ansible-core 2.16.13

Fix CVE-2024-8775 (Exposure of Sensitive Information in Ansible Vault
Files Due to Improper Logging.
Fix CVE-2024-9902 (Ansible-core user may read/write unauthorized content)

This also adds back the ansible-test subpackage and drops the doc one.

Resolves: RHEL-69036
Resolves: RHEL-59076
Resolves: RHEL-69034

Signed-off-by: Dimitri Savineau <dsavinea@redhat.com>

.gitignore

@@ -51,3 +51,5 @@
 /ansible-documentation-2.16.2.tar.gz
 /ansible-core-2.16.3.tar.gz
 /ansible-documentation-2.16.3.tar.gz
+/ansible-documentation-2.16.13.tar.gz
+/ansible_core-2.16.13.tar.gz

ansible-core.spec

@@ -2,29 +2,31 @@
 # Copyright (C) Fedora Project Authors
 # License Text: https://spdx.org/licenses/MIT.html
 
-# several test dependencies are unwanted in RHEL
-%bcond tests %{undefined rhel}
+# Disable shebang munging for specific paths.  These files are data files.
+# ansible-test munges the shebangs itself.
+%global __brp_mangle_shebangs_exclude_from_file %{SOURCE2}
 
-# controls whether to generate shell completions
-# may be useful for bootstrapping purposes
-%bcond argcomplete 1
-
-# disable the python -s shbang flag as we want to be able to find non system modules
-%undefine _py3_shebang_s
+# RHEL and Fedora add -s to the shebang line.  We do *not* use -s -E -S or -I
+# with ansible because it has many optional features which users need to
+# install libraries on their own to use.  For instance, paramiko for the
+# network connection plugins or winrm to talk to windows hosts.
+# Set this to nil to remove -s
+%define py3_shbang_opts %{nil}
 
 Name: ansible-core
 Summary: A radically simple IT automation system
 Epoch:   1
-Version: 2.16.3
-%global uversion %{version_no_tilde %{quote:%nil}}
-Release: 4%{?dist}
+Version: 2.16.13
+Release: 1%{?dist}
+Group: Development/Libraries
 # The main license is GPLv3+. Many of the files in lib/ansible/module_utils
 # are BSD licensed. There are various files scattered throughout the codebase
 # containing code under different licenses.
 License: GPL-3.0-or-later AND BSD-2-Clause AND PSF-2.0 AND MIT AND Apache-2.0
 
-Source0: https://github.com/ansible/ansible/archive/v%{uversion}/%{name}-%{uversion}.tar.gz
-Source1: https://github.com/ansible/ansible-documentation/archive/v%{uversion}/ansible-documentation-%{uversion}.tar.gz
+Source0: https://files.pythonhosted.org/packages/source/a/ansible-core/ansible_core-%{version}.tar.gz
+Source1: https://github.com/ansible/ansible-documentation/archive/v%{version}/ansible-documentation-%{version}.tar.gz
+Source2: ansible-test-data-files.txt
 
 Url: https://ansible.com
 BuildArch: noarch
@@ -48,42 +50,29 @@ Provides: bundled(python3dist(six)) = 1.16.0
 # SPDX-License-Identifier: GPL-3.0-or-later
 Provides: bundled(python3dist(selectors2)) = 1.1.1
 
-# lib/ansible/module_utils/compat/ipaddress.py
-# SPDX-License-Identifier: PSF-2.0
-Provides: bundled(python3dist(ipaddress)) = 1.0.22
+# We obsolete old ansible, and any version of ansible-base.
+Obsoletes: ansible < 2.10.0
+Obsoletes: ansible-base < 2.11.0
 
