Allow known_hosts to be run in untrusted context

When using add_host on localhost (zuul-executor) we also need to add the
ssh known_host entry, otherwise when a play tries to use the new host
ansible will fail to connect since we try to validate SSH host keys by
default.

Change-Id: Ifc99f57085ab4e4ed022e411db77965673c6dbcf
Signed-off-by: Paul Belanger <pabelanger@redhat.com>

releasenotes/notes/relax-ssh-known-hosts-d71a57e77436110b.yaml

@@ -0,0 +1,4 @@
+---
+features:
+  - |
+    The restriction on using ``known_hosts`` in playbooks has been lifted.

tests/fixtures/config/remote-action-modules/git/org_project/playbooks/known-hosts-bad.yaml

@@ -0,0 +1,8 @@
+- hosts: all
+  tasks:
+    - name: Add fake known_hosts entry
+      delegate_to: localhost
+      known_hosts:
+        name: fake
+        path: /root/.ssh/known_hosts
+        key: fake ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOOaqWfpmnMiCYaLUq0ugyQ6OUIvtPzkOqLTG03HXxU9

tests/fixtures/config/remote-action-modules/git/org_project/playbooks/known-hosts-delegate.yaml

@@ -0,0 +1,7 @@
+- hosts: all
+  tasks:
+    - name: Add fake known_hosts entry
+      delegate_to: localhost
+      known_hosts:
+        name: fake
+        key: fake ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOOaqWfpmnMiCYaLUq0ugyQ6OUIvtPzkOqLTG03HXxU9

tests/fixtures/config/remote-action-modules/git/org_project/playbooks/known-hosts-good.yaml

@@ -0,0 +1,6 @@
+- hosts: all
+  tasks:
+    - name: Add fake known_hosts entry
+      known_hosts:
+        name: fake
+        key: fake ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOOaqWfpmnMiCYaLUq0ugyQ6OUIvtPzkOqLTG03HXxU9

tests/fixtures/config/remote-action-modules/git/org_project/playbooks/known-hosts-localhost.yaml

@@ -0,0 +1,6 @@
+- hosts: localhost
+  tasks:
+    - name: Add fake known_hosts entry
+      known_hosts:
+        name: fake
+        key: fake ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOOaqWfpmnMiCYaLUq0ugyQ6OUIvtPzkOqLTG03HXxU9

tests/remote/test_remote_action_modules.py

@@ -186,3 +186,14 @@ class TestActionModules(AnsibleZuulTestCase):
 
         self._run_job('unarchive-bad', 'FAILURE', ERROR_ACCESS_OUTSIDE)
         self._run_job('unarchive-bad-symlink', 'FAILURE', ERROR_ACCESS_OUTSIDE)
+
+    def test_known_hosts_module(self):
+        self._run_job('known-hosts-good', 'SUCCESS')
+
+        # known-hosts-delegate does multiple tests with various delegates and
+        # safe and non-safe paths. It asserts by itself within ansible so we
+        # expect SUCCESS here.
+        self._run_job('known-hosts-delegate', 'SUCCESS')
+        self._run_job('known-hosts-localhost', 'SUCCESS')
+
+        self._run_job('known-hosts-bad', 'FAILURE', ERROR_ACCESS_OUTSIDE)

zuul/ansible/action/normal.py

@@ -79,6 +79,21 @@ class ActionModule(normal.ActionModule):
             if dest:
                 paths._fail_if_unsafe(dest)
 
+    def handle_known_hosts(self):
+        '''Allow known_hosts on localhost
+
+        The :ansible:module:`known_hosts` can be used to add SSH host keys of
+        a remote system. When run from a executor it can be used with the
+        add_host task to access remote servers. This is needed because ansible
+        on the executor is configured to check host keys by default.
+
+        Block any access of files outside the zuul work dir.
+        '''
+        if paths._is_localhost_task(self):
+            path = self._task.args.get('path')
+            if path:
+                paths._fail_if_unsafe(path)
+
     def handle_uri(self):
         '''Allow uri module on localhost if it doesn't touch unsafe files.