Templating: make sure only one variable results are cached (#67429)

* Make sure only one variable results are cached.

* Add changelog.

* Add test.

changelogs/fragments/67429-jinja2-caching.yml

@@ -0,0 +1,2 @@
+bugfixes:
+- "Templating - Ansible was caching results of Jinja2 expressions in some cases where these expressions could have dynamic results, like password generation (https://github.com/ansible/ansible/issues/34144)."

lib/ansible/template/__init__.py

@@ -628,7 +628,7 @@ def template(self, variable, convert_bare=False, preserve_trailing_newlines=True
                         # we only cache in the case where we have a single variable
                         # name, to make sure we're not putting things which may otherwise
                         # be dynamic in the cache (filters, lookups, etc.)
-                        if cache:
+                        if cache and only_one:
                             self._cached_result[sha1_hash] = result
 
                 return result

test/integration/targets/templating_lookups/template_lookups/tasks/main.yml

@@ -71,3 +71,18 @@
 - name: set with_dict
   shell: echo "{{ item.key + '=' + item.value  }}"
   with_dict: "{{ mydict }}"
+
+# BUG #34144 bad template caching
+
+- name: generate two random passwords
+  set_fact:
+    password1: "{{ lookup('password', '/dev/null length=20') }}"
+    password2: "{{ lookup('password', '/dev/null length=20') }}"
+    # If the passwords are generated randomly, the chance that they
+    # coincide is neglectable (< 1e-18 assuming 120 bits of randomness
+    # per password).
+
+- name: make sure passwords are not the same
+  assert:
+    that:
+      - password1 != password2