Merge pull request #1169 from moreati/issue1083-become_pass

ansible_mitogen: Support templated become passwords

Author: moreati

ansible_mitogen/transport_config.py

@@ -450,19 +450,7 @@ def become_user(self):
         return self._become_option('become_user')
 
     def become_pass(self):
-        # become_pass is owned/provided by the active become plugin. However
-        # PlayContext is intertwined with it. Known complications
-        # - ansible_become_password is higher priority than ansible_become_pass,
-        #   `play_context.become_pass` doesn't obey this (atleast with Mitgeon).
-        # - `meta: reset_connection` runs `connection.reset()` but
-        #   `ansible_mitogen.connection.Connection.reset()` recreates the
-        #   connection object, setting `connection.become = None`.
-        become_plugin = self._connection.become
-        try:
-            become_pass = become_plugin.get_option('become_pass', playcontext=self._play_context)
-        except AttributeError:
-            become_pass = self._play_context.become_pass
-        return optional_secret(become_pass)
+        return optional_secret(self._become_option('become_pass'))
 
     def password(self):
         return optional_secret(self._connection_option('password'))

docs/changelog.rst

@@ -24,6 +24,8 @@ In progress (unreleased)
 * :gh:issue:`905` :mod:`ansible_mitogen`: Support templated SSH command
   arguments (e.g. ``ansible_ssh_args``, ``ansible_ssh_extra_args``).
 * :gh:issue:`692` tests: Fix and re-enable several sudo tests
+* :gh:issue:`1083` :mod:`ansible_mitogen`: Support templated become password
+  (e.g. ``ansible_become_pass``, ``ansible_sudo_pass``)
 
 
 v0.3.14 (2024-10-16)

tests/ansible/hosts/default.hosts

@@ -33,6 +33,7 @@ ansible_host=localhost
 ansible_user="{{ lookup('pipe', 'whoami') }}"
 
 [tt_become_by_inv]
+tt-become-pass              ansible_become=true ansible_become_pass="{{ 'pw_required_password' | trim }}" ansible_become_user=mitogen__pw_required
 tt-become-user              ansible_become=true ansible_become_user="{{ 'root' | trim }}"
 
 [tt_become_by_inv:vars]

tests/ansible/integration/become/templated_by_inv.yml

@@ -2,13 +2,29 @@
   hosts: tt_become_by_inv
   gather_facts: false
   tasks:
+    - name: Gather facts (avoiding any unprivileged become)
+      vars:
+        ansible_become: false
+      setup:
+
     - meta: reset_connection
+
     - name: Templated become in inventory
+      vars:
+        expected_become_users:
+          tt-become-pass: mitogen__pw_required
+          tt-become-user: root
       command:
         cmd: whoami
       changed_when: false
       check_mode: false
       register: become_templated_by_inv_whoami
       failed_when:
         - become_templated_by_inv_whoami is failed
-          or become_templated_by_inv_whoami.stdout != 'root'
+          or become_templated_by_inv_whoami.stdout != expected_become_users[inventory_hostname]
+      when:
+        # https://github.com/ansible/ansible/pull/70785
+        - ansible_become_user in ['root']
+          or ansible_facts.distribution not in ["MacOSX"]
+          or ansible_version.full is version("2.11", ">=", strict=True)
+          or is_mitogen

tests/ansible/integration/become/templated_by_play_keywords.yml

@@ -5,7 +5,8 @@
   become_user: "{{ 'root' | trim }}"
   tasks:
     - meta: reset_connection
-    - name: Templated become by play keywords
+
+    - name: Templated become by play keywords, no password
       command:
         cmd: whoami
       changed_when: false
@@ -14,3 +15,33 @@
       failed_when:
         - become_templated_by_play_keywords_whoami is failed
           or become_templated_by_play_keywords_whoami.stdout != 'root'
+
+- name: integration/become/templated_by_play_keywords.yml
+  hosts: tt_become_bare
+  gather_facts: false
+  become: true
+  become_user: "{{ 'mitogen__pw_required' | trim }}"
+  vars:
+    ansible_become_pass: "{{ 'pw_required_password' | trim }}"
+  tasks:
+    - name: Gather facts (avoiding any unprivileged become)
+      vars:
+        ansible_become: false
+      setup:
+
+    - meta: reset_connection
+
+    - name: Templated become by play keywords, password
+      command:
+        cmd: whoami
+      changed_when: false
+      check_mode: false
+      register: become_templated_by_play_keywords_password_whoami
+      failed_when:
+        - become_templated_by_play_keywords_password_whoami is failed
+          or become_templated_by_play_keywords_password_whoami.stdout != 'mitogen__pw_required'
+      when:
+        # https://github.com/ansible/ansible/pull/70785
+        - ansible_facts.distribution not in ["MacOSX"]
+          or ansible_version.full is version("2.11", ">=", strict=True)
+          or is_mitogen

