Fix inline vaults for plugins in ensure_type (ansible#67492)

* Fix implicit string - only looked right because of the vault __repr__
* Add tests for strings and implicit strings

(cherry picked from commit 8eb00dd)

changelogs/fragments/67492-fix-decrypting-str-types-for-plugins.yaml

@@ -0,0 +1,2 @@
+bugfixes:
+  - plugins - Allow ensure_type to decrypt the value for string types (and implicit string types) when value is an inline vault.

lib/ansible/config/manager.py

@@ -145,13 +145,13 @@ def ensure_type(value, value_type, origin=None):
                 errmsg = 'pathlist'
 
         elif value_type in ('str', 'string'):
-            if isinstance(value, string_types):
+            if isinstance(value, (string_types, AnsibleVaultEncryptedUnicode)):
                 value = unquote(to_text(value, errors='surrogate_or_strict'))
             else:
                 errmsg = 'string'
 
         # defaults to string type
-        elif isinstance(value, string_types):
+        elif isinstance(value, (string_types, AnsibleVaultEncryptedUnicode)):
             value = unquote(to_text(value, errors='surrogate_or_strict'))
 
         if errmsg:

test/units/config/test_manager.py

@@ -131,3 +131,15 @@ def decrypt(self, value):
         actual_value, actual_origin = self.manager._loop_entries({'name': vault_var}, [{'name': 'name'}])
         assert actual_value == "vault text"
         assert actual_origin == "name"
+
+    @pytest.mark.parametrize("value_type", ("str", "string", None))
+    def test_ensure_type_with_vaulted_str(self, value_type):
+        class MockVault:
+            def decrypt(self, value):
+                return value
+
+        vault_var = AnsibleVaultEncryptedUnicode(b"vault text")
+        vault_var.vault = MockVault()
+
+        actual_value = ensure_type(vault_var, value_type)
+        assert actual_value == "vault text"