Add appliance/container tests for ansible-runner

This commit introduces Bats tests for ansible-runner to allow testing
the manageiq-ansible-venv installation. This tests cover ansible-runner
CLI tests as well as tests running through the Ansible::Runner Ruby
class, even without database access.

This commit also includes changes to Ansible::Runner itself to allow for
better detection of ansible and the manageiq-ansible-venv, allowing the
tests to run on the old appliances with python3.9 as well as the new
appliances with python3.12.

Author: Fryguy

config/brakeman.ignore

@@ -1,5 +1,28 @@
 {
   "ignored_warnings": [
+    {
+      "warning_type": "Command Injection",
+      "warning_code": 14,
+      "fingerprint": "7ead8455ac1333e286f0ffe378b2ecff77f3abe3e942866471d598851e0ef89f",
+      "check_name": "Execute",
+      "message": "Possible command injection",
+      "file": "lib/ansible/runner.rb",
+      "line": 452,
+      "link": "https://brakemanscanner.org/docs/warning_types/command_injection/",
+      "code": "`#{(File.join(venv_bin_path, \"ansible\") or \"ansible\")} --version 2>/dev/null`",
+      "render_path": null,
+      "location": {
+        "type": "method",
+        "class": "Ansible::Runner",
+        "method": "s(:self).ansible_python_version_raw"
+      },
+      "user_input": "File.join(venv_bin_path, \"ansible\")",
+      "confidence": "Medium",
+      "cwe_id": [
+        77
+      ],
+      "note": "This method is safe because it only uses hardcoded paths, which cannot be changed by user input."
+    },
     {
       "warning_type": "Unmaintained Dependency",
       "warning_code": 121,
@@ -22,18 +45,18 @@
     {
       "warning_type": "Command Injection",
       "warning_code": 14,
-      "fingerprint": "9a58ac820e59b1edb4530e27646edc1f328915a7a356d987397659b48c52239e",
+      "fingerprint": "a8efd255cf411737c44782259d6c4eff8e56c29a0249272a7ad317c2a5a2e816",
       "check_name": "Execute",
       "message": "Possible command injection",
       "file": "lib/ansible/runner.rb",
-      "line": 430,
+      "line": 446,
       "link": "https://brakemanscanner.org/docs/warning_types/command_injection/",
       "code": "`python#{version} -c 'import site; print(\":\".join(site.getsitepackages()))'`",
       "render_path": null,
       "location": {
         "type": "method",
         "class": "Ansible::Runner",
-        "method": "s(:self).ansible_python_paths_raw"
+        "method": "s(:self).ansible_python_path_raw"
       },
       "user_input": "version",
       "confidence": "Medium",
@@ -43,6 +66,6 @@
       "note": "This method is safe because it verifies that the version is in the form #.#."
     }
   ],
-  "updated": "2025-03-31 10:21:49 -0400",
+  "updated": "2025-06-13 18:54:18 -0400",
   "brakeman_version": "6.2.2"
 }

lib/ansible/content.rb

@@ -8,11 +8,11 @@ def initialize(path)
       @path = Pathname.new(path)
     end
 
-    def fetch_galaxy_roles
+    def fetch_galaxy_roles(env = {})
       return true unless requirements_file.exist?
 
       require "awesome_spawn"
-      AwesomeSpawn.run!("ansible-galaxy", :params => ["install", {:roles_path= => roles_dir, :role_file= => requirements_file}])
+      AwesomeSpawn.run!("ansible-galaxy", :env => env, :params => ["install", {:roles_path= => roles_dir, :role_file= => requirements_file}])
     end
 
     def self.fetch_plugin_galaxy_roles

lib/ansible/runner.rb

@@ -221,6 +221,8 @@ def run_via_cli(hosts, credentials, env_vars, extra_vars, tags: nil, ansible_run
 
         params = runner_params(base_dir, ansible_runner_method, playbook_or_role_args, verbosity)
 
+        # puts "#{env_vars_hash.map { |k, v| "#{k}=#{v}" }.join(" ")} #{AwesomeSpawn.build_command_line("ansible-runner", params)}"
+
         begin
           fetch_galaxy_roles(playbook_or_role_args)
 
@@ -317,11 +319,11 @@ def fetch_galaxy_roles(playbook_or_role_args)
         return unless playbook_or_role_args[:playbook]
 
         playbook_dir = File.dirname(playbook_or_role_args[:playbook])
-        Ansible::Content.new(playbook_dir).fetch_galaxy_roles
+        Ansible::Content.new(playbook_dir).fetch_galaxy_roles(runner_env)
       end
 
       def runner_env
-        {"PYTHONPATH" => python_path}.delete_nils
+        {"PYTHONPATH" => runner_python_path, "PATH" => runner_path}.compact
       end
 
       def credentials_info(credentials, base_dir)
@@ -408,20 +410,34 @@ def wait_for_listener_start(listener)
         end
       end
 
