From 0525d4cf9d962151fc3ac2a5f2f6374ef382e57b Mon Sep 17 00:00:00 2001
From: Jordan Borean
Date: Tue, 10 Apr 2018 14:24:21 +1000
Subject: [PATCH] winrm: backport 2.5 added flag handler for kinit to request forwardable ticket when delegation is set (#38508)
* winrm: added flag handler for kinit to request forwardable ticket when delegation is set (#37815)
(cherry picked from commit 22f2388ef163e401833b666c65049aee019ce0da)
* Added changelog fragment
---
 .../fragments/winrm_kinit-delegation.yaml | 2 ++
 lib/ansible/plugins/connection/winrm.py | 18 ++++++++++++++----
 2 files changed, 16 insertions(+), 4 deletions(-)
 create mode 100644 changelogs/fragments/winrm_kinit-delegation.yaml
diff --git a/changelogs/fragments/winrm_kinit-delegation.yaml b/changelogs/fragments/winrm_kinit-delegation.yaml
new file mode 100644
index 00000000000..fc590c0c5d3
--- /dev/null
+++ b/changelogs/fragments/winrm_kinit-delegation.yaml
@@ -0,0 +1,2 @@
+bugfixes:
+- winrm - when managing Kerberos tickets in Ansible, get a forwardable ticket if delegation is set (https://github.com/ansible/ansible/pull/37815)
diff --git a/lib/ansible/plugins/connection/winrm.py b/lib/ansible/plugins/connection/winrm.py
index 499dbf5cdf6..5d378dc731c 100644
--- a/lib/ansible/plugins/connection/winrm.py
+++ b/lib/ansible/plugins/connection/winrm.py
@@ -115,6 +115,7 @@ except ImportError:
 from ansible.errors import AnsibleError, AnsibleConnectionFailure
 from ansible.errors import AnsibleFileNotFound
+from ansible.module_utils.parsing.convert_bool import boolean
 from ansible.module_utils.six.moves.urllib.parse import urlunsplit
 from ansible.module_utils._text import to_bytes, to_native, to_text
 from ansible.module_utils.six import binary_type
@@ -269,12 +270,22 @@ class Connection(ConnectionBase): os.environ["KRB5CCNAME"] = krb5ccname krb5env = dict(KRB5CCNAME=krb5ccname) + # stores various flags to call with kinit, we currently only use this + # to set -f so we can get a forward-able ticket (cred delegation) + kinit_flags = [] + if boolean(self.get_option('_extras').get('ansible_winrm_kerberos_delegation', False)): + kinit_flags.append('-f') + + kinit_cmdline = [self._kinit_cmd] + kinit_cmdline.extend(kinit_flags) + kinit_cmdline.append(principal) + # pexpect runs the process in its own pty so it can correctly send # the password as input even on MacOS which blocks subprocess from # doing so. Unfortunately it is not available on the built in Python # so we can only use it if someone has installed it if HAS_PEXPECT: - kinit_cmdline = "%s %s" % (self._kinit_cmd, principal) + kinit_cmdline = " ".join(kinit_cmdline) password = to_text(password, encoding='utf-8', errors='surrogate_or_strict') @@ -283,11 +294,10 @@ class Connection(ConnectionBase): events = { ".*:": password + "\n" } - # technically this is the stdout but to match subprocess we wil call - # it stderr + # technically this is the stdout but to match subprocess we will + # call it stderr stderr, rc = pexpect.run(kinit_cmdline, withexitstatus=True, events=events, env=krb5env, timeout=60) else: - kinit_cmdline = [self._kinit_cmd, principal] password = to_bytes(password, encoding='utf-8', errors='surrogate_or_strict')
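Review bot: `boolean(self.get_option('_extras').get('ansible_winrm_kerberos_delegation', False))` runs `boolean` in its default strict mode, which raises `TypeError` for a value it does not recognise, so a mistyped inventory value surfaces as a traceback in the middle of ticket acquisition rather than as a connection error that names the option. Either pass `strict=False` so an unrecognised value is treated as false, or catch `TypeError` and raise `AnsibleConnectionFailure` with the option name and the offending value. The comment above `kinit_flags` could also state what `-f` requests and what it does not guarantee: `# -f asks the KDC for a forwardable TGT; the KDC may still refuse under its policy, in which case delegation fails at use time, not here`. The enclosing method begins before this hunk and continues after it.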
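Review bot: `pexpect.run(kinit_cmdline, ...)` now receives the argv list joined back into a single string, and pexpect splits that string on whitespace itself before exec'ing, so a principal containing a space would be cut into separate arguments in this branch while the subprocess branch below passes the list intact. This asymmetry predates the commit, but building a list only to join it makes it easy to miss; a comment at the call site would help: `# pexpect.run takes one command string and re-splits it on whitespace; unlike the list form used below, spaces in principal are not preserved`. The `else` branch continues past the end of the hunk.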