Sanitize labels. (#985) (#986)

(cherry picked from commit 1e10834905)

Co-authored-by: Felix Fontein <felix@fontein.de>

changelogs/fragments/985-label-sanitize.yml

@@ -0,0 +1,9 @@
+bugfixes:
+  - "docker_compose_v2_run - make sure to sanitize ``labels`` before sending them to the Docker Daemon (https://github.com/ansible-collections/community.docker/pull/985)."
+  - "docker_config - make sure to sanitize ``labels`` before sending them to the Docker Daemon (https://github.com/ansible-collections/community.docker/pull/985)."
+  - "docker_network - make sure to sanitize ``labels`` before sending them to the Docker Daemon (https://github.com/ansible-collections/community.docker/pull/985)."
+  - "docker_node - make sure to sanitize ``labels`` before sending them to the Docker Daemon (https://github.com/ansible-collections/community.docker/pull/985)."
+  - "docker_secret - make sure to sanitize ``labels`` before sending them to the Docker Daemon (https://github.com/ansible-collections/community.docker/pull/985)."
+  - "docker_swarm - make sure to sanitize ``labels`` before sending them to the Docker Daemon (https://github.com/ansible-collections/community.docker/pull/985)."
+  - "docker_swarm_service - make sure to sanitize ``labels`` and ``container_labels`` before sending them to the Docker Daemon (https://github.com/ansible-collections/community.docker/pull/985)."
+  - "docker_volume - make sure to sanitize ``labels`` before sending them to the Docker Daemon (https://github.com/ansible-collections/community.docker/pull/985)."

plugins/module_utils/module_container/base.py

@@ -22,6 +22,7 @@ from ansible_collections.community.docker.plugins.module_utils.util import (
     compare_generic,
     normalize_healthcheck,
     omit_none_from_dict,
+    sanitize_labels,
 )
 
 from ansible_collections.community.docker.plugins.module_utils._platform import (
@@ -651,6 +652,17 @@ def _preprocess_mounts(module, values):
     return values
 
 
+def _preprocess_labels(module, values):
+    result = {}
+    if 'labels' in values:
+        labels = values['labels']
+        if labels is not None:
+            labels = dict(labels)
+            sanitize_labels(labels, 'labels', module=module)
+        result['labels'] = labels
+    return result
+
+
 def _preprocess_log(module, values):
     result = {}
     if 'log_driver' not in values:
@@ -978,7 +990,7 @@ OPTION_KERNEL_MEMORY = (
 )
 
 OPTION_LABELS = (
-    OptionGroup()
+    OptionGroup(preprocess=_preprocess_labels)
     .add_option('labels', type='dict', needs_no_suboptions=True)
 )
 

plugins/module_utils/util.py

@@ -12,7 +12,9 @@ from datetime import timedelta
 
 from ansible.module_utils.basic import env_fallback
 from ansible.module_utils.common.collections import is_sequence
+from ansible.module_utils.six import string_types
 from ansible.module_utils.six.moves.urllib.parse import urlparse
+from ansible.module_utils.common.text.converters import to_text
 
 
 DEFAULT_DOCKER_HOST = 'unix:///var/run/docker.sock'
@@ -283,6 +285,28 @@ class DifferenceTracker(object):
         return result
 
 
+def sanitize_labels(labels, labels_field, client=None, module=None):
+    def fail(msg):
+        if client is not None:
+            client.module.fail(msg)
+        if module is not None:
+            module.fail_json(msg=msg)
+        raise ValueError(msg)
+
+    if labels is None:
+        return
+    for k, v in list(labels.items()):
+        if not isinstance(k, string_types):
+            fail(
+                "The key {key!r} of {field} is not a string!".format(
+                    field=labels_field, key=k))
+        if isinstance(v, (bool, float)):
+            fail(
+                "The value {value!r} for {key!r} of {field} is not a string or something than can be safely converted to a string!".format(
+                    field=labels_field, key=k, value=v))
+        labels[k] = to_text(v)
+
+
 def clean_dict_booleans_for_docker_api(data, allow_sequences=False):
     '''
     Go doesn't like Python booleans 'True' or 'False', while Ansible is just

plugins/modules/docker_compose_v2_run.py

@@ -248,6 +248,8 @@ from ansible_collections.community.docker.plugins.module_utils.compose_v2 import
     common_compose_argspec_ex,
 )
 
+from ansible_collections.community.docker.plugins.module_utils.util import sanitize_labels
+
 
 class ExecManager(BaseComposeManager):
     def __init__(self, client):
@@ -416,6 +418,7 @@ def main():
         needs_api_version=False,
         **argspec_ex
     )
+    sanitize_labels(client.module.params['labels'], 'labels', client)
 
     try:
         manager = ExecManager(client)

plugins/modules/docker_config.py

@@ -212,6 +212,7 @@ from ansible_collections.community.docker.plugins.module_utils.common import (
 from ansible_collections.community.docker.plugins.module_utils.util import (
     DockerBaseClass,
     compare_generic,
+    sanitize_labels,
 )
 from ansible.module_utils.common.text.converters import to_native, to_bytes
 