-      def python_path
-        @python_path ||= [manageiq_venv_path, *ansible_python_paths].compact.join(File::PATH_SEPARATOR)
+      def runner_python_path
+        @runner_python_path ||= [venv_python_path, ansible_python_path].compact.join(File::PATH_SEPARATOR)
+      end
+
+      def runner_path
+        @runner_path ||= [venv_bin_path, ENV["PATH"].presence].compact.join(File::PATH_SEPARATOR)
+      end
+
+      VENV_ROOT = "/var/lib/manageiq/venv".freeze
+
+      def venv_python_path
+        Dir.glob(File.join(VENV_ROOT, "lib/python*/site-packages")).first
       end
 
-      def manageiq_venv_path
-        Dir.glob("/var/lib/manageiq/venv/lib/python*/site-packages").first
+      def venv_bin_path
+        Dir.glob(File.join(VENV_ROOT, "bin")).first
       end
 
-      def ansible_python_paths
-        ansible_python_paths_raw(ansible_python_version).chomp.split(":")
+      def ansible_python_path
+        ansible_python_path_raw(ansible_python_version).presence
+      end
+
+      def ansible_python_version
+        ansible_python_version_raw.match(/python version = (\d+\.\d+)\./)&.captures&.first
       end
 
       # NOTE: This method is ignored by brakeman in the config/brakeman.ignore
-      def ansible_python_paths_raw(version)
+      def ansible_python_path_raw(version)
         return "" if version.blank?
 
         # This check allows us to ignore the brakeman warning about command line injection
@@ -430,12 +446,10 @@ def ansible_python_paths_raw(version)
         `python#{version} -c 'import site; print(":".join(site.getsitepackages()))'`.chomp
       end
 
-      def ansible_python_version
-        ansible_python_version_raw.match(/python version = (\d+\.\d+)\./)&.captures&.first
-      end
-
+      # NOTE: This method is ignored by brakeman in the config/brakeman.ignore
       def ansible_python_version_raw
-        `ansible --version 2>/dev/null`.chomp
+        ansible = venv_bin_path ? File.join(venv_bin_path, "ansible") : "ansible"
+        `#{ansible} --version 2>/dev/null`.chomp
       end
     end
   end

lib/tasks/test_security_helper.rb

@@ -23,7 +23,7 @@ def self.brakeman(format: "human")
     app_path = Rails.root.to_s
     engine_paths = Vmdb::Plugins.paths.except(ManageIQ::Schema::Engine).values
 
-    puts "** Running brakeman in #{app_path}"
+    puts "** Running brakeman in #{app_path}#{" (interactive ignore)" if interactive_ignore}"
     puts "**   engines:"
     puts "**   - #{engine_paths.join("\n**   - ")}"
 

spec/lib/ansible/runner/data/aws.yml

@@ -0,0 +1,8 @@
+- name: Test aws collection
+  hosts: localhost
+  tasks:
+  - name: Connect to aws
+    amazon.aws.ec2_instance_info:
+      access_key: 'access_key'
+      secret_key: 'secret_key'
+      region: us-east-1

spec/lib/ansible/runner/data/vmware.yml

@@ -0,0 +1,9 @@
+- name: Test vmware collection
+  hosts: localhost
+  tasks:
+  - name: Connect to vcenter
+    community.vmware.vmware_vm_info:
+      hostname: 'vcenter_hostname'
+      username: 'vcenter_username'
+      password: 'vcenter_password'
+      validate_certs: false

