Deprecate AGNOSTIC_BECOME_PROMPT

Fixes: #81501 Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
2 weeks ago · 635fd95283
parent 157ef04b1e
commit 635fd95283
7 changed files with 101 additions and 2 deletions
--- a/changelogs/fragments/become_prompt.yml
+++ b/changelogs/fragments/become_prompt.yml
@ -0,0 +1,3 @@
+---
+bugfixes:
+  - become - deprecate AGNOSTIC_BECOME_PROMPT (https://github.com/ansible/ansible/issues/81501).
--- a/lib/ansible/cli/init.py
+++ b/lib/ansible/cli/init.py
@ -324,7 +324,16 @@ class CLI(ABC):
        becomepass = None
        become_prompt = ''

-        become_prompt_method = "BECOME" if C.AGNOSTIC_BECOME_PROMPT else op['become_method'].upper()
+        if C.AGNOSTIC_BECOME_PROMPT:
+            become_prompt_method = "BECOME"
+        else:
+            display.deprecated(
+                'The setting AGNOSTIC_BECOME_PROMPT to False is deprecated and no longer used. '
+                'Ensure that you have configured any interactive script to accept "BECOME" '
+                'to identify become password prompt.',
+                version='2.22'
+            )
+            become_prompt_method = op['become_method'].upper()

        try:
            become_prompt = "%s password: " % become_prompt_method
--- a/lib/ansible/config/base.yml
+++ b/lib/ansible/config/base.yml
@ -153,12 +153,18 @@ AGNOSTIC_BECOME_PROMPT:
  name: Display an agnostic become prompt
  default: True
  type: boolean
-  description: Display an agnostic become prompt instead of displaying a prompt containing the command line supplied become method.
+  description:
+    - If set to True, any become password prompt will begin with "BECOME" instead of user provided become_method in uppercase.
+    - This allows a simplified and become method agnostic way of identifying the need for entering the password.
  env: [{name: ANSIBLE_AGNOSTIC_BECOME_PROMPT}]
  ini:
    - {key: agnostic_become_prompt, section: privilege_escalation}
  yaml: {key: privilege_escalation.agnostic_become_prompt}
  version_added: "2.5"
+  deprecated:
+    why: The value "BECOME" at the start of the become password prompt is default now.
+    version: "2.22"
+    alternatives: Modify any user scripts to identify "BECOME" as become password prompt for interaction.
 CACHE_PLUGIN:
  name: Persistent Cache plugin
  default: memory
--- a/test/integration/targets/become_prompt/aliases
+++ b/test/integration/targets/become_prompt/aliases
@ -0,0 +1,6 @@
+destructive
+needs/root
+needs/ssh
+needs/target/setup_pexpect
+shippable/posix/group5
+context/controller
--- a/test/integration/targets/become_prompt/runme.sh
+++ b/test/integration/targets/become_prompt/runme.sh
@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+
+set -eux
+
+ANSIBLE_ROLES_PATH=../ ansible-playbook setup.yml
--- a/test/integration/targets/become_prompt/setup.yml
+++ b/test/integration/targets/become_prompt/setup.yml
@ -0,0 +1,42 @@
+- hosts: localhost
+  gather_facts: yes
+  roles:
+    - setup_pexpect
+
+  tasks:
+    - name: Test ansible-playbook with AGNOSTIC_BECOME_PROMPT=False
+      block:
+        - name: Create user to connect as
+          user:
+            name: cliuser1
+            shell: /bin/bash
+            groups: wheel
+            append: yes
+            password: "{{ 'secretpassword' | password_hash('sha512', 'mysecretsalt') }}"
+        - name: Create user to become
+          user:
+            name: cliuser2
+            shell: /bin/bash
+            password: "{{ 'secretpassword' | password_hash('sha512', 'mysecretsalt') }}"
+        # Sometimes this file doesn't get removed, and we need it gone to ssh
+        - name: Remove /run/nologin
+          file:
+            path: /run/nologin
+            state: absent
+        # Make Ansible run Python to run Ansible
+        - name: Run the test
+          shell: python test-become-prompt.py {{ ansible_python_interpreter }}
+      always:
+        - name: Remove users
+          user:
+            name: "{{ item }}"
+            state: absent
+          with_items:
+            - cliuser1
+            - cliuser2
+      # For now, we don't test this everywhere, because `user` works differently
+      # on some platforms, as does sudo/sudoers. On Fedora, we can just add
+      # the user to 'wheel' and things magically work.
+      # TODO: In theory, we should test this with all the different 'become'
+      # plugins in base.
+      when: ansible_distribution == 'Fedora'
--- a/test/integration/targets/become_prompt/test-become-prompt.py
+++ b/test/integration/targets/become_prompt/test-become-prompt.py
@ -0,0 +1,28 @@
+#!/usr/bin/env python
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+from __future__ import annotations
+
+import os
+import sys
+
+import pexpect
+
+
+os.environ['ANSIBLE_AGNOSTIC_BECOME_PROMPT'] = 'False'
+
+out = pexpect.run(
+    'ansible -c ssh -i localhost, -u cliuser1 -e ansible_python_interpreter={0} '
+    '-m command -a whoami -Kkb --become-user cliuser2 localhost'.format(sys.argv[1]),
+    events={
+        'SSH password:': 'secretpassword\n',
+        'SUDO password': 'secretpassword\n',
+    },
+    timeout=10
+)
+
+print(out)
+
+assert b'The setting AGNOSTIC_BECOME_PROMPT to False' in out
+
+