Fix `ansible -K` become_pass regression (#69629)

* Fix `ansible -K` become_pass regression

Change:
- This fixes a breaking change introduced in
  2165f9ac40

Test Plan:
- Local VM for now, with plans to add an integration test for -K going
  forward.

Tickets:
Refs #69244

lib/ansible/executor/task_executor.py

@@ -1010,16 +1010,19 @@ class TaskExecutor:
 
         task_keys = self._task.dump_attrs()
 
-        # set options with 'templated vars' specific to this plugin and dependant ones
+        # set options with 'templated vars' specific to this plugin and dependent ones
         self._connection.set_options(task_keys=task_keys, var_options=options)
         varnames.extend(self._set_plugin_options('shell', variables, templar, task_keys))
 
         if self._connection.become is not None:
-
+            if self._play_context.become_pass:
-            varnames.extend(self._set_plugin_options('become', variables, templar, task_keys))
                 # FIXME: eventually remove from task and play_context, here for backwards compat
                 # keep out of play objects to avoid accidental disclosure, only become plugin should have
-            task_keys['become_pass'] = self._connection.become.get_option('become_pass')
+                # The become pass is already in the play_context if given on
+                # the CLI (-K). Make the plugin aware of it in this case.
+                task_keys['become_pass'] = self._play_context.become_pass
+
+            varnames.extend(self._set_plugin_options('become', variables, templar, task_keys))
 
             # FOR BACKWARDS COMPAT:
             for option in ('become_user', 'become_flags', 'become_exe', 'become_pass'):

test/integration/targets/cli/aliases

@@ -1,2 +1,5 @@
+destructive
+needs/root
+needs/ssh
 needs/target/setup_pexpect
 shippable/posix/group3

test/integration/targets/cli/setup.yml

@@ -1,4 +1,42 @@
 - hosts: localhost
-  gather_facts: no
+  gather_facts: yes
   roles:
     - setup_pexpect
+
+  tasks:
+    - name: Test ansible-playbook and ansible with -K
+      block:
+        - name: Create user to connect as
+          user:
+            name: cliuser1
+            shell: /bin/bash
+            groups: wheel
+            append: yes
+            password: "{{ 'secretpassword' | password_hash('sha512', 'mysecretsalt') }}"
+        - name: Create user to become
+          user:
+            name: cliuser2
+            shell: /bin/bash
+            password: "{{ 'secretpassword' | password_hash('sha512', 'mysecretsalt') }}"
+        # Sometimes this file doesn't get removed, and we need it gone to ssh
+        - name: Remove /run/nologin
+          file:
+            path: /run/nologin
+            state: absent
+        # Make Ansible run Python to run Ansible
+        - name: Run the test
+          shell: python test_k_and_K.py {{ ansible_python_interpreter }}
+      always:
+        - name: Remove users
+          user:
+            name: "{{ item }}"
+            state: absent
+          with_items:
+            - cliuser1
+            - cliuser2
+      # For now, we don't test this everywhere, because `user` works differently
+      # on some platforms, as does sudo/sudoers. On Fedora, we can just add
+      # the user to 'wheel' and things magically work.
+      # TODO: In theory, we should test this with all the different 'become'
+      # plugins in base.
+      when: ansible_distribution == 'Fedora'

test/integration/targets/cli/test_k_and_K.py

@@ -0,0 +1,27 @@
+#!/usr/bin/env python
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+# Make coding more python3-ish
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+import os
+import sys
+
+import pexpect
+
+os.environ['ANSIBLE_NOCOLOR'] = '1'
+
+out = pexpect.run(
+    'ansible -c ssh -i localhost, -u cliuser1 -e ansible_python_interpreter={0} '
+    '-m command -a whoami -Kkb --become-user cliuser2 localhost'.format(sys.argv[1]),
+    events={
+        'SSH password:': 'secretpassword\n',
+        'BECOME password': 'secretpassword\n',
+    },
+    timeout=10
+)
+
+print(out)
+
+assert b'cliuser2' in out