Using $PIPE to sanitize a variable value; am I smoking it?


Brice Burgess

Mar 11, 2013, 1:09:37 PM3/11/13
to ansible...@googlegroups.com
We use ansible for provisioning and deploying our application's "feature branches" [git branch] to an accessible environment. Under our current approach we deploy the application code to:

/apps/[application]-[branch]

using the `git` module. Because [branch] sometimes contains special characters that are not directory or URL safe (spaces, slashes, etc.), I am using $PIPE to sanitize it (sed regex replaces non-alphanumeric characters with an underscore). Here's my code:


# normalize $git_branch, replace non-alphanumerics with `_`
# (inside a bracket expression a backslash is literal, so `_` and `-` are listed unescaped)
branch: $PIPE(echo "$git_branch" | sed 's/[^a-zA-Z0-9_-]/_/g')

I have a strange feeling there's a better, more "ansible way" to do this. Is there a better recommended approach? I also execute similar code to sanitize database names (that are based on git_branch) for the `postgresql` module.

Many thanks for your tips,

~ Brice

Michael DeHaan

Mar 11, 2013, 1:12:44 PM3/11/13
to ansible...@googlegroups.com
Hi Brice,

Trying to understand the use case.

Are you saying you are having users input data for where their git
branches are stored and you don't trust that data?

It might make sense to write your own lookup plugin, and we could even
include it in core if that made sense, that would be cleaner than the
PIPE.. perhaps $UNTAINT as a node to perl?

--Michael

--
Michael DeHaan <mic...@ansibleworks.com>
CTO, AnsibleWorks, Inc.
http://www.ansibleworks.com/

Michael DeHaan

Mar 11, 2013, 1:12:54 PM3/11/13
to ansible...@googlegroups.com
s/node/nod/g

Brice Burgess

Mar 11, 2013, 2:57:36 PM3/11/13
to ansible...@googlegroups.com
Michael,

Thank you for looking at my post. I'll try to clarify -- feel free to skip towards the bottom and examine the playbook, as this is verbose:

Jenkins jobs are used to test and deploy our application [using ansible] if the tests pass. Development of our application occurs in feature branches -- and ansible provisions an accessible environment for each branch as part of the deployment process. So for instance, if our goal is to implement "excel import functionality", we create a git branch named "f/excel" and then instruct the application's Jenkins job to build the "f/excel" branch via a "post build task" shell script -- which makes the application code accessible e.g. at http://[branch].features.application.com/ - The post build task resembles something like:

----

#!/bin/sh

APPLICATION="example"
ROLE="app-server"

# strip origin/ from GIT_BRANCH
GIT_BRANCH=${GIT_BRANCH#*/}

# filesystem-safe branch name for the marker file; same substitution as the playbook's
# sed expression (this assignment is assumed, the script below uses the variable)
GIT_SAFE_BRANCH=$(printf '%s' "$GIT_BRANCH" | sed 's/[^a-zA-Z0-9_-]/_/g')

### prepare environment (if not already prepared)
ENVIRONS=~/.environs/$APPLICATION
mkdir -p "$ENVIRONS"
if [ ! -f "$ENVIRONS/$GIT_SAFE_BRANCH" ]; then
  ansible-playbook -i automation/common/hosts automation/apps/$APPLICATION/$APPLICATION+$ROLE.yml -e "git_branch=$GIT_BRANCH" --private-key=infrastructure/keys/$ROLE+root.key
  touch "$ENVIRONS/$GIT_SAFE_BRANCH"
fi

## deploy branch
ansible-playbook -i automation/common/hosts automation/apps/$APPLICATION/$APPLICATION-deploy.yml -e "git_branch=$GIT_BRANCH" --private-key=infrastructure/keys/$ROLE+$APPLICATION.key

----

Notice that we pass `git_branch` as an external variable to the ansible playbook, based on the branch passed to the Jenkins build. I currently use this to hint the desired target environment (e.g. master == production, develop == staging, f/excel == feature branch)... and need this normalized as I create user accounts, application directories, etc. etc. based on the branch/environment. E.g.

  tasks:
  - name: checkout to application server
    action: git repo=$git_repo dest=$application_dir version=$git_branch

so:

/apps/application-master/[code]   features code running our production environment, available at https://application.com/
/apps/application-develop/[code]  features code running our staging environment, available at https://staging.application.com/
/apps/application-f_excel/[code]  features code running the import excel feature, available at http://excel.features.application.com/


Here is a stripped example of my deploy playbook:

---
- name: APPLICATION DEPLOYMENT
  hosts: $host_group
  user: application
  gather_facts: no

  vars:
    namespace: application
    ###############################################################################
    # @var host_group: (str) host(s) to deploy to [e.g. fermata-production]
    # @var git_branch: (str) master|develop
    #
    # MUST BE PASSED VIA COMMAND LINE, e.g.
    #  ansible deploy.yml -e "git_branch=develop workspace=/builds/app host_group="
    ###############################################################################


    # normalize $git_branch, replace non-alphanumerics with `_`
    # (inside a bracket expression a backslash is literal, so `_` and `-` are listed unescaped)
    branch: $PIPE(echo "$git_branch" | sed 's/[^a-zA-Z0-9_-]/_/g')

  vars_files:
    - "../../common/vars/global_vars.yml"
    - [ "vars/$namespace-$branch.yml", "vars/$namespace.yml" ]

  tasks:
  - name: checkout to application server
    action: git repo=$git_repo dest=$application_dir version=$git_branch

  - name: (configuration) synching settings.$branch.clj with settings.clj
    action: template src=$item dest=$application_dir/settings.clj
    first_available_file:
      - templates/settings.$branch.clj
      - templates/settings.clj
  - include: $task_dir/application-restart.yml

----

The line I am most concerned with is:

# normalize $git_branch, replace non-alphanumerics with `_`
# (inside a bracket expression a backslash is literal, so `_` and `-` are listed unescaped)
branch: $PIPE(echo "$git_branch" | sed 's/[^a-zA-Z0-9_-]/_/g')


(Should I be using | Is it possible to use) Python to sanitize $git_branch?

Thanks again,

~ Brice

Brice Burgess

Mar 11, 2013, 3:03:18 PM3/11/13
to ansible...@googlegroups.com
P.s.

I like your idea about an $UNTAINT lookup, but think having $REGEX or something that allows us to search/replace may be more powerful. Again -- there's probably something already implemented that I'm unaware of :)