ICX connection/elevation fails due to different password prompt

[sjwk]

SUMMARY

My ICX switches currently have a configuration setting aaa authentication enable default enable, which changes the enable prompt. Removing the configuration entry fixes the issue, but would be nice if the module handled both 'Password:' and 'Enable Password' prompts.

ISSUE TYPE

• Bug Report

COMPONENT NAME

All icx_ modules

ANSIBLE VERSION

ansible [core 2.13.3]
  config file = /usr/local/foo/ansible/ansible.cfg
  configured module search path = ['/home/foo/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/foo/ansible/lib/python3.8/site-packages/ansible
  ansible collection location = /usr/local/foo/ansible/collections
  executable location = /usr/local/foo/ansible/bin/ansible
  python version = 3.8.10 (default, Nov 14 2022, 12:59:47) [GCC 9.4.0]
  jinja version = 3.1.2
  libyaml = True

COLLECTION VERSION

# /usr/local/foo/ansible/lib/python3.8/site-packages/ansible_collections
Collection        Version
----------------- -------
community.network 4.0.1

# /usr/local/foo/ansible/collections/ansible_collections
Collection        Version
----------------- -------
community.network 5.0.0

CONFIGURATION

ANSIBLE_NOCOWS(/usr/local/foo/ansible/ansible.cfg) = True
COLLECTIONS_PATHS(/usr/local/foo/ansible/ansible.cfg) = ['/usr/local/foo/ansible/collections']
DEFAULT_DEBUG(env: ANSIBLE_DEBUG) = False
DEFAULT_HOST_LIST(/usr/local/foo/ansible/ansible.cfg) = ['/usr/local/foo/ansible/hosts']
DEFAULT_KEEP_REMOTE_FILES(env: ANSIBLE_KEEP_REMOTE_FILES) = False
DEFAULT_LOG_PATH(env: ANSIBLE_LOG_PATH) = /home/foo/ansible.log
DEFAULT_REMOTE_USER(/usr/local/foo/ansible/ansible.cfg) = ansdeploy
DEFAULT_ROLES_PATH(/usr/local/foo/ansible/ansible.cfg) = ['/usr/local/foo/ansible/roles']
HOST_KEY_CHECKING(/usr/local/foo/ansible/ansible.cfg) = False
INTERPRETER_PYTHON(/usr/local/foo/ansible/ansible.cfg) = auto

OS / ENVIRONMENT

Ruckus ICX switches running OS 08.0.95bcT211

STEPS TO REPRODUCE

Ruckus config contains:

aaa authentication enable default enable
aaa authentication login default local
enable super-user-password .....
username foo password .....

Ansible playbook configured with:

ansible_connection: ansible.netcommon.network_cli
ansible_network_os: community.network.icx
ansible_user: foo
ansible_password: #####
ansible_become: yes
ansible_become_method: enable
ansible_become_password: #####

  - name: Gather facts
    community.network.icx_facts:
      gather_subset: all

Running the above times out. I had one switch configured slightly differently which worked. Eventually found that with the configuration line to use the enable password (1st line) present, the prompt for the password was different (this may also be the case if other authentication options are chosen):

# Without the aaa authentication enable default enable
(ansible) foo@titan:~/ansible$ ssh foo@test.switch
Password:
SSH@test>ena
Password:
SSH@test#
# With the aaa authentication enable default enable
(ansible) foo@titan:~/ansible$ ssh foo@test.switch
Password:
SSH@test>ena
Enable Password:

EXPECTED RESULTS

To run the task

ACTUAL RESULTS

To timeout and not run the task

It may be that the Ruckus configuration is superfluous - certainly without the line it still authenticates with the user password and accepts the specific enable password to go into enable mode.

[Andersson007]

@sjwk hello, thanks for reporting the issue!

@commscope @sushma-alethea as you mentioned as its maintainers, would you like to take a look?

If anyone else wants to fix it, here's the Quick-start dev guide that can help.
Stuff in this collection needs more maintainers, so if you're interested, feel free to pick things up!
We'd be happy to assist along the way.

[sjwk]

When I have some time I will look into the dev guide, never actually submitted any PRs before and don't have an environment set up, but something I'd be interested in learning.

In the meantime, I've located where the issue is, and worked around it - although my 'fix' is more of a kludge and doesn't scale well, so I'll look at some other network modules and see if they have a better model.

In community/network/plugins/terminal/icx.py I found the regexp used to match the password prompt, originally:
cmd[u'prompt'] = to_text(r"[\r\n](?:Local_)?[Pp]assword: ?$", errors='surrogate_or_strict')
and updated it to:
cmd[u'prompt'] = to_text(r"[\r\n](?:Enable )?(?:Local_)?[Pp]assword: ?$", errors='surrogate_or_strict')

It seems to work in my test case, but doesn't seem the most efficient way to do it, and if other settings require different password prompts, wouldn't scale well to keep adding more options to the password prompt expression.

[Andersson007]

When I have some time I will look into the dev guide, never actually submitted any PRs before and don't have an environment set up, but something I'd be interested in learning.

In the meantime, I've located where the issue is, and worked around it - although my 'fix' is more of a kludge and doesn't scale well, so I'll look at some other network modules and see if they have a better model.

In community/network/plugins/terminal/icx.py I found the regexp used to match the password prompt, originally: cmd[u'prompt'] = to_text(r"[\r\n](?:Local_)?[Pp]assword: ?$", errors='surrogate_or_strict') and updated it to: cmd[u'prompt'] = to_text(r"[\r\n](?:Enable )?(?:Local_)?[Pp]assword: ?$", errors='surrogate_or_strict')

It seems to work in my test case, but doesn't seem the most efficient way to do it, and if other settings require different password prompts, wouldn't scale well to keep adding more options to the password prompt expression.

cool, thanks for your interest! i'm not a network engineer and not a spec in the underlying technology used by the modules but i can help with general contribution related stuff.
Feel free to ask any questions (fyi i won't be available from tomorrow until next Wednesday/Thursday, i'll reply after that).