Ensure -k is set to delegated hosts without a pass (#71136) (#71168)

* Ensure -k is set to delegated hosts without a pass

* Fix up some broken tests

* Update task_executor.py

one possible fix, the other is updating winrm to normalize on 'password' like the other connection plugins

* Add alias for winrm and fix incorrect assumption

* Make sure aliases are used for keyword options

* Conditionally run test if sshpass is present, fix sanity

Co-authored-by: Brian Coca <bcoca@users.noreply.github.com>
(cherry picked from commit 3f22f79e73)

changelogs/fragments/delegation_password.yml

@@ -0,0 +1,2 @@
+bugfixes:
+- Ensure password passed in by -k is used on delegated hosts that do not have ansible_password set

lib/ansible/config/manager.py

@@ -429,10 +429,12 @@ class ConfigManager(object):
         defs = self.get_configuration_definitions(plugin_type, plugin_name)
         if config in defs:
 
+            aliases = defs[config].get('aliases', [])
+
             # direct setting via plugin arguments, can set to None so we bypass rest of processing/defaults
             direct_aliases = []
             if direct:
-                direct_aliases = [direct[alias] for alias in defs[config].get('aliases', []) if alias in direct]
+                direct_aliases = [direct[alias] for alias in aliases if alias in direct]
             if direct and config in direct:
                 value = direct[config]
                 origin = 'Direct'
@@ -447,9 +449,20 @@ class ConfigManager(object):
                     origin = 'var: %s' % origin
 
                 # use playbook keywords if you have em
-                if value is None and keys and config in keys:
+                if value is None and keys:
-                    value, origin = keys[config], 'keyword'
+                    if config in keys:
-                    origin = 'keyword: %s' % origin
+                        value = keys[config]
+                        keyword = config
+
+                    elif aliases:
+                        for alias in aliases:
+                            if alias in keys:
+                                value = keys[alias]
+                                keyword = alias
+                                break
+
+                    if value is not None:
+                        origin = 'keyword: %s' % keyword
 
                 # env vars are next precedence
                 if value is None and defs[config].get('env'):

lib/ansible/plugins/connection/psrp.py

@@ -39,7 +39,8 @@ options:
     - name: ansible_password
     - name: ansible_winrm_pass
     - name: ansible_winrm_password
-    aliases: [ password ]
+    aliases:
+    - password  # Needed for --ask-pass to come through on delegation
   port:
     description:
     - The port for PSRP to connect on the remote target.

lib/ansible/plugins/connection/winrm.py

@@ -40,6 +40,8 @@ DOCUMENTATION = """
             - name: ansible_winrm_pass
             - name: ansible_winrm_password
         type: str
+        aliases:
+        - password  # Needed for --ask-pass to come through on delegation
       port:
         description:
             - port for winrm to connect on remote target

test/integration/targets/connection_delegation/action_plugins/delegation_action.py

@@ -0,0 +1,12 @@
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+from ansible.plugins.action import ActionBase
+
+
+class ActionModule(ActionBase):
+
+    def run(self, tmp=None, task_vars=None):
+        return {
+            'remote_password': self._connection.get_option('remote_password'),
+        }

test/integration/targets/connection_delegation/aliases

@@ -0,0 +1,4 @@
+shippable/posix/group1
+skip/freebsd  # No sshpass
+skip/osx  # No sshpass
+skip/rhel  # No sshpass

test/integration/targets/connection_delegation/connection_plugins/delegation_connection.py

@@ -0,0 +1,45 @@
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+DOCUMENTATION = """
+author: Ansible Core Team
+connection: delegation_connection
+short_description: Test connection for delegated host check
+description:
+- Some further description that you don't care about.
+options:
+  remote_password:
+    description: The remote password
+    type: str
+    vars:
+    - name: ansible_password
+    # Tests that an aliased key gets the -k option which hardcodes the value to password
+    aliases:
+    - password
+"""
+
+from ansible.plugins.connection import ConnectionBase
+
+
+class Connection(ConnectionBase):
+
+    transport = 'delegation_connection'
+    has_pipelining = True
+
+    def __init__(self, *args, **kwargs):
+        super(Connection, self).__init__(*args, **kwargs)
+
+    def _connect(self):
+        super(Connection, self)._connect()
+
+    def exec_command(self, cmd, in_data=None, sudoable=True):
+        super(Connection, self).exec_command(cmd, in_data, sudoable)
+
+    def put_file(self, in_path, out_path):
+        super(Connection, self).put_file(in_path, out_path)
+
+    def fetch_file(self, in_path, out_path):
+        super(Connection, self).fetch_file(in_path, out_path)
+
+    def close(self):
+        super(Connection, self).close()

test/integration/targets/connection_delegation/inventory.ini

@@ -0,0 +1 @@
+my_host  ansible_host=127.0.0.1 ansible_connection=delegation_connection

test/integration/targets/connection_delegation/runme.sh

@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+set -ux
+
+echo "Checking if sshpass is present"
+which sshpass 2>&1 || exit 0
+echo "sshpass is present, continuing with test"
+
+sshpass -p my_password ansible-playbook -i inventory.ini test.yml -k "$@"

test/integration/targets/connection_delegation/test.yml

@@ -0,0 +1,23 @@
+---
+- hosts: localhost
+  gather_facts: no
+  tasks:
+  - name: test connection receives -k from play_context when delegating
+    delegation_action:
+    delegate_to: my_host
+    register: result
+
+  - assert:
+      that:
+      - result.remote_password == 'my_password'
+
+  - name: ensure vars set for that host take precedence over -k
+    delegation_action:
+    delegate_to: my_host
+    vars:
+      ansible_password: other_password
+    register: result
+
+  - assert:
+      that:
+      - result.remote_password == 'other_password'