tests/ansible/integration/become/templated_by_play_vars.yml

@@ -5,7 +5,7 @@
     ansible_become: true
     ansible_become_user: "{{ 'root' | trim }}"
   tasks:
-    - name: Templated become by play vars
+    - name: Templated become by play vars, no password
       command:
         cmd: whoami
       changed_when: false
@@ -14,3 +14,33 @@
       failed_when:
         - become_templated_by_play_vars_whoami is failed
           or become_templated_by_play_vars_whoami.stdout != 'root'
+
+- name: integration/become/templated_by_play_vars.yml
+  hosts: tt_become_bare
+  gather_facts: false
+  vars:
+    ansible_become: true
+    ansible_become_pass: "{{ 'pw_required_password' | trim }}"
+    ansible_become_user: "{{ 'mitogen__pw_required' | trim }}"
+  tasks:
+    - name: Gather facts (avoiding any unprivileged become)
+      vars:
+        ansible_become: false
+      setup:
+
+    - meta: reset_connection
+
+    - name: Templated become by play vars, password
+      command:
+        cmd: whoami
+      changed_when: false
+      check_mode: false
+      register: become_templated_by_play_vars_password_whoami
+      failed_when:
+        - become_templated_by_play_vars_password_whoami is failed
+          or become_templated_by_play_vars_password_whoami.stdout != 'mitogen__pw_required'
+      when:
+        # https://github.com/ansible/ansible/pull/70785
+        - ansible_facts.distribution not in ["MacOSX"]
+          or ansible_version.full is version("2.11", ">=", strict=True)
+          or is_mitogen

tests/ansible/integration/become/templated_by_task_keywords.yml

@@ -25,3 +25,47 @@
       failed_when:
         - become_templated_by_task_with_delegate_to_whoami is failed
           or become_templated_by_task_with_delegate_to_whoami.stdout != 'root'
+
+
+- name: integration/become/templated_by_task_keywords.yml
+  hosts: tt_become_bare
+  gather_facts: false
+  # FIXME Resetting the connection shouldn't require credentials
+  #       https://github.com/mitogen-hq/mitogen/issues/1132
+  become: true
+  become_user: "{{ 'mitogen__pw_required' | trim }}"
+  vars:
+    ansible_become_pass: "{{ 'pw_required_password' | trim }}"
+  tasks:
+    - name: Reset connection to target that will be delegate_to
+      meta: reset_connection
+
+- name: Test connection template by task keywords, with delegate_to
+  hosts: test-targets[0]
+  gather_facts: false
+  tasks:
+    - name: Gather facts (avoiding any unprivileged become)
+      delegate_to: "{{ groups.tt_become_bare[0] }}"
+      vars:
+        ansible_become: false
+      setup:
+
+    - name: Templated become by task keywords, with delegate_to
+      become: true
+      become_user: "{{ 'mitogen__pw_required' | trim }}"
+      delegate_to: "{{ groups.tt_become_bare[0] }}"
+      vars:
+        ansible_become_pass: "{{ 'pw_required_password' | trim }}"
+      command:
+        cmd: whoami
+      changed_when: false
+      check_mode: false
+      register: become_templated_by_task_with_delegate_to_password_whoami
+      failed_when:
+        - become_templated_by_task_with_delegate_to_password_whoami is failed
+          or become_templated_by_task_with_delegate_to_password_whoami.stdout != 'mitogen__pw_required'
+      when:
+        # https://github.com/ansible/ansible/pull/70785
+        - ansible_facts.distribution not in ["MacOSX"]
+          or ansible_version.full is version("2.11", ">=", strict=True)
+          or is_mitogen

tests/ansible/templates/test-targets.j2

@@ -45,7 +45,6 @@ tt-bare
 
 [tt_targets_bare:vars]
 ansible_host={{ tt.hostname }}
-ansible_port={{ tt.port }}
 ansible_python_interpreter={{ tt.python_path }}
 
 [tt_become_bare]
@@ -59,6 +58,7 @@ ansible_python_interpreter={{ tt.python_path }}
 ansible_user=mitogen__has_sudo_nopw
 
 [tt_become_by_inv]
+tt-become-pass              ansible_become=true ansible_become_pass="{{ '{{' }} 'pw_required_password' | trim {{ '}}' }}" ansible_become_user=mitogen__pw_required
 tt-become-user              ansible_become=true ansible_become_user="{{ '{{' }} 'root' | trim {{ '}}' }}"
 
 [tt_become_by_inv:vars]