From 635fd95283ccc4fc97a6a90a994ebc79efe46af3 Mon Sep 17 00:00:00 2001
From: Abhijeet Kasurde
Date: Wed, 6 Nov 2024 14:55:12 -0800
Subject: [PATCH] Deprecate AGNOSTIC_BECOME_PROMPT

Fixes: #81501
Signed-off-by: Abhijeet Kasurde
---
 changelogs/fragments/become_prompt.yml | 3 ++
 lib/ansible/cli/__init__.py | 11 ++++-
 lib/ansible/config/base.yml | 8 +++-
 .../integration/targets/become_prompt/aliases | 6 +++
 .../targets/become_prompt/runme.sh | 5 +++
 .../targets/become_prompt/setup.yml | 42 +++++++++++++++++++
 .../become_prompt/test-become-prompt.py | 28 +++++++++++++
 7 files changed, 101 insertions(+), 2 deletions(-)
 create mode 100644 changelogs/fragments/become_prompt.yml
 create mode 100644 test/integration/targets/become_prompt/aliases
 create mode 100755 test/integration/targets/become_prompt/runme.sh
 create mode 100644 test/integration/targets/become_prompt/setup.yml
 create mode 100644 test/integration/targets/become_prompt/test-become-prompt.py
diff --git a/changelogs/fragments/become_prompt.yml b/changelogs/fragments/become_prompt.yml
new file mode 100644
index 00000000000..73b2599247b
--- /dev/null
+++ b/changelogs/fragments/become_prompt.yml
@@ -0,0 +1,3 @@
+---
+bugfixes:
+ - become - deprecate AGNOSTIC_BECOME_PROMPT (https://github.com/ansible/ansible/issues/81501).
diff --git a/lib/ansible/cli/__init__.py b/lib/ansible/cli/__init__.py
index 03a2b3e854a..11b402ea1ae 100644
--- a/lib/ansible/cli/__init__.py
+++ b/lib/ansible/cli/__init__.py
@@ -324,7 +324,16 @@ class CLI(ABC):
 becomepass = None
 become_prompt = ''
- become_prompt_method = "BECOME" if C.AGNOSTIC_BECOME_PROMPT else op['become_method'].upper()
+ if C.AGNOSTIC_BECOME_PROMPT:
+ become_prompt_method = "BECOME"
+ else:
+ display.deprecated(
+ 'The setting AGNOSTIC_BECOME_PROMPT to False is deprecated and no longer used. '
+ 'Ensure that you have configured any interactive script to accept "BECOME" '
+ 'to identify become password prompt.',
+ version='2.22'
+ )
+ become_prompt_method = op['become_method'].upper()
 try:
 become_prompt = "%s password: " % become_prompt_method
diff --git a/lib/ansible/config/base.yml b/lib/ansible/config/base.yml
index f0d6f2b684f..eeb32d7ed76 100644
--- a/lib/ansible/config/base.yml
+++ b/lib/ansible/config/base.yml
@@ -153,12 +153,18 @@ AGNOSTIC_BECOME_PROMPT:
 name: Display an agnostic become prompt
 default: True
 type: boolean
- description: Display an agnostic become prompt instead of displaying a prompt containing the command line supplied become method.
+ description:
+ - If set to True, any become password prompt will begin with "BECOME" instead of user provided become_method in uppercase.
+ - This allows a simplified and become method agnostic way of identifying the need for entering the password.
 env: [{name: ANSIBLE_AGNOSTIC_BECOME_PROMPT}]
 ini:
 - {key: agnostic_become_prompt, section: privilege_escalation}
 yaml: {key: privilege_escalation.agnostic_become_prompt}
 version_added: "2.5"
+ deprecated:
+ why: The value "BECOME" at the start of the become password prompt is default now.
+ version: "2.22"
+ alternatives: Modify any user scripts to identify "BECOME" as become password prompt for interaction.
 CACHE_PLUGIN:
 name: Persistent Cache plugin
 default: memory
diff --git a/test/integration/targets/become_prompt/aliases b/test/integration/targets/become_prompt/aliases
new file mode 100644
index 00000000000..e85a92fb25a
--- /dev/null
+++ b/test/integration/targets/become_prompt/aliases
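Review bot: The deprecation text added in the `else:` branch of lib/ansible/cli/__init__.py says the setting is "no longer used", but the line right after the call still honours it (`become_prompt_method = op['become_method'].upper()`), so the message describes the state after removal rather than the current behaviour. Anyone feeding the become password from an expect-style wrapper needs to know which prompt string to match today, so I would word it as `'Setting AGNOSTIC_BECOME_PROMPT to False is deprecated; from 2.22 the become password prompt will always start with "BECOME". '`. The enclosing method starts and ends outside the hunk, so it is not visible whether this branch also runs when no become password is requested; if it does, the warning belongs under that condition.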
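Review bot: The `deprecated:` block added under AGNOSTIC_BECOME_PROMPT in lib/ansible/config/base.yml and the `display.deprecated()` call added in lib/ansible/cli/__init__.py announce the same 2.22 removal with different wording, so a user who sets the option to False may get two warnings, assuming the config loader already reports deprecated settings a user has set (that code is not in this diff). If it does, keep one of the two, or add a comment above the block, for example `# the CLI also warns when this is set to False; keep both texts in sync`. The `why:` text would also read more clearly as `The become password prompt starts with "BECOME" by default.`.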
@@ -0,0 +1,6 @@
+destructive
+needs/root
+needs/ssh
+needs/target/setup_pexpect
+shippable/posix/group5
+context/controller
diff --git a/test/integration/targets/become_prompt/runme.sh b/test/integration/targets/become_prompt/runme.sh
new file mode 100755
index 00000000000..16300a05d70
--- /dev/null
+++ b/test/integration/targets/become_prompt/runme.sh
@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+
+set -eux
+
+ANSIBLE_ROLES_PATH=../ ansible-playbook setup.yml
diff --git a/test/integration/targets/become_prompt/setup.yml b/test/integration/targets/become_prompt/setup.yml
new file mode 100644
index 00000000000..3681a995891
--- /dev/null
+++ b/test/integration/targets/become_prompt/setup.yml
@@ -0,0 +1,42 @@
+- hosts: localhost
+ gather_facts: yes
+ roles:
+ - setup_pexpect
+
+ tasks:
+ - name: Test ansible-playbook with AGNOSTIC_BECOME_PROMPT=False
+ block:
+ - name: Create user to connect as
+ user:
+ name: cliuser1
+ shell: /bin/bash
+ groups: wheel
+ append: yes
+ password: "{{ 'secretpassword' | password_hash('sha512', 'mysecretsalt') }}"
+ - name: Create user to become
+ user:
+ name: cliuser2
+ shell: /bin/bash
+ password: "{{ 'secretpassword' | password_hash('sha512', 'mysecretsalt') }}"
+ # Sometimes this file doesn't get removed, and we need it gone to ssh
+ - name: Remove /run/nologin
+ file:
+ path: /run/nologin
+ state: absent
+ # Make Ansible run Python to run Ansible
+ - name: Run the test
+ shell: python test-become-prompt.py {{ ansible_python_interpreter }}
+ always:
+ - name: Remove users
+ user:
+ name: "{{ item }}"
+ state: absent
+ with_items:
+ - cliuser1
+ - cliuser2
+ # For now, we don't test this everywhere, because `user` works differently
+ # on some platforms, as does sudo/sudoers. On Fedora, we can just add
+ # the user to 'wheel' and things magically work.
+ # TODO: In theory, we should test this with all the different 'become'
+ # plugins in base.
+ when: ansible_distribution == 'Fedora'
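Review bot: The `Run the test` task in setup.yml puts `{{ ansible_python_interpreter }}` unquoted into a `shell:` string and starts the script with whatever `python` resolves to on PATH, so an interpreter path containing spaces, or a host with no `python` executable, fails the test for reasons unrelated to the prompt. Running it without a shell and with the known interpreter is tighter: `command: "{{ ansible_python_interpreter | quote }} test-become-prompt.py {{ ansible_python_interpreter | quote }}"`. Since the block creates `cliuser1` in `wheel` with a fixed password and salt, a comment above it such as `# throwaway CI hosts only: creates sudo-capable accounts with a known password` would spell out why the target is marked `destructive`.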
diff --git a/test/integration/targets/become_prompt/test-become-prompt.py b/test/integration/targets/become_prompt/test-become-prompt.py
new file mode 100644
index 00000000000..da76e8f883f
--- /dev/null
+++ b/test/integration/targets/become_prompt/test-become-prompt.py
@@ -0,0 +1,28 @@
+#!/usr/bin/env python
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+from __future__ import annotations
+
+import os
+import sys
+
+import pexpect
+
+
+os.environ['ANSIBLE_AGNOSTIC_BECOME_PROMPT'] = 'False'
+
+out = pexpect.run(
+ 'ansible -c ssh -i localhost, -u cliuser1 -e ansible_python_interpreter={0} '
+ '-m command -a whoami -Kkb --become-user cliuser2 localhost'.format(sys.argv[1]),
+ events={
+ 'SSH password:': 'secretpassword\n',
+ 'SUDO password': 'secretpassword\n',
+ },
+ timeout=10
+)
+
+print(out)
+
+assert b'The setting AGNOSTIC_BECOME_PROMPT to False' in out
+
+
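Review bot: The single assertion in test-become-prompt.py only looks for the deprecation text, which the CLI change emits before the become prompt string is built, so the test still passes if the SSH login fails, the `SUDO password` pattern never matches, or the run hits the 10 second timeout. The legacy prompt that AGNOSTIC_BECOME_PROMPT=False is supposed to produce is therefore never verified. Passing `withexitstatus=True` to `pexpect.run` and adding `assert status == 0` and `assert b'cliuser2' in out` would cover the prompt handling and the privilege switch. A short module docstring stating that the script expects the interpreter path as `sys.argv[1]` and is driven by setup.yml would also help the next reader.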