Move the variable checks to separate file

and explain better why this is problematic Drops also the check for internal variables as the user should not bother with these. Signed-off-by: Jakub Jelen <[email protected]>
willshersystems · Sep 6, 2024 · 1debbff · 1debbff
1 parent 65aaa87
commit 1debbff
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 16 deletions.
diff --git a/tasks/check_vars.yml b/tasks/check_vars.yml
@@ -0,0 +1,24 @@
+---
+- name: Ensure sshd_sysconfig_use_strong_rng is safe to use in shell/command
+ ansible.builtin.assert:
+ that:
+ - (sshd_sysconfig_use_strong_rng | string) == (sshd_sysconfig_use_strong_rng | quote)
+ msg: |
+ The variable `sshd_sysconfig_use_strong_rng` is not safe for shell/command/template expansions:
+ sshd_sysconfig_use_strong_rng: {{ sshd_sysconfig_use_strong_rng }} == {{ sshd_sysconfig_use_strong_rng | quote }}
+
+- name: Ensure sshd_binary is safe to use in shell/command
+ ansible.builtin.assert:
+ that:
+ - sshd_binary == (sshd_binary | quote)
+ msg: |
+ The variable `sshd_binary` is not safe for shell/command/template expansions: 
+ sshd_binary: {{ sshd_binary }} == {{ sshd_binary | quote }}
+
+- name: Ensure sshd_config_file is safe to use in shell/command
+ ansible.builtin.assert:
+ that:
+ - sshd_config_file == (sshd_config_file | quote)
+ msg: |
+ The variable `sshd_sysconfig_use_strong_rng` is not safe for shell/command/template expansions: 
+ sshd_config_file: {{ sshd_config_file }} == {{ sshd_config_file | quote }}
diff --git a/tasks/install.yml b/tasks/install.yml
@@ -4,22 +4,8 @@
  when:
  - not __sshd_os_supported | bool
 
-- name: Ensure variables used in templates in shell or systemd unit contexts are okay
- ansible.builtin.assert:
- that:
- - (sshd_sysconfig_use_strong_rng | string) == (sshd_sysconfig_use_strong_rng | quote)
- - sshd_binary == (sshd_binary | quote)
- - sshd_config_file == (sshd_config_file | quote)
- - (__sshd_runtime_directory is none) or (__sshd_runtime_directory == (__sshd_runtime_directory | quote))
- - __sshd_runtime_directory_mode == (__sshd_runtime_directory_mode | quote)
- msg: |
- sshd_sysconfig_use_strong_rng: {{ sshd_sysconfig_use_strong_rng }} == {{ sshd_sysconfig_use_strong_rng | quote }}
- sshd_binary: {{ sshd_binary }} == {{ sshd_binary | quote }}
- sshd_config_file: {{ sshd_config_file }} == {{ sshd_config_file | quote }}
- {%- if __sshd_runtime_directory is not none %}
- __sshd_runtime_directory: {{ __sshd_runtime_directory }} == {{ __sshd_runtime_directory | quote }}
- {% endif %}
- __sshd_runtime_directory_mode: {{ __sshd_runtime_directory_mode }} == {{ __sshd_runtime_directory_mode | quote }}
+- name: Check variables are safe for use for shell expansions and word splitting
+ ansible.builtin.include_tasks: check_vars.yml
 
 - name: Install ssh packages
  ansible.builtin.package: