Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix type check in P-rules for special modules #205

Merged
merged 1 commit into from
Oct 27, 2023
Merged

fix type check in P-rules for special modules #205

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 5 additions & 1 deletion ansible_risk_insight/rules/P002_module_argument_key_validation.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,10 @@ def is_set_fact(module_fqcn):
return module_fqcn == "ansible.builtin.set_fact"


def is_meta(module_fqcn):
return module_fqcn == "ansible.builtin.meta"


@dataclass
class ModuleArgumentKeyValidationRule(Rule):
rule_id: str = "P002"
Expand Down Expand Up @@ -100,7 +104,7 @@ def process(self, ctx: AnsibleRunContext):
available_args = None
wrong_keys = []
missing_required_keys = []
if not is_set_fact(module_fqcn):
if not is_set_fact(module_fqcn) and not is_meta(module_fqcn):
if task.module:
for arg in task.module.arguments:
available_keys.extend(arg.available_keys())
Expand Down
17 changes: 14 additions & 3 deletions ansible_risk_insight/rules/P003_module_argument_value_validation.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,10 @@ def is_loop_var(value, task):
return False


def is_debug(module_fqcn):
return module_fqcn == "ansible.builtin.debug"


@dataclass
class ModuleArgumentValueValidationRule(Rule):
rule_id: str = "P003"
Expand Down Expand Up @@ -73,6 +77,8 @@ def process(self, ctx: AnsibleRunContext):
if v and v[-1].type == VariableType.RegisteredVars:
registered_vars.append(v_name)

module_fqcn = task.module.fqcn

if task.args.type == ArgumentsType.DICT:
for key in task.args.raw:
raw_value = task.args.raw[key]
Expand All @@ -90,7 +96,7 @@ def process(self, ctx: AnsibleRunContext):
d = {"key": key}
wrong_val = False
unknown_type_val = False
if spec.type:
if spec.type and not is_debug(module_fqcn):
actual_type = ""
# if the raw_value is not a variable
if not isinstance(raw_value, str) or "{{" not in raw_value:
Expand All @@ -115,10 +121,15 @@ def process(self, ctx: AnsibleRunContext):
type_wrong = False
if spec.type != "any" and actual_type != spec.type:
type_wrong = True

elements_type = spec.elements
if spec.type == "list" and not spec.elements:
elements_type = "any"

elements_type_wrong = False
no_elements = False
if spec.elements:
if spec.elements != "any" and actual_type != spec.elements:
if elements_type:
if elements_type != "any" and actual_type != elements_type:
elements_type_wrong = True
else:
no_elements = True
Expand Down
Loading