author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-13 12:04:41 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-13 12:04:41 +0000 |
commit | 975f66f2eebe9dadba04f275774d4ab83f74cf25 (patch) | |
tree | 89bd26a93aaae6a25749145b7e4bca4a1e75b2be /ansible_collections/community/general/plugins/become | |
parent | Initial commit. (diff) | |
Adding upstream version 7.7.0+dfsg.upstream/7.7.0+dfsg
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'ansible_collections/community/general/plugins/become')
9 files changed, 949 insertions, 0 deletions
diff --git a/ansible_collections/community/general/plugins/become/doas.py b/ansible_collections/community/general/plugins/become/doas.py
new file mode 100644
index 000000000..69e730aad
--- /dev/null
+++ b/ansible_collections/community/general/plugins/become/doas.py
@@ -0,0 +1,127 @@
+# -*- coding: utf-8 -*-
+# Copyright (c) 2018, Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+DOCUMENTATION = '''
+ name: doas
+ short_description: Do As user
+ description:
+ - This become plugins allows your remote/login user to execute commands as another user via the doas utility.
+ author: Ansible Core Team
+ options:
+ become_user:
+ description: User you 'become' to execute the task
+ ini:
+ - section: privilege_escalation
+ key: become_user
+ - section: doas_become_plugin
+ key: user
+ vars:
+ - name: ansible_become_user
+ - name: ansible_doas_user
+ env:
+ - name: ANSIBLE_BECOME_USER
+ - name: ANSIBLE_DOAS_USER
+ become_exe:
+ description: Doas executable
+ default: doas
+ ini:
+ - section: privilege_escalation
+ key: become_exe
+ - section: doas_become_plugin
+ key: executable
+ vars:
+ - name: ansible_become_exe
+ - name: ansible_doas_exe
+ env:
+ - name: ANSIBLE_BECOME_EXE
+ - name: ANSIBLE_DOAS_EXE
+ become_flags:
+ description: Options to pass to doas
+ default: ''
+ ini:
+ - section: privilege_escalation
+ key: become_flags
+ - section: doas_become_plugin
+ key: flags
+ vars:
+ - name: ansible_become_flags
+ - name: ansible_doas_flags
+ env:
+ - name: ANSIBLE_BECOME_FLAGS
+ - name: ANSIBLE_DOAS_FLAGS
+ become_pass:
+ description: password for doas prompt
+ required: false
+ vars:
+ - name: ansible_become_password
+ - name: ansible_become_pass
+ - name: ansible_doas_pass
+ env:
+ - name: ANSIBLE_BECOME_PASS
+ - name: ANSIBLE_DOAS_PASS
+ ini:
+ - section: doas_become_plugin
+ key: password
+ prompt_l10n:
+ description:
+ - List of localized strings to match for prompt detection
+ - If empty we'll use the built in one
+ default: []
+ ini:
+ - section: doas_become_plugin
+ key: localized_prompts
+ vars:
+ - name: ansible_doas_prompt_l10n
+ env:
+ - name: ANSIBLE_DOAS_PROMPT_L10N
+'''
+
+import re
+
+from ansible.module_utils.common.text.converters import to_bytes
+from ansible.plugins.become import BecomeBase
+
+
+class BecomeModule(BecomeBase):
+
+ name = 'community.general.doas'
+
+ # messages for detecting prompted password issues
+ fail = ('Permission denied',)
+ missing = ('Authorization required',)
+
+ def check_password_prompt(self, b_output):
+ ''' checks if the expected password prompt exists in b_output '''
+
+ # FIXME: more accurate would be: 'doas (%s@' % remote_user
+ # however become plugins don't have that information currently
+ b_prompts = [to_bytes(p) for p in self.get_option('prompt_l10n')] or [br'doas \(', br'Password:']
+ b_prompt = b"|".join(b_prompts)
+
+ return bool(re.match(b_prompt, b_output))
+
+ def build_become_command(self, cmd, shell):
+ super(BecomeModule, self).build_become_command(cmd, shell)
+
+ if not cmd:
+ return cmd
+
+ self.prompt = True
+
+ become_exe = self.get_option('become_exe')
+
+ flags = self.get_option('become_flags')
+ if not self.get_option('become_pass') and '-n' not in flags:
+ flags += ' -n'
+
+ become_user = self.get_option('become_user')
+ user = '-u %s' % (become_user) if become_user else ''
+
+ success_cmd = self._build_success_command(cmd, shell, noexe=True)
+ executable = getattr(shell, 'executable', shell.SHELL_FAMILY)
+
+ return '%s %s %s %s -c %s' % (become_exe, flags, user, executable, success_cmd)
diff --git a/ansible_collections/community/general/plugins/become/dzdo.py b/ansible_collections/community/general/plugins/become/dzdo.py
new file mode 100644
index 000000000..a358e84e3
--- /dev/null
+++ b/ansible_collections/community/general/plugins/become/dzdo.py
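Review bot: `become_user` is interpolated into the command string without shell quoting in `build_become_command` (`user = '-u %s' % (become_user) if become_user else ''`), so a value containing whitespace or shell metacharacters is re-parsed by the remote shell under the login account instead of reaching doas as one argument. The value is read from inventory variables, environment and ini settings, so I would quote it, `user = '-u %s' % shlex_quote(become_user) if become_user else ''`, with `from ansible.module_utils.six.moves import shlex_quote` as pmrun.py already imports it in this commit. The same unquoted `become_user` appears in dzdo.py, ksu.py, machinectl.py, pbrun.py, sesu.py and sudosu.py. `become_flags` has to remain a raw option string, but its description could state that it is passed to the shell verbatim.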
@@ -0,0 +1,97 @@
+# -*- coding: utf-8 -*-
+# Copyright (c) 2018, Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+DOCUMENTATION = '''
+ name: dzdo
+ short_description: Centrify's Direct Authorize
+ description:
+ - This become plugins allows your remote/login user to execute commands as another user via the dzdo utility.
+ author: Ansible Core Team
+ options:
+ become_user:
+ description: User you 'become' to execute the task
+ ini:
+ - section: privilege_escalation
+ key: become_user
+ - section: dzdo_become_plugin
+ key: user
+ vars:
+ - name: ansible_become_user
+ - name: ansible_dzdo_user
+ env:
+ - name: ANSIBLE_BECOME_USER
+ - name: ANSIBLE_DZDO_USER
+ become_exe:
+ description: Dzdo executable
+ default: dzdo
+ ini:
+ - section: privilege_escalation
+ key: become_exe
+ - section: dzdo_become_plugin
+ key: executable
+ vars:
+ - name: ansible_become_exe
+ - name: ansible_dzdo_exe
+ env:
+ - name: ANSIBLE_BECOME_EXE
+ - name: ANSIBLE_DZDO_EXE
+ become_flags:
+ description: Options to pass to dzdo
+ default: -H -S -n
+ ini:
+ - section: privilege_escalation
+ key: become_flags
+ - section: dzdo_become_plugin
+ key: flags
+ vars:
+ - name: ansible_become_flags
+ - name: ansible_dzdo_flags
+ env:
+ - name: ANSIBLE_BECOME_FLAGS
+ - name: ANSIBLE_DZDO_FLAGS
+ become_pass:
+ description: Options to pass to dzdo
+ required: false
+ vars:
+ - name: ansible_become_password
+ - name: ansible_become_pass
+ - name: ansible_dzdo_pass
+ env:
+ - name: ANSIBLE_BECOME_PASS
+ - name: ANSIBLE_DZDO_PASS
+ ini:
+ - section: dzdo_become_plugin
+ key: password
+'''
+
+from ansible.plugins.become import BecomeBase
+
+
+class BecomeModule(BecomeBase):
+
+ name = 'community.general.dzdo'
+
+ # messages for detecting prompted password issues
+ fail = ('Sorry, try again.',)
+
+ def build_become_command(self, cmd, shell):
+ super(BecomeModule, self).build_become_command(cmd, shell)
+
+ if not cmd:
+ return cmd
+
+ becomecmd = self.get_option('become_exe')
+
+ flags = self.get_option('become_flags')
+ if self.get_option('become_pass'):
+ self.prompt = '[dzdo via ansible, key=%s] password:' % self._id
+ flags = '%s -p "%s"' % (flags.replace('-n', ''), self.prompt)
+
+ become_user = self.get_option('become_user')
+ user = '-u %s' % (become_user) if become_user else ''
+
+ return ' '.join([becomecmd, flags, user, self._build_success_command(cmd, shell)])
diff --git a/ansible_collections/community/general/plugins/become/ksu.py b/ansible_collections/community/general/plugins/become/ksu.py
new file mode 100644
index 000000000..fa2f66864
--- /dev/null
+++ b/ansible_collections/community/general/plugins/become/ksu.py
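Review bot: `flags.replace('-n', '')` in `build_become_command` removes every occurrence of the two characters `-n`, not only the standalone non-interactive option, so a configured flag or flag argument that merely contains `-n` is silently altered whenever a password is set. Dropping the option token-wise leaves other flags intact, e.g. `flags = ' '.join(f for f in flags.split() if f != '-n')`, assuming the flags never carry quoted arguments with embedded spaces. sudosu.py uses the same `replace` (its comment says it is kept for backwards string matching), and doas.py's `'-n' not in flags` is the corresponding substring test, which can skip adding `-n` when the option is in fact absent.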
@@ -0,0 +1,121 @@
+# -*- coding: utf-8 -*-
+# Copyright (c) 2018, Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+DOCUMENTATION = '''
+ name: ksu
+ short_description: Kerberos substitute user
+ description:
+ - This become plugins allows your remote/login user to execute commands as another user via the ksu utility.
+ author: Ansible Core Team
+ options:
+ become_user:
+ description: User you 'become' to execute the task
+ ini:
+ - section: privilege_escalation
+ key: become_user
+ - section: ksu_become_plugin
+ key: user
+ vars:
+ - name: ansible_become_user
+ - name: ansible_ksu_user
+ env:
+ - name: ANSIBLE_BECOME_USER
+ - name: ANSIBLE_KSU_USER
+ required: true
+ become_exe:
+ description: Su executable
+ default: ksu
+ ini:
+ - section: privilege_escalation
+ key: become_exe
+ - section: ksu_become_plugin
+ key: executable
+ vars:
+ - name: ansible_become_exe
+ - name: ansible_ksu_exe
+ env:
+ - name: ANSIBLE_BECOME_EXE
+ - name: ANSIBLE_KSU_EXE
+ become_flags:
+ description: Options to pass to ksu
+ default: ''
+ ini:
+ - section: privilege_escalation
+ key: become_flags
+ - section: ksu_become_plugin
+ key: flags
+ vars:
+ - name: ansible_become_flags
+ - name: ansible_ksu_flags
+ env:
+ - name: ANSIBLE_BECOME_FLAGS
+ - name: ANSIBLE_KSU_FLAGS
+ become_pass:
+ description: ksu password
+ required: false
+ vars:
+ - name: ansible_ksu_pass
+ - name: ansible_become_pass
+ - name: ansible_become_password
+ env:
+ - name: ANSIBLE_BECOME_PASS
+ - name: ANSIBLE_KSU_PASS
+ ini:
+ - section: ksu_become_plugin
+ key: password
+ prompt_l10n:
+ description:
+ - List of localized strings to match for prompt detection
+ - If empty we'll use the built in one
+ default: []
+ ini:
+ - section: ksu_become_plugin
+ key: localized_prompts
+ vars:
+ - name: ansible_ksu_prompt_l10n
+ env:
+ - name: ANSIBLE_KSU_PROMPT_L10N
+'''
+
+import re
+
+from ansible.module_utils.common.text.converters import to_bytes
+from ansible.plugins.become import BecomeBase
+
+
+class BecomeModule(BecomeBase):
+
+ name = 'community.general.ksu'
+
+ # messages for detecting prompted password issues
+ fail = ('Password incorrect',)
+ missing = ('No password given',)
+
+ def check_password_prompt(self, b_output):
+ ''' checks if the expected password prompt exists in b_output '''
+
+ prompts = self.get_option('prompt_l10n') or ["Kerberos password for .*@.*:"]
+ b_prompt = b"|".join(to_bytes(p) for p in prompts)
+
+ return bool(re.match(b_prompt, b_output))
+
+ def build_become_command(self, cmd, shell):
+
+ super(BecomeModule, self).build_become_command(cmd, shell)
+
+ # Prompt handling for ``ksu`` is more complicated, this
+ # is used to satisfy the connection plugin
+ self.prompt = True
+
+ if not cmd:
+ return cmd
+
+ exe = self.get_option('become_exe')
+
+ flags = self.get_option('become_flags')
+ user = self.get_option('become_user')
+ return '%s %s %s -e %s ' % (exe, user, flags, self._build_success_command(cmd, shell))
diff --git a/ansible_collections/community/general/plugins/become/machinectl.py b/ansible_collections/community/general/plugins/become/machinectl.py
new file mode 100644
index 000000000..461a3f635
--- /dev/null
+++ b/ansible_collections/community/general/plugins/become/machinectl.py
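Review bot: `check_password_prompt` compiles the `prompt_l10n` entries as regular expressions, while the option is documented as a "List of localized strings to match", so a localized prompt containing `(`, `?`, `.` or `|` either matches more than intended or raises `re.error` in the middle of the become handshake. If literal matching is what is meant, escape only the configured entries and keep the built-in pattern: `prompts = [re.escape(p) for p in self.get_option('prompt_l10n')] or ["Kerberos password for .*@.*:"]`. Otherwise the option description should say that entries are patterns and that `re.match` anchors them at the start of the output. doas.py's `check_password_prompt` treats `prompt_l10n` the same way.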
@@ -0,0 +1,132 @@
+# -*- coding: utf-8 -*-
+# Copyright (c) 2018, Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+DOCUMENTATION = '''
+ name: machinectl
+ short_description: Systemd's machinectl privilege escalation
+ description:
+ - This become plugins allows your remote/login user to execute commands as another user via the machinectl utility.
+ author: Ansible Core Team
+ options:
+ become_user:
+ description: User you 'become' to execute the task
+ default: ''
+ ini:
+ - section: privilege_escalation
+ key: become_user
+ - section: machinectl_become_plugin
+ key: user
+ vars:
+ - name: ansible_become_user
+ - name: ansible_machinectl_user
+ env:
+ - name: ANSIBLE_BECOME_USER
+ - name: ANSIBLE_MACHINECTL_USER
+ become_exe:
+ description: Machinectl executable
+ default: machinectl
+ ini:
+ - section: privilege_escalation
+ key: become_exe
+ - section: machinectl_become_plugin
+ key: executable
+ vars:
+ - name: ansible_become_exe
+ - name: ansible_machinectl_exe
+ env:
+ - name: ANSIBLE_BECOME_EXE
+ - name: ANSIBLE_MACHINECTL_EXE
+ become_flags:
+ description: Options to pass to machinectl
+ default: ''
+ ini:
+ - section: privilege_escalation
+ key: become_flags
+ - section: machinectl_become_plugin
+ key: flags
+ vars:
+ - name: ansible_become_flags
+ - name: ansible_machinectl_flags
+ env:
+ - name: ANSIBLE_BECOME_FLAGS
+ - name: ANSIBLE_MACHINECTL_FLAGS
+ become_pass:
+ description: Password for machinectl
+ required: false
+ vars:
+ - name: ansible_become_password
+ - name: ansible_become_pass
+ - name: ansible_machinectl_pass
+ env:
+ - name: ANSIBLE_BECOME_PASS
+ - name: ANSIBLE_MACHINECTL_PASS
+ ini:
+ - section: machinectl_become_plugin
+ key: password
+ notes:
+ - When not using this plugin with user C(root), it only works correctly with a polkit rule which will alter
+ the behaviour of machinectl. This rule must alter the prompt behaviour to ask directly for the user credentials,
+ if the user is allowed to perform the action (take a look at the examples section).
+ If such a rule is not present the plugin only work if it is used in context with the root user,
+ because then no further prompt will be shown by machinectl.
+'''
+
+EXAMPLES = r'''
+# A polkit rule needed to use the module with a non-root user.
+# See the Notes section for details.
+60-machinectl-fast-user-auth.rules: |
+ polkit.addRule(function(action, subject) {
+ if(action.id == "org.freedesktop.machine1.host-shell" && subject.isInGroup("wheel")) {
+ return polkit.Result.AUTH_SELF_KEEP;
+ }
+ });
+'''
+
+from re import compile as re_compile
+
+from ansible.plugins.become import BecomeBase
+from ansible.module_utils._text import to_bytes
+
+
+ansi_color_codes = re_compile(to_bytes(r'\x1B\[[0-9;]+m'))
+
+
+class BecomeModule(BecomeBase):
+
+ name = 'community.general.machinectl'
+
+ prompt = 'Password: '
+ fail = ('==== AUTHENTICATION FAILED ====',)
+ success = ('==== AUTHENTICATION COMPLETE ====',)
+
+ @staticmethod
+ def remove_ansi_codes(line):
+ return ansi_color_codes.sub(b"", line)
+
+ def build_become_command(self, cmd, shell):
+ super(BecomeModule, self).build_become_command(cmd, shell)
+
+ if not cmd:
+ return cmd
+
+ become = self.get_option('become_exe')
+
+ flags = self.get_option('become_flags')
+ user = self.get_option('become_user')
+ return '%s -q shell %s %s@ %s' % (become, flags, user, self._build_success_command(cmd, shell))
+
+ def check_success(self, b_output):
+ b_output = self.remove_ansi_codes(b_output)
+ return super().check_success(b_output)
+
+ def check_incorrect_password(self, b_output):
+ b_output = self.remove_ansi_codes(b_output)
+ return super().check_incorrect_password(b_output)
+
+ def check_missing_password(self, b_output):
+ b_output = self.remove_ansi_codes(b_output)
+ return super().check_missing_password(b_output)
diff --git a/ansible_collections/community/general/plugins/become/pbrun.py b/ansible_collections/community/general/plugins/become/pbrun.py
new file mode 100644
index 000000000..7d1437191
--- /dev/null
+++ b/ansible_collections/community/general/plugins/become/pbrun.py
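Review bot: The polkit rule in EXAMPLES is presented without saying what it grants: it returns `polkit.Result.AUTH_SELF_KEEP` for `org.freedesktop.machine1.host-shell` to every member of `wheel`, which lets those accounts open a host shell as another user, root included, by entering their own password, and the authorization is then retained for a short period. I would add a comment above the rule such as `# This lets any member of "wheel" become any user (including root) with their own password; narrow the group to the accounts Ansible connects as.` As a style point, `check_success`, `check_incorrect_password` and `check_missing_password` call zero-argument `super()` while `build_become_command` uses `super(BecomeModule, self)`; one form should be used throughout the file.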
@@ -0,0 +1,105 @@
+# -*- coding: utf-8 -*-
+# Copyright (c) 2018, Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+DOCUMENTATION = '''
+ name: pbrun
+ short_description: PowerBroker run
+ description:
+ - This become plugins allows your remote/login user to execute commands as another user via the pbrun utility.
+ author: Ansible Core Team
+ options:
+ become_user:
+ description: User you 'become' to execute the task
+ default: ''
+ ini:
+ - section: privilege_escalation
+ key: become_user
+ - section: pbrun_become_plugin
+ key: user
+ vars:
+ - name: ansible_become_user
+ - name: ansible_pbrun_user
+ env:
+ - name: ANSIBLE_BECOME_USER
+ - name: ANSIBLE_PBRUN_USER
+ become_exe:
+ description: Sudo executable
+ default: pbrun
+ ini:
+ - section: privilege_escalation
+ key: become_exe
+ - section: pbrun_become_plugin
+ key: executable
+ vars:
+ - name: ansible_become_exe
+ - name: ansible_pbrun_exe
+ env:
+ - name: ANSIBLE_BECOME_EXE
+ - name: ANSIBLE_PBRUN_EXE
+ become_flags:
+ description: Options to pass to pbrun
+ default: ''
+ ini:
+ - section: privilege_escalation
+ key: become_flags
+ - section: pbrun_become_plugin
+ key: flags
+ vars:
+ - name: ansible_become_flags
+ - name: ansible_pbrun_flags
+ env:
+ - name: ANSIBLE_BECOME_FLAGS
+ - name: ANSIBLE_PBRUN_FLAGS
+ become_pass:
+ description: Password for pbrun
+ required: false
+ vars:
+ - name: ansible_become_password
+ - name: ansible_become_pass
+ - name: ansible_pbrun_pass
+ env:
+ - name: ANSIBLE_BECOME_PASS
+ - name: ANSIBLE_PBRUN_PASS
+ ini:
+ - section: pbrun_become_plugin
+ key: password
+ wrap_exe:
+ description: Toggle to wrap the command pbrun calls in 'shell -c' or not
+ default: false
+ type: bool
+ ini:
+ - section: pbrun_become_plugin
+ key: wrap_execution
+ vars:
+ - name: ansible_pbrun_wrap_execution
+ env:
+ - name: ANSIBLE_PBRUN_WRAP_EXECUTION
+'''
+
+from ansible.plugins.become import BecomeBase
+
+
+class BecomeModule(BecomeBase):
+
+ name = 'community.general.pbrun'
+
+ prompt = 'Password:'
+
+ def build_become_command(self, cmd, shell):
+ super(BecomeModule, self).build_become_command(cmd, shell)
+
+ if not cmd:
+ return cmd
+
+ become_exe = self.get_option('become_exe')
+
+ flags = self.get_option('become_flags')
+ become_user = self.get_option('become_user')
+ user = '-u %s' % (become_user) if become_user else ''
+ noexe = not self.get_option('wrap_exe')
+
+ return ' '.join([become_exe, flags, user, self._build_success_command(cmd, shell, noexe=noexe)])
diff --git a/ansible_collections/community/general/plugins/become/pfexec.py b/ansible_collections/community/general/plugins/become/pfexec.py
new file mode 100644
index 000000000..392ee961f
--- /dev/null
+++ b/ansible_collections/community/general/plugins/become/pfexec.py
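Review bot: The class sets `prompt = 'Password:'` but defines neither `fail` nor `missing`, unlike doas.py, ksu.py and sesu.py, so a rejected or absent password cannot be told apart from a slow command and would presumably surface only as a timeout (this assumes BecomeBase's defaults for both are empty, which is not visible in this diff). If pbrun prints a stable rejection message, add it as `fail = ('<pbrun rejection message>',)`; otherwise DOCUMENTATION should note that wrong passwords are not detected. pmrun.py has the same gap. The `become_exe` description "Sudo executable" is also a copy-paste leftover here, in pfexec.py and in pmrun.py.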
@@ -0,0 +1,105 @@
+# -*- coding: utf-8 -*-
+# Copyright (c) 2018, Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+DOCUMENTATION = '''
+ name: pfexec
+ short_description: profile based execution
+ description:
+ - This become plugins allows your remote/login user to execute commands as another user via the pfexec utility.
+ author: Ansible Core Team
+ options:
+ become_user:
+ description:
+ - User you 'become' to execute the task
+ - This plugin ignores this setting as pfexec uses it's own C(exec_attr) to figure this out,
+ but it is supplied here for Ansible to make decisions needed for the task execution, like file permissions.
+ default: root
+ ini:
+ - section: privilege_escalation
+ key: become_user
+ - section: pfexec_become_plugin
+ key: user
+ vars:
+ - name: ansible_become_user
+ - name: ansible_pfexec_user
+ env:
+ - name: ANSIBLE_BECOME_USER
+ - name: ANSIBLE_PFEXEC_USER
+ become_exe:
+ description: Sudo executable
+ default: pfexec
+ ini:
+ - section: privilege_escalation
+ key: become_exe
+ - section: pfexec_become_plugin
+ key: executable
+ vars:
+ - name: ansible_become_exe
+ - name: ansible_pfexec_exe
+ env:
+ - name: ANSIBLE_BECOME_EXE
+ - name: ANSIBLE_PFEXEC_EXE
+ become_flags:
+ description: Options to pass to pfexec
+ default: -H -S -n
+ ini:
+ - section: privilege_escalation
+ key: become_flags
+ - section: pfexec_become_plugin
+ key: flags
+ vars:
+ - name: ansible_become_flags
+ - name: ansible_pfexec_flags
+ env:
+ - name: ANSIBLE_BECOME_FLAGS
+ - name: ANSIBLE_PFEXEC_FLAGS
+ become_pass:
+ description: pfexec password
+ required: false
+ vars:
+ - name: ansible_become_password
+ - name: ansible_become_pass
+ - name: ansible_pfexec_pass
+ env:
+ - name: ANSIBLE_BECOME_PASS
+ - name: ANSIBLE_PFEXEC_PASS
+ ini:
+ - section: pfexec_become_plugin
+ key: password
+ wrap_exe:
+ description: Toggle to wrap the command pfexec calls in 'shell -c' or not
+ default: false
+ type: bool
+ ini:
+ - section: pfexec_become_plugin
+ key: wrap_execution
+ vars:
+ - name: ansible_pfexec_wrap_execution
+ env:
+ - name: ANSIBLE_PFEXEC_WRAP_EXECUTION
+ notes:
+ - This plugin ignores I(become_user) as pfexec uses it's own C(exec_attr) to figure this out.
+'''
+
+from ansible.plugins.become import BecomeBase
+
+
+class BecomeModule(BecomeBase):
+
+ name = 'community.general.pfexec'
+
+ def build_become_command(self, cmd, shell):
+ super(BecomeModule, self).build_become_command(cmd, shell)
+
+ if not cmd:
+ return cmd
+
+ exe = self.get_option('become_exe')
+
+ flags = self.get_option('become_flags')
+ noexe = not self.get_option('wrap_exe')
+ return '%s %s %s' % (exe, flags, self._build_success_command(cmd, shell, noexe=noexe))
diff --git a/ansible_collections/community/general/plugins/become/pmrun.py b/ansible_collections/community/general/plugins/become/pmrun.py
new file mode 100644
index 000000000..74b633f09
--- /dev/null
+++ b/ansible_collections/community/general/plugins/become/pmrun.py
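Review bot: `become_pass` is documented with vars, env and ini sources, but nothing in this class sets `prompt` or reads the option, so unless BecomeBase handles it outside this diff a configured password is never used, while users are still invited to store one (the ini key would hold it in plain text). Either drop the option or state in its description that pfexec is expected to run without a password prompt. The default `become_flags` of `-H -S -n` is the same sudo-style string used in dzdo.py and sudosu.py; please confirm pfexec accepts these options, since doas.py, ksu.py, pbrun.py and pmrun.py all default to `''`.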
@@ -0,0 +1,78 @@
+# -*- coding: utf-8 -*-
+# Copyright (c) 2018, Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+DOCUMENTATION = '''
+ name: pmrun
+ short_description: Privilege Manager run
+ description:
+ - This become plugins allows your remote/login user to execute commands as another user via the pmrun utility.
+ author: Ansible Core Team
+ options:
+ become_exe:
+ description: Sudo executable
+ default: pmrun
+ ini:
+ - section: privilege_escalation
+ key: become_exe
+ - section: pmrun_become_plugin
+ key: executable
+ vars:
+ - name: ansible_become_exe
+ - name: ansible_pmrun_exe
+ env:
+ - name: ANSIBLE_BECOME_EXE
+ - name: ANSIBLE_PMRUN_EXE
+ become_flags:
+ description: Options to pass to pmrun
+ default: ''
+ ini:
+ - section: privilege_escalation
+ key: become_flags
+ - section: pmrun_become_plugin
+ key: flags
+ vars:
+ - name: ansible_become_flags
+ - name: ansible_pmrun_flags
+ env:
+ - name: ANSIBLE_BECOME_FLAGS
+ - name: ANSIBLE_PMRUN_FLAGS
+ become_pass:
+ description: pmrun password
+ required: false
+ vars:
+ - name: ansible_become_password
+ - name: ansible_become_pass
+ - name: ansible_pmrun_pass
+ env:
+ - name: ANSIBLE_BECOME_PASS
+ - name: ANSIBLE_PMRUN_PASS
+ ini:
+ - section: pmrun_become_plugin
+ key: password
+ notes:
+ - This plugin ignores the become_user supplied and uses pmrun's own configuration to select the user.
+'''
+
+from ansible.plugins.become import BecomeBase
+from ansible.module_utils.six.moves import shlex_quote
+
+
+class BecomeModule(BecomeBase):
+
+ name = 'community.general.pmrun'
+ prompt = 'Enter UPM user password:'
+
+ def build_become_command(self, cmd, shell):
+ super(BecomeModule, self).build_become_command(cmd, shell)
+
+ if not cmd:
+ return cmd
+
+ become = self.get_option('become_exe')
+
+ flags = self.get_option('become_flags')
+ return '%s %s %s' % (become, flags, shlex_quote(self._build_success_command(cmd, shell)))
diff --git a/ansible_collections/community/general/plugins/become/sesu.py b/ansible_collections/community/general/plugins/become/sesu.py
new file mode 100644
index 000000000..5958c1bfc
--- /dev/null
+++ b/ansible_collections/community/general/plugins/become/sesu.py
@@ -0,0 +1,92 @@
+# -*- coding: utf-8 -*-
+# Copyright (c) 2018, Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+DOCUMENTATION = '''
+ name: sesu
+ short_description: CA Privileged Access Manager
+ description:
+ - This become plugins allows your remote/login user to execute commands as another user via the sesu utility.
+ author: ansible (@nekonyuu)
+ options:
+ become_user:
+ description: User you 'become' to execute the task
+ default: ''
+ ini:
+ - section: privilege_escalation
+ key: become_user
+ - section: sesu_become_plugin
+ key: user
+ vars:
+ - name: ansible_become_user
+ - name: ansible_sesu_user
+ env:
+ - name: ANSIBLE_BECOME_USER
+ - name: ANSIBLE_SESU_USER
+ become_exe:
+ description: sesu executable
+ default: sesu
+ ini:
+ - section: privilege_escalation
+ key: become_exe
+ - section: sesu_become_plugin
+ key: executable
+ vars:
+ - name: ansible_become_exe
+ - name: ansible_sesu_exe
+ env:
+ - name: ANSIBLE_BECOME_EXE
+ - name: ANSIBLE_SESU_EXE
+ become_flags:
+ description: Options to pass to sesu
+ default: -H -S -n
+ ini:
+ - section: privilege_escalation
+ key: become_flags
+ - section: sesu_become_plugin
+ key: flags
+ vars:
+ - name: ansible_become_flags
+ - name: ansible_sesu_flags
+ env:
+ - name: ANSIBLE_BECOME_FLAGS
+ - name: ANSIBLE_SESU_FLAGS
+ become_pass:
+ description: Password to pass to sesu
+ required: false
+ vars:
+ - name: ansible_become_password
+ - name: ansible_become_pass
+ - name: ansible_sesu_pass
+ env:
+ - name: ANSIBLE_BECOME_PASS
+ - name: ANSIBLE_SESU_PASS
+ ini:
+ - section: sesu_become_plugin
+ key: password
+'''
+
+from ansible.plugins.become import BecomeBase
+
+
+class BecomeModule(BecomeBase):
+
+ name = 'community.general.sesu'
+
+ prompt = 'Please enter your password:'
+ fail = missing = ('Sorry, try again with sesu.',)
+
+ def build_become_command(self, cmd, shell):
+ super(BecomeModule, self).build_become_command(cmd, shell)
+
+ if not cmd:
+ return cmd
+
+ become = self.get_option('become_exe')
+
+ flags = self.get_option('become_flags')
+ user = self.get_option('become_user')
+ return '%s %s %s -c %s' % (become, flags, user, self._build_success_command(cmd, shell))
diff --git a/ansible_collections/community/general/plugins/become/sudosu.py b/ansible_collections/community/general/plugins/become/sudosu.py
new file mode 100644
index 000000000..60bb2aa51
--- /dev/null
+++ b/ansible_collections/community/general/plugins/become/sudosu.py
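Review bot: The success command is appended after `-c` without quoting in `build_become_command`, whereas pmrun.py in this commit wraps the same value in `shlex_quote`. `_build_success_command` is defined outside this diff, but called without `noexe` it presumably returns a multi-word `<shell> -c '<...>'` string, so `-c` would receive only its first word if sesu parses arguments the way su does. If that holds, the return should be `'%s %s %s -c %s' % (become, flags, user, shlex_quote(self._build_success_command(cmd, shell)))` with the `shlex_quote` import added; ksu.py's `-e` form deserves the same check. `fail` and `missing` also share one tuple, so a wrong password and a missing one are reported identically.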
@@ -0,0 +1,92 @@
+# -*- coding: utf-8 -*-
+# Copyright (c) 2021, Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+DOCUMENTATION = """
+ name: sudosu
+ short_description: Run tasks using sudo su -
+ description:
+ - This become plugin allows your remote/login user to execute commands as another user via the C(sudo) and C(su) utilities combined.
+ author:
+ - Dag Wieers (@dagwieers)
+ version_added: 2.4.0
+ options:
+ become_user:
+ description: User you 'become' to execute the task.
+ default: root
+ ini:
+ - section: privilege_escalation
+ key: become_user
+ - section: sudo_become_plugin
+ key: user
+ vars:
+ - name: ansible_become_user
+ - name: ansible_sudo_user
+ env:
+ - name: ANSIBLE_BECOME_USER
+ - name: ANSIBLE_SUDO_USER
+ become_flags:
+ description: Options to pass to C(sudo).
+ default: -H -S -n
+ ini:
+ - section: privilege_escalation
+ key: become_flags
+ - section: sudo_become_plugin
+ key: flags
+ vars:
+ - name: ansible_become_flags
+ - name: ansible_sudo_flags
+ env:
+ - name: ANSIBLE_BECOME_FLAGS
+ - name: ANSIBLE_SUDO_FLAGS
+ become_pass:
+ description: Password to pass to C(sudo).
+ required: false
+ vars:
+ - name: ansible_become_password
+ - name: ansible_become_pass
+ - name: ansible_sudo_pass
+ env:
+ - name: ANSIBLE_BECOME_PASS
+ - name: ANSIBLE_SUDO_PASS
+ ini:
+ - section: sudo_become_plugin
+ key: password
+"""
+
+
+from ansible.plugins.become import BecomeBase
+
+
+class BecomeModule(BecomeBase):
+
+ name = 'community.general.sudosu'
+
+ # messages for detecting prompted password issues
+ fail = ('Sorry, try again.',)
+ missing = ('Sorry, a password is required to run sudo', 'sudo: a password is required')
+
+ def build_become_command(self, cmd, shell):
+ super(BecomeModule, self).build_become_command(cmd, shell)
+
+ if not cmd:
+ return cmd
+
+ becomecmd = 'sudo'
+
+ flags = self.get_option('become_flags') or ''
+ prompt = ''
+ if self.get_option('become_pass'):
+ self.prompt = '[sudo via ansible, key=%s] password:' % self._id
+ if flags: # this could be simplified, but kept as is for now for backwards string matching
+ flags = flags.replace('-n', '')
+ prompt = '-p "%s"' % (self.prompt)
+
+ user = self.get_option('become_user') or ''
+ if user:
+ user = '%s' % (user)
+
+ return ' '.join([becomecmd, flags, prompt, 'su -l', user, self._build_success_command(cmd, shell)]) |