From c23177170e69a8f7ee78684a1699f4f065ed531a Mon Sep 17 00:00:00 2001
From: Arthur BOUDREAULT
Date: Tue, 12 Oct 2021 14:00:56 +0000
Subject: [PATCH] =?UTF-8?q?=E2=99=BBrefactor:=20Command=20ansible=20module?= =?UTF-8?q?=20across=20the=20repo=20for=20better=20security?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Shell module is not needed here. According to various sources (https://www.youtube.com/watch?v=57gAqKvAKck or https://stackoverflow.com/questions/56663332/difference-between-shell-and-command-in-ansible) it is not useful to use shell ansible module when not working with operands. Therefore I have decided to switch every actions to command module, more secure. Ansible-lint says "Shell should only be used when piping, redirecting or chaining commands"
---
 tasks/apps.yml | 4 ++--
 tasks/domains.yml | 4 ++--
 tasks/main.yml | 12 ++++++------
 tasks/users.yml | 14 +++++++-------
 4 files changed, 17 insertions(+), 17 deletions(-)

diff --git a/tasks/apps.yml b/tasks/apps.yml
index a0e7a50..bf55203 100644
--- a/tasks/apps.yml
+++ b/tasks/apps.yml
@@ -1,6 +1,6 @@
 ---
 - name: List currently installed apps
- ansible.builtin.shell: yunohost app map --output-as json
+ ansible.builtin.command: yunohost app map --output-as json
 register: ynh_installed_apps_raw
 changed_when: False
@@ -8,7 +8,7 @@
 ansible.builtin.set_fact: ynh_installed_apps="{{ ynh_installed_apps_raw.stdout | from_json }}"
 - name: Install yunohost apps
- ansible.builtin.shell: yunohost app install {{ item.link }} \
+ ansible.builtin.command: yunohost app install {{ item.link }} \
 --label "{{ item.label }}" \
 --args "{% for key, value in item.args.items() %}{{ key }}={{ value }}{% if not loop.last %}&{% endif %}{% endfor %}"
diff --git a/tasks/domains.yml b/tasks/domains.yml
index db41c0a..7c9ad27 100644
--- a/tasks/domains.yml
+++ b/tasks/domains.yml
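Review bot: In the `Install yunohost apps` task of tasks/apps.yml, `{{ item.link }}` is still interpolated unquoted into a free-form `command` string, and the quoted `--label` and `--args` values stay intact only while the rendered text contains no quote character. Dropping `shell` removes shell metacharacter interpretation, but the rendered string is still split into words, so a value with spaces or quotes can shift or add arguments to `yunohost`. The list form, `argv: ["yunohost", "app", "install", "{{ item.link }}", "--label", "{{ item.label }}", ...]`, passes each templated value as exactly one argument and makes the trailing backslashes unnecessary. The same applies to `yunohost domain add {{ item }}` in tasks/domains.yml and to the postinstall and user-create tasks in tasks/main.yml and tasks/users.yml. Any remaining keys of this task lie outside the hunk.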
@@ -1,6 +1,6 @@
 ---
 - name: List currently installed domains
- ansible.builtin.shell: yunohost domain list --output-as json
+ ansible.builtin.command: yunohost domain list --output-as json
 register: ynh_installed_domains_raw
 changed_when: False
@@ -8,6 +8,6 @@
 ansible.builtin.set_fact: ynh_installed_domains="{{ ynh_installed_domains_raw.stdout | from_json }}"
 - name: Create domains
- ansible.builtin.shell: yunohost domain add {{ item }}
+ ansible.builtin.command: yunohost domain add {{ item }}
 with_items: "{{ ynh_extra_domains }}"
 when: item not in ynh_installed_domains.domains
diff --git a/tasks/main.yml b/tasks/main.yml
index 3d9e9ba..419d4e0 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -22,11 +22,11 @@
 when: ynh_file_install.stat.exists == False
 - name: Launch Yunohost postinstall
- ansible.builtin.shell: "
+ ansible.builtin.command:
 yunohost tools postinstall \
- --domain {{ ynh_main_domain }} \
- --password {{ ynh_admin_password }} \
- {% if ynh_ignore_dyndns_server == True %} --ignore-dyndns {% endif %}"
+ --domain "{{ ynh_main_domain }}" \
+ --password "{{ ynh_admin_password }}" \
+ {% if ynh_ignore_dyndns_server == True %} --ignore-dyndns {% endif %}
 when: ynh_file_install.stat.exists == False
 - name: Create extra domains
@@ -34,10 +34,10 @@
 when: ynh_extra_domains
 - name: Run first Yunohost diagnosis
- ansible.builtin.shell: yunohost diagnosis run
+ ansible.builtin.command: yunohost diagnosis run
 - name: Install domain certificates
- ansible.builtin.shell: yunohost domain cert-install
+ ansible.builtin.command: yunohost domain cert-install
 changed_when: False
 - name: Add Yunohost users
diff --git a/tasks/users.yml b/tasks/users.yml
index f3e7eb1..ac3e087 100644
--- a/tasks/users.yml
+++ b/tasks/users.yml
@@ -1,6 +1,6 @@
 ---
 - name: List users
- ansible.builtin.shell: yunohost user list --output-as json
+ ansible.builtin.command: yunohost user list --output-as json
 register: ynh_registered_users_raw
 changed_when: False
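Review bot: The `Launch Yunohost postinstall` task in tasks/main.yml passes `--password "{{ ynh_admin_password }}"` as part of the command, and the task as shown sets no `no_log`. The rendered command, admin password included, can therefore appear in Ansible's task result output, for example on failure or at higher verbosity. Adding `no_log: true` to this task keeps the password out of that output and out of any log the controller writes. The `Create missing Yunohost users` task in tasks/users.yml has the same gap with `-p "{{ item.pass }}"`, and there the loop also prints each `item`; `no_log: true` covers both, with `loop_control` and `label: "{{ item.name }}"` as the minimum.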
@@ -8,11 +8,11 @@
 ansible.builtin.set_fact: ynh_registered_users="{{ ynh_registered_users_raw.stdout | from_json }}"
 - name: Create missing Yunohost users
- ansible.builtin.shell: |
- yunohost user create {{ item.name }} \
- -f {{ item.firstname }} \
- -l {{ item.lastname }} \
- -d {{ item.mail_domain }} \
- -p {{ item.pass }}
+ ansible.builtin.command:
+ yunohost user create "{{ item.name }}" \
+ -f "{{ item.firstname }}" \
+ -l "{{ item.lastname }}" \
+ -d "{{ item.mail_domain }}" \
+ -p "{{ item.pass }}"
 loop: "{{ ynh_users }}"
 when: item.name not in ynh_registered_users.users.keys()
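Review bot: In `Create missing Yunohost users`, `-p "{{ item.pass }}"` places each user's password in the process arguments on the managed host, and switching from `shell` to `command` does not change that. While the command runs, the argument list may be readable by other local accounts through the process table, depending on how the host is configured. If the yunohost CLI can read the password from standard input (not verifiable from this diff), the `stdin:` parameter of `ansible.builtin.command` would keep it off the command line. The same consideration applies to `--password` in the postinstall task in tasks/main.yml.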