--- a/test/integration/targets/git/tasks/submodules.yml
+++ b/test/integration/targets/git/tasks/submodules.yml
@@ -32,7 +32,7 @@
- name: SUBMODULES | Ensure submodu1 is at the appropriate commit
assert:
- that: '{{ submodule1.stdout_lines | length }} == 2'
+ that: 'submodule1.stdout_lines | length == 2'
- name: SUBMODULES | clear checkout_dir
file:
@@ -53,7 +53,7 @@
- name: SUBMODULES | Ensure submodule1 is at the appropriate commit
assert:
- that: '{{ submodule1.stdout_lines | length }} == 4'
+ that: 'submodule1.stdout_lines | length == 4'
- name: SUBMODULES | Copy the checkout so we can run several different tests on it
command: 'cp -pr {{ checkout_dir }} {{ checkout_dir }}.bak'
@@ -84,8 +84,8 @@
- name: SUBMODULES | Ensure both submodules are at the appropriate commit
assert:
that:
- - '{{ submodule1.stdout_lines|length }} == 4'
- - '{{ submodule2.stdout_lines|length }} == 2'
+ - 'submodule1.stdout_lines|length == 4'
+ - 'submodule2.stdout_lines|length == 2'
- name: SUBMODULES | Remove checkout dir
@@ -112,7 +112,7 @@
- name: SUBMODULES | Ensure submodule1 is at the appropriate commit
assert:
- that: '{{ submodule1.stdout_lines | length }} == 5'
+ that: 'submodule1.stdout_lines | length == 5'
- name: SUBMODULES | Test that update with recursive found new submodules
@@ -121,4 +121,17 @@
- name: SUBMODULES | Enusre submodule2 is at the appropriate commit
assert:
- that: '{{ submodule2.stdout_lines | length }} == 4'
+ that: 'submodule2.stdout_lines | length == 4'
+
+- name: SUBMODULES | clear checkout_dir
+ file:
+ state: absent
+ path: "{{ checkout_dir }}"
+
+
+- name: SUBMODULES | Clone main submodule repository
+ git:
+ repo: "{{ repo_submodules }}"
+ dest: "{{ checkout_dir }}/test.gitdir"
+ version: 45c6c07ef10fd9e453d90207e63da1ce5bd3ae1e
+ recursive: yes
diff --git a/test/integration/targets/include_vars/tasks/main.yml b/test/integration/targets/include_vars/tasks/main.yml
index 799d7b26a6..3c5816b0d4 100644
--- a/test/integration/targets/include_vars/tasks/main.yml
+++ b/test/integration/targets/include_vars/tasks/main.yml
@@ -15,7 +15,7 @@
that:
- "testing == 789"
- "base_dir == 'environments/development'"
- - "{{ included_one_file.ansible_included_var_files | length }} == 1"
+ - "included_one_file.ansible_included_var_files | length == 1"
- "'vars/environments/development/all.yml' in included_one_file.ansible_included_var_files[0]"
- name: include the vars/environments/development/all.yml and save results in all
@@ -51,7 +51,7 @@
assert:
that:
- webapp_version is defined
- - "'file_without_extension' in '{{ include_without_file_extension.ansible_included_var_files | join(' ') }}'"
+ - "'file_without_extension' in include_without_file_extension.ansible_included_var_files | join(' ')"
- name: include every directory in vars
include_vars:
@@ -65,7 +65,7 @@
- "testing == 456"
- "base_dir == 'services'"
- "webapp_containers == 10"
- - "{{ include_every_dir.ansible_included_var_files | length }} == 7"
+ - "include_every_dir.ansible_included_var_files | length == 7"
- "'vars/all/all.yml' in include_every_dir.ansible_included_var_files[0]"
- "'vars/environments/development/all.yml' in include_every_dir.ansible_included_var_files[1]"
- "'vars/environments/development/services/webapp.yml' in include_every_dir.ansible_included_var_files[2]"
@@ -85,9 +85,9 @@
that:
- "testing == 789"
- "base_dir == 'environments/development'"
- - "{{ include_without_webapp.ansible_included_var_files | length }} == 4"
- - "'webapp.yml' not in '{{ include_without_webapp.ansible_included_var_files | join(' ') }}'"
