CVE-2019-14904 - solaris_zone module accepts zone name and performs actions related to that.
However, there is no user input validation done while performing actions.
A malicious user could provide a crafted zone name which allows executing commands
into the server manipulating the module behaviour.
Adding user input validation as per Solaris Zone documentation fixes this issue.
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Since older versions of paramiko do not require cryptography,
we cannot catch the exact exception from cryptography.
Remove other exceptions since we're catching everything now
Previously you'd get one of the following behaviours:
- A boto3 error
- Nothing would change
- An error that you're not allowed to change the strategy
So of the bahaviour would depend on the random order that AWS returns the list of all Placement Groups
* Use correct var, move cleanup for async
* Add changelog and tests. Fixes#65393. Fixes#65277.
* Kill off all long running async tasks from listen_ports_facts
* Update task to work with older jinja2
If user specifies a port number in vmware_vm_inventory plugin configuration,
then use that port to connect to vCenter rather than connecting to 443 which
is default port.
Fixes: #64096
* Finished implementing the "start" parameter to the nagios module. The backend functions already had it; this change just exposes it. This allows setting the time a Nagios outage begins rather than always starting at the time the module was run. If not provided, "start" defaults to the current time (preserving compability with existing playbooks).
* Changed default start time to None, as per comment by @goneri. This avoids initializing the variable twice.
* win_find - refactor to make more performance and use newer style
* win_find - refactor for performance improvements and alignment to find
* More path alignment to find
* Fix yamllint error
* Fix encrypt command output when using --stdin-name
Add a new line after reading input if input doesn't end with a new line
* Only print is we're in a tty
* Add changelog fragment
* Add test for print() call in module_utils and modules.
* Add changelog fragment.
* Add ignore.txt entries.
* Use blacklist plugin instead of adding a new.
* Update ignore.txt
Although it's not enforced that fail_json['msg'] should be a string
[1], I think it is pretty strongly implied.
In this case the failure_response['msg'] is sent through as the
fail_json['msg'], and the trailing commas here turn it into a tuple.
It's not clear if this is a typo or intended, but it does cause
problems for callbacks that expect this as a string (e.g. [2]).
Since there seems no point to having these values as a tuple, remove
the trailing commas so they return a string as per everywhere else.
[1] 4c589661c2/lib/ansible/module_utils/basic.py (L2078)
[2] https://review.opendev.org/#/c/696081
* win_share - Implement append paramtere for access rules
* changed fragment
* add test
* missing bracket
* removed whitespace
* Wrong number of lines
* Forgot the actual new parameter in the test
* community review
* Change option names
* version update
* Update tests.yml
* Add idempotence to rule_action: add
* Ensure `allow_duplicates: true` enables to run single role multiple times(#64902)
* Changed return value in `_load_roles` . Fixes#64902
* Add changelog fragment
* Add an integration test for the issue
* Fix changelog generation error and integration test.
* Fix yaml syntax error in changelog fragment
* The ssh key may be created manually prior the task execution with a
passphrase. And the task will be executed on the same key.
* The ssh key may be broken and not usable.
The module will check the private key and if the key is password
protected or broken, it will be overridden.
The check of the ssh key performed by retrieve the public key from the
private key.
Set the "self.force" check before the "isPrivateKeyValid" check.
In case of any issue with the "isPrivateKeyValid" function, the user
will be able to force the regeneration of the key with the "force: yes"
argument.
* ufw: escalate privileges in integration tests
A few of the integration tests for the UFW module forgot to `become`.
This is problematic if the test suite is executed as a non-privileged
user. This commit amends that by adding `become` when appropriate.
* ufw: add unit tests for direction and interface
Extend the unit tests for the UFW module to test the `direction` and
`interface` parameters. This will help in the implementation of a fix
for issue #63903.
* ufw: add support for interface_in and interface_out
The UFW module has support for specifying `direction` and `interface`
for UFW rules. Rules with these parameters are built such that
per-interface filtering only apply to a single direction based on the
value of `direction`.
Not being able to specify multiple interfaces complicates things for
`routed` rules where one might want to apply filtering only for a
specific combination of `in` and `out` interfaces.
This commit introduces two new parameters to the UFW module:
`interface_in` and `interface_out`. These rules are mutually exclusive
with the old `direction` and `interface` parameter because of the
ambiguity of having e.g.:
direction: XXX
interface: foo
interface_XXX: bar
Fixes#63903
* Elevate privileges for luks_device integration tests
Several tests in `key-management.yml` don't `become` before executing,
despite needing elevated privileges. This commit fixes that.
* Add passphrase support for luks_device
Previously, the luks_device module only worked with keyfiles. The
implication was that the key had to be written to disk before the module
could be used.
This commit implements support for opening, adding and removing
passphrases supplied as strings to the module.
Closes#52408
* proxmox: use 'release' key for version detection if possible
* proxmox: fix PEP issues
* add changelog fragment
* Uses LooseVersion for proxmox version detection
* move imports
* removes useless comment
* Replaced 'ansible_facts' by 'foreman_facts'
'foreman_facts' is the key that the foreman inventory script used
'ansible_facts' is a special key that is overwritten internally and has never worked in this inventory plugin
* Added changelog
Lookup 'first_found' returns empty list which results in
raw_params checking. Check NoneType for 'raw_params' before
proceeding.
