From: Erik Skultety
To: libvir-list@redhat.com
Subject: [libvirt-ci PATCH 04/13] lcitool: Use a temporary JSON file to pass extra variables
Date: Wed, 22 Apr 2020 15:28:22 +0200
Message-Id: <864cbf035339b3dc056a4ca7b7a99af4969f37d8.1587562058.git.eskultet@redhat.com>
Cc: Erik Skultety

This patch is a prerequisite for config file consolidation. Currently we've got a number of files which serve as a configuration either to the lcitool itself or to the ansible playbooks (majority). Once we replace these with a single global lcitool config, we'd end up passing tokens (potentially some passwords) as ansible extra variables bare naked on the cmdline. In order to prevent this security flaw, use a temporary JSON file holding all these extra variables and pass it as follows:

    $ ansible-playbook --extra-vars @extra_vars.json playbook.yml

Signed-off-by: Erik Skultety
---
 guests/lcitool | 31 +++++++++++++++++++------------
 1 file changed, 19 insertions(+), 12 deletions(-)

diff --git a/guests/lcitool b/guests/lcitool
index 51ee211..138b5e2 100755
--- a/guests/lcitool
+++ b/guests/lcitool
@@ -504,21 +504,26 @@ class Application: git_remote =3D "default" git_branch =3D "master" =20 + tempdir =3D tempfile.TemporaryDirectory(prefix=3D'lcitool') + ansible_cfg_path =3D os.path.join(base, "ansible.cfg") playbook_base =3D os.path.join(base, "playbooks", playbook) playbook_path =3D os.path.join(playbook_base, "main.yml") + extra_vars_path =3D os.path.join(tempdir.name, 'extra_vars.json') =20 - extra_vars =3D json.dumps({ - "base": base, - "playbook_base": playbook_base, - "root_password_file": root_pass_file, - "flavor": flavor, - "selected_projects": selected_projects, - "git_remote": git_remote, - "git_branch": git_branch, - "gitlab_url_file": gitlab_url_file, - "gitlab_runner_token_file": gitlab_runner_token_file, - }) + with open(extra_vars_path, 'w') as fp: + extra_vars =3D { + "base": base, + "playbook_base": playbook_base, + "root_password_file": root_pass_file, + "flavor": flavor, + "selected_projects": selected_projects, + "git_remote": git_remote, + "git_branch": git_branch, + "gitlab_url_file": gitlab_url_file, + "gitlab_runner_token_file": gitlab_runner_token_file, + } + json.dump(extra_vars, fp) =20 ansible_playbook =3D distutils.spawn.find_executable("ansible-play= book") if ansible_playbook is None: @@ -527,7 +532,7 @@ class Application: cmd =3D [ ansible_playbook, "--limit", ansible_hosts, - "--extra-vars", extra_vars, + "--extra-vars", "@" + extra_vars_path, ] =20 # Provide the vault password if available @@ -546,6 +551,8 @@ class Application: except Exception as ex: raise Exception( "Failed to run {} on '{}': {}".format(playbook, hosts, ex)) + finally: + tempdir.cleanup() =20 def _action_hosts(self, args): for host in self._inventory.expand_pattern("all"): --=20 2.25.3
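Review bot: in the first hunk (@@ -504,21 +504,26 @@) the new line `tempdir = tempfile.TemporaryDirectory(prefix='lcitool')` needs `tempfile`, but the diffstat (19 insertions, all accounted for by the three hunks) shows no `import tempfile` being added, so please confirm lcitool already imports it or this raises NameError on the first run. On the same hunk, `with open(extra_vars_path, 'w') as fp:` creates the file that holds the tokens with umask-default permissions, so its protection rests entirely on the 0700 mode mkdtemp gives the directory; creating it with `os.open(extra_vars_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)` and `os.fdopen(fd, 'w')` keeps the file private on its own. Minor style point: the added lines use `'lcitool'`, `'extra_vars.json'` and `'w'` while the surrounding code uses double quotes (`"ansible.cfg"`, `"main.yml"`).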
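Review bot: in the second hunk (@@ -527,7 +532,7 @@) `"--extra-vars", "@" + extra_vars_path,` is the right form for having ansible-playbook read the variables from a file and it does remove the token values from argv as the commit message intends; note that the path is only valid while the `tempdir` object created in the first hunk is alive, so `cmd` must be executed within this method and never handed out for later use. It would help a future reader to have a one-line comment here saying the `@` prefix is what makes ansible treat the value as a file path rather than a literal.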
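Review bot: in the third hunk (@@ -546,6 +551,8 @@) the new `finally: tempdir.cleanup()` only covers the `try` around the playbook run, while `tempdir` is created some forty lines earlier; any exception raised in between (for instance the `if ansible_playbook is None:` branch that follows the file write) skips the explicit cleanup and leaves the secrets file on disk until the TemporaryDirectory finalizer happens to run. Wrapping the whole section in `with tempfile.TemporaryDirectory(prefix='lcitool') as tempdir:` (then `tempdir` is the path string and the join becomes `os.path.join(tempdir, 'extra_vars.json')`) makes removal unconditional and lets this `finally` go away.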
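The two command shapes the commit message contrasts, as an added example that is not part of this patch or of lcitool's own code: the pre-patch `json.dumps` on argv beside the `@file` form, with the file created 0600 inside the 0700 temp directory and removed when the `with` block exits. Function names and the sample token value are assumptions.

```python
import json
import os
import stat
import tempfile


def build_cmd_insecure(playbook, hosts, extra_vars):
    """Pre-patch shape: the JSON is an argv element, readable by any
    local user via /proc/<pid>/cmdline or ps."""
    return ["ansible-playbook", "--limit", hosts,
            "--extra-vars", json.dumps(extra_vars), playbook]


def build_cmd_with_file(playbook, hosts, extra_vars, tempdir):
    """Post-patch shape: write the variables to a JSON file in a private
    temp directory and pass only "@path" on the command line.  The file
    is created 0600 explicitly (the patch relies on the 0700 directory)."""
    path = os.path.join(tempdir, "extra_vars.json")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fp:
        json.dump(extra_vars, fp)
    return ["ansible-playbook", "--limit", hosts,
            "--extra-vars", "@" + path, playbook]


def argv_leaks_secret(cmd, secret):
    """True if the secret appears verbatim in any argv element."""
    return any(secret in arg for arg in cmd)


def mode_of(path):
    """Permission bits of a path, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    # Constructed sample values, not real credentials.
    extra_vars = {"flavor": "test", "gitlab_runner_token": "SAMPLE-TOKEN-123"}
    secret = extra_vars["gitlab_runner_token"]
    before = build_cmd_insecure("main.yml", "all", extra_vars)
    with tempfile.TemporaryDirectory(prefix="lcitool") as tempdir:
        after = build_cmd_with_file("main.yml", "all", extra_vars, tempdir)
        path = after[after.index("--extra-vars") + 1][1:]  # strip the "@"
        result = {"before_leaks": argv_leaks_secret(before, secret),
                  "after_leaks": argv_leaks_secret(after, secret),
                  "file_mode": mode_of(path), "dir_mode": mode_of(tempdir)}
    # Leaving the with-block removed the directory and the file inside it.
    result["cleaned_up"] = not os.path.exists(path)
    return result
```

Run `demo()` to see that only the pre-patch command exposes the token in argv and that nothing remains on disk afterwards.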