test_proot.yml

---
# Launch a job and assert that it cannot:
#   - see /var/lib/awx/projects (except for self)
#   - see /var/lib/awx/job_status
#   - see /tmp/ (except for self)
#   - see /etc/awx/settings.py
#   - see /var/log/

- hosts: all
  gather_facts: true
  vars:
    tower_conf_dir: /etc/tower
    tower_tmp_dirs:
        - /tmp
    sys_log_dir: /var/log
    tower_projects_dir: /var/lib/awx/projects
    tower_job_status_dir: /var/lib/awx/job_status

  tasks:
    - command: find {{tower_tmp_dirs|join(' ')}} -mindepth 1 -maxdepth 1 -type d -regex '.*bwrap_.*_.*'
      register: result
    - debug: var=result
    - name: assert that only one bwrap_.*_.* tempfile is visible
      assert:
        that:
          - 'result.rc == 0'
          - 'result.stdout_lines|length <= 1'

    - command: find {{tower_projects_dir}}/ -mindepth 1 -maxdepth 1 -type d
      register: result
    - debug: var=result
    - name: assert that only one tower project directory is visible
      assert:
        that:
          - 'result.rc == 0'
          - 'result.stdout_lines|length == 1'

    - command: find {{tower_job_status_dir}} -mindepth 1 -maxdepth 1 -type f
      register: result
    - debug: var=result
    - name: assert that no job_status files are visible
      assert:
        that:
          - 'result.rc == 0'
          - 'result.stdout_lines|length == 0'

    - command: find {{tower_conf_dir}} -mindepth 1 -maxdepth 1 -type f
      ignore_errors: true
      register: result
    - debug: var=result
    - name: assert that no tower conf files are visible
      assert:
        that:
          - 'result.rc == 0'
          - 'result.stdout_lines|length == 0'

    - command: find {{sys_log_dir}} -mindepth 1 -maxdepth 1 -type f
      ignore_errors: true
      register: result
    - debug: var=result
    - name: assert that no tower log files are visible
      assert:
        that:
          - 'result.rc == 0'
          # - 'result.stdout_lines|length == 0'