WIP

4 weeks ago · b64e8cb519
parent 21e002af2d
commit b64e8cb519
8 changed files with 90 additions and 65 deletions
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@ -24,54 +24,6 @@ jobs:
      fail-fast: false
      matrix:
        include:
          - name: Ans_27_210
            tox_env: py27-mode_ansible-ansible2.10
          - name: Ans_27_4
            tox_env: py27-mode_ansible-ansible4
          - name: Ans_36_210
            python_version: '3.6'
            tox_env: py36-mode_ansible-ansible2.10
          - name: Ans_36_4
            python_version: '3.6'
            tox_env: py36-mode_ansible-ansible4
          - name: Ans_311_210
            python_version: '3.11'
            tox_env: py311-mode_ansible-ansible2.10
          - name: Ans_311_3
            python_version: '3.11'
            tox_env: py311-mode_ansible-ansible3
          - name: Ans_311_4
            python_version: '3.11'
            tox_env: py311-mode_ansible-ansible4
          - name: Ans_311_5
            python_version: '3.11'
            tox_env: py311-mode_ansible-ansible5
          - name: Ans_313_6
            python_version: '3.13'
            tox_env: py313-mode_ansible-ansible6
          - name: Ans_313_7
            python_version: '3.13'
            tox_env: py313-mode_ansible-ansible7
          - name: Ans_313_8
            python_version: '3.13'
            tox_env: py313-mode_ansible-ansible8
          - name: Ans_313_9
            python_version: '3.13'
            tox_env: py313-mode_ansible-ansible9
          - name: Ans_313_10
            python_version: '3.13'
            tox_env: py313-mode_ansible-ansible10
          - name: Van_313_10
            python_version: '3.13'
            tox_env: py313-mode_ansible-ansible10-strategy_linear
          - name: Mito_27
            tox_env: py27-mode_mitogen
          - name: Mito_36
            python_version: '3.6'
            tox_env: py36-mode_mitogen
          - name: Mito_313
            python_version: '3.13'
            tox_env: py313-mode_mitogen
--- a/ansible_mitogen/transport_config.py
+++ b/ansible_mitogen/transport_config.py
@ -450,19 +450,7 @@ class PlayContextSpec(Spec):
        return self._become_option('become_user')
    def become_pass(self):
-        # become_pass is owned/provided by the active become plugin. However
+        return optional_secret(self._become_option('become_pass'))
        # PlayContext is intertwined with it. Known complications
        # - ansible_become_password is higher priority than ansible_become_pass,
        #   `play_context.become_pass` doesn't obey this (atleast with Mitgeon).
        # - `meta: reset_connection` runs `connection.reset()` but
        #   `ansible_mitogen.connection.Connection.reset()` recreates the
        #   connection object, setting `connection.become = None`.
        become_plugin = self._connection.become
        try:
            become_pass = become_plugin.get_option('become_pass', playcontext=self._play_context)
        except AttributeError:
            become_pass = self._play_context.become_pass
        return optional_secret(become_pass)
    def password(self):
        return optional_secret(self._connection_option('password'))
--- a/tests/ansible/hosts/default.hosts
+++ b/tests/ansible/hosts/default.hosts
@ -33,6 +33,7 @@ ansible_host=localhost
 ansible_user="{{ lookup('pipe', 'whoami') }}"
 [tt_become_by_inv]
 tt-become-pass              ansible_become=true ansible_become_pass="{{ 'pw_required_password' | trim }}" ansible_become_user=mitogen__pw_required
 tt-become-user              ansible_become=true ansible_become_user="{{ 'root' | trim }}"
 [tt_become_by_inv:vars]
--- a/tests/ansible/integration/become/templated_by_inv.yml
+++ b/tests/ansible/integration/become/templated_by_inv.yml
@ -4,6 +4,10 @@
  tasks:
    - meta: reset_connection
    - name: Templated become in inventory
      vars:
        expected_become_users:
          tt-become-pass: mitogen__pw_required
          tt-become-user: root
      command:
        cmd: whoami
      changed_when: false
@ -11,4 +15,4 @@
      register: become_templated_by_inv_whoami
      failed_when:
        - become_templated_by_inv_whoami is failed
-          or become_templated_by_inv_whoami.stdout != 'root'
+          or become_templated_by_inv_whoami.stdout != expected_become_users[inventory_hostname]
--- a/tests/ansible/integration/become/templated_by_play_keywords.yml
+++ b/tests/ansible/integration/become/templated_by_play_keywords.yml
@ -5,7 +5,8 @@
  become_user: "{{ 'root' | trim }}"
  tasks:
    - meta: reset_connection
-    - name: Templated become by play keywords
+
    - name: Templated become by play keywords, no password
      command:
