Merge pull request #23482 from Fryguy/add_ansible_runner_appliance_tests

Add appliance/container tests for ansible-runner

Author: bdunne

config/brakeman.ignore

@@ -1,5 +1,28 @@
 {
   "ignored_warnings": [
+    {
+      "warning_type": "Command Injection",
+      "warning_code": 14,
+      "fingerprint": "57a67fd8c12d36c64fa21e5e7a93eeb6eac1f6fd4e6a1666f98c503574c46360",
+      "check_name": "Execute",
+      "message": "Possible command injection",
+      "file": "lib/ansible/runner.rb",
+      "line": 451,
+      "link": "https://brakemanscanner.org/docs/warning_types/command_injection/",
+      "code": "`#{(File.join(venv_bin_path, \"ansible\") or \"ansible\")} --version 2>/dev/null`",
+      "render_path": null,
+      "location": {
+        "type": "method",
+        "class": "Ansible::Runner",
+        "method": "s(:self).ansible_version_raw"
+      },
+      "user_input": "File.join(venv_bin_path, \"ansible\")",
+      "confidence": "Medium",
+      "cwe_id": [
+        77
+      ],
+      "note": "This method is safe because it only uses hardcoded paths, which cannot be changed by user input."
+    },
     {
       "warning_type": "Unmaintained Dependency",
       "warning_code": 121,
@@ -22,18 +45,18 @@
     {
       "warning_type": "Command Injection",
       "warning_code": 14,
-      "fingerprint": "9a58ac820e59b1edb4530e27646edc1f328915a7a356d987397659b48c52239e",
+      "fingerprint": "c3234e1d86168cb0ac61761b99bdbbf493491fe9b1b5f808889c46e17a6aa781",
       "check_name": "Execute",
       "message": "Possible command injection",
       "file": "lib/ansible/runner.rb",
-      "line": 430,
+      "line": 445,
       "link": "https://brakemanscanner.org/docs/warning_types/command_injection/",
       "code": "`python#{version} -c 'import site; print(\":\".join(site.getsitepackages()))'`",
       "render_path": null,
       "location": {
         "type": "method",
         "class": "Ansible::Runner",
-        "method": "s(:self).ansible_python_paths_raw"
+        "method": "s(:self).python_path_raw"
       },
       "user_input": "version",
       "confidence": "Medium",
@@ -43,6 +66,6 @@
       "note": "This method is safe because it verifies that the version is in the form #.#."
     }
   ],
-  "updated": "2025-03-31 10:21:49 -0400",
+  "updated": "2025-06-16 22:28:03 -0400",
   "brakeman_version": "6.2.2"
 }

lib/ansible/content.rb

@@ -8,11 +8,11 @@ def initialize(path)
       @path = Pathname.new(path)
     end
 
-    def fetch_galaxy_roles
+    def fetch_galaxy_roles(env = {})
       return true unless requirements_file.exist?
 
       require "awesome_spawn"
-      AwesomeSpawn.run!("ansible-galaxy", :params => ["install", {:roles_path= => roles_dir, :role_file= => requirements_file}])
+      AwesomeSpawn.run!("ansible-galaxy", :env => env, :params => ["install", {:roles_path= => roles_dir, :role_file= => requirements_file}])
     end
 
     def self.fetch_plugin_galaxy_roles

lib/ansible/runner.rb

@@ -4,7 +4,14 @@ class << self
       def available?
         return @available if defined?(@available)
 
-        @available = system("which ansible-runner >/dev/null 2>&1")
+        @available = system(runner_env, "which ansible-runner >/dev/null 2>&1")
+      end
+
+      def runner_env
+        @runner_env ||= {
+          "PYTHONPATH" => [venv_python_path, ansible_python_path].compact.join(File::PATH_SEPARATOR),
+          "PATH"       => [venv_bin_path, ENV["PATH"].presence].compact.join(File::PATH_SEPARATOR)
+        }.delete_blanks
       end
 
       # Runs a playbook via ansible-runner, see: https://ansible-runner.readthedocs.io/en/latest/standalone.html#running-playbooks
@@ -221,6 +228,8 @@ def run_via_cli(hosts, credentials, env_vars, extra_vars, tags: nil, ansible_run
 
         params = runner_params(base_dir, ansible_runner_method, playbook_or_role_args, verbosity)
 
+        # puts "#{env_vars_hash.map { |k, v| "#{k}=#{v}" }.join(" ")} #{AwesomeSpawn.build_command_line("ansible-runner", params)}"
+
         begin
           fetch_galaxy_roles(playbook_or_role_args)
 
@@ -317,11 +326,7 @@ def fetch_galaxy_roles(playbook_or_role_args)
         return unless playbook_or_role_args[:playbook]
 
         playbook_dir = File.dirname(playbook_or_role_args[:playbook])
-        Ansible::Content.new(playbook_dir).fetch_galaxy_roles
-      end
-
-      def runner_env
-        {"PYTHONPATH" => python_path}.delete_nils
+        Ansible::Content.new(playbook_dir).fetch_galaxy_roles(runner_env)
       end
 
       def credentials_info(credentials, base_dir)
@@ -408,34 +413,42 @@ def wait_for_listener_start(listener)
         end
       end
 
