use fileglob to lookup selinux module file (#155)

use `fileglob` to lookup selinux module file. This should use the same lookup path that `copy` `src` uses so that we can get the same semantics. The wrinkle is that the filename must have file glob characters escaped so that we do not do an actual `glob` lookup. Some of the selinux module files used in testing are moved to the `tests/files/selinux_modules/` directory so that we can test the file lookups, and some of the tests use an absolute path so we can verify that works too. One file was left in place to ensure that that scenario continues to work. A test was added to ensure that if a file name is passed that uses fileglob characters, it will be escaped and not matched.
linux-system-roles · Feb 9, 2023 · 33e0df1 · 33e0df1
1 parent 7a322f1
commit 33e0df1
Show file tree

Hide file tree

Showing 5 changed files with 37 additions and 9 deletions.
diff --git a/tasks/selinux_load_module.yml b/tasks/selinux_load_module.yml
@@ -1,17 +1,27 @@
 ---
 # NOTE: The use of `become: false` in the
-# `stat` is to avoid using a become method,
-# in order to work like the `file` lookup,
-# which cannot be used on EL7.
+# `stat` is to avoid using a become method.
+# NOTE: `fileglob` is the only lookup that will
+# look in the correct lookup path for files.  Yes,
+# I tried `first_file` and it did not work the same
+# way.  The wrinkle is that we do not want to match
+# file globs, so we escape any file glob patterns
+# in the string before using `fileglob`.
 - name: Prepare module installation
   when:
     - state == "enabled"
     - item.path is defined
   block:
     - name: Get checksum for {{ item.path }}
       stat:
-        path: "{{ item.path }}"
+        path: "{{ __resolved_file }}"
         checksum_algorithm: sha256
+      vars:
+        __esc: \\
+        __glob_pat: "([*?[])"
+        __escaped_file: "{{ item.path |
+          regex_replace(__glob_pat, __esc ~ '\\1') }}"
+        __resolved_file: "{{ lookup('fileglob', __escaped_file) }}"
       register: module_file
       delegate_to: localhost
       become: false

diff --git a/tests/linux-system-roles-selinux-test-a.pp → ...ules/linux-system-roles-selinux-test-a.pp b/tests/linux-system-roles-selinux-test-a.pp → ...ules/linux-system-roles-selinux-test-a.pp
diff --git a/tests/linux-system-roles-selinux-test-c.pp → ...ules/linux-system-roles-selinux-test-c.pp b/tests/linux-system-roles-selinux-test-c.pp → ...ules/linux-system-roles-selinux-test-c.pp
diff --git a/tests/tests_selinux_modules.yml b/tests/tests_selinux_modules.yml
@@ -5,13 +5,14 @@
     - name: Execute the role and catch errors
       vars:
         selinux_modules:
-          - {path: "linux-system-roles-selinux-test-a.pp"}
+          - {path: "selinux_modules/linux-system-roles-selinux-test-a.pp"}
           - {name: "linux-system-roles-selinux-test-a", state: "disabled"}
           - {name: "linux-system-roles-selinux-test-a", state: "enabled"}
           - {path: "linux-system-roles-selinux-test-b.pp", priority: "500"}
           - {name: "linux-system-roles-selinux-test-b", priority: "500",
              state: "disabled"}
-          - {path: "linux-system-roles-selinux-test-c.pp", priority: "600"}
+          # yamllint disable rule:line-length
+          - {path: "{{ playbook_dir }}/files/selinux_modules/linux-system-roles-selinux-test-c.pp", priority: "600"}
           - {name: "linux-system-roles-selinux-test-c", priority: "600",
              state: "absent"}
       when: ansible_distribution == "Fedora" or
@@ -73,12 +74,13 @@
     - name: Execute the role and catch errors
       vars:
         selinux_modules:
-          - {path: "linux-system-roles-selinux-test-a.pp"}
+          - {path: "selinux_modules/linux-system-roles-selinux-test-a.pp"}
           - {name: "linux-system-roles-selinux-test-a", state: "disabled"}
           - {name: "linux-system-roles-selinux-test-a", state: "enabled"}
           - {path: "linux-system-roles-selinux-test-b.pp", priority: "400"}
           - {name: "linux-system-roles-selinux-test-b", state: "disabled"}
-          - {path: "linux-system-roles-selinux-test-c.pp", priority: "200"}
+          # yamllint disable rule:line-length
+          - {path: "{{ playbook_dir }}/files/selinux_modules/linux-system-roles-selinux-test-c.pp", priority: "200"}
           - {name: "linux-system-roles-selinux-test-c", priority: "300",
              state: "absent"}
       when: ansible_distribution_major_version | int < 7 and
@@ -134,3 +136,19 @@
             - "semodule -r linux-system-roles-selinux-test-c"
           ignore_errors: true  # noqa ignore-errors
           changed_when: false
+    - name: Ensure file glob patterns do not work
+      block:
+        - name: Call the role with a fileglob pattern
+          include_role:
+            name: linux-system-roles.selinux
+          vars:
+            selinux_modules:
+              - {path: "selinux_modules/[lmno]?nux-system-roles-selinux-test-*.pp"}
+
+        - name: Should not get here
+          fail:
+            msg: UNREACH
+      rescue:
+        - name: Check the returned error
+          assert:
+            that: ansible_failed_result.msg != "UNREACH"
diff --git a/tests/tests_selinux_modules_checksum.yml b/tests/tests_selinux_modules_checksum.yml
@@ -8,7 +8,7 @@
         ansible_distribution_version is version("8.6", ">="))
       vars:
         selinux_modules:
-          - {path: "linux-system-roles-selinux-test-a.pp"}
+          - {path: "selinux_modules/linux-system-roles-selinux-test-a.pp"}
       block:
         - name: Execute the role
           include_role: