fix: write extra_vars into a file when call ansible-runner (#1343)

Treat all str values in extra_vars as unsafe. Write them to a yaml file
to be consumed by the ansible-runner.

Author: bzwei

src/aap_eda/core/utils/safe_yaml.py

@@ -0,0 +1,57 @@
+#  Copyright 2025 Red Hat, Inc.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+
+import yaml
+
+
+class UnsafeString(str):
+    pass
+
+
+def unsafe_string_representer(
+    dumper: yaml.SafeDumper, obj: UnsafeString
+) -> yaml.ScalarNode:
+    return dumper.represent_scalar("!unsafe", obj)
+
+
+def get_dumper() -> yaml.SafeDumper:
+    """Add representers to a YAML seriailizer."""
+    safe_dumper = yaml.SafeDumper
+    safe_dumper.add_representer(UnsafeString, unsafe_string_representer)
+    return safe_dumper
+
+
+def dump(filename: str, data: dict) -> None:
+    """Write data to a file as YAML with unsafe strings."""
+    if not isinstance(data, dict):
+        raise TypeError("Data must be a dictionary")
+
+    def transform_strings(data):
+        """Recursively transform any string type to UnsafeString."""
+        if isinstance(data, str):
+            return UnsafeString(data)
+        if isinstance(data, dict):
+            return {k: transform_strings(v) for k, v in data.items()}
+        if isinstance(data, list):
+            return [transform_strings(v) for v in data]
+        if isinstance(data, tuple):
+            return tuple(transform_strings(v) for v in data)
+        if isinstance(data, set):
+            return {transform_strings(v) for v in data}
+        return data
+
+    data = transform_strings(data)
+
+    with open(filename, "w") as f:
+        yaml.dump(data, f, Dumper=get_dumper())

src/aap_eda/services/project/scm.py

@@ -29,7 +29,7 @@
 
 from aap_eda.core.models import EdaCredential
 from aap_eda.core.types import StrPath
-from aap_eda.core.utils.credentials import inputs_from_store
+from aap_eda.core.utils import credentials, safe_yaml
 
 logger = logging.getLogger(__name__)
 
@@ -151,7 +151,9 @@ def clone(
         gpg_key_file = None
         gpg_home_dir = None
         if credential:
-            inputs = inputs_from_store(credential.inputs.get_secret_value())
+            inputs = credentials.inputs_from_store(
+                credential.inputs.get_secret_value()
+            )
             secret = inputs.get("password", "")
             key_data = inputs.get("ssh_key_data", "")
 
@@ -171,7 +173,7 @@ def clone(
                 key_password = inputs.get("ssh_key_unlock")
 
         if gpg_credential:
-            gpg_inputs = inputs_from_store(
+            gpg_inputs = credentials.inputs_from_store(
                 gpg_credential.inputs.get_secret_value()
             )
             gpg_key = gpg_inputs.get("gpg_public_key")
@@ -295,12 +297,15 @@ def __call__(
         env_vars: dict,
     ):
         with tempfile.TemporaryDirectory(prefix="EDA_RUNNER") as data_dir:
+            env_dir = os.path.join(data_dir, "env")
+            os.makedirs(env_dir)
+            safe_yaml.dump(os.path.join(env_dir, "extravars"), extra_vars)
+
             outputs = io.StringIO()
             with contextlib.redirect_stdout(outputs):
                 runner = ansible_runner.run(
                     private_data_dir=data_dir,
                     playbook=PLAYBOOK,
-                    extravars=extra_vars,
                     envvars=env_vars,
                 )
 
@@ -355,7 +360,4 @@ def is_refspec_valid(refspec: str, is_branch: bool) -> bool:
                 f"{result.returncode}"
             )
             return False
-        if is_branch and all(arg in refspec for arg in ["{{", "}}", "lookup"]):
-            logger.error(f"branch {refspec} is invalid")
-            return False
         return True

tests/unit/test_scm.py

@@ -245,7 +245,7 @@ def test_is_git_url_valid(url: str, expected: bool):
         ("refs/heads/branch1", False, True),
         ("@{-1}", True, False),
         ("branch1", True, True),
-        ("{{lookup('branch1')}}", True, False),
+        ("{{lookup('branch1')}}", True, True),
         ("{{lookup('branch1')}}", False, False),
     ],
 )

tests/unit/test_utils.py

@@ -12,6 +12,7 @@
 #  See the License for the specific language governing permissions and
 #  limitations under the License.
 
+import tempfile
 from importlib.metadata import PackageNotFoundError, version
 from unittest.mock import patch
 
@@ -21,6 +22,7 @@
 from drf_spectacular.utils import OpenApiParameter
 from rest_framework import serializers
 
+from aap_eda.core.utils import safe_yaml
 from aap_eda.core.utils.strings import extract_variables
 from aap_eda.utils import (
     get_package_version,
@@ -213,3 +215,43 @@ def test_identifier_with_invalid_first_character_raises():
     too_long = "1" + "a" * 62
     with pytest.raises(ValueError, match="invalid first character"):
         sanitize_postgres_identifier(too_long)
+
+
+TEST_YAML_DATA = {
+    "dict": {"a": "b", "c": "d"},
+    "list": ["a", "b", "c"],
+    "tuple": ("a", "b", "c"),
+    "set": {"a", "b", "c"},
+    "num": 300,
+}
+
+
+TEST_YAML_OUTPUT = """dict:
+  a: !unsafe 'b'
+  c: !unsafe 'd'
+list:
+- !unsafe 'a'
+- !unsafe 'b'
+- !unsafe 'c'
+num: 300
+set: !!set
+  !unsafe 'a': null
+  !unsafe 'b': null
+  !unsafe 'c': null
+tuple:
+- !unsafe 'a'
+- !unsafe 'b'
+- !unsafe 'c'
+"""
+
+
+def test_dump_safe_yaml():
+    with tempfile.NamedTemporaryFile() as f:
+        safe_yaml.dump(f.name, TEST_YAML_DATA)
+        with open(f.name) as f:
+            assert f.read() == TEST_YAML_OUTPUT
+
+
+def test_dump_safe_yaml_invalid_type():
+    with pytest.raises(TypeError, match="Data must be a dictionary"):
+        safe_yaml.dump("test", "test")