From 29c9621731970a859e3b7f93d23da9a5d7c03583 Mon Sep 17 00:00:00 2001
From: hirokuni-kitahara
Date: Fri, 27 Oct 2023 17:41:07 +0900
Subject: [PATCH] fix type check in P-rules for special modules

Signed-off-by: hirokuni-kitahara
---
 .../P002_module_argument_key_validation.py | 6 +++++-
 .../P003_module_argument_value_validation.py | 17 ++++++++++++++---
 2 files changed, 19 insertions(+), 4 deletions(-)

diff --git a/ansible_risk_insight/rules/P002_module_argument_key_validation.py b/ansible_risk_insight/rules/P002_module_argument_key_validation.py
index 6aa5e10e..fe101070 100644
--- a/ansible_risk_insight/rules/P002_module_argument_key_validation.py
+++ b/ansible_risk_insight/rules/P002_module_argument_key_validation.py
@@ -31,6 +31,10 @@ def is_set_fact(module_fqcn):
     return module_fqcn == "ansible.builtin.set_fact"
 
 
+def is_meta(module_fqcn):
+    return module_fqcn == "ansible.builtin.meta"
+
+
 @dataclass
 class ModuleArgumentKeyValidationRule(Rule):
     rule_id: str = "P002"
@@ -100,7 +104,7 @@ def process(self, ctx: AnsibleRunContext):
         available_args = None
         wrong_keys = []
         missing_required_keys = []
-        if not is_set_fact(module_fqcn):
+        if not is_set_fact(module_fqcn) and not is_meta(module_fqcn):
             if task.module:
                 for arg in task.module.arguments:
                     available_keys.extend(arg.available_keys())
diff --git a/ansible_risk_insight/rules/P003_module_argument_value_validation.py b/ansible_risk_insight/rules/P003_module_argument_value_validation.py
index da936a3c..aefa09b7 100644
--- a/ansible_risk_insight/rules/P003_module_argument_value_validation.py
+++ b/ansible_risk_insight/rules/P003_module_argument_value_validation.py
@@ -44,6 +44,10 @@ def is_loop_var(value, task):
     return False
 
 
+def is_debug(module_fqcn):
+    return module_fqcn == "ansible.builtin.debug"
+
+
 @dataclass
 class ModuleArgumentValueValidationRule(Rule):
     rule_id: str = "P003"
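Review bot: The new condition extends a chain of one-line predicates (`is_set_fact`, `is_meta`), and P003 in the same patch adds a third (`is_debug`) for the same purpose, so each rule now keeps its own private allow-list of "special" modules that bypass validation. A single module-level constant, e.g. `_FREEFORM_MODULES = frozenset({"ansible.builtin.set_fact", "ansible.builtin.meta"})` tested with `if module_fqcn not in _FREEFORM_MODULES:`, would keep that list in one place and make the next exemption a one-token change. Whichever form is kept, the skip deserves a comment such as `# set_fact/meta take free-form keys, so there is no argspec to validate against`, since the hunk does not record why these modules are exempt. `process` starts and ends outside this hunk.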
@@ -73,6 +77,8 @@ def process(self, ctx: AnsibleRunContext):
                 if v and v[-1].type == VariableType.RegisteredVars:
                     registered_vars.append(v_name)
 
+        module_fqcn = task.module.fqcn
+
         if task.args.type == ArgumentsType.DICT:
             for key in task.args.raw:
                 raw_value = task.args.raw[key]
@@ -90,7 +96,7 @@ def process(self, ctx: AnsibleRunContext):
                 d = {"key": key}
                 wrong_val = False
                 unknown_type_val = False
-                if spec.type:
+                if spec.type and not is_debug(module_fqcn):
                     actual_type = ""
                     # if the raw_value is not a variable
                     if not isinstance(raw_value, str) or "{{" not in raw_value:
@@ -115,10 +121,15 @@ def process(self, ctx: AnsibleRunContext):
                     type_wrong = False
                     if spec.type != "any" and actual_type != spec.type:
                         type_wrong = True
+
+                    elements_type = spec.elements
+                    if spec.type == "list" and not spec.elements:
+                        elements_type = "any"
+
                     elements_type_wrong = False
                     no_elements = False
-                    if spec.elements:
-                        if spec.elements != "any" and actual_type != spec.elements:
+                    if elements_type:
+                        if elements_type != "any" and actual_type != elements_type:
                             elements_type_wrong = True
                     else:
                         no_elements = True
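Review bot: `module_fqcn = task.module.fqcn` dereferences `task.module` unconditionally, while P002 in this same patch guards the equivalent access with `if task.module:`, so a task whose module could not be resolved would presumably raise `AttributeError` here instead of being validated. A null-safe form, `module_fqcn = task.module.fqcn if task.module else ""`, keeps `is_debug()` returning False for unresolved modules and leaves every existing check unchanged. `process` begins before and continues after this hunk, so an earlier guard may already cover this; please confirm before merging.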
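Review bot: `not is_debug(module_fqcn)` switches off type checking for every argument of `ansible.builtin.debug`, not only for the free-form `msg`/`var` values that presumably motivated it, so a mistyped `verbosity` would also go unreported. If the intent is narrower, exempting by argument, `if spec.type and not (is_debug(module_fqcn) and key in ("msg", "var")):`, would keep the remaining arguments checked. Either way a short comment on the condition, e.g. `# debug accepts any value for msg/var, so its type check is skipped`, would state the rationale the hunk leaves implicit. The enclosing `process` method continues outside this hunk.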
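Review bot: With the new default, a list spec that omits `elements` now enters the `if elements_type:` branch and, assuming the `else` pairs with that outer `if`, never reaches `no_elements = True`, so the meaning of `no_elements` changes for such specs; whatever consumes `no_elements` and `elements_type_wrong` lies outside this hunk and should be re-checked against that shift. The rewritten comparison still tests `actual_type`, which appears to describe the whole value, against the element type, and after this change it also runs when `elements` was merely defaulted rather than declared. A comment above the new block, `# argspec: a list without 'elements' accepts items of any type`, would record why "any" is substituted. `process` continues past the end of this hunk.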