- - "'file_without_extension' not in '{{ include_without_webapp.ansible_included_var_files | join(' ') }}'"
+ - "include_without_webapp.ansible_included_var_files | length == 4"
+ - "'webapp.yml' not in include_without_webapp.ansible_included_var_files | join(' ')"
+ - "'file_without_extension' not in include_without_webapp.ansible_included_var_files | join(' ')"
- name: include only files matching webapp.yml
include_vars:
@@ -101,9 +101,9 @@
- "testing == 101112"
- "base_dir == 'development/services'"
- "webapp_containers == 20"
- - "{{ include_match_webapp.ansible_included_var_files | length }} == 1"
+ - "include_match_webapp.ansible_included_var_files | length == 1"
- "'vars/environments/development/services/webapp.yml' in include_match_webapp.ansible_included_var_files[0]"
- - "'all.yml' not in '{{ include_match_webapp.ansible_included_var_files | join(' ') }}'"
+ - "'all.yml' not in include_match_webapp.ansible_included_var_files | join(' ')"
- name: include only files matching webapp.yml and store results in webapp
include_vars:
@@ -162,3 +162,7 @@
that:
- "'my_custom_service' == service_name_fqcn"
- "'my_custom_service' == service_name_tmpl_fqcn"
+
+- assert:
+ that:
+ - baz.ansible_facts.foo|type_debug != "AnsibleUnsafeText"
diff --git a/test/integration/targets/iosxr_lacp_interfaces/tests/cli/merged.yaml b/test/integration/targets/iosxr_lacp_interfaces/tests/cli/merged.yaml
index be5134091b..a2947d2959 100644
--- a/test/integration/targets/iosxr_lacp_interfaces/tests/cli/merged.yaml
+++ b/test/integration/targets/iosxr_lacp_interfaces/tests/cli/merged.yaml
@@ -24,17 +24,17 @@
- name: Assert that before dicts were correctly generated
assert:
- that: "{{ merged['before'] | symmetric_difference(result['before']) |length == 0 }}"
+ that: "merged['before'] | symmetric_difference(result['before']) |length == 0"
- name: Assert that correct set of commands were generated
assert:
that:
- - "{{ merged['commands'] | symmetric_difference(result['commands']) |length == 0 }}"
+ - "merged['commands'] | symmetric_difference(result['commands']) |length == 0"
- name: Assert that after dicts was correctly generated
assert:
that:
- - "{{ merged['after'] | symmetric_difference(result['after']) |length == 0 }}"
+ - "merged['after'] | symmetric_difference(result['after']) |length == 0"
- name: Merge the provided configuration with the existing running configuration (IDEMPOTENT)
iosxr_lacp_interfaces: *merged
@@ -49,6 +49,7 @@
- name: Assert that before dicts were correctly generated
assert:
that:
- - "{{ merged['after'] | symmetric_difference(result['before']) |length == 0 }}"
+ - "merged['after'] | symmetric_difference(result['before']) |length == 0"
+
always:
- include_tasks: _remove_config.yaml
diff --git a/test/integration/targets/iosxr_lacp_interfaces/tests/cli/replaced.yaml b/test/integration/targets/iosxr_lacp_interfaces/tests/cli/replaced.yaml
index 0dcb8505e0..ccf9d803b2 100644
--- a/test/integration/targets/iosxr_lacp_interfaces/tests/cli/replaced.yaml
+++ b/test/integration/targets/iosxr_lacp_interfaces/tests/cli/replaced.yaml
@@ -21,17 +21,17 @@
- name: Assert that correct set of commands were generated
assert:
that:
- - "{{ replaced['commands'] | symmetric_difference(result['commands']) |length == 0 }}"
+ - "replaced['commands'] | symmetric_difference(result['commands']) |length == 0"
- name: Assert that before dicts are correctly generated
assert:
that:
- - "{{ populate | symmetric_difference(result['before']) |length == 0 }}"
+ - "populate | symmetric_difference(result['before']) |length == 0"
- name: Assert that after dict is correctly generated
assert:
that:
