Fix privilege escalation on some tasks.

jfrog · Jun 28, 2024 · dc02433 · dc02433
1 parent 1714e55
commit dc02433
Show file tree

Hide file tree

Showing 14 changed files with 31 additions and 33 deletions.
diff --git a/Ansible/ansible_collections/jfrog/platform/roles/artifactory/meta/main.yml b/Ansible/ansible_collections/jfrog/platform/roles/artifactory/meta/main.yml
@@ -6,18 +6,19 @@ galaxy_info:
   description: "The artifactory role installs the Artifactory Pro software onto the host."
   company: JFrog
   issue_tracker_url: "https://github.com/jfrog/JFrog-Cloud-Installers/issues"
-  license: license (Apache-2.0)
+  license: 'license (Apache-2.0)'
   min_ansible_version: '2.9'
   platforms:
     - name: EL
       versions:
-        - 8
-        - 9
+        - '8'
+        - '9'
     - name: Ubuntu
       versions:
         - bionic
         - focal
         - jammy
+        - noble
     - name: Debian
       versions:
         - buster

diff --git a/Ansible/ansible_collections/jfrog/platform/roles/artifactory/tasks/shared/jdbc_driver.yml b/Ansible/ansible_collections/jfrog/platform/roles/artifactory/tasks/shared/jdbc_driver.yml
@@ -1,16 +1,19 @@
 ---
 - name: Check if included database driver is the correct version
+  become: true
   ansible.builtin.stat:
     path: "{{ artifactory_home }}/app/artifactory/tomcat/lib/postgresql-{{ postgres_driver_version }}.jar"
   register: included_database_driver
 
 - name: Check if jdbc driver exists
+  become: true
   ansible.builtin.stat:
     path: "{{ artifactory_home }}/app/artifactory/tomcat/lib/jf_postgresql-{{ postgres_driver_version }}.jar"
   when: not included_database_driver.stat.exists
   register: database_driver
 
 - name: Download jdbc driver
+  become: true
   ansible.builtin.get_url:
     url: "{{ postgres_driver_download_url }}"
     dest: "{{ artifactory_home }}/var/bootstrap/artifactory/tomcat/lib"

diff --git a/Ansible/ansible_collections/jfrog/platform/roles/artifactory/tasks/shared/prerequisites.yml b/Ansible/ansible_collections/jfrog/platform/roles/artifactory/tasks/shared/prerequisites.yml
@@ -40,11 +40,13 @@
   when: artifactory_allow_crontab | bool
 
 - name: Ensure group artifactory exists
+  become: true
   ansible.builtin.group:
     name: "{{ artifactory_group }}"
     state: present
 
 - name: Ensure user artifactory exists
+  become: true
   ansible.builtin.user:
     name: "{{ artifactory_user }}"
     group: "{{ artifactory_group }}"
@@ -54,6 +56,7 @@
     state: present
 
 - name: Ensure jfrog_home_directory exists
+  become: true
   ansible.builtin.file:
     path: "{{ jfrog_home_directory }}"
     owner: "{{ artifactory_user }}"

diff --git a/Ansible/ansible_collections/jfrog/platform/roles/artifactory/tasks/upgrade.yml b/Ansible/ansible_collections/jfrog/platform/roles/artifactory/tasks/upgrade.yml
@@ -14,7 +14,6 @@
   block:
 
     - name: Ensure artifactory is stopped
-      become: true
       ansible.builtin.systemd_service:
         name: "{{ artifactory_daemon }}"
         state: stopped

diff --git a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/handlers/main.yml b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/handlers/main.yml
@@ -3,7 +3,7 @@
 
 - name: Update CA trust store
   become: true
-  ansible.builtin.command: "{{ system_trust_store_update | quote }}"
+  ansible.builtin.command: "{{ system_trust_store_update }}"
 
 - name: Restart NGINX
   become: true

diff --git a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/meta/main.yml b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/meta/main.yml
@@ -6,13 +6,13 @@ galaxy_info:
   description: "This role installs NGINX for artifactory. This role is automatically called by the artifactory role and isn't intended to be used separately."
   company: JFrog
   issue_tracker_url: "https://github.com/jfrog/JFrog-Cloud-Installers/issues"
-  license: license (Apache-2.0)
+  license: 'license (Apache-2.0)'
   min_ansible_version: '2.9'
   platforms:
     - name: EL
       versions:
-        - 8
-        - 9
+        - '8'
+        - '9'
     - name: Ubuntu
       versions:
         - bionic

diff --git a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/tasks/install/debian.yml b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/tasks/install/debian.yml
@@ -1,16 +1,15 @@
 ---
 - name: Configure NGINX repositories
   when: nginx_use_official_repos | bool
+  become: true
   block:
 
