# Verify passwordful su behaviour

- name: integration/become/su_password.yml
  hosts: test-targets
  become_method: su
  tasks:

    - name: Ensure su password absent but required.
      shell: whoami
      become: true
      become_user: mitogen__user1
      register: out
      ignore_errors: true
      when: is_mitogen

    - assert:
        that:
        - out.failed
        - (
            ('password is required' in out.msg) or
            ('password is required' in out.module_stderr)
          )
        fail_msg: |
          out={{ out }}
      when: is_mitogen


    - name: Ensure password su incorrect.
      shell: whoami
      become: true
      become_user: mitogen__user1
      register: out
      vars:
        ansible_become_pass: nopes
      ignore_errors: true
      when: is_mitogen

    - assert:
        that: |
          out.failed and (
            ('Incorrect su password' in out.msg) or
            ('su password is incorrect' in out.msg)
          )
        fail_msg: |
          out={{ out }}
      when: is_mitogen

    - name: Ensure password su with chdir succeeds
      shell: whoami
      args:
        chdir: ~mitogen__user1
      become: true
      become_user: mitogen__user1
      register: out
      vars:
        ansible_become_pass: user1_password
      when:
        # CI containers lack `setfacl` for unpriv -> unpriv
        # https://github.com/mitogen-hq/mitogen/issues/1118
        - is_mitogen
          or (ansible_facts.distribution in ["MacOSX"]
              and ansible_version.full is version("2.11", ">=", strict=True))

    - assert:
        that:
          - out.stdout == 'mitogen__user1'
        fail_msg: |
          out={{ out }}
      when:
        # CI containers lack `setfacl` for unpriv -> unpriv
        # https://github.com/mitogen-hq/mitogen/issues/1118
        - is_mitogen
          or (ansible_facts.distribution in ["MacOSX"]
              and ansible_version.full is version("2.11", ">=", strict=True))

    - name: Ensure password su without chdir succeeds
      shell: whoami
      become: true
      become_user: mitogen__user1
      register: out
      vars:
        ansible_become_pass: user1_password
      when:
        # CI containers lack `setfacl` for unpriv -> unpriv
        # https://github.com/mitogen-hq/mitogen/issues/1118
        - is_mitogen
          or (ansible_facts.distribution in ["MacOSX"]
              and ansible_version.full is version("2.11", ">=", strict=True))

    - assert:
        that:
          - out.stdout == 'mitogen__user1'
        fail_msg: |
          out={{ out }}
      when:
        # CI containers lack `setfacl` for unpriv -> unpriv
        # https://github.com/mitogen-hq/mitogen/issues/1118
        - is_mitogen
          or (ansible_facts.distribution in ["MacOSX"]
              and ansible_version.full is version("2.11", ">=", strict=True))

  tags:
    - su
    - su_password