- - "{{ replaced['after'] | symmetric_difference(result['after']) |length == 0 }}"
+ - "replaced['after'] | symmetric_difference(result['after']) |length == 0"
- name: Replace device configurations of listed interfaces with provided configurarions (IDEMPOTENT)
iosxr_lacp_interfaces: *replaced
@@ -46,7 +46,7 @@
- name: Assert that before dict is correctly generated
assert:
that:
- - "{{ replaced['after'] | symmetric_difference(result['before']) |length == 0 }}"
-
+ - "replaced['after'] | symmetric_difference(result['before']) |length == 0"
+
always:
- include_tasks: _remove_config.yaml
diff --git a/test/integration/targets/lookup_properties/test_lookup_properties.yml b/test/integration/targets/lookup_properties/test_lookup_properties.yml
index a8cad9de48..7c33a70b0b 100644
--- a/test/integration/targets/lookup_properties/test_lookup_properties.yml
+++ b/test/integration/targets/lookup_properties/test_lookup_properties.yml
@@ -10,7 +10,7 @@
test_dot: "{{lookup('ini', 'value.dot type=properties file=lookup.properties')}}"
field_with_space: "{{lookup('ini', 'field.with.space type=properties file=lookup.properties')}}"
- assert:
- that: "{{item}} is defined"
+ that: "item is defined"
with_items: [ 'test1', 'test2', 'test_dot', 'field_with_space' ]
- name: "read ini value"
set_fact:
diff --git a/test/integration/targets/module_precedence/modules_test_multiple_roles.yml b/test/integration/targets/module_precedence/modules_test_multiple_roles.yml
index f4bd264957..182c2158e8 100644
--- a/test/integration/targets/module_precedence/modules_test_multiple_roles.yml
+++ b/test/integration/targets/module_precedence/modules_test_multiple_roles.yml
@@ -14,4 +14,4 @@
- assert:
that:
- '"location" in result'
- - 'result["location"] == "{{ expected_location}}"'
+ - 'result["location"] == expected_location'
diff --git a/test/integration/targets/module_precedence/modules_test_multiple_roles_reverse_order.yml b/test/integration/targets/module_precedence/modules_test_multiple_roles_reverse_order.yml
index 5403ae238c..ec5619f39e 100644
--- a/test/integration/targets/module_precedence/modules_test_multiple_roles_reverse_order.yml
+++ b/test/integration/targets/module_precedence/modules_test_multiple_roles_reverse_order.yml
@@ -13,4 +13,4 @@
- assert:
that:
- '"location" in result'
- - 'result["location"] == "{{ expected_location}}"'
+ - 'result["location"] == expected_location'
diff --git a/test/integration/targets/module_precedence/multiple_roles/bar/tasks/main.yml b/test/integration/targets/module_precedence/multiple_roles/bar/tasks/main.yml
index 52c3402013..62b38a7cb5 100644
--- a/test/integration/targets/module_precedence/multiple_roles/bar/tasks/main.yml
+++ b/test/integration/targets/module_precedence/multiple_roles/bar/tasks/main.yml
@@ -7,4 +7,4 @@
assert:
that:
- '"location" in result'
- - 'result["location"] == "{{ expected_location }}"'
+ - 'result["location"] == expected_location'
diff --git a/test/integration/targets/module_precedence/multiple_roles/foo/tasks/main.yml b/test/integration/targets/module_precedence/multiple_roles/foo/tasks/main.yml
index 52c3402013..62b38a7cb5 100644
--- a/test/integration/targets/module_precedence/multiple_roles/foo/tasks/main.yml
+++ b/test/integration/targets/module_precedence/multiple_roles/foo/tasks/main.yml
@@ -7,4 +7,4 @@
assert:
that:
- '"location" in result'
- - 'result["location"] == "{{ expected_location }}"'
+ - 'result["location"] == expected_location'
diff --git a/test/integration/targets/script/tasks/main.yml b/test/integration/targets/script/tasks/main.yml
index f1746f7c48..3a10a1fec4 100644