Fixes: #64939
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
* Inventory CLI - Ignore settings for when vars plugins should run and just always run them
* Add note to porting guide
* Fix loading vars plugins
* changelog
* Remove a staging test for ansible-inventory since it ignores that setting
* docker_swarm_service: Sort lists when checking for changes
When two lists are checked for changes in this module, the lists are
reported changed when the order of the items is different. This PR
resolves this issue.
* docker_swarm_service: Minor typo fix
* docker_swarm_service: Another minor typo
* docker_swarm_service: Should use sorted(), not sort()
* docker_swarm_service: Sort lists of dictionaries
* docker_swarm_service: Fix style issues in tests
* docker_swarm_service: Updates to integration tests
* docker_swarm_service: Casting string types within lists when comparing
* docker_swarm_service: Special handling of unordered networks with ordered aliases
* docker_swarm_service: Sorting network lists
* docker_swarm_serivce: Better unit test code coverage for lists and networks
* docker_swarm_service: Fixed coding style for sanity tests
* docker_swarm_service: More coding style fixes
* docker_swarm_service: Ignoring test for Python < 3
* docker_swarm_service: Update to version info check for backwards compatibility
* docker_swarm_service: Added change fragment #63887
* docker_swarm_service: Better handling of missing sort key for dictionary of lists
* docker_swarm_service: Preventing sorts from modifying in-place
Co-Authored-By: Felix Fontein <felix@fontein.de>
* docker_swarm_service: Removed spurious import in test
* docker_swarm_service: Preventing sorts from modifying more data in-place
Co-Authored-By: Felix Fontein <felix@fontein.de>
* Set name_version when version is not specified, fix#55097
This will default to installing the latest version available
* Add changelog fragment
* update changelog
self._get_user_property returns a string, so when doing a comparison
using this value, cast the second variable to a string so that the
comparison behaves correctly
* Add changelog
* Add to_text import
* Add integration test
* iam_user: use AnsibleAWSModule.client to fetch connection rather than C&P code
* iam_role: Add deprecation warning so we can switch purge_polices default behaviour from true to false
* iam_user/role/group: Rename 'managed_policy' and 'purge_policy'
Rename from singluar to plural (we accept a *list* of policies), and add aliases for the old values.
* Cleanup documentation
* Changelog
* ansible.utils.color.stringc: add wrap_nonvisible_chars flag in stringc
* add exaplanation for `wrap_nonvisible_chars` case in utils.stringc
* add changelog entry
* reworked iam_policy
* Deprecate policy_document option
* deprecate defaulting skip_duplicates to true
* No longer explicitly catch ParamValidationError.
ParamValidationErrror is already caught by ClientError
* Work with complex policy objects rather than json documents
comparisons can better cope with the special cases (eg True vs "True" )
* Enable check_mode tests and fix related 'changed' bug
* changelog
* doc cleanup based on review
* Implementing ability to specify certificates.
* Changelog fragment for rabbitmq_publish certificate checking
* Fixing version_added
* Reducing line size.
* Minor documentation updates.
* Update to add missing space.
Co-Authored-By: Felix Fontein <felix@fontein.de>
If two tags with same name and different category exists, vmware_tag_manager
used to take first found tag.
This commit use combination of tag and category to identify the category.
Fixes: #59379
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
* Revert most of PR #61605 commit e218c9814c
This removes the git error handling that converted all git errors into warnings.
* Fix ansible-test handling of git submodules.
Due to confusion between 'Custom Attributes' and 'Advanced options',
this change got in devel. Revert to original behavior i.e. customizing
custom values using vmware_guest is done in this PR.
Fixes: #64291
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
* renamed module tls client auth parameters to avoid overlaping with ansible fetch_url
* added version_added info for params
* Updated version_added
Updated version_added info from 2.9 to 2.10
* Update pulp_repo.py
removed version_added for renamed params
* Apply suggestions from code review
added ca_cert alias and 'version_added'
Co-Authored-By: Mark Chappell <mchappel@redhat.com>
* Apply suggestions from code review
added old behavior for client_cert and client_key which will deprecate in 2.14
Co-Authored-By: Mark Chappell <mchappel@redhat.com>
* Update pulp_repo.py
fix for linting error ansibot is complaining
* added changelog fragment for 59522
* Apply suggestions from code review
more informative depreciation warning and changelog fragment
Co-Authored-By: Felix Fontein <felix@fontein.de>
* added mention for changes in client_key and client_cert behavior
* fixed too long line (linting)
* deprecated ca_cert alias to have consistent module params in Ansible 2.14
* fixed indentation for deprecation warning
* changed deprecated alias handling to argument_spec
* moved deprecated_aliases insied argument dict, thanks tremble
* suggestions from felixfontein
Move doc info about client_cert and client_key into its own paragraph
Co-Authored-By: Felix Fontein <felix@fontein.de>
* Add full IPv6 support to win_dns_client - Fixes#55962
* Fix missing cast
* Add type to win_dns_client.py
* Remove version_added again, to hopefully make ansibot happy. Even though it was added as a response to the bot...
* Fix $params undefined error, that was introduced by fixing the "global variable" linting issue
* Fix casting error
* Fix inverted logic
* Fix rebase error
* Fix assignment to readonly variable
* Fix "reset IPv4 DNS back to DHCP adapter_name"
* Fix legacy windows server support (2008/2008R2)
* Fix 2k8
* Remove unecessary pslint ignore
* Added IPv6 tests, changelog fragment and further docs