From f1503874de82353cbed8b51408d20fdfa899f8f7 Mon Sep 17 00:00:00 2001
From: Alex Willmer
Date: Mon, 4 Jul 2022 21:50:58 +0100
Subject: [PATCH] ansible_mitogen: Correct ansible_become_pass/ansible_become_password precendence
Until Ansible 2.9 it looks like ansible_become_password had higher priority. From Ansible 2.10 ansible_become_pass has higher priority [1]. Mitogen was not respecting this. I may need to rework this further, instatiating the become plugin may have slowed down execution. [1] Based on testing with ``` [ubuntus] become-pass-pass ansible_become_pass=1234 become-pass-password ansible_become_password=1234 become-pass-both ansible_become_password=wrong ansible_become_pass=1234 [ubuntus:vars] ansible_host=ubuntu2004.local ansible_user=ubuntu ``` ``` - hosts: ubuntus gather_facts: false become: true tasks: - ping: ```
---
 ansible_mitogen/loaders.py | 2 ++
 ansible_mitogen/transport_config.py | 10 +++++++---
 tests/ansible/hosts/transport_config.hosts | 2 +-
 .../integration/transport_config/become_pass.yml | 9 ++++-----
 4 files changed, 14 insertions(+), 9 deletions(-)
diff --git a/ansible_mitogen/loaders.py b/ansible_mitogen/loaders.py
index 24f3d2a17..1f4d8fc6a 100644
--- a/ansible_mitogen/loaders.py
+++ b/ansible_mitogen/loaders.py
@@ -39,6 +39,7 @@
 __all__ = [
 'action_loader',
+ 'become_loader',
 'connection_loader',
 'module_loader',
 'module_utils_loader',
@@ -90,6 +91,7 @@ def assert_supported_release():
 from ansible.plugins.loader import action_loader
+from ansible.plugins.loader import become_loader
 from ansible.plugins.loader import connection_loader
 from ansible.plugins.loader import module_loader
 from ansible.plugins.loader import module_utils_loader
diff --git a/ansible_mitogen/transport_config.py b/ansible_mitogen/transport_config.py
index b488b8510..cc4e4a796 100644
--- a/ansible_mitogen/transport_config.py
+++ b/ansible_mitogen/transport_config.py
@@ -79,6 +79,7 @@ except ImportError:
 from ansible.vars.unsafe_proxy import AnsibleUnsafeText
+import ansible_mitogen.loaders
 import mitogen.core
@@ -435,7 +436,10 @@ def become_user(self):
 return self._play_context.become_user
 def become_pass(self):
- return optional_secret(self._play_context.become_pass)
+ become_method = self.become_method()
+ become_plugin = ansible_mitogen.loaders.become_loader.get(become_method)
+ become_pass = become_plugin.get_option('become_pass', hostvars=self._task_vars)
+ return optional_secret(become_pass)
 def password(self):
 return optional_secret(self._play_context.password)
@@ -652,8 +656,8 @@ def become_user(self):
 def become_pass(self):
 return optional_secret(
- self._host_vars.get('ansible_become_password') or
- self._host_vars.get('ansible_become_pass')
+ self._host_vars.get('ansible_become_pass') or
+ self._host_vars.get('ansible_become_password')
 )
 def password(self):
diff --git a/tests/ansible/hosts/transport_config.hosts b/tests/ansible/hosts/transport_config.hosts
index 05e0d4f1f..dc21c3325 100644
--- a/tests/ansible/hosts/transport_config.hosts
+++ b/tests/ansible/hosts/transport_config.hosts
@@ -47,7 +47,7 @@ tc-become-user-set ansible_become_user=ansi-become-user
 tc-become-pass-unset
 tc-become-pass-password ansible_become_password=apassword
 tc-become-pass-pass ansible_become_pass=apass
-tc-become-pass-both ansible_become_password=a.b.c ansible_become_pass=c.b.a
+tc-become-pass-both ansible_become_pass=bpass ansible_become_password=bpassword
 # port()
 tc-port-unset
diff --git a/tests/ansible/integration/transport_config/become_pass.yml b/tests/ansible/integration/transport_config/become_pass.yml
index 5cbbdf190..317e0522b 100644
--- a/tests/ansible/integration/transport_config/become_pass.yml
+++ b/tests/ansible/integration/transport_config/become_pass.yml
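Review bot: In the `@@ -435,7 +436,10 @@` hunk of ansible_mitogen/transport_config.py, the result of `become_loader.get(become_method)` is dereferenced without a check; as far as I know the loader returns None for a name it cannot resolve, so an unknown or unset become method would surface as an AttributeError on `become_plugin.get_option(...)` rather than as a missing password. The new body also stops consulting `self._play_context.become_pass`, so a password that reaches Mitogen only through the play context (for example one entered via `--ask-become-pass`) may no longer be found through `hostvars=self._task_vars`; that case deserves a test before merging. A fallback keeps the old behaviour for both situations: `if become_plugin is None: return optional_secret(self._play_context.become_pass)`, and `become_pass = become_plugin.get_option(...) or self._play_context.become_pass`. The enclosing class starts outside the hunk.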
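Review bot: The second `become_pass()` (the `@@ -652,8 +656,8 @@` hunk) hard-codes the variable order by hand while the first one now asks the become plugin, so the two code paths can disagree for a plugin that declares different variable names, or on an Ansible release that still uses the older precedence described in the commit message. The `or` chain also treats an empty `ansible_become_pass` as unset and silently falls through to `ansible_become_password`, which makes the effective secret depend on truthiness rather than on which variable was defined. At minimum, record the reason above the expression, e.g. `# Order mirrors Ansible >= 2.10 builtin become plugins: ansible_become_pass wins over ansible_become_password.` The enclosing class starts outside the hunk.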
@@ -119,9 +119,6 @@ fail_msg: out={{out}}
-
-# ansible_become_pass & ansible_become_password set, password used to take precedence
-# but it's possible since https://github.com/ansible/ansible/pull/69629/files#r428376864, now it doesn't
 - hosts: tc-become-pass-both
 become: true
 tasks:
@@ -132,7 +129,9 @@
 - out.result|length == 2
 - out.result[0].method == "ssh"
 - out.result[1].method == "sudo"
- - out.result[1].kwargs.password == "c.b.a"
+ # Ansible >= 2.10 builtin become plugins (e.g. sudo, su) give priority
+ # to ansible_become_pass over ansible_become_password.
+ - out.result[1].kwargs.password == "bpass"
 fail_msg: out={{out}}
@@ -147,6 +146,6 @@
 - out.result|length == 3
 - out.result[0].method == "ssh"
 - out.result[1].method == "sudo"
- - out.result[1].kwargs.password == "a.b.c"
+ - out.result[1].kwargs.password == "bpass"
 - out.result[2].method == "ssh"
 fail_msg: out={{out}}
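Review bot: The assertion `out.result[1].kwargs.password == "bpass"` in the `@@ -132,7 +129,9 @@` hunk is unconditional, although the comment added above it scopes the behaviour to Ansible >= 2.10 and the commit message says ansible_become_password had priority up to 2.9. If the test matrix still includes an older Ansible (not visible here), this play would presumably fail there, because the value now comes from the become plugin; gating the task with a `when:` on `ansible_version.full` would make that explicit. The removed comment's reference to ansible/ansible pull 69629 was the only pointer to where the precedence changed, so consider carrying it into the new comment.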