--- a/test/integration/targets/script/tasks/main.yml
+++ b/test/integration/targets/script/tasks/main.yml
@@ -197,7 +197,7 @@
assert:
that:
- _check_mode_test2 is skipped
- - '_check_mode_test2.msg == "{{ output_dir_test | expanduser }}/afile2.txt exists, matching creates option"'
+ - '_check_mode_test2.msg == output_dir_test | expanduser ~ "/afile2.txt exists, matching creates option"'
- name: Remove afile2.txt
file:
@@ -219,7 +219,7 @@
assert:
that:
- _check_mode_test3 is skipped
- - '_check_mode_test3.msg == "{{ output_dir_test | expanduser }}/afile2.txt does not exist, matching removes option"'
+ - '_check_mode_test3.msg == output_dir_test | expanduser ~ "/afile2.txt does not exist, matching removes option"'
# executable
diff --git a/test/integration/targets/slurp/tasks/main.yml b/test/integration/targets/slurp/tasks/main.yml
index 4f3556fad4..fd61b7f4bc 100644
--- a/test/integration/targets/slurp/tasks/main.yml
+++ b/test/integration/targets/slurp/tasks/main.yml
@@ -33,7 +33,7 @@
- 'slurp_existing.encoding == "base64"'
- 'slurp_existing is not changed'
- 'slurp_existing is not failed'
- - '"{{ slurp_existing.content | b64decode }}" == "We are at the café"'
+ - 'slurp_existing.content | b64decode == "We are at the café"'
- name: Create a binary file to test with
copy:
diff --git a/test/integration/targets/template/tasks/main.yml b/test/integration/targets/template/tasks/main.yml
index da80343686..daed110855 100644
--- a/test/integration/targets/template/tasks/main.yml
+++ b/test/integration/targets/template/tasks/main.yml
@@ -356,7 +356,7 @@
- assert:
that:
- "\"foo t'e~m\\plated\" in unusual_results.stdout_lines"
- - "{{unusual_results.stdout_lines| length}} == 1"
+ - "unusual_results.stdout_lines| length == 1"
- name: check that the unusual filename can be checked for changes
template:
diff --git a/test/integration/targets/unarchive/tasks/test_mode.yml b/test/integration/targets/unarchive/tasks/test_mode.yml
index c69e3bd2b2..06fbc7b8d9 100644
--- a/test/integration/targets/unarchive/tasks/test_mode.yml
+++ b/test/integration/targets/unarchive/tasks/test_mode.yml
@@ -24,7 +24,7 @@
- "unarchive06_stat.stat.mode == '0600'"
# Verify that file list is generated
- "'files' in unarchive06"
- - "{{unarchive06['files']| length}} == 1"
+ - "unarchive06['files']| length == 1"
- "'foo-unarchive.txt' in unarchive06['files']"
- name: remove our tar.gz unarchive destination
@@ -74,7 +74,7 @@
- "unarchive07.changed == false"
# Verify that file list is generated
- "'files' in unarchive07"
- - "{{unarchive07['files']| length}} == 1"
+ - "unarchive07['files']| length == 1"
- "'foo-unarchive.txt' in unarchive07['files']"
- name: remove our tar.gz unarchive destination
@@ -108,7 +108,7 @@
- "unarchive08_stat.stat.mode == '0601'"
# Verify that file list is generated
- "'files' in unarchive08"
- - "{{unarchive08['files']| length}} == 3"
+ - "unarchive08['files']| length == 3"
- "'foo-unarchive.txt' in unarchive08['files']"
- "'foo-unarchive-777.txt' in unarchive08['files']"
- "'FOO-UNAR.TXT' in unarchive08['files']"
@@ -140,7 +140,7 @@
- "unarchive08_stat.stat.mode == '0601'"
# Verify that file list is generated
- "'files' in unarchive08"
- - "{{unarchive08['files']| length}} == 3"
+ - "unarchive08['files']| length == 3"
- "'foo-unarchive.txt' in unarchive08['files']"
- "'foo-unarchive-777.txt' in unarchive08['files']"
- "'FOO-UNAR.TXT' in unarchive08['files']"
diff --git a/test/integration/targets/unarchive/tasks/test_unprivileged_user.yml b/test/integration/targets/unarchive/tasks/test_unprivileged_user.yml
index 6181e3bd62..b3653c0872 100644
