
Commit 22aa5f6

Merge pull request #53 from stackhpc/dev-786-stop-leaks
Prevent passwords and client keys being leaked when tasks fail
2 parents 681cfe2 + 6e5b2cd commit 22aa5f6

6 files changed

+138
-130
lines changed

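--- a/roles/pulp_content_guard/tasks/main.yml
+++ b/roles/pulp_content_guard/tasks/main.yml
@@ -5,13 +5,13 @@
 username: "{{ pulp_username }}"
 password: "{{ pulp_password }}"
 validate_certs: "{{ pulp_validate_certs | bool }}"
-name: "{{ item.name }}"
-description: "{{ item.description | default(omit) }}"
-ca_certificate: "{{ item.ca_certificate | default(omit) }}"
-state: "{{ item.state }}"
-with_items: "{{ pulp_content_guard_x509_cert_guards }}"
+name: "{{ pulp_content_guard_x509_cert_guards[cert_guard_index].name }}"
+description: "{{ pulp_content_guard_x509_cert_guards[cert_guard_index].description | default(omit) }}"
+ca_certificate: "{{ pulp_content_guard_x509_cert_guards[cert_guard_index].ca_certificate | default(omit) }}"
+state: "{{ pulp_content_guard_x509_cert_guards[cert_guard_index].state }}"
+loop: "{{ pulp_content_guard_x509_cert_guards | map(attribute='name') }}"
 loop_control:
-label: "{{ item.name }}"
+index_var: cert_guard_index
 
 - name: Ensure RBAC cert guards exist
 import_tasks: rbac/rbac.yml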
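Review bot: Nothing in the new loop says why it iterates over `map(attribute='name')` and then reads every field back through `pulp_content_guard_x509_cert_guards[cert_guard_index]`, so a later cleanup could restore `loop: "{{ pulp_content_guard_x509_cert_guards }}"` and put the whole entry back into the per-item output. A comment above the `loop:` line would pin the intent, for example `# Loop over names only: the loop item is printed in task results, so it must not carry the whole entry`. The index lookup is also only correct while the loop list keeps the order and length of the source list, so the comment should warn against adding `selectattr` or `sort` to the loop expression. The same pattern appears in roles/pulp_django_user/tasks/main.yml and in the four roles/pulp_repository/tasks files. The task's opening lines are outside the hunk.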

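--- a/roles/pulp_django_user/tasks/main.yml
+++ b/roles/pulp_django_user/tasks/main.yml
@@ -37,15 +37,15 @@
 Cookie: "{{ result_login.cookies_string }}"
 body:
 csrfmiddlewaretoken: "{{ result_login.cookies.csrftoken }}"
-username: "{{ item.username }}"
-password1: "{{ item.password }}"
-password2: "{{ item.password }}"
+username: "{{ pulp_django_users[user_index].username }}"
+password1: "{{ pulp_django_users[user_index].password }}"
+password2: "{{ pulp_django_users[user_index].password }}"
 body_format: form-urlencoded
 follow_redirects: all
 validate_certs: "{{ pulp_validate_certs | bool }}"
-loop: "{{ pulp_django_users }}"
+loop: "{{ pulp_django_users | map(attribute='username') }}"
 loop_control:
-label: "{{ item.username }}"
+index_var: user_index
 
 - name: Add or remove user from group(s)
 include_tasks: user_groups/add_or_remove_users.yml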
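Review bot: `password1` and `password2` are still templated into the `body` of this request, so the change to `loop` removes the password from the per-item `item` field but not from the task's own arguments. Whether those arguments can reach a log depends on verbosity and callback configuration, which this page does not show. If the task (its header is above the hunk) does not already set it, `no_log: true` would cover that path at the cost of hiding failure details. If that trade-off is unwanted, a comment such as `# body carries the password; avoid -vvv where output is stored or shared` would at least record the residual exposure.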

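--- a/roles/pulp_repository/tasks/container.yml
+++ b/roles/pulp_repository/tasks/container.yml
@@ -5,51 +5,53 @@
 username: "{{ pulp_username }}"
 password: "{{ pulp_password }}"
 validate_certs: "{{ pulp_validate_certs | bool }}"
-name: "{{ item.name }}"
-state: "{{ item.state }}"
-with_items: "{{ pulp_repository_container_repos }}"
+name: "{{ pulp_repository_container_repos[repository_index].name }}"
+state: "{{ pulp_repository_container_repos[repository_index].state }}"
+loop: "{{ pulp_repository_container_repos | map(attribute='name') }}"
 loop_control:
-label: "{{ item.name }}"
+index_var: repository_index
 
 - name: Setup container remotes
 pulp.squeezer.container_remote:
 pulp_url: "{{ pulp_url }}"
 username: "{{ pulp_username }}"
 password: "{{ pulp_password }}"
 validate_certs: "{{ pulp_validate_certs | bool }}"
-name: "{{ item.name }}-remote"
-ca_cert: "{{ item.ca_cert | default(omit) }}"
-client_cert: "{{ item.client_cert | default(omit) }}"
-client_key: "{{ item.client_key | default(omit) }}"
-download_concurrency: "{{ item.download_concurrency | default(omit) }}"
-exclude_tags: "{{ item.exclude_tags | default(omit) }}"
-include_tags: "{{ item.include_tags | default(omit) }}"
-policy: "{{ item.policy | default(omit) }}"
-proxy_url: "{{ item.proxy_url | default(omit) }}"
-proxy_username: "{{ item.proxy_username | default(omit) }}"
-proxy_password: "{{ item.proxy_password | default(omit) }}"
-remote_username: "{{ item.remote_username | default(omit) }}"
-remote_password: "{{ item.remote_password | default(omit) }}"
-tls_validation: "{{ item.tls_validation | default(omit) }}"
-upstream_name: "{{ item.upstream_name | default(item.name) }}"
-url: "{{ item.url | default(omit) }}"
-state: "{{ item.state }}"
-with_items: "{{ pulp_repository_container_repos }}"
-when: item.state == "absent" or item.url is defined
+name: "{{ pulp_repository_container_repos[repository_index].name }}-remote"
+ca_cert: "{{ pulp_repository_container_repos[repository_index].ca_cert | default(omit) }}"
+client_cert: "{{ pulp_repository_container_repos[repository_index].client_cert | default(omit) }}"
+client_key: "{{ pulp_repository_container_repos[repository_index].client_key | default(omit) }}"
+download_concurrency: "{{ pulp_repository_container_repos[repository_index].download_concurrency | default(omit) }}"
+exclude_tags: "{{ pulp_repository_container_repos[repository_index].exclude_tags | default(omit) }}"
+include_tags: "{{ pulp_repository_container_repos[repository_index].include_tags | default(omit) }}"
+policy: "{{ pulp_repository_container_repos[repository_index].policy | default(omit) }}"
+proxy_url: "{{ pulp_repository_container_repos[repository_index].proxy_url | default(omit) }}"
+proxy_username: "{{ pulp_repository_container_repos[repository_index].proxy_username | default(omit) }}"
+proxy_password: "{{ pulp_repository_container_repos[repository_index].proxy_password | default(omit) }}"
+remote_username: "{{ pulp_repository_container_repos[repository_index].remote_username | default(omit) }}"
+remote_password: "{{ pulp_repository_container_repos[repository_index].remote_password | default(omit) }}"
+tls_validation: "{{ pulp_repository_container_repos[repository_index].tls_validation | default(omit) }}"
+upstream_name: "{{ pulp_repository_container_repos[repository_index].upstream_name | default(pulp_repository_container_repos[repository_index].name) }}"
+url: "{{ pulp_repository_container_repos[repository_index].url | default(omit) }}"
+state: "{{ pulp_repository_container_repos[repository_index].state }}"
+when: >
+pulp_repository_container_repos[repository_index].state == "absent" or
+pulp_repository_container_repos[repository_index].url is defined
+loop: "{{ pulp_repository_container_repos | map(attribute='name') }}"
 loop_control:
-label: "{{ item.name }}"
+index_var: repository_index
 
 - name: Sync container remotes into repositories
 pulp.squeezer.container_sync:
 pulp_url: "{{ pulp_url }}"
 username: "{{ pulp_username }}"
 password: "{{ pulp_password }}"
 validate_certs: "{{ pulp_validate_certs | bool }}"
-repository: "{{ item.name }}"
-remote: "{{ item.name }}-remote"
-with_items: "{{ pulp_repository_container_repos }}"
+repository: "{{ pulp_repository_container_repos[repository_index].name }}"
+remote: "{{ pulp_repository_container_repos[repository_index].name }}-remote"
 when:
-- item.url is defined
-- item.state == "present"
+- pulp_repository_container_repos[repository_index].url is defined
+- pulp_repository_container_repos[repository_index].state == "present"
+loop: "{{ pulp_repository_container_repos | map(attribute='name') }}"
 loop_control:
-label: "{{ item.name }}"
+index_var: repository_index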
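Review bot: The expression `pulp_repository_container_repos[repository_index]` is now written out on every parameter of the three tasks, which makes the long lines hard to scan for the secret-bearing fields (`client_key`, `proxy_password`, `remote_password`). Binding it once per task keeps the loop item a bare name while shortening each line: `vars:` with `repo: "{{ pulp_repository_container_repos[repository_index] }}"`, then `client_key: "{{ repo.client_key | default(omit) }}"`. Task-level vars are templated per iteration and are not expected to be echoed with the loop item, but that should be confirmed against a deliberately failing run before relying on it. deb.yml, python.yml and rpm.yml repeat the same shape. The first task's header lies above the hunk.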

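--- a/roles/pulp_repository/tasks/deb.yml
+++ b/roles/pulp_repository/tasks/deb.yml
@@ -5,52 +5,54 @@
 username: "{{ pulp_username }}"
 password: "{{ pulp_password }}"
 validate_certs: "{{ pulp_validate_certs | bool }}"
-name: "{{ item.name }}"
-state: "{{ item.state }}"
-with_items: "{{ pulp_repository_deb_repos }}"
+name: "{{ pulp_repository_deb_repos[repository_index].name }}"
+state: "{{ pulp_repository_deb_repos[repository_index].state }}"
+loop: "{{ pulp_repository_deb_repos | map(attribute='name') }}"
 loop_control:
-label: "{{ item.name }}"
+index_var: repository_index
 
 - name: Setup DEB remotes
 pulp.squeezer.deb_remote:
 pulp_url: "{{ pulp_url }}"
 username: "{{ pulp_username }}"
 password: "{{ pulp_password }}"
 validate_certs: "{{ pulp_validate_certs | bool }}"
-name: "{{ item.name }}-remote"
-architectures: "{{ item.architectures | default(omit) }}"
-ca_cert: "{{ item.ca_cert | default(omit) }}"
-client_cert: "{{ item.client_cert | default(omit) }}"
-client_key: "{{ item.client_key | default(omit) }}"
-components: "{{ item.components | default(omit) }}"
-distributions: "{{ item.distributions | default(omit) }}"
-download_concurrency: "{{ item.download_concurrency | default(omit) }}"
-policy: "{{ item.policy | default(omit) }}"
-proxy_url: "{{ item.proxy_url | default(omit) }}"
-proxy_username: "{{ item.proxy_username | default(omit) }}"
-proxy_password: "{{ item.proxy_password | default(omit) }}"
-remote_username: "{{ item.remote_username | default(omit) }}"
-remote_password: "{{ item.remote_password | default(omit) }}"
-tls_validation: "{{ item.tls_validation | default(omit) }}"
-url: "{{ item.url | default(omit) }}"
-state: "{{ item.state }}"
-with_items: "{{ pulp_repository_deb_repos }}"
-when: item.state == "absent" or item.url is defined
+name: "{{ pulp_repository_deb_repos[repository_index].name }}-remote"
+architectures: "{{ pulp_repository_deb_repos[repository_index].architectures | default(omit) }}"
+ca_cert: "{{ pulp_repository_deb_repos[repository_index].ca_cert | default(omit) }}"
+client_cert: "{{ pulp_repository_deb_repos[repository_index].client_cert | default(omit) }}"
+client_key: "{{ pulp_repository_deb_repos[repository_index].client_key | default(omit) }}"
+components: "{{ pulp_repository_deb_repos[repository_index].components | default(omit) }}"
+distributions: "{{ pulp_repository_deb_repos[repository_index].distributions | default(omit) }}"
+download_concurrency: "{{ pulp_repository_deb_repos[repository_index].download_concurrency | default(omit) }}"
+policy: "{{ pulp_repository_deb_repos[repository_index].policy | default(omit) }}"
+proxy_url: "{{ pulp_repository_deb_repos[repository_index].proxy_url | default(omit) }}"
+proxy_username: "{{ pulp_repository_deb_repos[repository_index].proxy_username | default(omit) }}"
+proxy_password: "{{ pulp_repository_deb_repos[repository_index].proxy_password | default(omit) }}"
+remote_username: "{{ pulp_repository_deb_repos[repository_index].remote_username | default(omit) }}"
+remote_password: "{{ pulp_repository_deb_repos[repository_index].remote_password | default(omit) }}"
+tls_validation: "{{ pulp_repository_deb_repos[repository_index].tls_validation | default(omit) }}"
+url: "{{ pulp_repository_deb_repos[repository_index].url | default(omit) }}"
+state: "{{ pulp_repository_deb_repos[repository_index].state }}"
+when: >
+pulp_repository_deb_repos[repository_index].state == "absent" or
+pulp_repository_deb_repos[repository_index].url is defined
+loop: "{{ pulp_repository_deb_repos | map(attribute='name') }}"
 loop_control:
-label: "{{ item.name }}"
+index_var: repository_index
 
 - name: Sync DEB remotes into repositories
 pulp.squeezer.deb_sync:
 pulp_url: "{{ pulp_url }}"
 username: "{{ pulp_username }}"
 password: "{{ pulp_password }}"
 validate_certs: "{{ pulp_validate_certs | bool }}"
-repository: "{{ item.name }}"
-remote: "{{ item.name }}-remote"
-mirror: "{{ item.mirror | default(omit) }}"
-with_items: "{{ pulp_repository_deb_repos }}"
+repository: "{{ pulp_repository_deb_repos[repository_index].name }}"
+remote: "{{ pulp_repository_deb_repos[repository_index].name }}-remote"
+mirror: "{{ pulp_repository_deb_repos[repository_index].mirror | default(omit) }}"
 when:
-- item.url is defined
-- item.state == "present"
+- pulp_repository_deb_repos[repository_index].url is defined
+- pulp_repository_deb_repos[repository_index].state == "present"
+loop: "{{ pulp_repository_deb_repos | map(attribute='name') }}"
 loop_control:
-label: "{{ item.name }}"
+index_var: repository_index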

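--- a/roles/pulp_repository/tasks/python.yml
+++ b/roles/pulp_repository/tasks/python.yml
@@ -5,51 +5,53 @@
 username: "{{ pulp_username }}"
 password: "{{ pulp_password }}"
 validate_certs: "{{ pulp_validate_certs | bool }}"
-name: "{{ item.name }}"
-state: "{{ item.state }}"
-with_items: "{{ pulp_repository_python_repos }}"
+name: "{{ pulp_repository_python_repos[repository_index].name }}"
+state: "{{ pulp_repository_python_repos[repository_index].state }}"
+loop: "{{ pulp_repository_python_repos | map(attribute='name') }}"
 loop_control:
-label: "{{ item.name }}"
+index_var: repository_index
 
 - name: Setup PyPI remotes
 pulp.squeezer.python_remote:
 pulp_url: "{{ pulp_url }}"
 username: "{{ pulp_username }}"
 password: "{{ pulp_password }}"
 validate_certs: "{{ pulp_validate_certs | bool }}"
-name: "{{ item.name }}-remote"
-ca_cert: "{{ item.ca_cert | default(omit) }}"
-client_cert: "{{ item.client_cert | default(omit) }}"
-client_key: "{{ item.client_key | default(omit) }}"
-download_concurrency: "{{ item.download_concurrency | default(omit) }}"
-excludes: "{{ item.excludes | default(omit) }}"
-includes: "{{ item.includes | default(omit) }}"
-policy: "{{ item.policy | default(omit) }}"
-prereleases: "{{ item.prereleases | default(omit) }}"
-proxy_url: "{{ item.proxy_url | default(omit) }}"
-proxy_username: "{{ item.proxy_username | default(omit) }}"
-proxy_password: "{{ item.proxy_password | default(omit) }}"
-remote_username: "{{ item.remote_username | default(omit) }}"
-remote_password: "{{ item.remote_password | default(omit) }}"
-tls_validation: "{{ item.tls_validation | default(omit) }}"
-url: "{{ item.url | default(omit) }}"
-state: "{{ item.state }}"
-with_items: "{{ pulp_repository_python_repos }}"
-when: item.state == "absent" or item.url is defined
+name: "{{ pulp_repository_python_repos[repository_index].name }}-remote"
+ca_cert: "{{ pulp_repository_python_repos[repository_index].ca_cert | default(omit) }}"
+client_cert: "{{ pulp_repository_python_repos[repository_index].client_cert | default(omit) }}"
+client_key: "{{ pulp_repository_python_repos[repository_index].client_key | default(omit) }}"
+download_concurrency: "{{ pulp_repository_python_repos[repository_index].download_concurrency | default(omit) }}"
+excludes: "{{ pulp_repository_python_repos[repository_index].excludes | default(omit) }}"
+includes: "{{ pulp_repository_python_repos[repository_index].includes | default(omit) }}"
+policy: "{{ pulp_repository_python_repos[repository_index].policy | default(omit) }}"
+prereleases: "{{ pulp_repository_python_repos[repository_index].prereleases | default(omit) }}"
+proxy_url: "{{ pulp_repository_python_repos[repository_index].proxy_url | default(omit) }}"
+proxy_username: "{{ pulp_repository_python_repos[repository_index].proxy_username | default(omit) }}"
+proxy_password: "{{ pulp_repository_python_repos[repository_index].proxy_password | default(omit) }}"
+remote_username: "{{ pulp_repository_python_repos[repository_index].remote_username | default(omit) }}"
+remote_password: "{{ pulp_repository_python_repos[repository_index].remote_password | default(omit) }}"
+tls_validation: "{{ pulp_repository_python_repos[repository_index].tls_validation | default(omit) }}"
+url: "{{ pulp_repository_python_repos[repository_index].url | default(omit) }}"
+state: "{{ pulp_repository_python_repos[repository_index].state }}"
+when: >
+pulp_repository_python_repos[repository_index].state == "absent" or
+pulp_repository_python_repos[repository_index].url is defined
+loop: "{{ pulp_repository_python_repos | map(attribute='name') }}"
 loop_control:
-label: "{{ item.name }}"
+index_var: repository_index
 
 - name: Sync PyPI remotes into repositories
 pulp.squeezer.python_sync:
 pulp_url: "{{ pulp_url }}"
 username: "{{ pulp_username }}"
 password: "{{ pulp_password }}"
 validate_certs: "{{ pulp_validate_certs | bool }}"
-repository: "{{ item.name }}"
-remote: "{{ item.name }}-remote"
-with_items: "{{ pulp_repository_python_repos }}"
+repository: "{{ pulp_repository_python_repos[repository_index].name }}"
+remote: "{{ pulp_repository_python_repos[repository_index].name }}-remote"
 when:
-- item.url is defined
-- item.state == "present"
+- pulp_repository_python_repos[repository_index].url is defined
+- pulp_repository_python_repos[repository_index].state == "present"
+loop: "{{ pulp_repository_python_repos | map(attribute='name') }}"
 loop_control:
-label: "{{ item.name }}"
+index_var: repository_index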

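--- a/roles/pulp_repository/tasks/rpm.yml
+++ b/roles/pulp_repository/tasks/rpm.yml
@@ -5,49 +5,51 @@
 username: "{{ pulp_username }}"
 password: "{{ pulp_password }}"
 validate_certs: "{{ pulp_validate_certs | bool }}"
-name: "{{ item.name }}"
-state: "{{ item.state }}"
-with_items: "{{ pulp_repository_rpm_repos }}"
+name: "{{ pulp_repository_rpm_repos[repository_index].name }}"
+state: "{{ pulp_repository_rpm_repos[repository_index].state }}"
+loop: "{{ pulp_repository_rpm_repos | map(attribute='name') }}"
 loop_control:
-label: "{{ item.name }}"
+index_var: repository_index
 
 - name: Setup RPM remotes
 pulp.squeezer.rpm_remote:
 pulp_url: "{{ pulp_url }}"
 username: "{{ pulp_username }}"
 password: "{{ pulp_password }}"
 validate_certs: "{{ pulp_validate_certs | bool }}"
-name: "{{ item.name }}-remote"
-ca_cert: "{{ item.ca_cert | default(omit) }}"
-client_cert: "{{ item.client_cert | default(omit) }}"
-client_key: "{{ item.client_key | default(omit) }}"
-download_concurrency: "{{ item.download_concurrency | default(omit) }}"
-policy: "{{ item.policy | default(omit) }}"
-proxy_url: "{{ item.proxy_url | default(omit) }}"
-proxy_username: "{{ item.proxy_username | default(omit) }}"
-proxy_password: "{{ item.proxy_password | default(omit) }}"
-remote_username: "{{ item.remote_username | default(omit) }}"
-remote_password: "{{ item.remote_password | default(omit) }}"
-tls_validation: "{{ item.tls_validation | default(omit) }}"
-url: "{{ item.url | default(omit) }}"
-state: "{{ item.state }}"
-with_items: "{{ pulp_repository_rpm_repos }}"
-when: item.state == "absent" or item.url is defined
+name: "{{ pulp_repository_rpm_repos[repository_index].name }}-remote"
+ca_cert: "{{ pulp_repository_rpm_repos[repository_index].ca_cert | default(omit) }}"
+client_cert: "{{ pulp_repository_rpm_repos[repository_index].client_cert | default(omit) }}"
+client_key: "{{ pulp_repository_rpm_repos[repository_index].client_key | default(omit) }}"
+download_concurrency: "{{ pulp_repository_rpm_repos[repository_index].download_concurrency | default(omit) }}"
+policy: "{{ pulp_repository_rpm_repos[repository_index].policy | default(omit) }}"
+proxy_url: "{{ pulp_repository_rpm_repos[repository_index].proxy_url | default(omit) }}"
+proxy_username: "{{ pulp_repository_rpm_repos[repository_index].proxy_username | default(omit) }}"
+proxy_password: "{{ pulp_repository_rpm_repos[repository_index].proxy_password | default(omit) }}"
+remote_username: "{{ pulp_repository_rpm_repos[repository_index].remote_username | default(omit) }}"
+remote_password: "{{ pulp_repository_rpm_repos[repository_index].remote_password | default(omit) }}"
+tls_validation: "{{ pulp_repository_rpm_repos[repository_index].tls_validation | default(omit) }}"
+url: "{{ pulp_repository_rpm_repos[repository_index].url | default(omit) }}"
+state: "{{ pulp_repository_rpm_repos[repository_index].state }}"
+when: >
+pulp_repository_rpm_repos[repository_index].state == "absent" or
+pulp_repository_rpm_repos[repository_index].url is defined
+loop: "{{ pulp_repository_rpm_repos | map(attribute='name') }}"
 loop_control:
-label: "{{ item.name }}"
+index_var: repository_index
 
 - name: Sync RPM remotes into repositories
 pulp.squeezer.rpm_sync:
 pulp_url: "{{ pulp_url }}"
 username: "{{ pulp_username }}"
 password: "{{ pulp_password }}"
 validate_certs: "{{ pulp_validate_certs | bool }}"
-repository: "{{ item.name }}"
-remote: "{{ item.name }}-remote"
-sync_policy: "{{ item.sync_policy | default(omit) }}"
-with_items: "{{ pulp_repository_rpm_repos }}"
+repository: "{{ pulp_repository_rpm_repos[repository_index].name }}"
+remote: "{{ pulp_repository_rpm_repos[repository_index].name }}-remote"
+sync_policy: "{{ pulp_repository_rpm_repos[repository_index].sync_policy | default(omit) }}"
 when:
-- item.url is defined
-- item.state == "present"
+- pulp_repository_rpm_repos[repository_index].url is defined
+- pulp_repository_rpm_repos[repository_index].state == "present"
+loop: "{{ pulp_repository_rpm_repos | map(attribute='name') }}"
 loop_control:
-label: "{{ item.name }}"
+index_var: repository_index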
