Templating: make sure only one variable results are cached (#67429)

* Make sure only one variable results are cached. * Add changelog. * Add test.
2020-02-20 00:04:01 +01:00 · 2020-02-20 00:04:01 +01:00 · c520d70bf4
commit c520d70bf4
parent c61c0f7ad5
3 changed files with 18 additions and 1 deletions
--- a/changelogs/fragments/67429-jinja2-caching.yml
+++ b/changelogs/fragments/67429-jinja2-caching.yml
@ -0,0 +1,2 @@
+bugfixes:
+- "Templating - Ansible was caching results of Jinja2 expressions in some cases where these expressions could have dynamic results, like password generation (https://github.com/ansible/ansible/issues/34144)."
--- a/lib/ansible/template/init.py
+++ b/lib/ansible/template/init.py
@ -628,7 +628,7 @@ class Templar:
                        # we only cache in the case where we have a single variable
                        # name, to make sure we're not putting things which may otherwise
                        # be dynamic in the cache (filters, lookups, etc.)
-                        if cache:
+                        if cache and only_one:
                            self._cached_result[sha1_hash] = result

                return result
--- a/test/integration/targets/templating_lookups/template_lookups/tasks/main.yml
+++ b/test/integration/targets/templating_lookups/template_lookups/tasks/main.yml
@ -71,3 +71,18 @@
 - name: set with_dict
  shell: echo "{{ item.key + '=' + item.value  }}"
  with_dict: "{{ mydict }}"
+
+# BUG #34144 bad template caching
+
+- name: generate two random passwords
+  set_fact:
+    password1: "{{ lookup('password', '/dev/null length=20') }}"
+    password2: "{{ lookup('password', '/dev/null length=20') }}"
+    # If the passwords are generated randomly, the chance that they
+    # coincide is neglectable (< 1e-18 assuming 120 bits of randomness
+    # per password).
+
+- name: make sure passwords are not the same
+  assert:
+    that:
+      - password1 != password2