        cmd: whoami
      changed_when: false
@ -14,3 +15,26 @@
      failed_when:
        - become_templated_by_play_keywords_whoami is failed
          or become_templated_by_play_keywords_whoami.stdout != 'root'
 - name: integration/become/templated_by_play_keywords.yml
  hosts: tt_become_bare
  gather_facts: true
  become: true
  become_user: "{{ 'mitogen__pw_required' | trim }}"
  vars:
    ansible_become_pass: "{{ 'pw_required_password' | trim }}"
  tasks:
    - name: Templated become by play keywords, password
      command:
        cmd: whoami
      changed_when: false
      check_mode: false
      register: become_templated_by_play_keywords_password_whoami
      failed_when:
        - become_templated_by_play_keywords_password_whoami is failed
          or become_templated_by_play_keywords_password_whoami.stdout != 'mitogen__pw_required'
      when:
        # https://github.com/ansible/ansible/pull/70785
        - ansible_facts.distribution not in ["MacOSX"]
          or ansible_version.full is version("2.11", ">=", strict=True)
          or is_mitogen
--- a/tests/ansible/integration/become/templated_by_play_vars.yml
+++ b/tests/ansible/integration/become/templated_by_play_vars.yml
@ -5,7 +5,7 @@
    ansible_become: true
    ansible_become_user: "{{ 'root' | trim }}"
  tasks:
-    - name: Templated become by play vars
+    - name: Templated become by play vars, no password
      command:
        cmd: whoami
      changed_when: false
@ -14,3 +14,26 @@
      failed_when:
        - become_templated_by_play_vars_whoami is failed
          or become_templated_by_play_vars_whoami.stdout != 'root'
 - name: integration/become/templated_by_play_vars.yml
  hosts: tt_become_bare
  gather_facts: true
  vars:
    ansible_become: true
    ansible_become_pass: "{{ 'pw_required_password' | trim }}"
    ansible_become_user: "{{ 'mitogen__pw_required' | trim }}"
  tasks:
    - name: Templated become by play vars, password
      command:
        cmd: whoami
      changed_when: false
      check_mode: false
      register: become_templated_by_play_vars_password_whoami
      failed_when:
        - become_templated_by_play_vars_password_whoami is failed
          or become_templated_by_play_vars_password_whoami.stdout != 'mitogen__pw_required'
      when:
        # https://github.com/ansible/ansible/pull/70785
        - ansible_facts.distribution not in ["MacOSX"]
          or ansible_version.full is version("2.11", ">=", strict=True)
          or is_mitogen
--- a/tests/ansible/integration/become/templated_by_task_keywords.yml
+++ b/tests/ansible/integration/become/templated_by_task_keywords.yml
@ -25,3 +25,36 @@
      failed_when:
        - become_templated_by_task_with_delegate_to_whoami is failed
          or become_templated_by_task_with_delegate_to_whoami.stdout != 'root'
 - name: integration/become/templated_by_task_keywords.yml
  hosts: tt_become_bare
  gather_facts: false
  # FIXME Resetting the connection shouldn't require credentials
  #       https://github.com/mitogen-hq/mitogen/issues/1132
  become: true
  become_user: "{{ 'mitogen__pw_required' | trim }}"
  vars:
    ansible_become_pass: "{{ 'pw_required_password' | trim }}"
  tasks:
    - name: Reset connection to target that will be delegate_to
      meta: reset_connection
 - name: Test connection template by task keywords, with delegate_to
  hosts: test-targets[0]
  gather_facts: false
  tasks:
    - name: Templated become by task keywords, with delegate_to
      become: true
      become_user: "{{ 'mitogen__pw_required' | trim }}"
      delegate_to: "{{ groups.tt_become_bare[0] }}"
      vars:
        ansible_become_pass: "{{ 'pw_required_password' | trim }}"
      command:
        cmd: whoami
      changed_when: false
      check_mode: false
      register: become_templated_by_task_with_delegate_to_password_whoami
      failed_when:
        - become_templated_by_task_with_delegate_to_password_whoami is failed
          or become_templated_by_task_with_delegate_to_password_whoami.stdout != 'mitogen__pw_required'
--- a/tests/ansible/templates/test-targets.j2
+++ b/tests/ansible/templates/test-targets.j2
@ -45,7 +45,6 @@ tt-bare
 [tt_targets_bare:vars]
 ansible_host={{ tt.hostname }}
 ansible_port={{ tt.port }}
 ansible_python_interpreter={{ tt.python_path }}
 [tt_become_bare]
@ -59,6 +58,7 @@ ansible_python_interpreter={{ tt.python_path }}
 ansible_user=mitogen__has_sudo_nopw
 [tt_become_by_inv]
 tt-become-pass              ansible_become=true ansible_become_pass="{{ '{{' }} 'pw_required_password' | trim {{ '}}' }}" ansible_become_user=mitogen__pw_required
 tt-become-user              ansible_become=true ansible_become_user="{{ '{{' }} 'root' | trim {{ '}}' }}"
 [tt_become_by_inv:vars]