Fix ansible -K become_pass regression (#69629)

* Fix `ansible -K` become_pass regression Change: - This fixes a breaking change introduced in 2165f9ac40 Test Plan: - Local VM for now, with plans to add an integration test for -K going forward. Tickets: Refs #69244
2020-05-22 08:34:26 -05:00 · 2020-05-22 08:34:26 -05:00 · fe9696be52
commit fe9696be52
parent de3f7c7739
4 changed files with 76 additions and 5 deletions
--- a/lib/ansible/executor/task_executor.py
+++ b/lib/ansible/executor/task_executor.py
@ -1010,16 +1010,19 @@ class TaskExecutor:

        task_keys = self._task.dump_attrs()

-        # set options with 'templated vars' specific to this plugin and dependant ones
+        # set options with 'templated vars' specific to this plugin and dependent ones
        self._connection.set_options(task_keys=task_keys, var_options=options)
        varnames.extend(self._set_plugin_options('shell', variables, templar, task_keys))

        if self._connection.become is not None:
+            if self._play_context.become_pass:
+                # FIXME: eventually remove from task and play_context, here for backwards compat
+                # keep out of play objects to avoid accidental disclosure, only become plugin should have
+                # The become pass is already in the play_context if given on
+                # the CLI (-K). Make the plugin aware of it in this case.
+                task_keys['become_pass'] = self._play_context.become_pass

            varnames.extend(self._set_plugin_options('become', variables, templar, task_keys))
-            # FIXME: eventually remove from task and play_context, here for backwards compat
-            # keep out of play objects to avoid accidental disclosure, only become plugin should have
-            task_keys['become_pass'] = self._connection.become.get_option('become_pass')

            # FOR BACKWARDS COMPAT:
            for option in ('become_user', 'become_flags', 'become_exe', 'become_pass'):
--- a/test/integration/targets/cli/aliases
+++ b/test/integration/targets/cli/aliases
@ -1,2 +1,5 @@
+destructive
+needs/root
+needs/ssh
 needs/target/setup_pexpect
 shippable/posix/group3
--- a/test/integration/targets/cli/setup.yml
+++ b/test/integration/targets/cli/setup.yml
@ -1,4 +1,42 @@
 - hosts: localhost
-  gather_facts: no
+  gather_facts: yes
  roles:
    - setup_pexpect
+
+  tasks:
+    - name: Test ansible-playbook and ansible with -K
+      block:
+        - name: Create user to connect as
+          user:
+            name: cliuser1
+            shell: /bin/bash
+            groups: wheel
+            append: yes
+            password: "{{ 'secretpassword' | password_hash('sha512', 'mysecretsalt') }}"
+        - name: Create user to become
+          user:
+            name: cliuser2
+            shell: /bin/bash
+            password: "{{ 'secretpassword' | password_hash('sha512', 'mysecretsalt') }}"
+        # Sometimes this file doesn't get removed, and we need it gone to ssh
+        - name: Remove /run/nologin
+          file:
+            path: /run/nologin
+            state: absent
+        # Make Ansible run Python to run Ansible
+        - name: Run the test
+          shell: python test_k_and_K.py {{ ansible_python_interpreter }}
+      always:
+        - name: Remove users
+          user:
+            name: "{{ item }}"
+            state: absent
+          with_items:
+            - cliuser1
+            - cliuser2
+      # For now, we don't test this everywhere, because `user` works differently
+      # on some platforms, as does sudo/sudoers. On Fedora, we can just add
+      # the user to 'wheel' and things magically work.
+      # TODO: In theory, we should test this with all the different 'become'
+      # plugins in base.
+      when: ansible_distribution == 'Fedora'
--- a/test/integration/targets/cli/test_k_and_K.py
+++ b/test/integration/targets/cli/test_k_and_K.py
@ -0,0 +1,27 @@
+#!/usr/bin/env python
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+# Make coding more python3-ish
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+import os
+import sys
+
+import pexpect
+
+os.environ['ANSIBLE_NOCOLOR'] = '1'
+
+out = pexpect.run(
+    'ansible -c ssh -i localhost, -u cliuser1 -e ansible_python_interpreter={0} '
+    '-m command -a whoami -Kkb --become-user cliuser2 localhost'.format(sys.argv[1]),
+    events={
+        'SSH password:': 'secretpassword\n',
+        'BECOME password': 'secretpassword\n',
+    },
+    timeout=10
+)
+
+print(out)
+
+assert b'cliuser2' in out