-Conflicts: ansible <= 2.9.99
-#
-# obsoletes/provides for ansible-base
-#
-Provides: ansible-base = %{version}-%{release}
-Obsoletes: ansible-base < 2.10.6-1
-
-BuildRequires: make
-BuildRequires: python%{python3_pkgversion}-devel
-# This is only used in %%prep to relax the required setuptools version,
-# which is not necessary in RHEL 10+.
-# Not using it in RHEL avoids unwanted dependencies.
-%if %{undefined rhel}
-BuildRequires: tomcli >= 0.3.0
-%endif
-# Needed to build manpages from source.
-BuildRequires: python%{python3_pkgversion}-docutils
-
-%if %{with tests}
 BuildRequires: git-core
-BuildRequires: glibc-all-langpacks
-BuildRequires: python%{python3_pkgversion}-systemd
-%endif
-
-%if %{with argcomplete}
-Requires: python%{python3_pkgversion}-argcomplete
-%endif
-%if 0%{?fedora} >= 39
-BuildRequires: python3-libdnf5
-Recommends: python3-libdnf5
-%endif
+BuildRequires: make
+BuildRequires: pyproject-rpm-macros
+BuildRequires: python%{python3_pkgversion}-devel
+BuildRequires: python%{python3_pkgversion}-docutils
+BuildRequires: python%{python3_pkgversion}-jinja2
+BuildRequires: python%{python3_pkgversion}-pip
+BuildRequires: python%{python3_pkgversion}-pyyaml
+BuildRequires: python%{python3_pkgversion}-rpm-macros
+BuildRequires: python%{python3_pkgversion}-setuptools
+BuildRequires: python%{python3_pkgversion}-wheel
 
+Requires: git-core
+Requires: python%{python3_pkgversion}-cryptography
+Requires: python%{python3_pkgversion}-jinja2 >= 3.0.0
+Requires: python%{python3_pkgversion}-packaging
+Requires: python%{python3_pkgversion}-pyyaml >= 5.1
+Requires: python%{python3_pkgversion}-resolvelib >= 0.5.3
+Requires: python%{python3_pkgversion}-resolvelib < 1.1.0
 
 %global _description %{expand:
 Ansible is a radically simple model-driven configuration management,
@@ -94,99 +83,30 @@ are transferred to managed machines automatically.}
 
 %description %_description
 
-This is the base part of ansible (the engine).
+%package -n ansible-test
+Summary: Tool for testing ansible plugin and module code
+Requires: %{name} = %{epoch}:%{version}-%{release}
 
-%package doc
-Summary: Documentation for Ansible Core
-Provides: ansible-base-doc = %{version}-%{release}
-Obsoletes: ansible-base-doc < 2.10.6-1
-
-%description doc %_description
-
-This package installs extensive documentation for ansible-core
+%description -n ansible-test %_description
 
+This package installs the ansible-test command for testing modules and plugins
+developed for ansible.
 
 %prep
-%autosetup -p1 -n ansible-%{uversion} -a1
-# Relax setuptools constraint on Fedora
-# Future RHELs have new enough setuptools
-%if %{undefined rhel}
-tomcli-set pyproject.toml lists replace \
-    'build-system.requires' 'setuptools >=.*' 'setuptools'
-%endif
-
-sed -i -s 's|/usr/bin/env python|%{python3}|' \
-    bin/ansible-test \
-    test/lib/ansible_test/_util/target/cli/ansible_test_cli_stub.py
-
-
-# TODO: Investigate why hostname is the only module that still has a shebang
-# and file an upstream issue if needed.
-sed -i -e '1{\@^#!.*@d}' lib/ansible/modules/hostname.py
-
-sed '/^mock$/d' test/lib/ansible_test/_data/requirements/units.txt > _requirements.txt
-
-
-%generate_buildrequires
-%pyproject_buildrequires %{?with_tests:_requirements.txt test/units/requirements.txt}
-%if %{with argcomplete}
-# Shell completions
-echo 'python%{python3_pkgversion}-argcomplete'
-%endif
+%autosetup -n ansible_core-%{version} -a1
 
+# Fix all Python shebangs recursively in ansible-test
+%{py3_shebang_fix} test/lib/ansible_test
 
