From d329985d4c2f511a810ab6c23832de26ae891c92 Mon Sep 17 00:00:00 2001
From: Sloane Hertel <shertel@redhat.com>
Date: Tue, 21 Jul 2020 14:19:52 -0400
Subject: [PATCH] [2.10] template connection variables accessed directly before
 using (#70657) (#70688)

* template connection variables accessed directly before using (#70657)

* template variables accessed directly when using them instead of FieldAttributes

(cherry picked from commit 8c213c93345db5489c24458880ec3ff81b334dbd)

* changelog
---
 .../70657-template-connection-vars.yaml       |  2 ++
 lib/ansible/executor/task_executor.py         | 17 +++++++++---
 .../targets/var_templating/runme.sh           |  2 ++
 .../var_templating/test_connection_vars.yml   | 26 +++++++++++++++++++
 .../var_templating/vars/connection.yml        |  3 +++
 5 files changed, 47 insertions(+), 3 deletions(-)
 create mode 100644 changelogs/fragments/70657-template-connection-vars.yaml
 create mode 100644 test/integration/targets/var_templating/test_connection_vars.yml
 create mode 100644 test/integration/targets/var_templating/vars/connection.yml

diff --git a/changelogs/fragments/70657-template-connection-vars.yaml b/changelogs/fragments/70657-template-connection-vars.yaml
new file mode 100644
index 00000000000..0a8c93b2717
--- /dev/null
+++ b/changelogs/fragments/70657-template-connection-vars.yaml
@@ -0,0 +1,2 @@
+bugfixes:
+  - Template connection variables before using them (https://github.com/ansible/ansible/issues/70598).
diff --git a/lib/ansible/executor/task_executor.py b/lib/ansible/executor/task_executor.py
index dc4616a5c8a..ba15257ca9d 100644
--- a/lib/ansible/executor/task_executor.py
+++ b/lib/ansible/executor/task_executor.py
@@ -889,7 +889,10 @@ class TaskExecutor:
             cvars = variables
 
         # use magic var if it exists, if not, let task inheritance do it's thing.
-        self._play_context.connection = cvars.get('ansible_connection', self._task.connection)
+        if cvars.get('ansible_connection') is not None:
+            self._play_context.connection = templar.template(cvars['ansible_connection'])
+        else:
+            self._play_context.connection = self._task.connection
 
         # TODO: play context has logic to update the conneciton for 'smart'
         # (default value, will chose between ssh and paramiko) and 'persistent'
@@ -910,8 +913,16 @@ class TaskExecutor:
             raise AnsibleError("the connection plugin '%s' was not found" % conn_type)
 
         # load become plugin if needed
-        if boolean(cvars.get('ansible_become', self._task.become)):
-            become_plugin = self._get_become(cvars.get('ansible_become_method', self._task.become_method))
+        if cvars.get('ansible_become') is not None:
+            become = boolean(templar.template(cvars['ansible_become']))
+        else:
+            become = self._task.become
+
+        if become:
+            if cvars.get('ansible_become_method'):
+                become_plugin = self._get_become(templar.template(cvars['ansible_become_method']))
+            else:
+                become_plugin = self._get_become(self._task.become_method)
 
             try:
                 connection.set_become_plugin(become_plugin)
diff --git a/test/integration/targets/var_templating/runme.sh b/test/integration/targets/var_templating/runme.sh
index ed436cfe7d0..0d3ac6bb1af 100755
--- a/test/integration/targets/var_templating/runme.sh
+++ b/test/integration/targets/var_templating/runme.sh
@@ -13,3 +13,5 @@ ansible-playbook undall.yml -i inventory -v "$@"
 
 # test hostvars templating
 ansible-playbook task_vars_templating.yml -v "$@"
+
+ansible-playbook test_connection_vars.yml -v "$@" 2>&1 | grep 'sudo'
diff --git a/test/integration/targets/var_templating/test_connection_vars.yml b/test/integration/targets/var_templating/test_connection_vars.yml
new file mode 100644
index 00000000000..2b22eea68a8
--- /dev/null
+++ b/test/integration/targets/var_templating/test_connection_vars.yml
@@ -0,0 +1,26 @@
+---
+- hosts: localhost
+  gather_facts: no
+  vars:
+    my_var:
+      become_method: sudo
+      connection: local
+      become: 1
+  tasks:
+
+  - include_vars: "./vars/connection.yml"
+
+  - command: whoami
+    ignore_errors: yes
+    register: result
+    failed_when: result is not success and (result.module_stderr is defined or result.module_stderr is defined)
+
+  - assert:
+      that:
+        - "'sudo' in result.module_stderr"
+    when: result is not success and result.module_stderr is defined
+
+  - assert:
+      that:
+        - "'Invalid become method specified'  not in result.msg"
+    when: result is not success and result.msg is defined
diff --git a/test/integration/targets/var_templating/vars/connection.yml b/test/integration/targets/var_templating/vars/connection.yml
new file mode 100644
index 00000000000..263929a890f
--- /dev/null
+++ b/test/integration/targets/var_templating/vars/connection.yml
@@ -0,0 +1,3 @@
+ansible_become: "{{ my_var.become }}"
+ansible_become_method: "{{ my_var.become_method }}"
+ansible_connection: "{{ my_var.connection }}"