     - name: Import NGINX signing key
-      become: true
       ansible.builtin.apt_key:
         url: "{{ nginx_repo_signing_key }}"
         state: present
 
     - name: Add NGINX stable repo
-      become: true
       ansible.builtin.apt_repository:
         repo: "deb {{ nginx_official_repo_url }} {{ ansible_facts['ansible_distribution_release'] | lower }} nginx"
         filename: "{{ nginx_official_repo_filename }}"

diff --git a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/tasks/install/redhat.yml b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/tasks/install/redhat.yml
@@ -1,16 +1,15 @@
 ---
 - name: Configure NGINX repositories
   when: nginx_use_official_repos | bool
+  become: true
   block:
 
     - name: Import NGINX signing key
-      become: true
       ansible.builtin.rpm_key:
         key: "{{ nginx_official_repo_signing_key }}"
         state: present
 
     - name: Add NGINX stable repo
-      become: true
       ansible.builtin.yum_repository:
         name: "{{ nginx_official_repo_filename }}"
         description: "{{ nginx_official_repo_description }}"
@@ -23,7 +22,6 @@
       ignore_errors: true
 
     - name: Fallback to manually adding the repo if the previous task failed
-      become: true
       ansible.builtin.copy:
         dest: "/etc/yum.repos.d/{{ nginx_official_repo_filename }}.repo"
         owner: root
@@ -40,7 +38,6 @@
       when: __nginx_setup_repo is failed
 
     - name: Update cache
-      become: true
       ansible.builtin.dnf:
         state: present
         update_cache: true

diff --git a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/vars/debian.yml b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/vars/debian.yml
@@ -3,7 +3,6 @@ nginx_packages:
   - nginx
 
 nginx_system_daemon: nginx
-nginx_system_repositories: []
 
 ###########################
 ##      CERTIFICATES     ##

diff --git a/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/vars/redhat.yml b/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx/vars/redhat.yml
@@ -1,5 +1,6 @@
 ---
-nginx_packages: ['nginx']
+nginx_packages:
+  - nginx
 
 nginx_system_daemon: 'nginx'
 

diff --git a/Ansible/ansible_collections/jfrog/platform/roles/postgres/defaults/main.yml b/Ansible/ansible_collections/jfrog/platform/roles/postgres/defaults/main.yml
@@ -137,7 +137,7 @@ postgresql_databases_users:
     lc_ctype: "{{ xray_db_lc_ctype | d(postgresql_locale) }}"
     encoding: "{{ xray_db_encoding | d('UTF-8') }}"
     template: "{{ xray_db_template | d('template0') }}"
-    login_host: "{{ xray_db_login_host | d(null) }}"
+    login_host: "{{ xray_db_login_host | d('localhost') }}"
     login_port: "{{ xray_db_login_port | d(null) }}"
     login_user: "{{ xray_db_login_user | d(postgresql_user) }}"
     login_password: "{{ xray_db_login_password | d(null) }}"
@@ -161,7 +161,7 @@ postgresql_databases_users:
     lc_ctype: "{{ distribution_db_lc_ctype | d(postgresql_locale) }}"
     encoding: "{{ distribution_db_encoding | d('UTF-8') }}"
     template: "{{ distribution_db_template | d('template0') }}"
-    login_host: "{{ distribution_db_login_host | d(null) }}"
+    login_host: "{{ distribution_db_login_host | d('localhost') }}"
     login_port: "{{ distribution_db_login_port | d(null) }}"
     login_user: "{{ distribution_db_login_user | d(postgresql_user) }}"
     login_password: "{{ distribution_db_login_password | d(null) }}"
@@ -185,7 +185,7 @@ postgresql_databases_users:
     lc_ctype: "{{ insight_db_lc_ctype | d(postgresql_locale) }}"
     encoding: "{{ insight_db_encoding | d('UTF-8') }}"
     template: "{{ insight_db_template | d('template0') }}"
-    login_host: "{{ insight_db_login_host | d(null) }}"
+    login_host: "{{ insight_db_login_host | d('localhost') }}"
     login_port: "{{ insight_db_login_port | d(null) }}"
     login_user: "{{ insight_db_login_user | d(postgresql_user) }}"
     login_password: "{{ insight_db_login_password | d(null) }}"

diff --git a/Ansible/ansible_collections/jfrog/platform/roles/postgres/tasks/install/debian.yml b/Ansible/ansible_collections/jfrog/platform/roles/postgres/tasks/install/debian.yml
@@ -1,17 +1,16 @@
 ---
 - name: Configure PostgreSQL repositories
   when: artifactory_postgresql_use_official_repos | bool
+  become: true
   block:
 