spec/lib/ansible/runner_execution_spec.bats

@@ -0,0 +1,202 @@
+#/usr/bin/env bats
+
+# This test file is for testing ansible-runner on a production appliance to verify
+# that the real installation is working as expected. It is a duplicate of the tests
+# in runner_execution_spec.rb but without the rspec and rspec-rails overhead.
+#
+# This test requires the Bats test framework to be installed
+#   macOS: brew install bats-core
+#   appliance: dnf install bats
+# as well as the bats-support and bats-assert plugins installed
+#   git clone https://github.com/bats-core/bats-support ~/.bats/libs/bats-support
+#   git clone https://github.com/bats-core/bats-assert ~/.bats/libs/bats-assert
+
+setup_file() {
+  export BATS_LIB_PATH="$HOME/.bats/libs:$BATS_LIB_PATH"
+
+  export PYTHON_VERSION="3.12"
+
+  export SCRIPT_DIR="$(cd "$(dirname "$BATS_TEST_FILENAME")" >/dev/null 2>&1 && pwd)"
+  export DATA_DIR="$SCRIPT_DIR/runner/data"
+  export TEST_DIR="/tmp/ansible-runner-test"
+  export ROLES_DIR="/tmp/ansible-runner-test-roles"
+  export VAULT_FILE="$TEST_DIR/vault_password"
+}
+
+setup() {
+  bats_load_library 'bats-support'
+  bats_load_library 'bats-assert'
+
+  rm -rf $TEST_DIR
+  rm -rf $ROLES_DIR
+
+  mkdir -p $TEST_DIR
+}
+
+teardown() {
+  rm -rf $DATA_DIR/hello_world_with_requirements_github/roles/manageiq.example
+}
+
+setup_roles_dir() {
+  # In prod builds, ansible-galaxy lives in the venv, so set up the PATH temporarily to install the roles
+  PATH="/var/lib/manageiq/venv/bin:$PATH"
+
+  roles_path="$1"
+  source_role_file="${2:-$1/requirements.yml}"
+  role_file="$roles_path/requirements.yml"
+  if [ "$source_role_file" != "$role_file" ]; then
+    mkdir -p $roles_path
+    cp $source_role_file $role_file
+  fi
+  ansible-galaxy install --roles-path=$roles_path --role-file=$role_file
+
+  PATH="${PATH#*:}"
+}
+
+################################################################################
+
+exec_ansible_runner_cli() {
+  PATH="/var/lib/manageiq/venv/bin:$PATH" \
+    PYTHONPATH="/var/lib/manageiq/venv/lib/python${PYTHON_VERSION}/site-packages:/usr/local/lib64/python${PYTHON_VERSION}/site-packages:/usr/local/lib/python${PYTHON_VERSION}/site-packages:/usr/lib64/python${PYTHON_VERSION}/site-packages:/usr/lib/python${PYTHON_VERSION}/site-packages" \
+    ansible-runner run $TEST_DIR --ident result --playbook $1 --project-dir $DATA_DIR
+}
+
+exec_ansible_runner_cli_role() {
+  PATH="/var/lib/manageiq/venv/bin:$PATH" \
+    PYTHONPATH="/var/lib/manageiq/venv/lib/python${PYTHON_VERSION}/site-packages:/usr/local/lib64/python${PYTHON_VERSION}/site-packages:/usr/local/lib/python${PYTHON_VERSION}/site-packages:/usr/lib64/python${PYTHON_VERSION}/site-packages:/usr/lib/python${PYTHON_VERSION}/site-packages" \
+    ansible-runner run $TEST_DIR --ident result --role $1 --roles-path $ROLES_DIR --role-skip-facts --hosts localhost
+}
+
+@test "[ansible-runner] runs a playbook" {
+  run exec_ansible_runner_cli hello_world.yml
+  assert_success
+  assert_output --partial '"msg": "Hello World!"'
+}
+
+@test "[ansible-runner] runs a playbook with variables in a vars file" {
+  run exec_ansible_runner_cli hello_world_vars_file.yml
+  assert_success
+  assert_output --partial '"msg": "Hello World! vars_file_1=vars_file_1_value, vars_file_2=vars_file_2_value"'
+}
+
+@test "[ansible-runner] runs a playbook with vault encrypted variables" {
+  echo -n "vault" >> $VAULT_FILE
+  ANSIBLE_VAULT_PASSWORD_FILE=$VAULT_FILE run exec_ansible_runner_cli hello_world_vault_encrypted_vars.yml
+  assert_success
+  assert_output --partial '"msg": "Hello World! (NOTE: This message has been encrypted with ansible-vault)"'
+}
+
+@test "[ansible-runner] runs a playbook with variables in a vault encrypted vars file" {
+  echo -n "vault" >> $VAULT_FILE
+  ANSIBLE_VAULT_PASSWORD_FILE=$VAULT_FILE run exec_ansible_runner_cli hello_world_vault_encrypted_vars_file.yml
+  assert_success
+  assert_output --partial '"msg": "Hello World! vars_file_1=vars_file_1_value, vars_file_2=vars_file_2_value"'
+}
+
+@test "[ansible-runner] runs a playbook using roles from github" {
+  setup_roles_dir $DATA_DIR/hello_world_with_requirements_github/roles
+
+  run exec_ansible_runner_cli hello_world_with_requirements_github/hello_world_with_requirements_github.yml
+  assert_success