--- a/test/integration/targets/unarchive/tasks/test_unprivileged_user.yml
+++ b/test/integration/targets/unarchive/tasks/test_unprivileged_user.yml
@@ -48,7 +48,7 @@
- unarchive10 is changed
# Verify that file list is generated
- "'files' in unarchive10"
- - "{{unarchive10['files']| length}} == 1"
+ - "unarchive10['files']| length == 1"
- "'foo-unarchive.txt' in unarchive10['files']"
- archive_path.stat.exists
diff --git a/test/integration/targets/unarchive/tasks/test_zip.yml b/test/integration/targets/unarchive/tasks/test_zip.yml
index aae57d8ec9..d11c5f7223 100644
--- a/test/integration/targets/unarchive/tasks/test_zip.yml
+++ b/test/integration/targets/unarchive/tasks/test_zip.yml
@@ -17,7 +17,7 @@
- "unarchive03.changed == true"
# Verify that file list is generated
- "'files' in unarchive03"
- - "{{unarchive03['files']| length}} == 3"
+ - "unarchive03['files']| length == 3"
- "'foo-unarchive.txt' in unarchive03['files']"
- "'foo-unarchive-777.txt' in unarchive03['files']"
- "'FOO-UNAR.TXT' in unarchive03['files']"
diff --git a/test/integration/targets/vault/roles/test_vault_embedded/tasks/main.yml b/test/integration/targets/vault/roles/test_vault_embedded/tasks/main.yml
index eba938966d..98ef751b86 100644
--- a/test/integration/targets/vault/roles/test_vault_embedded/tasks/main.yml
+++ b/test/integration/targets/vault/roles/test_vault_embedded/tasks/main.yml
@@ -2,7 +2,7 @@
- name: Assert that a embedded vault of a string with no newline works
assert:
that:
- - '"{{ vault_encrypted_one_line_var }}" == "Setec Astronomy"'
+ - 'vault_encrypted_one_line_var == "Setec Astronomy"'
- name: Assert that a multi line embedded vault works, including new line
assert:
diff --git a/test/integration/targets/vault/roles/test_vault_file_encrypted_embedded/tasks/main.yml b/test/integration/targets/vault/roles/test_vault_file_encrypted_embedded/tasks/main.yml
index e09004a1d9..107e65cb11 100644
--- a/test/integration/targets/vault/roles/test_vault_file_encrypted_embedded/tasks/main.yml
+++ b/test/integration/targets/vault/roles/test_vault_file_encrypted_embedded/tasks/main.yml
@@ -2,7 +2,7 @@
- name: Assert that a vault encrypted file with embedded vault of a string with no newline works
assert:
that:
- - '"{{ vault_file_encrypted_with_encrypted_one_line_var }}" == "Setec Astronomy"'
+ - 'vault_file_encrypted_with_encrypted_one_line_var == "Setec Astronomy"'
- name: Assert that a vault encrypted file with multi line embedded vault works, including new line
assert:
diff --git a/test/integration/targets/vyos_config/tests/cli/check_config.yaml b/test/integration/targets/vyos_config/tests/cli/check_config.yaml
index 65076b3c54..30c43599af 100644
--- a/test/integration/targets/vyos_config/tests/cli/check_config.yaml
+++ b/test/integration/targets/vyos_config/tests/cli/check_config.yaml
@@ -22,7 +22,7 @@
- name: Check that multiple duplicate lines collapse into a single commands
assert:
that:
- - "{{ result.commands|length }} == 1"
+ - "result.commands|length == 1"
- name: Check that set is correctly prepended
assert:
@@ -58,6 +58,6 @@
- assert:
that:
- - "{{ result.filtered|length }} == 2"
+ - "result.filtered|length == 2"
- debug: msg="END cli/config_check.yaml on connection={{ ansible_connection }}"
diff --git a/test/integration/targets/vyos_interfaces/tests/cli/deleted.yaml b/test/integration/targets/vyos_interfaces/tests/cli/deleted.yaml
index 5b08ea95f8..b2aa51fc77 100644
--- a/test/integration/targets/vyos_interfaces/tests/cli/deleted.yaml
+++ b/test/integration/targets/vyos_interfaces/tests/cli/deleted.yaml
@@ -16,17 +16,17 @@
- name: Assert that the before dicts were correctly generated
