New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
POC hack to parse Puppetfile directly W/O eval #885
Conversation
Ruby 2.6 instroduced the RubyVM::AbstractSyntaxTree, which will parse arbitrary Ruby code into an AST. This means that instead of eval'ing code, we can just parse it and take action on the three methods we care about. In other words, the Puppetfile will no longer be arbitrary and unchecked Ruby code. See https://docs.ruby-lang.org/en/trunk/RubyVM/AbstractSyntaxTree.html for more information. Note: This implementation is *experimental* and will almost certainly change. This should not be merged until upstream commits to a stable API. But it's worth exploring and validating that we can indeed have non-executable Puppetfiles.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Needs rebase
In our environment, we have multiple tenants separated into separate control repositories that all depend on shared modules (roles/profiles) we maintain as a community. This means that when we decide to update underlying component modules, we have to communicate those changes to individual tenants and it creates a release bottleneck. One "hack" that we've been using in the last year was to have our r10k node write the "shared upstream
The fact that This works out pretty well, but might be somewhat impacted by this line of development. Is there an alternative solution to this problem you would suggest? If not, is this feature something that could be gated as configuration? Also, to be clear, definitely amenable to any suggestions here as it's likely not a new problem. Not interested in holding the project back, so if worst comes to worst, we'll either hold back the version of /edit I don't know how interested folks would be in specialized r10k-specific |
FWIW, I would love to see a formally supported "include" in Puppetfile parsing. |
Could also use Ripper to do the AST generation so as to lift the Ruby 2.6 restriction. |
Ruby 2.6 is no longer an onerous requirement since 2.5 goes EOL on 2021-03-31. I would like to make a decision on this. I believe that executable Puppetfiles are dangerous. We can gate this behind a config option and make it default in 4.x. Can someone put some 👀 on this? |
The docs say that the I agree that just calling |
@mwaggett that's a really good point. I think that CM just fork/execs r10k in its own process, but not entirely sure. Regardless, you make a good point that parser or ripper would be better options. I unfortunately don't have time to refactor that, but I'll open a ticket to do so and reference this PR. Thanks! |
Ruby 2.6 instroduced the RubyVM::AbstractSyntaxTree, which will parse
arbitrary Ruby code into an AST. This means that instead of eval'ing
code, we can just parse it and take action on the three methods we care
about. In other words, the Puppetfile will no longer be arbitrary and
unchecked Ruby code.
See https://docs.ruby-lang.org/en/trunk/RubyVM/AbstractSyntaxTree.html
for more information.
Note: This implementation is experimental and will almost certainly
change. This should not be merged until upstream commits to a stable
API. But it's worth exploring and validating that we can indeed have
non-executable Puppetfiles.