From 1debbff7ef4647584a42055260f9f608411657c1 Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Fri, 6 Sep 2024 14:59:21 +0200
Subject: [PATCH] Move the variable checks to separate file and explain better why this is problematic
Drops also the check for internal variables as the user should not bother with these.
Signed-off-by: Jakub Jelen
---
 tasks/check_vars.yml | 24 ++++++++++++++++++++++++
 tasks/install.yml | 18 ++----------------
 2 files changed, 26 insertions(+), 16 deletions(-)
 create mode 100644 tasks/check_vars.yml
diff --git a/tasks/check_vars.yml b/tasks/check_vars.yml
new file mode 100644
index 0000000..ec242fb
--- /dev/null
+++ b/tasks/check_vars.yml
@@ -0,0 +1,24 @@
+---
+- name: Ensure sshd_sysconfig_use_strong_rng is safe to use in shell/command
+ ansible.builtin.assert:
+ that:
+ - (sshd_sysconfig_use_strong_rng | string) == (sshd_sysconfig_use_strong_rng | quote)
+ msg: |
+ The variable `sshd_sysconfig_use_strong_rng` is not safe for shell/command/template expansions:
+ sshd_sysconfig_use_strong_rng: {{ sshd_sysconfig_use_strong_rng }} == {{ sshd_sysconfig_use_strong_rng | quote }}
+
+- name: Ensure sshd_binary is safe to use in shell/command
+ ansible.builtin.assert:
+ that:
+ - sshd_binary == (sshd_binary | quote)
+ msg: |
+ The variable `sshd_binary` is not safe for shell/command/template expansions:
+ sshd_binary: {{ sshd_binary }} == {{ sshd_binary | quote }}
+
+- name: Ensure sshd_config_file is safe to use in shell/command
+ ansible.builtin.assert:
+ that:
+ - sshd_config_file == (sshd_config_file | quote)
+ msg: |
+ The variable `sshd_sysconfig_use_strong_rng` is not safe for shell/command/template expansions:
+ sshd_config_file: {{ sshd_config_file }} == {{ sshd_config_file | quote }}
diff --git a/tasks/install.yml b/tasks/install.yml
index b9ae456..cbc4b7d 100644
--- a/tasks/install.yml
+++ b/tasks/install.yml
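Review bot: The failure message of the third assertion names the wrong variable: the `msg` of the "Ensure sshd_config_file is safe" task still says the variable `sshd_sysconfig_use_strong_rng` is not safe, so an operator whose `sshd_config_file` contains whitespace or shell metacharacters is pointed at a setting that is fine; the first message line should read "The variable `sshd_config_file` is not safe for shell/command/template expansions:". The check itself is sound for its stated purpose, because Ansible's `quote` filter is shlex.quote and returns the input unchanged only when every character is shell-safe, so any value with spaces, `$`, backticks, `;`, `&` or quotes is rejected before it can be word-split or injected in a shell, command or systemd unit context. Since the commit's aim is to explain why this matters, a short header comment in the new file saying exactly that — the value is expanded unquoted into shell/systemd templates, and `x == (x | quote)` holds only for values made of shell-safe characters — would make the messages self-explanatory.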
@@ -4,22 +4,8 @@
 when:
 - not __sshd_os_supported | bool
-- name: Ensure variables used in templates in shell or systemd unit contexts are okay
- ansible.builtin.assert:
- that:
- - (sshd_sysconfig_use_strong_rng | string) == (sshd_sysconfig_use_strong_rng | quote)
- - sshd_binary == (sshd_binary | quote)
- - sshd_config_file == (sshd_config_file | quote)
- - (__sshd_runtime_directory is none) or (__sshd_runtime_directory == (__sshd_runtime_directory | quote))
- - __sshd_runtime_directory_mode == (__sshd_runtime_directory_mode | quote)
- msg: |
- sshd_sysconfig_use_strong_rng: {{ sshd_sysconfig_use_strong_rng }} == {{ sshd_sysconfig_use_strong_rng | quote }}
- sshd_binary: {{ sshd_binary }} == {{ sshd_binary | quote }}
- sshd_config_file: {{ sshd_config_file }} == {{ sshd_config_file | quote }}
- {%- if __sshd_runtime_directory is not none %}
- __sshd_runtime_directory: {{ __sshd_runtime_directory }} == {{ __sshd_runtime_directory | quote }}
- {% endif %}
- __sshd_runtime_directory_mode: {{ __sshd_runtime_directory_mode }} == {{ __sshd_runtime_directory_mode | quote }}
+- name: Check variables are safe for use for shell expansions and word splitting
+ ansible.builtin.include_tasks: check_vars.yml
 - name: Install ssh packages
 ansible.builtin.package:
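Review bot: `ansible.builtin.include_tasks` is a dynamic include, so tags or a `when` placed on this task are not inherited by the assertions inside check_vars.yml; if this role is ever tagged and run with `--tags`/`--skip-tags`, the guard tasks can be filtered out while the later tasks that expand `sshd_binary` and `sshd_config_file` into shell or systemd contexts still execute. For a fixed file name a static `ansible.builtin.import_tasks: check_vars.yml` behaves the same but inherits tags and conditions, which keeps the check attached to the tasks it protects. Whether the role applies tags is not visible in this hunk, so this is a hardening suggestion rather than a reported breakage.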