redhat_subscription fails when password starting with exclamation mark gets handed over from environment file

mschreie commented 1 year ago

Summary

subscription_manager with username / password authentication fails in rare circumstances To make it fail:

password must start with exclamation mark
password must be set within a file which gets handed over with -e@file.yml
fails with ansible-navigator as well as with ansible-playbook but reproducably

Issue Type

Bug Report

Component Name

redhat_subscription

Ansible Version

ansible --version
ansible [core 2.13.4]
  config file = /home/mschreie/projects/playbook-rhaap/ansible.cfg
  configured module search path = ['/home/mschreie/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.9/site-packages/ansible
  ansible collection location = /home/mschreie/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.9.10 (main, Feb  9 2022, 00:00:00) [GCC 11.2.1 20220127 (Red Hat 11.2.1-9)]
  jinja version = 3.0.3
  libyaml = True

Community.general Version

$ ansible-galaxy collection list community.general

# /home/mschreie/.ansible/collections/ansible_collections
Collection        Version
----------------- -------
community.general 6.1.0

Configuration

$ ansible-config dump --only-changed
GALAXY_SERVER_LIST(/home/mschreie/projects/playbook-rhaap/ansible.cfg) = ['automation_hub', 'community_galaxy']

OS / Environment

cat /etc/rele NAME="Red Hat Enterprise Linux" VERSION="9.0 (Plow)" ID="rhel" ID_LIKE="fedora" VERSION_ID="9.0" PLATFORM_ID="platform:el9" PRETTY_NAME="Red Hat Enterprise Linux 9.0 (Plow)" ANSI_COLOR="0;31" LOGO="fedora-logo-icon" CPE_NAME="cpe:/o:redhat:enterprise_linux:9::baseos" HOME_URL="https://www.redhat.com/" DOCUMENTATION_URL="https://access.redhat.com/documentation/red_hat_enterprise_linux/9/" BUG_REPORT_URL="https://bugzilla.redhat.com/"

REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 9" REDHAT_BUGZILLA_PRODUCT_VERSION=9.0 REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux" REDHAT_SUPPORT_PRODUCT_VERSION="9.0" Red Hat Enterprise Linux release 9.0 (Plow) Red Hat Enterprise Linux release 9.0 (Plow) cpe:/o:redhat:enterprise_linux:9::baseos

Steps to Reproduce

Playbook to be used:

---
- name: subscribe playbook
  hosts: some_unsubscribed_rhel8_host
  remote_user: root

  tasks:
  - name: register on RHN
    community.general.redhat_subscription:
      username: "{{ rhsm_username }}"
      password: "{{ rhsm_password }}"
      auto_attach: true
      pool_ids:
        - "{{ rhsm_poolid | default (omit) }}"
    vars:
      rhsm_username: "mschreie"
      rhsm_password: "!mypassword"
      rhsm_poolid: "2c9xxxxxx"
    register: subscribe

  - name: debug
    ansible.builtin.debug:
      var: subscribe

myvar.yml to be used:

---
rhsm_username: 'mschreie'
rhsm_password: '!mypassword'
rhsm_poolid: '2c9xxxxxx'

Hint: poolid and password is not the original password. Working commands:

ansible-playbook -vvv subscribe.yml -i inventory

ansible-playbook -vvv subscribe.yml -i inventory  -e rhsm_password='!mypassword'

ansible-playbook -vvv subscribe.yml -i inventory  -e rhsm_password='!mypassword' -e rhsm_username=mschreie -e rhsm_poolid=2c9xxxxxx

NOT working command:

ansible-playbook -vvv subscribe.yml -i inventory  -e @myvar.yml

This command comes back with "permission denied"

Expected Results

I expect that the command works even if the password starts with an exclamation mark.

Actual Results

permission denied - i don't have the output at hand at this very moment....

Code of Conduct

[X] I agree to follow the Ansible Code of Conduct

ansibullbot commented 1 year ago

Files identified in the description: None

If these files are incorrect, please update the component name section of the description or use the !component bot command.

click here for bot help

ansibullbot commented 1 year ago

Files identified in the description:

plugins/modules/redhat_subscription.py

If these files are incorrect, please update the component name section of the description or use the !component bot command.

click here for bot help

ansibullbot commented 1 year ago

cc @alikins @barnabycourt @kahowell click here for bot help

ptoscano commented 1 year ago

Hm interesting behaviour, I don't see what could be wrong. Could you please attach the (redacted of credentials, of course) output of ansible-playbook -vv?

Also, can you please try replacing the redhat_subscription task in your playbook with debug, and check what's the output? I'm thinking about something like

---
- name: subscribe playbook
  hosts: some_unsubscribed_rhel8_host
  remote_user: root

  tasks:
  - name: register on RHN
    debug:
      var: rhsm_password
    vars:
      rhsm_username: "mschreie"
      rhsm_password: "!mypassword"
      rhsm_poolid: "2c9xxxxxx"
    register: subscribe

If you run ansible-playbook -vvv subscribe.yml -i inventory -e @myvar.yml, do you get the right output for the rhsm_password variable?

ansibullbot commented 1 year ago

cc @cnsnyder click here for bot help

ansible-collections / community.general