     - name: Import PostgreSQL repository signing key
-      become: true
       ansible.builtin.apt_key:
         url: "{{ postgresql_repo_key_url }}"
         id: "{{ postgresql_repo_key_id }}"
         state: present
 
     - name: Add PostgreSQL repository
-      become: true
       ansible.builtin.apt_repository:
         repo: "{{ postgres_apt_repository_repo }}"
         state: present

diff --git a/Ansible/ansible_collections/jfrog/platform/roles/postgres/tasks/install/redhat.yml b/Ansible/ansible_collections/jfrog/platform/roles/postgres/tasks/install/redhat.yml
@@ -1,22 +1,20 @@
 ---
 - name: Configure PostgreSQL repositories
   when: artifactory_postgresql_use_official_repos | bool
+  become: true
   block:
 
     - name: Import PostgreSQL signing key
-      become: true
       ansible.builtin.rpm_key:
         key: "{{ postgres_rpmkey_url }}"
         state: present
 
     - name: Add PostgreSQL PDGD repo
-      become: true
       ansible.builtin.dnf:
         name: "{{ postgresql_repo_url }}"
         state: present
 
     - name: Disable PostgreSQL module
-      become: true
       ansible.builtin.copy:
         dest: /etc/dnf/modules.d/postgresql.module
         owner: root
@@ -30,7 +28,6 @@
           state=disabled
 
     - name: Update cache
-      become: true
       ansible.builtin.dnf:
         state: present
         update_cache: true

diff --git a/Ansible/ansible_collections/jfrog/platform/roles/postgres/tasks/setup.yml b/Ansible/ansible_collections/jfrog/platform/roles/postgres/tasks/setup.yml
@@ -1,5 +1,7 @@
 ---
 - name: Ensure PostgreSQL users are present
+  become: true
+  become_user: "{{ postgresql_user }}"
   community.postgresql.postgresql_user:
     name: "{{ item.value.username }}"
     password: "{{ item.value.userpass }}"
@@ -11,13 +13,13 @@
     login_password: "{{ item.value.login_password | d(omit) }}"
     login_unix_socket: "{{ item.value.login_unix_socket | d(omit) }}"
   loop: "{{ lookup('ansible.builtin.dict', postgresql_databases_users) }}"
-  no_log: "{{ postgres_users_no_log }}"
-  become: true
-  become_user: "{{ postgresql_user }}"
+  no_log: "{{ postgres_users_no_log  | d(true) }}"
   environment:
     PGOPTIONS: "{{ (postgresql_auth_method == 'scram-sha-256') | ternary('-c password_encryption=scram-sha-256', '') }}"
 
 - name: Ensure PostgreSQL databases are present
+  become: true
+  become_user: "{{ postgresql_user }}"
   community.postgresql.postgresql_db:
     name: "{{ item.value.name }}"
     lc_collate: "{{ item.value.lc_collate }}"
@@ -31,10 +33,10 @@
     login_unix_socket: "{{ item.value.login_unix_socket | d(omit) }}"
     state: "{{ item.value.state }}"
   loop: "{{ lookup('ansible.builtin.dict', postgresql_databases_users) }}"
-  become: true
-  become_user: "{{ postgresql_user }}"
 
 - name: Ensure PostgreSQL users privileges are present
+  become: true
+  become_user: "{{ postgresql_user }}"
   community.postgresql.postgresql_privs:
     database: "{{ item.value.name }}"
     state: "{{ item.value.state }}"
@@ -47,6 +49,4 @@
     login_password: "{{ item.value.login_password | d(omit) }}"
     login_unix_socket: "{{ item.value.login_unix_socket | d(omit) }}"
   loop: "{{ lookup('ansible.builtin.dict', postgresql_databases_users) }}"
-  no_log: "{{ postgres_users_no_log }}"
-  become: true
-  become_user: "{{ postgresql_user }}"
+  no_log: "{{ postgres_users_no_log | d(true) }}"