
Allowed become_methods in ansible-lint don't match with what ansible provides #3481

Closed
romankuchin opened this issue May 23, 2023 · 1 comment · Fixed by #3484

romankuchin commented May 23, 2023

Summary

List of become_methods in ansible:

```console
$ ansible-doc -t become -l
ansible.netcommon.enable     Switch to elevated permissions on a network device
community.general.doas       Do As user
community.general.dzdo       Centrify's Direct Authorize
community.general.ksu        Kerberos substitute user
community.general.machinectl Systemd's machinectl privilege escalation
community.general.pbrun      PowerBroker run
community.general.pfexec     profile based execution
community.general.pmrun      Privilege Manager run
community.general.sesu       CA Privileged Access Manager
community.general.sudosu     Run tasks using sudo su -
runas                        Run As user
su                           Substitute User
sudo                         Substitute User DO
```

What ansible-lint allows:

```json
"become_method": {
  "markdownDescription": "See [become](https://docs.ansible.com/ansible/latest/user_guide/become.html)",
  "oneOf": [
    {
      "enum": [
        "sudo",
        "su",
        "pbrun",
        "pfexec",
        "runas",
        "dzdo",
        "ksu",
        "doas",
        "machinectl"
      ],
      "type": "string"
    },
    {
      "$ref": "#/$defs/full-jinja"
    }
  ],
  "title": "Become Method"
},
```

Issue Type

  • Bug Report

OS / ENVIRONMENT

```console
$ ansible-lint --version
ansible-lint 6.16.2 using ansible-core:2.13.5 ruamel-yaml:0.17.26 ruamel-yaml-clib:0.2.7
```

  • ansible installation method: pip
  • ansible-lint installation method: pip
STEPS TO REPRODUCE

Valid ansible tasks:

```yaml
  - command: whoami
    become: true
    become_method: community.general.sudosu
    become_user: nessus
    register: output

  - debug:
      var: output
```
Desired Behavior

Ansible-lint doesn't generate an error on the above code.

Actual Behavior

```console
$ ansible-lint playbook.yaml
schema[playbook]: {'command': 'whoami', 'become': True, 'become_method': 'community.general.sudosu', 'become_user': 'nessus', 'register': 'output'} is not valid under any of the given schemas
playbook.yaml:1  Returned errors will not include exact line numbers, but they will mention
the schema name being used as a tag, like ``schema[playbook]``,
``schema[tasks]``.

This rule is not skippable and stops further processing of the file.

If incorrect schema was picked, you might want to either:

* move the file to standard location, so its file is detected correctly.
* use ``kinds:`` option in linter config to help it pick correct file type.
```

If I change become_method to something that ansible-lint allows, there are no errors, but I need become_method: community.general.sudosu, which makes it impossible to use ansible-lint.

@romankuchin romankuchin added bug new Triage required labels May 23, 2023
@ssbarnea ssbarnea removed the new Triage required label May 23, 2023
ssbarnea (Member) commented:

@ajinkyau Please make a first workaround by adding the missing common values to the enum but also by changing the definition to allow a random string too.

Later, I will upgrade the compat Runtime with something similar to the below, to allow us to retrieve the exact list of become plugins and check from within Python code whether the given string is a known become method. Basically the schema will no longer validate the string; we will do it in Python.

```python
from functools import cache


class Runtime:

    # Sketch: the plugin listing is expensive to compute, so cache it per type.
    @cache
    def plugins(self, type: str) -> dict[str, str]:
        ...
```
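The approach proposed above, as an added example that is not ansible-lint's or ansible-compat's own code: the check parses the plugin listing that `ansible-doc -t become -l` prints (the sample listing is constructed from the output quoted in the issue), accepts a `become_method` if it names an installed become plugin or is a full Jinja expression, and otherwise reports an error. The rule tag `become[method]` and the function names are assumptions for illustration.

```python
"""Validate become_method against the become plugins ansible actually provides."""
import re

# Constructed sample, taken from the `ansible-doc -t become -l` listing in the issue.
ANSIBLE_DOC_OUTPUT = """\
ansible.netcommon.enable     Switch to elevated permissions on a network device
community.general.doas       Do As user
community.general.sudosu     Run tasks using sudo su -
runas                        Run As user
su                           Substitute User
sudo                         Substitute User DO
"""

# Mirrors the schema's "full-jinja" branch: the whole value is one {{ ... }} expression.
FULL_JINJA = re.compile(r"^\s*\{\{.*\}\}\s*$", re.DOTALL)


def parse_become_plugins(listing: str) -> dict[str, str]:
    """Parse `ansible-doc -t become -l` output into {plugin_name: description}."""
    plugins: dict[str, str] = {}
    for line in listing.splitlines():
        parts = line.split(None, 1)  # name, then free-form description
        if not parts:
            continue
        plugins[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return plugins


def is_known_become_method(value: object, known: dict[str, str]) -> bool:
    """True if value names an installed become plugin or is a Jinja expression."""
    if not isinstance(value, str):
        return False
    return value in known or bool(FULL_JINJA.match(value))


def lint_task(task: dict, known: dict[str, str]) -> list[str]:
    """Return linter-style messages for one task; an empty list means it is clean."""
    errors: list[str] = []
    method = task.get("become_method")
    if method is not None and not is_known_become_method(method, known):
        errors.append(
            f"become[method]: {method!r} is not an installed become plugin "
            f"(known: {', '.join(sorted(known))})"
        )
    return errors
```

Unlike a fixed enum in the schema, the known set here follows whatever collections are installed, so `community.general.sudosu` passes only when the collection providing it is present.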

ssbarnea added a commit to ansible/ansible-compat that referenced this issue May 23, 2023
* Enable access to available plugins

Related: ansible/ansible-lint#3481