-      def python_path
-        @python_path ||= [manageiq_venv_path, *ansible_python_paths].compact.join(File::PATH_SEPARATOR)
+      VENV_ROOT = "/var/lib/manageiq/venv".freeze
+
+      def venv_python_path
+        return @venv_python_path if defined?(@venv_python_path)
+
+        @venv_python_path = Dir.glob(File.join(VENV_ROOT, "lib/python#{ansible_python_version}/site-packages")).first
       end
 
-      def manageiq_venv_path
-        Dir.glob("/var/lib/manageiq/venv/lib/python*/site-packages").first
+      def venv_bin_path
+        return @venv_bin_path if defined?(@venv_bin_path)
+
+        @venv_bin_path = Dir.glob(File.join(VENV_ROOT, "bin")).first
+      end
+
+      def ansible_python_path
+        python_path_raw(ansible_python_version).presence
       end
 
-      def ansible_python_paths
-        ansible_python_paths_raw(ansible_python_version).chomp.split(":")
+      def ansible_python_version
+        ansible_version_raw.match(/python version = (\d+\.\d+)\./)&.captures&.first
       end
 
       # NOTE: This method is ignored by brakeman in the config/brakeman.ignore
-      def ansible_python_paths_raw(version)
+      def python_path_raw(version)
         return "" if version.blank?
 
         # This check allows us to ignore the brakeman warning about command line injection
-        raise "ansible python version is not a number: #{version}" unless version.match?(/^\d+\.\d+$/)
+        raise "python version is not a number: #{version}" unless version.match?(/^\d+\.\d+$/)
 
         `python#{version} -c 'import site; print(":".join(site.getsitepackages()))'`.chomp
       end
 
-      def ansible_python_version
-        ansible_python_version_raw.match(/python version = (\d+\.\d+)\./)&.captures&.first
-      end
-
-      def ansible_python_version_raw
-        `ansible --version 2>/dev/null`.chomp
+      # NOTE: This method is ignored by brakeman in the config/brakeman.ignore
+      def ansible_version_raw
+        ansible = venv_bin_path ? File.join(venv_bin_path, "ansible") : "ansible"
+        `#{ansible} --version 2>/dev/null`.chomp
       end
     end
   end

lib/tasks/test_security_helper.rb

@@ -23,7 +23,7 @@ def self.brakeman(format: "human")
     app_path = Rails.root.to_s
     engine_paths = Vmdb::Plugins.paths.except(ManageIQ::Schema::Engine).values
 
-    puts "** Running brakeman in #{app_path}"
+    puts "** Running brakeman in #{app_path}#{" (interactive ignore)" if interactive_ignore}"
     puts "**   engines:"
     puts "**   - #{engine_paths.join("\n**   - ")}"
 

spec/lib/ansible/content_spec.rb

@@ -8,6 +8,16 @@
   after { FileUtils.rm_rf(content_dir) }
 
   describe "#fetch_galaxy_roles" do
+    let(:expected_params) do
+      [
+        "install",
+        {
+          :roles_path= => roles_dir,
+          :role_file=  => roles_requirements
+        }
+      ]
+    end
+
     it "doesn't run anything if there is no requirements file" do
       expect(AwesomeSpawn).not_to receive(:run!)
 
@@ -18,12 +28,7 @@
       FileUtils.mkdir(roles_dir)
       FileUtils.touch(roles_requirements)
 
-      expected_params = [
-        "install",
-        {:roles_path= => roles_dir,
-        :role_file=  => roles_requirements}
-      ]
-      expect(AwesomeSpawn).to receive(:run!).with("ansible-galaxy", :params => expected_params)
+      expect(AwesomeSpawn).to receive(:run!).with("ansible-galaxy", :env => {}, :params => expected_params)
 
       subject.fetch_galaxy_roles
     end
@@ -32,14 +37,19 @@
       FileUtils.mkdir(roles_dir)
       FileUtils.touch(roles_requirements)
 
-      expected_params = [
-        "install",
-        {:roles_path= => roles_dir,
-        :role_file=  => roles_requirements}
-      ]
-      expect(AwesomeSpawn).to receive(:run!).with("ansible-galaxy", :params => expected_params)
+      expect(AwesomeSpawn).to receive(:run!).with("ansible-galaxy", :env => {}, :params => expected_params)
 
       described_class.new(content_dir.to_s).fetch_galaxy_roles
     end
+
+    it "accepts an env" do
+      FileUtils.mkdir(roles_dir)
+      FileUtils.touch(roles_requirements)
+      env = {"PYTHONPATH" => "/var/lib/manageiq/venv/python3.12/site-packages", "PATH" => "/var/lib/manageiq/venv/bin"}
+
+      expect(AwesomeSpawn).to receive(:run!).with("ansible-galaxy", :env => env, :params => expected_params)
+
+      subject.fetch_galaxy_roles(env)
+    end
   end
 end

spec/lib/ansible/runner/data/aws.yml

@@ -0,0 +1,8 @@
+- name: Test aws collection
+  hosts: localhost
+  tasks:
+  - name: Connect to aws
+    amazon.aws.ec2_instance_info:
+      access_key: 'access_key'
+      secret_key: 'secret_key'
+      region: us-east-1

spec/lib/ansible/runner/data/vmware.yml

@@ -0,0 +1,9 @@
+- name: Test vmware collection
+  hosts: localhost
+  tasks:
+  - name: Connect to vcenter
+    community.vmware.vmware_vm_info:
+      hostname: 'vcenter_hostname'
+      username: 'vcenter_username'
+      password: 'vcenter_password'
+      validate_certs: false