 %build
-%pyproject_wheel
+%{pyproject_wheel}
 
 # Build manpages
 mkdir -p docs/man/man1
 %{python3} packaging/cli-doc/build.py man --output-dir docs/man/man1
 
-
-%if %{with argcomplete}
-# Build shell completions
-(
-    cd bin
-    for shell in bash fish; do
-        mkdir -p "../${shell}_completions"
-        for bin in *; do
-            if grep -q PYTHON_ARGCOMPLETE_OK "${bin}"; then
-                case "${shell}" in
-                    bash)
-                        format="${bin}"
-                        ;;
-                    fish)
-                        format="${bin}.${shell}"
-                        ;;
-                esac
-                register-python-argcomplete --shell "${shell}" "${bin}" > "../${shell}_completions/${format}"
-            else
-                echo "Skipped generating completions for ${bin}"
-            fi
-        done
-    done
-)
-%endif
-
-
 %install
-%pyproject_install
-%pyproject_save_files ansible ansible_test
-
-# These files are executable when they shouldn't be.
-# Only the actual "binaries" in %%{_bindir} need to be executable
-# and have shebangs.
-while read -r file; do
-    sed -i -e '1{\@^#!.*@d}' "${file}"
-done < <(find \
-    %{buildroot}%{python3_sitelib}/ansible/cli/*.py \
-    %{buildroot}%{python3_sitelib}/ansible/cli/scripts/ansible_connection_cli_stub.py \
-        -type f ! -executable)
-
-%if %{with argcomplete}
-install -Dpm 0644 bash_completions/* -t %{buildroot}%{bash_completions_dir}
-install -Dpm 0644 fish_completions/* -t %{buildroot}%{fish_completions_dir}
-%endif
+%{pyproject_install}
 
 # Create system directories that Ansible defines as default locations in
 # ansible/config/base.yml
@@ -212,7 +132,7 @@ DATADIR_LOCATIONS='%{_datadir}/ansible/collections
 %{_datadir}/ansible/plugins/test
 %{_datadir}/ansible/plugins/vars'
 
-UPSTREAM_DATADIR_LOCATIONS=$(grep -ri default lib/ansible/config/base.yml| tr ':' '\n' | grep '/usr/share/ansible')
+UPSTREAM_DATADIR_LOCATIONS=$(grep -ri default lib/ansible/config/base.yml | tr ':' '\n' | grep '/usr/share/ansible')
 
 if [ "$SYSTEM_LOCATIONS" != "$UPSTREAM_SYSTEM_LOCATIONS" ] ; then
   echo "The upstream Ansible datadir locations have changed.  Spec file needs to be updated"
@@ -226,8 +146,8 @@ done
 mkdir -p %{buildroot}%{_sysconfdir}/ansible/
 mkdir -p %{buildroot}%{_sysconfdir}/ansible/roles/
 
-cp ansible-documentation-%{uversion}/examples/hosts %{buildroot}/etc/ansible/
-cp ansible-documentation-%{uversion}/examples/ansible.cfg %{buildroot}/etc/ansible/
+cp ansible-documentation-%{version}/examples/hosts %{buildroot}%{_sysconfdir}/ansible/
+cp ansible-documentation-%{version}/examples/ansible.cfg %{buildroot}%{_sysconfdir}/ansible/
 mkdir -p %{buildroot}/%{_mandir}/man1
 cp -v docs/man/man1/*.1 %{buildroot}/%{_mandir}/man1/
 
@@ -239,14 +159,8 @@ cp -v docs/man/man1/*.1 %{buildroot}/%{_mandir}/man1/
 %global _pkglicensedir %{_licensedir}/ansible-core
 install -Dpm 0644 licenses/* -t %{buildroot}%{_pkglicensedir}
 