assert:
that:
- - "{{ populate | symmetric_difference(result['before']) |length == 0 }}"
+ - "populate | symmetric_difference(result['before']) |length == 0"
- name: Assert that the correct set of commands were generated
assert:
that:
- - "{{ deleted['commands'] | symmetric_difference(result['commands']) |length == 0 }}"
+ - "deleted['commands'] | symmetric_difference(result['commands']) |length == 0"
- name: Assert that the after dicts were correctly generated
assert:
that:
- - "{{ deleted['after'] | symmetric_difference(result['after']) |length == 0 }}"
+ - "deleted['after'] | symmetric_difference(result['after']) |length == 0"
- name: Delete attributes of given interfaces (IDEMPOTENT)
vyos_interfaces: *deleted
@@ -40,7 +40,6 @@
- name: Assert that the before dicts were correctly generated
assert:
that:
- - "{{ deleted['after'] | symmetric_difference(result['before']) |length == 0 }}"
-
+ - "deleted['after'] | symmetric_difference(result['before']) |length == 0"
always:
- include_tasks: _remove_config.yaml
diff --git a/test/integration/targets/vyos_interfaces/tests/cli/overridden.yaml b/test/integration/targets/vyos_interfaces/tests/cli/overridden.yaml
index 43040c1e67..4f2e323b36 100644
--- a/test/integration/targets/vyos_interfaces/tests/cli/overridden.yaml
+++ b/test/integration/targets/vyos_interfaces/tests/cli/overridden.yaml
@@ -22,17 +22,17 @@
- name: Assert that before dicts were correctly generated
assert:
that:
- - "{{ populate | symmetric_difference(result['before']) |length == 0 }}"
+ - "populate_intf | symmetric_difference(result['before']) |length == 0"
- name: Assert that correct commands were generated
assert:
that:
- - "{{ overridden['commands'] | symmetric_difference(result['commands']) |length == 0 }}"
+ - "overridden['commands'] | symmetric_difference(result['commands']) |length == 0"
- name: Assert that after dicts were correctly generated
assert:
that:
- - "{{ overridden['after'] | symmetric_difference(result['after']) |length == 0 }}"
+ - "overridden['after'] | symmetric_difference(result['after']) |length == 0"
- name: Overrides all device configuration with provided configurations (IDEMPOTENT)
vyos_interfaces: *overridden
@@ -46,7 +46,7 @@
- name: Assert that before dicts were correctly generated
assert:
that:
- - "{{ overridden['after'] | symmetric_difference(result['before']) |length == 0 }}"
-
+ - "overridden['after'] | symmetric_difference(result['before']) |length == 0"
+
always:
- include_tasks: _remove_config.yaml
diff --git a/test/integration/targets/wait_for/tasks/main.yml b/test/integration/targets/wait_for/tasks/main.yml
index 1898fd1253..7bdbdd951a 100644
--- a/test/integration/targets/wait_for/tasks/main.yml
+++ b/test/integration/targets/wait_for/tasks/main.yml
@@ -29,7 +29,7 @@
assert:
that:
- waitfor is successful
- - waitfor.path == "{{ output_dir | expanduser }}/wait_for_file"
+ - waitfor.path == output_dir | expanduser ~ "/wait_for_file"
- waitfor.elapsed >= 2
- waitfor.elapsed <= 15
@@ -47,7 +47,7 @@
assert:
that:
- waitfor is successful
- - waitfor.path == "{{ output_dir | expanduser }}/wait_for_file"
+ - waitfor.path == output_dir | expanduser ~ "/wait_for_file"
- waitfor.elapsed >= 2
- waitfor.elapsed <= 15
@@ -135,7 +135,7 @@
that:
- waitfor is successful
- waitfor is not changed
- - "waitfor.port == {{ http_port }}"
+ - "waitfor.port == http_port"
- name: install psutil using pip (non-Linux only)
pip:
@@ -163,4 +163,16 @@
that:
- waitfor is successful
- waitfor is not changed
- - "waitfor.port == {{ http_port }}"
+ - "waitfor.port == http_port"
+
+- name: test wait_for with delay
