From 3cbd134f7c347384172cf0cf7ce8db799ab6bb62 Mon Sep 17 00:00:00 2001
From: Markus Linnala
Date: Sat, 5 Aug 2023 18:53:52 +0300
Subject: [PATCH] robustness: fail if systemd.unit could have something in need of quote

Ensure systemd.unit contents is robust. This disables possibility to have something that needs to be quoted there. But as ansible lacks proper way to quote systemd unit files (see man systemd.syntax, rules are not shell rules), it is better to fail such configs. If you are trying to do that, you are doing it wrong anyway or have malicious intent. Also ensure similar issue with sysctl.conf. Issue can be seen with `tests_hostkeys_unsafe_path.yml`, when adding following to role params: sshd_install_service: true sshd_config_file: "{{ ansible_facts.env.TMPDIR }}/sshd.d/foo.conf" sshd_binary: "{{ ansible_facts.env.TMPDIR }}/sshd" __sshd_runtime_directory: "{{ ansible_facts.env.TMPDIR }}/run"
---
 tasks/install.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/tasks/install.yml b/tasks/install.yml
index e8e87d33..89e93f18 100644
--- a/tasks/install.yml
+++ b/tasks/install.yml
@@ -4,6 +4,23 @@
   when:
     - not __sshd_os_supported | bool
 
+- name: Ensure variables used in templates in shell or systemd unit contexts are okay
+  ansible.builtin.assert:
+    that:
+      - (sshd_sysconfig_use_strong_rng | string) == (sshd_sysconfig_use_strong_rng | quote)
+      - sshd_binary == (sshd_binary | quote)
+      - sshd_config_file == (sshd_config_file | quote)
+      - (__sshd_runtime_directory is none) or (__sshd_runtime_directory == (__sshd_runtime_directory | quote))
+      - __sshd_runtime_directory_mode == (__sshd_runtime_directory_mode | quote)
+    fail_msg: |
+      sshd_sysconfig_use_strong_rng: {{ sshd_sysconfig_use_strong_rng }} == {{ sshd_sysconfig_use_strong_rng | quote }}
+      sshd_binary: {{ sshd_binary }} == {{ sshd_binary | quote }}
+      sshd_config_file: {{ sshd_config_file }} == {{ sshd_config_file | quote }}
+      {%- if __sshd_runtime_directory is not none %}
+      __sshd_runtime_directory: {{ __sshd_runtime_directory }} == {{ __sshd_runtime_directory | quote }}
+      {% endif %}
+      __sshd_runtime_directory_mode: {{ __sshd_runtime_directory_mode }} == {{ __sshd_runtime_directory_mode | quote }}
+
 - name: Install ssh packages
   ansible.builtin.package:
     name: "{{ sshd_packages }}"
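Review bot: The `| quote` round-trip in the new `that:` conditions is shlex quoting, and shlex leaves `%` unquoted, so a `sshd_binary`, `sshd_config_file` or `__sshd_runtime_directory` value containing `%` passes the assertion yet is still read as a specifier (`%t`, `%i`, ...) by systemd once it lands in the unit file — the commit message itself notes that unit quoting rules are not shell rules. Adding `- "'%' not in sshd_binary"`, `- "'%' not in sshd_config_file"` and `- "(__sshd_runtime_directory is none) or ('%' not in __sshd_runtime_directory)"` to `that:` closes that gap at the point where the commit already chose to fail (escaping as `%%` in the template would be the alternative). Separately, the `-` in `{%- if` strips the newline that ends the `sshd_config_file:` line of `fail_msg`, so the entry that follows runs straight on from it in the rendered message; Ansible templates with trim_blocks enabled, so a plain `{% if __sshd_runtime_directory is not none %}` keeps one variable per line. A short comment above the task, e.g. `# shlex's safe character set is used as a proxy for both shell (sysconfig) and systemd unit contexts; values needing quotes are rejected rather than quoted`, would tell the next reader why plain paths with spaces fail here.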