From e318d1c4f8a4dc7ded3ba414015860ea17e24f6c Mon Sep 17 00:00:00 2001
From: Cedric Cuche
Date: Tue, 26 Jul 2022 09:31:05 +0200
Subject: [PATCH] #998 Execute task-template within python-virtual environment and ensure sensitive environment variable are not passed to ansible-playbook command
---
 lib/AnsiblePlaybook.go | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)
diff --git a/lib/AnsiblePlaybook.go b/lib/AnsiblePlaybook.go
index 75dd1ad49..779c3e216 100644
--- a/lib/AnsiblePlaybook.go
+++ b/lib/AnsiblePlaybook.go
@@ -16,10 +16,23 @@ type AnsiblePlaybook struct {
 }
 func (p AnsiblePlaybook) makeCmd(command string, args []string, environmentVars *[]string) *exec.Cmd {
-	cmd := exec.Command(command, args...) //nolint: gas
+	commandToExec := command
+	cmdInPythonDefaultVenv := fmt.Sprintf("%s/.venv/bin/%s", p.GetFullPath(), command)
+	if _, err := os.Stat(cmdInPythonDefaultVenv); !os.IsNotExist(err) {
+		// Run .venv/bin/command instead of the one in PATH
+		commandToExec = cmdInPythonDefaultVenv
+	}
+	cmd := exec.Command(commandToExec, args...) //nolint: gas
 	cmd.Dir = p.GetFullPath()
 	cmd.Env = os.Environ()
+	pythonDefaultVenv := fmt.Sprintf("%s/.venv", cmd.Dir)
+	if _, err := os.Stat(pythonDefaultVenv); !os.IsNotExist(err) {
+		// Prepend python .venv binaries to PATH allowing specific ansible version per task-template
+		p.Logger.Log(fmt.Sprintf("Using python venv at: %s\n", pythonDefaultVenv))
+		cmd.Env = append(cmd.Env, fmt.Sprintf("VIRTUAL_ENV=%s", pythonDefaultVenv))
+		cmd.Env = append(cmd.Env, fmt.Sprintf("PATH=%s/bin:%s", pythonDefaultVenv, os.Getenv("PATH")))
+	}
 	cmd.Env = append(cmd.Env, fmt.Sprintf("HOME=%s", util.Config.TmpPath))
 	cmd.Env = append(cmd.Env, fmt.Sprintf("PWD=%s", cmd.Dir))
 	cmd.Env = append(cmd.Env, "PYTHONUNBUFFERED=1")
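Review bot: The two `os.Stat` guards on the added lines treat any error other than ENOENT — e.g. EACCES on an unreadable `.venv` — as "present", so the code would then try to exec a path it cannot read and prepend an unusable `bin` to PATH; the intended condition is success, `if _, err := os.Stat(cmdInPythonDefaultVenv); err == nil {` (and the same for `pythonDefaultVenv`). More importantly, the binary that replaces the system `ansible-playbook` is looked up under `p.GetFullPath()`, which is also `cmd.Dir`, the task's working tree: whoever can write `.venv/bin/<command>` there (a checked-in directory, or an earlier playbook run) chooses what executes, and that trust assumption deserves a comment such as `// .venv is trusted: it lives in the task's working tree and is executed as-is`. Whether that tree is a repository checkout that task authors control is not visible here, so confirm it against the caller before relying on it. `filepath.Join(p.GetFullPath(), ".venv", "bin", command)` would also replace the hand-built `%s/.venv/bin/%s` strings. The rest of makeCmd continues in the next hunk.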
@@ -27,6 +40,12 @@ func (p AnsiblePlaybook) makeCmd(command string, args []string, environmentVars
 	if environmentVars != nil {
 		cmd.Env = append(cmd.Env, *environmentVars...)
 	}
+	// Remove sensitive env variables from cmd process as they can be read using ansible "debug" task and "-vvv"
+	cmd.Env = append(cmd.Env, "SEMAPHORE_ACCESS_KEY_ENCRYPTION=")
+	cmd.Env = append(cmd.Env, "SEMAPHORE_ADMIN_PASSWORD=")
+	cmd.Env = append(cmd.Env, "SEMAPHORE_DB_USER=")
+	cmd.Env = append(cmd.Env, "SEMAPHORE_DB_PASS=")
+	cmd.Env = append(cmd.Env, "SEMAPHORE_LDAP_PASSWORD=")
 	return cmd
 }
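Review bot: The five appended `NAME=` entries do not remove the secrets, they only blank them, and that depends on `os/exec` keeping the last duplicate key in `Cmd.Env` — documented, but easy to miss, and it still leaves e.g. `SEMAPHORE_DB_PASS` defined (empty) in the child. It is also a fixed denylist: any other credential present in the server's environment (further `SEMAPHORE_*` settings, cloud or API tokens) remains readable by a `debug` task or `-vvv`. The robust form is to filter `os.Environ()` where `cmd.Env` is first built at the top of makeCmd (outside this hunk) instead of patching it at the end, as sketched below; the same five names can stay as the filter set, or be widened to a `SEMAPHORE_` prefix if nothing the playbook needs is passed that way (needs `strings` imported). Note that an entry in `*environmentVars` with one of these names is wiped by the appended lines too, which may or may not be intended.
```go
	// Build the child environment from a filtered copy of os.Environ() so the
	// server's secrets are absent (not merely empty) in the ansible process.
	sensitive := map[string]bool{
		"SEMAPHORE_ACCESS_KEY_ENCRYPTION": true,
		"SEMAPHORE_ADMIN_PASSWORD":        true,
		"SEMAPHORE_DB_USER":               true,
		"SEMAPHORE_DB_PASS":               true,
		"SEMAPHORE_LDAP_PASSWORD":         true,
	}
	for _, kv := range os.Environ() {
		if sensitive[strings.SplitN(kv, "=", 2)[0]] {
			continue
		}
		cmd.Env = append(cmd.Env, kv)
	}
	// … unchanged: venv PATH, HOME, PWD, PYTHONUNBUFFERED, environmentVars …
	return cmd
```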