From 8784469b4c541ed06448e7645200d4b1e8d3a101 Mon Sep 17 00:00:00 2001
From: Abhijeet Kasurde
Date: Thu, 31 Oct 2024 08:27:37 -0700
Subject: encrypt: raise error on passing unsupported passlib hashtype (#84186)
* Raise an AnsibleFilterError when unsupported passlib hashtype is provided in do_encrypt.
Signed-off-by: Abhijeet Kasurde
---
changelogs/fragments/passlib.yml | 3 +++
lib/ansible/plugins/filter/core.py | 15 ++-------------
test/integration/targets/filter_core/tasks/main.yml | 8 +++-----
test/sanity/ignore.txt | 1 -
4 files changed, 8 insertions(+), 19 deletions(-)
create mode 100644 changelogs/fragments/passlib.yml
diff --git a/changelogs/fragments/passlib.yml b/changelogs/fragments/passlib.yml
new file mode 100644
index 0000000000..b6bf883ae6
--- /dev/null
+++ b/changelogs/fragments/passlib.yml
@@ -0,0 +1,3 @@
+---
+removed_features:
+ - encrypt - passing unsupported passlib hashtype now raises AnsibleFilterError.
diff --git a/lib/ansible/plugins/filter/core.py b/lib/ansible/plugins/filter/core.py
index e0deea7e80..0e0b4275de 100644
--- a/lib/ansible/plugins/filter/core.py
+++ b/lib/ansible/plugins/filter/core.py 
@@ -286,26 +286,15 @@ def get_encrypted_password(password, hashtype='sha512', salt=None, salt_size=Non hashtype = passlib_mapping.get(hashtype, hashtype) - unknown_passlib_hashtype = False if PASSLIB_AVAILABLE and hashtype not in passlib_mapping and hashtype not in passlib_mapping.values(): - unknown_passlib_hashtype = True - display.deprecated( - f"Checking for unsupported password_hash passlib hashtype '{hashtype}'. " - "This will be an error in the future as all supported hashtypes must be documented.", - version='2.19' - ) + raise AnsibleFilterError(f"{hashtype} is not in the list of supported passlib algorithms: {', '.join(passlib_mapping)}") try: return do_encrypt(password, hashtype, salt=salt, salt_size=salt_size, rounds=rounds, ident=ident) except AnsibleError as e: reraise(AnsibleFilterError, AnsibleFilterError(to_native(e), orig_exc=e), sys.exc_info()[2]) except Exception as e: - if unknown_passlib_hashtype: - # This can occur if passlib.hash has the hashtype attribute, but it has a different signature than the valid choices. - # In 2.19 this will replace the deprecation warning above and the extra exception handling can be deleted. - choices = ', '.join(passlib_mapping) - raise AnsibleFilterError(f"{hashtype} is not in the list of supported passlib algorithms: {choices}") from e - raise + raise AnsibleFilterError(f"Failed to encrypt the password due to: {e}") def to_uuid(string, namespace=UUID_NAMESPACE_ANSIBLE): diff --git a/test/integration/targets/filter_core/tasks/main.yml b/test/integration/targets/filter_core/tasks/main.yml index 8b325a9327..947fc6c2d2 100644 --- a/test/integration/targets/filter_core/tasks/main.yml +++ b/test/integration/targets/filter_core/tasks/main.yml 
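Review bot: The new `except Exception as e:` branch raises `AnsibleFilterError(f"Failed to encrypt the password due to: {e}")` without `orig_exc=e` or `from e`, while the `AnsibleError` branch directly above it passes `orig_exc=e` and formats the text with `to_native(e)`. I would keep the two branches consistent so the original backend exception stays attached to the filter error: `raise AnsibleFilterError(f"Failed to encrypt the password due to: {to_native(e)}", orig_exc=e) from e`. Because the backend's exception text is now copied into the task-visible failure message, it is also worth confirming that no hashing backend puts the salt or the password into its exception string. The body of `get_encrypted_password` starts above this hunk, so the contents of `passlib_mapping` are not visible here.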
@@ -468,12 +468,12 @@ - name: Verify password_hash assert: that: - - "'what in the WORLD is up?'|password_hash|length == 120 or 'what in the WORLD is up?'|password_hash|length == 106" + - "'what in the WORLD is up?'|password_hash|length in (120, 106)" # This throws a vastly different error on py2 vs py3, so we just check # that it's a failure, not a substring of the exception. - password_hash_1 is failed - password_hash_2 is failed - - "'not support' in password_hash_2.msg" + - "'is not in the list of supported passlib algorithms' in password_hash_2.msg" - name: test using passlib with an unsupported hash type set_fact: @@ -483,9 +483,7 @@ - assert: that: - - unsupported_hash_type.msg == msg - vars: - msg: "msdcc is not in the list of supported passlib algorithms: md5, blowfish, sha256, sha512" + - "'msdcc is not in the list of supported passlib algorithms' in unsupported_hash_type.msg" - name: Verify to_uuid throws on weird namespace set_fact: diff --git a/test/sanity/ignore.txt b/test/sanity/ignore.txt index 2466a64221..5736094ef8 100644 --- a/test/sanity/ignore.txt +++ b/test/sanity/ignore.txt @@ -156,7 +156,6 @@ lib/ansible/plugins/action/copy.py pylint:undefined-variable test/integration/targets/module_utils/library/test_optional.py pylint:used-before-assignment test/support/windows-integration/plugins/action/win_copy.py pylint:undefined-variable lib/ansible/plugins/connection/__init__.py pylint:ansible-deprecated-version -lib/ansible/plugins/filter/core.py pylint:ansible-deprecated-version lib/ansible/vars/manager.py pylint:ansible-deprecated-version test/units/module_utils/basic/test_exit_json.py mypy-3.13:assignment test/units/module_utils/basic/test_exit_json.py mypy-3.13:misc -- cgit v1.2.3
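Review bot: In the second `main.yml` hunk the check on `unsupported_hash_type.msg` is relaxed from an exact comparison to a substring match, so the test no longer pins the list of algorithms that the error advertises as supported. If the tail of the message is stable, the substring can carry the list the removed `msg` var held: `- "'msdcc is not in the list of supported passlib algorithms: md5, blowfish, sha256, sha512' in unsupported_hash_type.msg"`. The task that sets `unsupported_hash_type` lies partly outside the hunk, so whether the message is wrapped with extra text there cannot be confirmed from this view.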