@@ -414,6 +415,7 @@ def main():
         min_docker_api_version='1.30',
         option_minimal_versions=option_minimal_versions,
     )
+    sanitize_labels(client.module.params['labels'], 'labels', client)
 
     try:
         results = dict(

plugins/modules/docker_network.py

@@ -284,6 +284,7 @@ from ansible_collections.community.docker.plugins.module_utils.util import (
     DockerBaseClass,
     DifferenceTracker,
     clean_dict_booleans_for_docker_api,
+    sanitize_labels,
 )
 from ansible_collections.community.docker.plugins.module_utils._api.errors import DockerException
 
@@ -698,6 +699,7 @@ def main():
         # "The docker server >= 1.10.0"
         option_minimal_versions=option_minimal_versions,
     )
+    sanitize_labels(client.module.params['labels'], 'labels', client)
 
     try:
         cm = DockerNetworkManager(client)

plugins/modules/docker_node.py

@@ -153,6 +153,7 @@ from ansible_collections.community.docker.plugins.module_utils.common import (
 from ansible.module_utils.common.text.converters import to_native
 
 from ansible_collections.community.docker.plugins.module_utils.swarm import AnsibleDockerSwarmClient
+from ansible_collections.community.docker.plugins.module_utils.util import sanitize_labels
 
 
 class TaskParameters(DockerBaseClass):
@@ -172,6 +173,8 @@ class TaskParameters(DockerBaseClass):
         for key, value in client.module.params.items():
             setattr(self, key, value)
 
+        sanitize_labels(self.labels, "labels", client)
+
 
 class SwarmNodeManager(DockerBaseClass):
 

plugins/modules/docker_secret.py

@@ -204,6 +204,7 @@ from ansible_collections.community.docker.plugins.module_utils.common import (
 from ansible_collections.community.docker.plugins.module_utils.util import (
     DockerBaseClass,
     compare_generic,
+    sanitize_labels,
 )
 from ansible.module_utils.common.text.converters import to_native, to_bytes
 
@@ -384,6 +385,7 @@ def main():
         mutually_exclusive=mutually_exclusive,
         min_docker_version='2.1.0',
     )
+    sanitize_labels(client.module.params['labels'], 'labels', client)
 
     try:
         results = dict(

plugins/modules/docker_swarm.py

@@ -324,6 +324,7 @@ from ansible_collections.community.docker.plugins.module_utils.common import (
 )
 from ansible_collections.community.docker.plugins.module_utils.util import (
     DifferenceTracker,
+    sanitize_labels,
 )
 
 from ansible_collections.community.docker.plugins.module_utils.swarm import AnsibleDockerSwarmClient
@@ -714,6 +715,7 @@ def main():
         min_docker_version='1.10.0',
         option_minimal_versions=option_minimal_versions,
     )
+    sanitize_labels(client.module.params['labels'], 'labels', client)
 
     try:
         results = dict(

plugins/modules/docker_swarm_service.py

@@ -954,6 +954,7 @@ from ansible_collections.community.docker.plugins.module_utils.util import (
     convert_duration_to_nanosecond,
     parse_healthcheck,
     clean_dict_booleans_for_docker_api,
+    sanitize_labels,
 )
 
 from ansible.module_utils.basic import human_to_bytes
@@ -1531,10 +1532,9 @@ class DockerService(DockerBaseClass):
         secret_ids,
         config_ids,
         network_ids,
-        docker_api_version,
+        client,
-        docker_py_version,
     ):
-        s = DockerService(docker_api_version, docker_py_version)
+        s = DockerService(client.docker_api_version, client.docker_py_version)
         s.image = image_digest
         s.args = ap['args']
         s.endpoint_mode = ap['endpoint_mode']
@@ -1546,7 +1546,9 @@ class DockerService(DockerBaseClass):
         s.hosts = ap['hosts']
         s.tty = ap['tty']
         s.labels = ap['labels']
+        sanitize_labels(s.labels, 'labels', client)
         s.container_labels = ap['container_labels']
+        sanitize_labels(s.container_labels, 'container_labels', client)
         s.sysctls = ap['sysctls']
         s.mode = ap['mode']
         s.stop_signal = ap['stop_signal']
@@ -2488,8 +2490,7 @@ class DockerServiceManager(object):
                 secret_ids,
                 config_ids,
                 network_ids,
-                self.client.docker_api_version,
+                self.client,
-                self.client.docker_py_version
             )
         except Exception as e:
             return self.client.fail(

plugins/modules/docker_volume.py

@@ -127,6 +127,7 @@ from ansible_collections.community.docker.plugins.module_utils.common_api import
 from ansible_collections.community.docker.plugins.module_utils.util import (
     DockerBaseClass,
     DifferenceTracker,
+    sanitize_labels,
 )
 from ansible_collections.community.docker.plugins.module_utils._api.errors import (
     APIError,
@@ -296,6 +297,7 @@ def main():
         supports_check_mode=True,
         # "The docker server >= 1.9.0"
     )
+    sanitize_labels(client.module.params['labels'], 'labels', client)
 
     try:
         cm = DockerVolumeManager(client)