diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index cc20f04a..2f9bcf22 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -24,54 +24,6 @@ jobs: fail-fast: false matrix: include: - - name: Ans_27_210 - tox_env: py27-mode_ansible-ansible2.10 - - name: Ans_27_4 - tox_env: py27-mode_ansible-ansible4 - - - name: Ans_36_210 - python_version: '3.6' - tox_env: py36-mode_ansible-ansible2.10 - - name: Ans_36_4 - python_version: '3.6' - tox_env: py36-mode_ansible-ansible4 - - - name: Ans_311_210 - python_version: '3.11' - tox_env: py311-mode_ansible-ansible2.10 - - name: Ans_311_3 - python_version: '3.11' - tox_env: py311-mode_ansible-ansible3 - - name: Ans_311_4 - python_version: '3.11' - tox_env: py311-mode_ansible-ansible4 - - name: Ans_311_5 - python_version: '3.11' - tox_env: py311-mode_ansible-ansible5 - - name: Ans_313_6 - python_version: '3.13' - tox_env: py313-mode_ansible-ansible6 - - name: Ans_313_7 - python_version: '3.13' - tox_env: py313-mode_ansible-ansible7 - - name: Ans_313_8 - python_version: '3.13' - tox_env: py313-mode_ansible-ansible8 - - name: Ans_313_9 - python_version: '3.13' - tox_env: py313-mode_ansible-ansible9 - - name: Ans_313_10 - python_version: '3.13' - tox_env: py313-mode_ansible-ansible10 - - name: Van_313_10 - python_version: '3.13' - tox_env: py313-mode_ansible-ansible10-strategy_linear - - - name: Mito_27 - tox_env: py27-mode_mitogen - - name: Mito_36 - python_version: '3.6' - tox_env: py36-mode_mitogen - name: Mito_313 python_version: '3.13' tox_env: py313-mode_mitogen diff --git a/ansible_mitogen/transport_config.py b/ansible_mitogen/transport_config.py index 770c1997..c2976365 100644 --- a/ansible_mitogen/transport_config.py +++ b/ansible_mitogen/transport_config.py @@ -450,19 +450,7 @@ class PlayContextSpec(Spec): return self._become_option('become_user') def become_pass(self): - # become_pass is owned/provided by the active become plugin. However - # PlayContext is intertwined with it. Known complications - # - ansible_become_password is higher priority than ansible_become_pass, - # `play_context.become_pass` doesn't obey this (atleast with Mitgeon). - # - `meta: reset_connection` runs `connection.reset()` but - # `ansible_mitogen.connection.Connection.reset()` recreates the - # connection object, setting `connection.become = None`. - become_plugin = self._connection.become - try: - become_pass = become_plugin.get_option('become_pass', playcontext=self._play_context) - except AttributeError: - become_pass = self._play_context.become_pass - return optional_secret(become_pass) + return optional_secret(self._become_option('become_pass')) def password(self): return optional_secret(self._connection_option('password')) diff --git a/tests/ansible/hosts/default.hosts b/tests/ansible/hosts/default.hosts index 2edb9d0e..58e003b0 100644 --- a/tests/ansible/hosts/default.hosts +++ b/tests/ansible/hosts/default.hosts @@ -33,6 +33,7 @@ ansible_host=localhost ansible_user="{{ lookup('pipe', 'whoami') }}" [tt_become_by_inv] +tt-become-pass ansible_become=true ansible_become_pass="{{ 'pw_required_password' | trim }}" ansible_become_user=mitogen__pw_required tt-become-user ansible_become=true ansible_become_user="{{ 'root' | trim }}" [tt_become_by_inv:vars] diff --git a/tests/ansible/integration/become/templated_by_inv.yml b/tests/ansible/integration/become/templated_by_inv.yml index 98b68f05..4377c9ef 100644 --- a/tests/ansible/integration/become/templated_by_inv.yml +++ b/tests/ansible/integration/become/templated_by_inv.yml @@ -4,6 +4,10 @@ tasks: - meta: reset_connection - name: Templated become in inventory + vars: + expected_become_users: + tt-become-pass: mitogen__pw_required + tt-become-user: root command: cmd: whoami changed_when: false @@ -11,4 +15,4 @@ register: become_templated_by_inv_whoami failed_when: - become_templated_by_inv_whoami is failed - or become_templated_by_inv_whoami.stdout != 'root' + or become_templated_by_inv_whoami.stdout != expected_become_users[inventory_hostname] diff --git a/tests/ansible/integration/become/templated_by_play_keywords.yml b/tests/ansible/integration/become/templated_by_play_keywords.yml index e588c18f..7b8dd59c 100644 --- a/tests/ansible/integration/become/templated_by_play_keywords.yml +++ b/tests/ansible/integration/become/templated_by_play_keywords.yml @@ -5,7 +5,8 @@ become_user: "{{ 'root' | trim }}" tasks: - meta: reset_connection - - name: Templated become by play keywords + + - name: Templated become by play keywords, no password command: cmd: whoami changed_when: false @@ -14,3 +15,26 @@ failed_when: - become_templated_by_play_keywords_whoami is failed or become_templated_by_play_keywords_whoami.stdout != 'root' + +- name: integration/become/templated_by_play_keywords.yml + hosts: tt_become_bare + gather_facts: true + become: true + become_user: "{{ 'mitogen__pw_required' | trim }}" + vars: + ansible_become_pass: "{{ 'pw_required_password' | trim }}" + tasks: + - name: Templated become by play keywords, password + command: + cmd: whoami + changed_when: false + check_mode: false + register: become_templated_by_play_keywords_password_whoami + failed_when: + - become_templated_by_play_keywords_password_whoami is failed + or become_templated_by_play_keywords_password_whoami.stdout != 'mitogen__pw_required' + when: + # https://github.com/ansible/ansible/pull/70785 + - ansible_facts.distribution not in ["MacOSX"] + or ansible_version.full is version("2.11", ">=", strict=True) + or is_mitogen diff --git a/tests/ansible/integration/become/templated_by_play_vars.yml b/tests/ansible/integration/become/templated_by_play_vars.yml index 5618f7cc..ef004d97 100644 --- a/tests/ansible/integration/become/templated_by_play_vars.yml +++ b/tests/ansible/integration/become/templated_by_play_vars.yml @@ -5,7 +5,7 @@ ansible_become: true ansible_become_user: "{{ 'root' | trim }}" tasks: - - name: Templated become by play vars + - name: Templated become by play vars, no password command: cmd: whoami changed_when: false @@ -14,3 +14,26 @@ failed_when: - become_templated_by_play_vars_whoami is failed or become_templated_by_play_vars_whoami.stdout != 'root' + +- name: integration/become/templated_by_play_vars.yml + hosts: tt_become_bare + gather_facts: true + vars: + ansible_become: true + ansible_become_pass: "{{ 'pw_required_password' | trim }}" + ansible_become_user: "{{ 'mitogen__pw_required' | trim }}" + tasks: + - name: Templated become by play vars, password + command: + cmd: whoami + changed_when: false + check_mode: false + register: become_templated_by_play_vars_password_whoami + failed_when: + - become_templated_by_play_vars_password_whoami is failed + or become_templated_by_play_vars_password_whoami.stdout != 'mitogen__pw_required' + when: + # https://github.com/ansible/ansible/pull/70785 + - ansible_facts.distribution not in ["MacOSX"] + or ansible_version.full is version("2.11", ">=", strict=True) + or is_mitogen diff --git a/tests/ansible/integration/become/templated_by_task_keywords.yml b/tests/ansible/integration/become/templated_by_task_keywords.yml index 52fda111..bf891f3e 100644 --- a/tests/ansible/integration/become/templated_by_task_keywords.yml +++ b/tests/ansible/integration/become/templated_by_task_keywords.yml @@ -25,3 +25,36 @@ failed_when: - become_templated_by_task_with_delegate_to_whoami is failed or become_templated_by_task_with_delegate_to_whoami.stdout != 'root' + + +- name: integration/become/templated_by_task_keywords.yml + hosts: tt_become_bare + gather_facts: false + # FIXME Resetting the connection shouldn't require credentials + # https://github.com/mitogen-hq/mitogen/issues/1132 + become: true + become_user: "{{ 'mitogen__pw_required' | trim }}" + vars: + ansible_become_pass: "{{ 'pw_required_password' | trim }}" + tasks: + - name: Reset connection to target that will be delegate_to + meta: reset_connection + +- name: Test connection template by task keywords, with delegate_to + hosts: test-targets[0] + gather_facts: false + tasks: + - name: Templated become by task keywords, with delegate_to + become: true + become_user: "{{ 'mitogen__pw_required' | trim }}" + delegate_to: "{{ groups.tt_become_bare[0] }}" + vars: + ansible_become_pass: "{{ 'pw_required_password' | trim }}" + command: + cmd: whoami + changed_when: false + check_mode: false + register: become_templated_by_task_with_delegate_to_password_whoami + failed_when: + - become_templated_by_task_with_delegate_to_password_whoami is failed + or become_templated_by_task_with_delegate_to_password_whoami.stdout != 'mitogen__pw_required' diff --git a/tests/ansible/templates/test-targets.j2 b/tests/ansible/templates/test-targets.j2 index c0bd9cef..2eeebef7 100644 --- a/tests/ansible/templates/test-targets.j2 +++ b/tests/ansible/templates/test-targets.j2 @@ -45,7 +45,6 @@ tt-bare [tt_targets_bare:vars] ansible_host={{ tt.hostname }} -ansible_port={{ tt.port }} ansible_python_interpreter={{ tt.python_path }} [tt_become_bare] @@ -59,6 +58,7 @@ ansible_python_interpreter={{ tt.python_path }} ansible_user=mitogen__has_sudo_nopw [tt_become_by_inv] +tt-become-pass ansible_become=true ansible_become_pass="{{ '{{' }} 'pw_required_password' | trim {{ '}}' }}" ansible_become_user=mitogen__pw_required tt-become-user ansible_become=true ansible_become_user="{{ '{{' }} 'root' | trim {{ '}}' }}" [tt_become_by_inv:vars]