[stable-2.17] debconf: set empty password value (#84034)

Fixes: #83214 Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com> (cherry picked from commit 79e8c4c26c)
4 weeks ago · 92ee1fa499
parent f7be90626d
commit 92ee1fa499
4 changed files with 153 additions and 41 deletions
--- a/changelogs/fragments/debconf_empty_password.yml
+++ b/changelogs/fragments/debconf_empty_password.yml
@ -0,0 +1,3 @@
+---
+bugfixes:
+  - debconf - set empty password values (https://github.com/ansible/ansible/issues/83214).
--- a/lib/ansible/modules/debconf.py
+++ b/lib/ansible/modules/debconf.py
@ -134,21 +134,24 @@ def get_password_value(module, pkg, question, vtype):
    cmd = [getsel]
    rc, out, err = module.run_command(cmd)
    if rc != 0:
-        module.fail_json(msg="Failed to get the value '%s' from '%s'" % (question, pkg))
+        module.fail_json(msg=f"Failed to get the value '{question}' from '{pkg}': {err}")

-    desired_line = None
    for line in out.split("\n"):
-        if line.startswith(pkg):
-            desired_line = line
-            break
-
-    if not desired_line:
-        module.fail_json(msg="Failed to find the value '%s' from '%s'" % (question, pkg))
-
-    (dpkg, dquestion, dvtype, dvalue) = desired_line.split()
-    if dquestion == question and dvtype == vtype:
-        return dvalue
-    return ''
+        if not line.startswith(pkg):
+            continue
+
+        # line is a collection of tab separated values
+        fields = line.split('\t')
+        if len(fields) <= 3:
+            # No password found, return a blank password
+            return ''
+        try:
+            if fields[1] == question and fields[2] == vtype:
+                # If correct question and question type found, return password value
+                return fields[3]
+        except IndexError:
+            # Fail safe
+            return ''


 def get_selections(module, pkg):
--- a/test/integration/targets/debconf/tasks/main.yml
+++ b/test/integration/targets/debconf/tasks/main.yml
@ -1,21 +1,7 @@
 # Test code for the debconf module.
-# (c) 2017, James Tanner <tanner.jc@gmail.com>
-
-# This file is part of Ansible
-#
-# Ansible is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# Ansible is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with Ansible.  If not, see <http://www.gnu.org/licenses/>.
-
+# Copyright: (c) 2017, James Tanner <tanner.jc@gmail.com>
+# Copyright: Contributors to the Ansible project
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
 ##
 ## debconf query
 ##
@ -23,16 +9,16 @@
 - block:
    - name: query the tzdata package
      debconf:
-          name: tzdata
+        name: tzdata
      register: debconf_test0

    - name: validate results for test 0
      assert:
-          that:
-              - 'debconf_test0.changed is defined'
-              - 'debconf_test0.current is defined'
-              - '"tzdata/Zones/Etc" in debconf_test0.current'
-              - 'debconf_test0.current["tzdata/Zones/Etc"] == "UTC"'
+        that:
+          - 'debconf_test0.changed is defined'
+          - 'debconf_test0.current is defined'
+          - '"tzdata/Zones/Etc" in debconf_test0.current'
+          - 'debconf_test0.current["tzdata/Zones/Etc"] == "UTC"'

    - name: install debconf-utils
      apt:
@ -46,12 +32,13 @@
        question: ddclient/password
        value: "MySecretValue"
        vtype: password
+      no_log: false
      register: debconf_test1

    - name: validate results for test 1
      assert:
-          that:
-              - debconf_test1.changed
+        that:
+          - debconf_test1.changed

    - name: Change password again
      debconf:
@ -59,13 +46,69 @@
        question: ddclient/password
        value: "MySecretValue"
        vtype: password
-      no_log: yes
+      no_log: false
      register: debconf_test2

    - name: validate results for test 1
      assert:
-          that:
-              - not debconf_test2.changed
+        that:
+          - not debconf_test2.changed
+
+    - name: Check if empty password is set
+      debconf:
+        name: ddclient2
+        question: ddclient/password
+        value: ""
+        vtype: password
+      no_log: false
+      register: debconf_test1
+
+    - name: validate if password is set to empty value
+      assert:
+        that:
+          - debconf_test1.changed
+
+    - name: Change empty password again (idempotency)
+      debconf:
+        name: ddclient2
+        question: ddclient/password
+        value: "MySecretValue"
+        vtype: password
+      no_log: false
+      register: debconf_test2
+
+    - name: validate if the empty password is changed to the given value
+      assert:
+        that:
+          - debconf_test2.changed
+
+    - name: Set different question for same package name
+      debconf:
+        name: ddclient2
+        question: ddclient/password1
+        value: "Sample"
+        vtype: password
+      no_log: false
+      register: debconf_test1
+
+    - name: validate if different question for same package name is set
+      assert:
+        that:
+          - debconf_test1.changed
+
+    - name: Set different question for same package name again (idempotency)
+      debconf:
+        name: ddclient2
+        question: ddclient/password1
+        value: "Sample"
+        vtype: password
+      no_log: false
+      register: debconf_test2
+
+    - name: validate if different question for same package name is set (idempotency)
+      assert:
+        that:
+          - not debconf_test2.changed

    - name: Multiselect value
      debconf:
--- a/test/units/modules/test_debconf.py
+++ b/test/units/modules/test_debconf.py
@ -0,0 +1,63 @@
+# Copyright: Contributors to the Ansible project
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+from __future__ import annotations
+
+import pytest
+
+from ansible.modules.debconf import get_password_value
+
+
+password_testdata = [
+    pytest.param(
+        (
+            "ddclient2	ddclient/password1	password	Sample",
+            "ddclient2",
+            "ddclient/password1",
+            "password",
+        ),
+        "Sample",
+        id="valid_password",
+    ),
+    pytest.param(
+        (
+            "ddclient2	ddclient/password1	password",
+            "ddclient2",
+            "ddclient/password1",
+            "password",
+        ),
+        '',
+        id="invalid_password",
+    ),
+    pytest.param(
+        (
+            "ddclient2	ddclient/password	password",
+            "ddclient2",
+            "ddclient/password1",
+            "password",
+        ),
+        '',
+        id="invalid_password_none",
+    ),
+    pytest.param(
+        (
+            "ddclient2	ddclient/password",
+            "ddclient2",
+            "ddclient/password",
+            "password",
+        ),
+        '',
+        id="invalid_line",
+    ),
+]
+
+
+@pytest.mark.parametrize("test_input,expected", password_testdata)
+def test_get_password_value(mocker, test_input, expected):
+    module = mocker.MagicMock()
+    mocker.patch.object(
+        module, "get_bin_path", return_value="/usr/bin/debconf-get-selections"
+    )
+    mocker.patch.object(module, "run_command", return_value=(0, test_input[0], ""))
+
+    res = get_password_value(module, *test_input[1:])
+    assert res == expected