Add partially backwards compatible version of _fixup_perms. (#17427)

Also added a deprecation notice for _fixup_perms. Resolves issue #17352 (assumes custom actions use recursive=False). (cherry picked from commit 94a0d2afb4)
2016-09-06 16:49:59 -07:00 · 2016-09-06 16:49:59 -07:00 · 2587d2aaf9
commit 2587d2aaf9
parent e83840c3fd
10 changed files with 45 additions and 10 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -7,6 +7,19 @@ Ansible Changes By Release
 * Fix a bug with async's poll keyword not making use of ansible_python_interpreter to run (and thus breaking when /usr/bin/python is not present on the remote machine.)
 * Fix a bug where hosts that started with a range in inventory were being treated as an invalid section header.
 * Fix a bug where the fetch module was not idempotent when retrieving the target of a symlink.
+
+###Deprecations:
+
+* Deprecated the use of `_fixup_perms`. Use `_fixup_perms2` instead.
+  This change only impacts custom action plugins using `_fixup_perms`.
+
+###Incompatible Changes:
+
+* Use of `_fixup_perms` with `recursive=True` (the default) is no longer supported.
+  Custom action plugins using `_fixup_perms` will require changes unless they already use `recursive=False`.
+  Use `_fixup_perms2` if support for previous releases is not required.
+  Otherwise use `_fixup_perms` with `recursive=False`.
+
 ## 2.1.1 "The Song Remains the Same" - 07-28-2016

 ###Minor Changes:
--- a/lib/ansible/plugins/action/init.py
+++ b/lib/ansible/plugins/action/init.py
@ -293,7 +293,29 @@ class ActionBase(with_metaclass(ABCMeta, object)):

        return remote_path

-    def _fixup_perms(self, remote_paths, remote_user, execute=True):
+    def _fixup_perms(self, remote_path, remote_user, execute=True, recursive=True):
+        """
+        We need the files we upload to be readable (and sometimes executable)
+        by the user being sudo'd to but we want to limit other people's access
+        (because the files could contain passwords or other private
+        information.
+
+        Deprecated in favor of _fixup_perms2. Ansible code has been updated to
+        use _fixup_perms2. This code is maintained to provide partial support
+        for custom actions (non-recursive mode only).
+
+        """
+
+        display.deprecated('_fixup_perms is deprecated. Use _fixup_perms2 instead.', version='2.4', removed=False)
+
+        if recursive:
+            raise AnsibleError('_fixup_perms with recursive=True (the default) is no longer supported. ' +
+                               'Use _fixup_perms2 if support for previous releases is not required. '
+                               'Otherwise use fixup_perms with recursive=False.')
+
+        return self._fixup_perms2([remote_path], remote_user, execute)
+
+    def _fixup_perms2(self, remote_paths, remote_user, execute=True):
        """
        We need the files we upload to be readable (and sometimes executable)
        by the user being sudo'd to but we want to limit other people's access
@ -611,7 +633,7 @@ class ActionBase(with_metaclass(ABCMeta, object)):
        # Fix permissions of the tmp path and tmp files.  This should be
        # called after all files have been transferred.
        if remote_files:
-            self._fixup_perms(remote_files, remote_user)
+            self._fixup_perms2(remote_files, remote_user)

        cmd = ""
        in_data = None
--- a/lib/ansible/plugins/action/assemble.py
+++ b/lib/ansible/plugins/action/assemble.py
@ -153,7 +153,7 @@ class ActionModule(ActionBase):
            xfered = self._transfer_file(path, remote_path)

            # fix file permissions when the copy is done as a different user
-            self._fixup_perms((tmp, remote_path), remote_user)
+            self._fixup_perms2((tmp, remote_path), remote_user)

            new_module_args.update( dict( src=xfered,))

--- a/lib/ansible/plugins/action/async.py
+++ b/lib/ansible/plugins/action/async.py
@ -76,7 +76,7 @@ class ActionModule(ActionBase):
        if argsfile:
            remote_paths += argsfile,

-        self._fixup_perms(remote_paths, remote_user, execute=True)
+        self._fixup_perms2(remote_paths, remote_user, execute=True)

        async_limit = self._task.async
        async_jid   = str(random.randint(0, 999999999999))
--- a/lib/ansible/plugins/action/copy.py
+++ b/lib/ansible/plugins/action/copy.py
@ -230,7 +230,7 @@ class ActionModule(ActionBase):

                # fix file permissions when the copy is done as a different user
                if remote_path:
-                    self._fixup_perms((tmp, remote_path), remote_user)
+                    self._fixup_perms2((tmp, remote_path), remote_user)

                if raw:
                    # Continue to next iteration if raw is defined.
--- a/lib/ansible/plugins/action/patch.py
+++ b/lib/ansible/plugins/action/patch.py
@ -59,7 +59,7 @@ class ActionModule(ActionBase):
        tmp_src = self._connection._shell.join_path(tmp, os.path.basename(src))
        self._transfer_file(src, tmp_src)

-        self._fixup_perms((tmp, tmp_src), remote_user)
+        self._fixup_perms2((tmp, tmp_src), remote_user)

        new_module_args = self._task.args.copy()
        new_module_args.update(
--- a/lib/ansible/plugins/action/script.py
+++ b/lib/ansible/plugins/action/script.py
@ -79,7 +79,7 @@ class ActionModule(ActionBase):
        self._transfer_file(source, tmp_src)

        # set file permissions, more permissive when the copy is done as a different user
-        self._fixup_perms((tmp, tmp_src), remote_user, execute=True)
+        self._fixup_perms2((tmp, tmp_src), remote_user, execute=True)

        # add preparation steps to one ssh roundtrip executing the script
        env_string = self._compute_environment_string()
--- a/lib/ansible/plugins/action/template.py
+++ b/lib/ansible/plugins/action/template.py
@ -164,7 +164,7 @@ class ActionModule(ActionBase):
                xfered = self._transfer_data(self._connection._shell.join_path(tmp, 'source'), resultant)

                # fix file permissions when the copy is done as a different user
-                self._fixup_perms((tmp, xfered), remote_user)
+                self._fixup_perms2((tmp, xfered), remote_user)

                # run the copy module
                new_module_args.update(
--- a/lib/ansible/plugins/action/unarchive.py
+++ b/lib/ansible/plugins/action/unarchive.py
@ -93,7 +93,7 @@ class ActionModule(ActionBase):

        if copy:
            # fix file permissions when the copy is done as a different user
-            self._fixup_perms((tmp, tmp_src), remote_user)
+            self._fixup_perms2((tmp, tmp_src), remote_user)
            # Build temporary module_args.
            new_module_args = self._task.args.copy()
            new_module_args.update(
--- a/test/units/plugins/action/test_action.py
+++ b/test/units/plugins/action/test_action.py
@ -570,7 +570,7 @@ class TestActionBase(unittest.TestCase):
        action_base._transfer_data = MagicMock()
        action_base._compute_environment_string = MagicMock()
        action_base._low_level_execute_command = MagicMock()
-        action_base._fixup_perms = MagicMock()
+        action_base._fixup_perms2 = MagicMock()

        action_base._configure_module.return_value = ('new', '#!/usr/bin/python', 'this is the module data')
        action_base._late_needs_tmp_path.return_value = False