-%check
-%if %{with tests}
-%{python3} bin/ansible-test \
-    units --local --python-interpreter %{python3} -vv
-%endif
-
-
-%files -f %{pyproject_files}
+%files
+%defattr(-,root,root)
 %license COPYING
 %license %{_pkglicensedir}/{Apache-License,MIT-license,PSF-license,simplified_bsd}.txt
 %doc README.md changelogs/CHANGELOG-v2.1?.rst
@@ -254,20 +168,24 @@ install -Dpm 0644 licenses/* -t %{buildroot}%{_pkglicensedir}
 %config(noreplace) %{_sysconfdir}/ansible/*
 %{_bindir}/ansible*
 %{_datadir}/ansible/
-%if %{with argcomplete}
-%{bash_completions_dir}/ansible*
-%{fish_completions_dir}/ansible*.fish
-%endif
 %{_mandir}/man1/ansible*
+%{python3_sitelib}/ansible*
+%exclude %{_bindir}/ansible-test
+%exclude %{python3_sitelib}/ansible_test
 
-%files doc
-%doc ansible-documentation-%{uversion}/docs/docsite/rst
-%if %{with docs}
-%doc ansible-documentation-%{uversion}/docs/docsite/_build/html
-%endif
-
+%files -n ansible-test
+%{_bindir}/ansible-test
+%{python3_sitelib}/ansible_test
 
 %changelog
+* Tue Nov 26 2024 Dimitri Savineau <dsavinea@redhat.com> - 1:2.16.13-1
+- ansible-core 2.16.13 release (RHEL-69036)
+- Add back ansible-test subpackage and drop doc subpackage
+- Fix CVE-2024-8775 (Exposure of Sensitive Information in Ansible
+  Vault Files Due to Improper Logging) (RHEL-59076)
+- Fix CVE-2024-9902 (Ansible-core user may read/write unauthorized
+  content) (RHEL-69034)
+
 * Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 1:2.16.3-4
 - Bump release for October 2024 mass rebuild:
   Resolves: RHEL-64018

ansible-test-data-files.txt

@@ -0,0 +1,2 @@
+/usr/lib/python[0-9]+\.[0-9]+/site-packages/ansible_test/_data/.*
+/usr/lib/python[0-9]+\.[0-9]+/site-packages/ansible_test/_util/.*

gating.yaml

@@ -1,10 +1,7 @@
 --- !Policy
 product_versions:
-  - fedora-*
-decision_contexts:
-  - bodhi_update_push_testing
-  - bodhi_update_push_stable
-subject_type: koji_build
+  - rhel-10
+decision_context: osci_compose_gate
 rules:
-  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}
+  - !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}
 ...

sources

@@ -1,2 +1,2 @@
-SHA512 (ansible-core-2.16.3.tar.gz) = 2bc88dbd2d30e50cb999bf8c744070accc042a2c4f1317558ee3edae45592002a0595ba57c3d89d1cc92e512d462734a241e3e392475326d44b8c2ee3c4aa0b0
-SHA512 (ansible-documentation-2.16.3.tar.gz) = c073b0b961e38bee560be78e2c12534facec891f6e375df14fdcaf99241f711cf6955ee58b936f7f23ab62a732d2dbde5fd279976989be06e747c2bf3db41661
+SHA512 (ansible_core-2.16.13.tar.gz) = 54435f9973137461887b5cc542ab92d520236bea3f6fb65cb4c785c2fc322612a6e8c65adb26f5027f8d521149f09d3271cd0d6c0af4d5724f256af15b7dd4c3
+SHA512 (ansible-documentation-2.16.13.tar.gz) = 2fe14706af4def874549b99de3e701ca00afa7cc0c6dc6adb6253872f338f2c54ec2325f3ea6322afcb48342bdb4d680825af50a02169799a6ae55640e9b9167

