From a7231c220378554d44a611000bde2af2883fe064 Mon Sep 17 00:00:00 2001
From: Brian Coca
Date: Wed, 2 Sep 2015 11:31:39 -0400
Subject: [PATCH] actually implemented flags correctly for all priv escalation methods
---
 lib/ansible/constants.py | 2 +-
 lib/ansible/playbook/play_context.py | 13 +++++++------
 test/units/playbook/test_play_context.py | 2 +-
 3 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/lib/ansible/constants.py b/lib/ansible/constants.py
index 7b31069d562..e23e99f551f 100644
--- a/lib/ansible/constants.py
+++ b/lib/ansible/constants.py
@@ -162,7 +162,7 @@ DEFAULT_SELINUX_SPECIAL_FS = get_config(p, 'selinux', 'special_context_filesyste
 DEFAULT_SU = get_config(p, DEFAULTS, 'su', 'ANSIBLE_SU', False, boolean=True)
 DEFAULT_SU_USER = get_config(p, DEFAULTS, 'su_user', 'ANSIBLE_SU_USER', 'root')
 DEFAULT_SU_EXE = get_config(p, DEFAULTS, 'su_exe', 'ANSIBLE_SU_EXE', None)
-DEFAULT_SU_FLAGS = get_config(p, DEFAULTS, 'su_flags', 'ANSIBLE_SU_FLAGS', '')
+DEFAULT_SU_FLAGS = get_config(p, DEFAULTS, 'su_flags', 'ANSIBLE_SU_FLAGS', None)
 DEFAULT_ASK_SU_PASS = get_config(p, DEFAULTS, 'ask_su_pass', 'ANSIBLE_ASK_SU_PASS', False, boolean=True)
 DEFAULT_SUDO = get_config(p, DEFAULTS, 'sudo', 'ANSIBLE_SUDO', False, boolean=True)
 DEFAULT_SUDO_USER = get_config(p, DEFAULTS, 'sudo_user', 'ANSIBLE_SUDO_USER', 'root')
diff --git a/lib/ansible/playbook/play_context.py b/lib/ansible/playbook/play_context.py
index 7ffea25f1fd..355efbaf26e 100644
--- a/lib/ansible/playbook/play_context.py
+++ b/lib/ansible/playbook/play_context.py
@@ -345,6 +345,13 @@ class PlayContext(Base): getattr(C, 'DEFAULT_%s_EXE' % self.become_method.upper(), None) or \ self.become_method + # set flags to use for the privilege escalation method, with various overrides + flags = self.become_flags or \ + getattr(self, '%s_flags' % self.become_method, None) or \ + C.DEFAULT_BECOME_FLAGS or \ + getattr(C, 'DEFAULT_%s_FLAGS' % self.become_method.upper(), None) or \ + '' + if self.become_method == 'sudo': # Rather than detect if sudo wants a password this time, -k makes sudo always ask for # a password if one is required. Passing a quoted compound command to sudo (or sudo -s) @@ -352,7 +359,6 @@ class PlayContext(Base): # string to the user's shell. We loop reading output until we see the randomly-generated # sudo prompt set with the -p option. prompt = '[sudo via ansible, key=%s] password: ' % randbits - flags = self.become_flags or self.sudo_flags or C.DEFAULT_SUDO_FLAGS # force quick error if password is required but not supplied, should prevent sudo hangs. if not self.become_pass: @@ -367,18 +373,15 @@ class PlayContext(Base): return bool(SU_PROMPT_LOCALIZATIONS_RE.match(data)) prompt = detect_su_prompt - flags = self.become_flags or self.su_flags or '' becomecmd = '%s %s %s -c "%s -c %s"' % (exe, flags, self.become_user, executable, success_cmd) elif self.become_method == 'pbrun': prompt='assword:' - flags = self.become_flags or '' becomecmd = '%s -b %s -u %s %s' % (exe, flags, self.become_user, success_cmd) elif self.become_method == 'pfexec': - flags = self.become_flags or '' # No user as it uses it's own exec_attr to figure it out becomecmd = '%s %s "%s"' % (exe, flags, success_cmd) 
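Review bot: The new `flags = ... or ... or ''` chain in the @@ -345 hunk picks the first truthy value, so an explicitly empty `become_flags` (or `<method>_flags`) is indistinguishable from unset and cannot be used to clear flags inherited from the config defaults. It also ranks the global `C.DEFAULT_BECOME_FLAGS` above the method-specific `DEFAULT_<METHOD>_FLAGS`, so a site-wide value written with one method in mind is handed to whichever become method a task selects; and `C.DEFAULT_BECOME_FLAGS` is read directly rather than through `getattr`, so it has to exist in constants.py, which this patch does not show. Because the result is spliced unquoted into `becomecmd` for every method in the later hunks, I would spell the contract out in the comment, e.g. `# precedence: become_flags > <method>_flags > DEFAULT_BECOME_FLAGS > DEFAULT_<METHOD>_FLAGS; empty/None counts as unset; value is trusted operator input and is shell-parsed as-is`. The enclosing method starts and ends outside the hunk.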
@@ -386,14 +389,12 @@ class PlayContext(Base): raise AnsibleError("'runas' is not yet implemented") #TODO: figure out prompt # this is not for use with winrm plugin but if they ever get ssh native on windoez - flags = self.become_flags or '' becomecmd = '%s %s /user:%s "%s"' % (exe, flags, self.become_user, success_cmd) elif self.become_method == 'doas': prompt = 'Password:' exe = self.become_exe or 'doas' - flags = self.become_flags or '' if not self.become_pass: flags += ' -n ' diff --git a/test/units/playbook/test_play_context.py b/test/units/playbook/test_play_context.py index ac47d06f683..dcfc6df5392 100644 --- a/test/units/playbook/test_play_context.py +++ b/test/units/playbook/test_play_context.py @@ -118,7 +118,7 @@ class TestPlayContext(unittest.TestCase): sudo_exe = C.DEFAULT_SUDO_EXE or 'sudo' sudo_flags = C.DEFAULT_SUDO_FLAGS + " -n " su_exe = C.DEFAULT_SU_EXE or 'su' - su_flags = C.DEFAULT_SU_FLAGS + su_flags = C.DEFAULT_SU_FLAGS or '' pbrun_exe = 'pbrun' pbrun_flags = '' pfexec_exe = 'pfexec'
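Review bot: The unit-test hunk only adapts `su_flags` to the new `None` default (`C.DEFAULT_SU_FLAGS or ''`); the line just above it, `sudo_flags = C.DEFAULT_SUDO_FLAGS + " -n "`, would raise a TypeError if that default is ever moved to `None` the same way, so I would write it as `sudo_flags = (C.DEFAULT_SUDO_FLAGS or '') + " -n "`. Nothing visible here exercises the new fallback order either: `pbrun_flags = ''` stays hard-coded although the code now consults `C.DEFAULT_BECOME_FLAGS` and a per-method default for pbrun as well, so the expectation would silently diverge once a site default is set. A case that sets `become_flags` and one that relies on the config default would pin the precedence that decides how the escalation command is built. The test method continues outside the hunk.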