Some more hardening to not process raw jinja inside salt/ansible cmd. But, I think this is the end of the road
Miguel Jacq 2026-06-22 20:26:06 +10:00
parent c3c3608049
commit d96ad3dc02
Signed by: mig5
GPG key ID: 03906B4110AAD3B8
9 changed files with 508 additions and 12 deletions


@ -2378,3 +2378,15 @@ def test_manifest_non_fqdn_refuses_existing_output(tmp_path: Path):
with pytest.raises(RuntimeError, match="already exists"):
manifest.manifest(str(bundle), str(out), no_common_roles=True)
def test_yaml_dump_mapping_emits_ansible_unsafe_tag_for_marked_values():
from enroll.render_safety import ansible_unsafe_data
data = ansible_unsafe_data({"value": "{{ lookup('pipe','id') }}"})
dumped = yaml_helpers.yaml_dump_mapping(data)
assert "value: !unsafe" in dumped
assert "{{ lookup(''pipe'',''id'') }}" in dumped
loaded = yaml_helpers.yaml_load_mapping(dumped)
assert loaded["value"] == "{{ lookup('pipe','id') }}"
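Review bot: The round-trip check at the end of test_yaml_dump_mapping_emits_ansible_unsafe_tag_for_marked_values compares only the string value, so it would still pass if yaml_load_mapping returned a plain str and the unsafe marking were lost on load. If any code path loads a mapping and dumps it again, the `!unsafe` tag could then be dropped and the raw Jinja expression would reach templating unprotected; this is an inference, since yaml_load_mapping is not visible in this hunk. Consider adding `assert "value: !unsafe" in yaml_helpers.yaml_dump_mapping(loaded)` after the last assert to pin the marker across a load and re-dump. The test also exercises only a top-level scalar, so a second case with the marked string nested inside a list or an inner mapping would show that the tag is emitted at depth as well.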