tests/collections_path_warnings.sh

@@ -1,54 +0,0 @@
-#!/usr/bin/bash
-
-set -xeuo pipefail
-
-export NO_COLOR=1
-
-TMP=$(mktemp -d)
-
-trap "rm -rf $TMP" EXIT
-
-testcase() {
-    set +x
-    echo
-    echo
-    echo "$1"
-    echo
-    echo
-    set -x
-}
-
-fix_log() {
-    tr '\n' ' ' <log | sponge log
-}
-
-
-cd $TMP
-version="0.2.1"
-git clone https://git.sr.ht/~gotmax23/ansible-collection-epel --branch="v${version}" --depth=1
-cd ansible-collection-epel
-mkdir abc
-ansible-galaxy collection build .
-
-run="unbuffer ansible-galaxy collection install gotmax23-epel-${version}.tar.gz"
-warning="The installed collection will not be picked up in an Ansible run"
-
-testcase "Control: Check plain collection install"
-${run} |& tee log
-fix_log
-(! grep "${warning}" log)
-
-testcase "Check special collection install"
-${run} -p abc |& tee log
-fix_log
-grep "${warning}" log
-
-testcase "Check special collection install with option"
-ANSIBLE_GALAXY_COLLECTIONS_PATH_WARNING=1 ${run} -p abc |& tee log
-fix_log
-grep "${warning}" log
-
-testcase "Check special collection install without option"
-ANSIBLE_GALAXY_COLLECTIONS_PATH_WARNING=0 ${run} -p abc |& tee log
-fix_log
-(! grep "${warning}" log)

tests/fedora.fmf

@@ -1,16 +0,0 @@
-summary: A set of Fedora specific ansible integration tests
-discover:
-  - name: Generic ansible integration tests
-    how: shell
-    tests:
-      - name: Run tests/collections_path_warnings.sh
-        summary: Ensure GALAXY_COLLECTIONS_PATH_WARNINGS works properly
-        test: tests/collections_path_warnings.sh
-        require:
-          - ansible-core
-          - git-core
-          - python3-distlib
-          - /usr/bin/sponge
-          - /usr/bin/unbuffer
-execute:
-  how: tmt

tests/smoke.fmf

@@ -3,13 +3,10 @@ discover:
   - name: Smoke tests with ansible
     how: shell
     tests:
-      - name: Run tests/smoke.sh
-        test: tests/smoke.sh
+      - name: List installed RPM packages
+        test: /usr/bin/ansible localhost -m dnf -a "list=installed"
         require:
-          - python3
           - python3-dnf
-          - dnf-plugins-core
           - ansible-core
-          - ansible
 execute:
   how: tmt

tests/smoke.sh

@@ -1,40 +0,0 @@
-#!/usr/bin/bash -x
-
-set -euo pipefail
-
-ansible --version
-
-cat <<EOF >inventory
-[all]
-localhost ansible_connection=local
-EOF
-export ANSIBLE_INVENTORY=inventory
-
-chroot="fedora-rawhide-x86_64"
-
-ansible localhost -bm setup |& tee out
-
-if ! grep Fedora out; then
-    chroot="epel-9-x86_64"
-fi
-
-ansible localhost -b \
-    -m package \
-    -a name=filesystem \
-  |& tee out
-grep -F 'localhost | SUCCESS' out
-(! grep -F 'localhost | CHANGED' out)
-
-ansible localhost -b \
-    -m community.general.copr \
-    -a "name=gotmax23/community.general.copr_integration_tests chroot=${chroot}" \
-  |& tee out
-grep -F 'localhost | CHANGED' out
-
-ansible localhost -b \
-    -m package \
-    -a name=copr-module-integration-dummy-package \
-  |& tee out
-grep -F 'localhost | CHANGED' out
-
-rpm -ql copr-module-integration-dummy-package

tests/smoke2.fmf

@@ -1,15 +0,0 @@
-summary: Run smoke tests with the standalone ansible-collection-community-general installed
-discover:
-  - name: Smoke tests with community.general
-    how: shell
-    tests:
-      - name: Run tests/smoke.sh
-        test: tests/smoke.sh
-        require:
-          - python3
-          - python3-dnf
-          - dnf-plugins-core
-          - ansible-core
-          - ansible-collection-community-general
-execute:
-  how: tmt