From 97621852db237c71e611b33e52e6c48138c3574f Mon Sep 17 00:00:00 2001
From: Trishna Guha
Date: Fri, 4 Jan 2019 16:29:36 +0530
Subject: [PATCH] add privileged role validation for nxos become (#50312)
Signed-off-by: Trishna Guha
---
 lib/ansible/plugins/terminal/nxos.py | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/lib/ansible/plugins/terminal/nxos.py b/lib/ansible/plugins/terminal/nxos.py
index b31927b4cd3..dbeab1f3ffc 100644
--- a/lib/ansible/plugins/terminal/nxos.py
+++ b/lib/ansible/plugins/terminal/nxos.py
@@ -64,6 +64,9 @@ class TerminalModule(TerminalBase):
 if '15' in out:
 return
+ if self.validate_user_role():
+ return
+
 cmd = {u'command': u'enable'}
 if passwd:
 cmd[u'prompt'] = to_text(r"(?i)[\r\n]?Password: $", errors='surrogate_or_strict')
@@ -98,3 +101,16 @@ class TerminalModule(TerminalBase):
 self._exec_cli_command(cmd)
 except AnsibleConnectionFailure:
 raise AnsibleConnectionFailure('unable to set terminal parameters')
+
+ def validate_user_role(self):
+ user = self._connection._play_context.remote_user
+
+ out = self._exec_cli_command('show user-account %s' % user)
+ out = to_text(out, errors='surrogate_then_replace').strip()
+
+ match = re.search(r'roles:(.+)$', out, re.M)
+ if match:
+ roles = match.group(1).split()
+ if 'network-admin' in roles:
+ return True
+ return False
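Review bot: The new `if self.validate_user_role():` call in the first hunk is unguarded, so an error from the extra `show user-account` command would abort become instead of falling through to `enable`. The context lines of the second hunk show that `_exec_cli_command` can raise AnsibleConnectionFailure. That could plausibly happen here when the login is authenticated by a remote AAA server and has no local account entry, though the patch does not show this. The same gap sits inside validate_user_role in the second hunk: wrapping its `_exec_cli_command` call in `try:` with `except AnsibleConnectionFailure: return False` keeps the pre-patch `enable` path as the fallback. The enclosing become function starts and ends outside this hunk.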
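Review bot: In validate_user_role (second hunk), `remote_user` goes into `'show user-account %s' % user` without a check that it is set, and the first `roles:` line is accepted without confirming it belongs to that account. With no remote_user in the play context the command becomes `show user-account None`. An empty value would presumably list every account, so another account's network-admin role could make become skip `enable`. Adding `if not user: return False` before the command closes that gap; if the device output names the account, the match should also be tied to that name. A docstring such as `"""Return True when the login user already holds the network-admin role."""` would record why become may be skipped.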