+  assert_output --partial '"msg": "Hello World! example_var='\''example var value'\''"'
+}
+
+@test "[ansible-runner] runs a role" {
+  setup_roles_dir $ROLES_DIR $DATA_DIR/hello_world_with_requirements_github/roles/requirements.yml
+
+  run exec_ansible_runner_cli_role manageiq.example
+  assert_success
+  assert_output --partial '"msg": "Hello from manageiq.example role! example_var='\''example var value'\''"'
+}
+
+@test "[ansible-runner] vmware collection" {
+  if [ ! -d /var/lib/manageiq/venv ]; then
+    skip "manageiq venv collections are not present"
+  fi
+
+  run exec_ansible_runner_cli vmware.yml
+  assert_failure # We expect to this to fail due to connecting to an unknown vcenter
+  assert_output --partial '"msg": "Unknown error while connecting to vCenter or ESXi API at vcenter_hostname:443 : [Errno -2] Name or service not known"'
+}
+
+@test "[ansible-runner] aws collection" {
+  if [ ! -d /var/lib/manageiq/venv ]; then
+    skip "manageiq venv collections are not present"
+  fi
+
+  run exec_ansible_runner_cli aws.yml
+  assert_failure # We expect to this to fail due to connecting with bad creds
+  assert_output --partial '"msg": "Failed to describe instances: An error occurred (AuthFailure) when calling the DescribeInstances operation: AWS was not able to validate the provided access credentials"'
+}
+
+################################################################################
+
+exec_ansible_runner() {
+  rails runner "resp = Ansible::Runner.run({}, {}, '$DATA_DIR/$1'); puts resp.human_stdout; exit resp.return_code"
+}
+
+exec_ansible_runner_role() {
+  rails runner "resp = Ansible::Runner.run_role({}, {}, '$1', roles_path: '$ROLES_DIR'); puts resp.human_stdout; exit resp.return_code"
+}
+
+@test "[Ansible::Runner] runs a playbook" {
+  run exec_ansible_runner hello_world.yml
+  assert_success
+  assert_output --partial '"msg": "Hello World!"'
+}
+
+@test "[Ansible::Runner] runs a playbook with variables in a vars file" {
+  run exec_ansible_runner hello_world_vars_file.yml
+  assert_success
+  assert_output --partial '"msg": "Hello World! vars_file_1=vars_file_1_value, vars_file_2=vars_file_2_value"'
+}
+
+@test "[Ansible::Runner] runs a playbook with vault encrypted variables" {
+  skip "requires database access"
+
+  run exec_ansible_runner hello_world_vault_encrypted_vars.yml
+  assert_success
+  assert_output --partial '"msg": "Hello World! (NOTE: This message has been encrypted with ansible-vault)"'
+}
+
+@test "[Ansible::Runner] runs a playbook with variables in a vault encrypted vars file" {
+  skip "requires database access"
+
+  run exec_ansible_runner hello_world_vault_encrypted_vars_file.yml
+  assert_success
+  assert_output --partial '"msg": "Hello World! vars_file_1=vars_file_1_value, vars_file_2=vars_file_2_value"'
+}
+
+@test "[Ansible::Runner] runs a playbook using roles from github" {
+  run exec_ansible_runner hello_world_with_requirements_github/hello_world_with_requirements_github.yml
+  assert_success
+  assert_output --partial '"msg": "Hello World! example_var='\''example var value'\''"'
+}
+
+@test "[Ansible::Runner] runs a role" {
+  setup_roles_dir $ROLES_DIR $DATA_DIR/hello_world_with_requirements_github/roles/requirements.yml
+
+  run exec_ansible_runner_role manageiq.example
+  assert_success
+  assert_output --partial '"msg": "Hello from manageiq.example role! example_var='\''example var value'\''"'
+}
+
+@test "[Ansible::Runner] vmware collection" {
+  if [ ! -d /var/lib/manageiq/venv ]; then
+    skip "manageiq venv collections are not present"
+  fi
+
+  run exec_ansible_runner vmware.yml
+  assert_failure # We expect to this to fail due to connecting to an unknown vcenter
+  assert_output --partial '"msg": "Unknown error while connecting to vCenter or ESXi API at vcenter_hostname:443 : [Errno -2] Name or service not known"'
+}
+
+@test "[Ansible::Runner] aws collection" {
+  if [ ! -d /var/lib/manageiq/venv ]; then
+    skip "manageiq venv collections are not present"
+  fi
+
+  run exec_ansible_runner aws.yml
+  assert_failure # We expect to this to fail due to connecting with bad creds
+  assert_output --partial '"msg": "Failed to describe instances: An error occurred (AuthFailure) when calling the DescribeInstances operation: AWS was not able to validate the provided access credentials"'
+}