+ wait_for:
+ timeout: 2
+ delay: 2
+ register: waitfor
+
+- name: verify test wait_for with delay
+ assert:
+ that:
+ - waitfor is successful
+ - waitfor.elapsed >= 4
diff --git a/test/units/module_utils/common/test_collections.py b/test/units/module_utils/common/test_collections.py
index eb6e376a2c..95b2a402f2 100644
--- a/test/units/module_utils/common/test_collections.py
+++ b/test/units/module_utils/common/test_collections.py
@@ -35,8 +35,21 @@ class IterableStub:
return IteratorStub()
+class FakeAnsibleVaultEncryptedUnicode(Sequence):
+ __ENCRYPTED__ = True
+
+ def __init__(self, data):
+ self.data = data
+
+ def __getitem__(self, index):
+ return self.data[index]
+
+ def __len__(self):
+ return len(self.data)
+
+
TEST_STRINGS = u'he', u'Україна', u'Česká republika'
-TEST_STRINGS = TEST_STRINGS + tuple(s.encode('utf-8') for s in TEST_STRINGS)
+TEST_STRINGS = TEST_STRINGS + tuple(s.encode('utf-8') for s in TEST_STRINGS) + (FakeAnsibleVaultEncryptedUnicode(u'foo'),)
TEST_ITEMS_NON_SEQUENCES = (
{}, object(), frozenset(),
diff --git a/test/units/parsing/test_ajson.py b/test/units/parsing/test_ajson.py
index 929d19966d..c38f43ea57 100644
--- a/test/units/parsing/test_ajson.py
+++ b/test/units/parsing/test_ajson.py
@@ -158,6 +158,7 @@ class TestAnsibleJSONEncoder:
Test for passing AnsibleVaultEncryptedUnicode to AnsibleJSONEncoder.default().
"""
assert ansible_json_encoder.default(test_input) == {'__ansible_vault': expected}
+ assert json.dumps(test_input, cls=AnsibleJSONEncoder, preprocess_unsafe=True) == '{"__ansible_vault": "%s"}' % expected.replace('\n', '\\n')
@pytest.mark.parametrize(
'test_input,expected',
diff --git a/test/units/parsing/yaml/test_dumper.py b/test/units/parsing/yaml/test_dumper.py
index 8129ca3ab2..ee9ea8b07a 100644
--- a/test/units/parsing/yaml/test_dumper.py
+++ b/test/units/parsing/yaml/test_dumper.py
@@ -19,13 +19,16 @@ from __future__ import (absolute_import, division, print_function)
__metaclass__ = type
import io
+import yaml
+
+from jinja2.exceptions import UndefinedError
from units.compat import unittest
from ansible.parsing import vault
from ansible.parsing.yaml import dumper, objects
from ansible.parsing.yaml.loader import AnsibleLoader
from ansible.module_utils.six import PY2
-from ansible.utils.unsafe_proxy import AnsibleUnsafeText, AnsibleUnsafeBytes
+from ansible.template import AnsibleUndefined
from units.mock.yaml_helper import YamlTestUtils
from units.mock.vault_helper import TextVaultSecret
@@ -64,8 +67,7 @@ class TestAnsibleDumper(unittest.TestCase, YamlTestUtils):
def test_bytes(self):
b_text = u'tréma'.encode('utf-8')
- unsafe_object = AnsibleUnsafeBytes(b_text)
- yaml_out = self._dump_string(unsafe_object, dumper=self.dumper)
+ yaml_out = self._dump_string(b_text, dumper=self.dumper)
stream = self._build_stream(yaml_out)
loader = self._loader(stream)
@@ -92,8 +94,7 @@ class TestAnsibleDumper(unittest.TestCase, YamlTestUtils):
def test_unicode(self):
u_text = u'nöel'
- unsafe_object = AnsibleUnsafeText(u_text)
- yaml_out = self._dump_string(unsafe_object, dumper=self.dumper)
+ yaml_out = self._dump_string(u_text, dumper=self.dumper)
stream = self._build_stream(yaml_out)
loader = self._loader(stream)
@@ -101,3 +102,12 @@ class TestAnsibleDumper(unittest.TestCase, YamlTestUtils):
data_from_yaml = loader.get_single_data()
self.assertEqual(u_text, data_from_yaml)
+
+ def test_undefined(self):
+ undefined_object = AnsibleUndefined()
+ try:
+ yaml_out = self._dump_string(undefined_object, dumper=self.dumper)
+ except UndefinedError:
+ yaml_out = None
+
+ self.assertIsNone(yaml_out)
--
2.44.0
