Allow template lookup in untrusted context

This is similar to the already-permitted file lookup, but it
templates the result.  The same access restrictions on the
supplied path as file should be applied.

Change-Id: I21b8788d491485cef6b05bebeb4b93c8df6b535c

1 files changed, 27 insertions, 1 deletions

diff --git a/zuul/ansible/base/lookup/template.py b/zuul/ansible/base/lookup/template.py
index d45b9c405..fef56570a 120000..100644
--- a/zuul/ansible/base/lookup/template.py
+++ b/zuul/ansible/base/lookup/template.py
@@ -1 +1,27 @@
-_banned.py
\ No newline at end of file
+# Copyright 2017 Red Hat, Inc.
+#
+# This module is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This software is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this software.  If not, see <http://www.gnu.org/licenses/>.
+
+from zuul.ansible import paths
+template_mod = paths._import_ansible_lookup_plugin("template")
+
+
+class LookupModule(template_mod.LookupModule):
+
+    def run(self, terms, variables=None, **kwargs):
+        for term in terms:
+            lookupfile = self.find_file_in_search_path(
+                variables, 'templates', term)
+            paths._fail_if_unsafe(lookupfile, allow_trusted=True)
+        return super(LookupModule, self).run(terms, variables, **kwargs)