From 7fd37ea247ba351b541d472cbedefc60fb98473f Mon Sep 17 00:00:00 2001
From: Felix Fontein <felix@fontein.de>
Date: Sat, 20 Apr 2024 09:39:42 +0200
Subject: [PATCH] inventory plugins: make wrapping variables as unsafe smarter
 to avoid triggering an AWX bug (#8225)

Make wrapping variables as unsafe smarter to avoid triggering an AWX bug.
---
 .github/BOTMETA.yml                    |  5 ++--
 changelogs/fragments/8225-unsafe.yml   |  2 ++
 plugins/inventory/cobbler.py           |  3 +-
 plugins/inventory/gitlab_runners.py    |  3 +-
 plugins/inventory/icinga2.py           |  3 +-
 plugins/inventory/linode.py            |  3 +-
 plugins/inventory/lxd.py               |  2 +-
 plugins/inventory/nmap.py              |  3 +-
 plugins/inventory/online.py            |  3 +-
 plugins/inventory/opennebula.py        |  3 +-
 plugins/inventory/proxmox.py           |  2 +-
 plugins/inventory/scaleway.py          |  2 +-
 plugins/inventory/stackpath_compute.py |  3 +-
 plugins/inventory/virtualbox.py        |  3 +-
 plugins/inventory/xen_orchestra.py     |  2 +-
 plugins/plugin_utils/unsafe.py         | 41 ++++++++++++++++++++++++++
 16 files changed, 68 insertions(+), 15 deletions(-)
 create mode 100644 changelogs/fragments/8225-unsafe.yml
 create mode 100644 plugins/plugin_utils/unsafe.py

diff --git a/.github/BOTMETA.yml b/.github/BOTMETA.yml
index 64cbc7021b..4089e300db 100644
--- a/.github/BOTMETA.yml
+++ b/.github/BOTMETA.yml
@@ -1445,6 +1445,8 @@ files:
     ignore: matze
     labels: zypper
     maintainers: $team_suse
+  $plugin_utils/unsafe.py:
+    maintainers: felixfontein
   $tests/a_module.py:
     maintainers: felixfontein
   $tests/fqdn_valid.py:
@@ -1501,7 +1503,6 @@ macros:
   becomes: plugins/become
   caches: plugins/cache
   callbacks: plugins/callback
-  cliconfs: plugins/cliconf
   connections: plugins/connection
   doc_fragments: plugins/doc_fragments
   filters: plugins/filter
@@ -1509,7 +1510,7 @@ macros:
   lookups: plugins/lookup
   module_utils: plugins/module_utils
   modules: plugins/modules
-  terminals: plugins/terminal
+  plugin_utils: plugins/plugin_utils
   tests: plugins/test
   team_ansible_core:
   team_aix: MorrisA bcoca d-little flynn1973 gforster kairoaraujo marvin-sinister mator molekuul ramooncamacho wtcross
diff --git a/changelogs/fragments/8225-unsafe.yml b/changelogs/fragments/8225-unsafe.yml
new file mode 100644
index 0000000000..496797ef74
--- /dev/null
+++ b/changelogs/fragments/8225-unsafe.yml
@@ -0,0 +1,2 @@
+bugfixes:
+  - "inventory plugins - add unsafe wrapper to avoid marking strings that do not contain ``{`` or ``}`` as unsafe, to work around a bug in AWX ((https://github.com/ansible-collections/community.general/issues/8212, https://github.com/ansible-collections/community.general/pull/8225)."
diff --git a/plugins/inventory/cobbler.py b/plugins/inventory/cobbler.py
index 8ca36f4264..cdef9944a0 100644
--- a/plugins/inventory/cobbler.py
+++ b/plugins/inventory/cobbler.py
@@ -117,7 +117,8 @@ from ansible.errors import AnsibleError
 from ansible.module_utils.common.text.converters import to_text
 from ansible.plugins.inventory import BaseInventoryPlugin, Cacheable, to_safe_group_name
 from ansible.module_utils.six import text_type
-from ansible.utils.unsafe_proxy import wrap_var as make_unsafe
+
+from ansible_collections.community.general.plugins.plugin_utils.unsafe import make_unsafe
 
 # xmlrpc
 try:
diff --git a/plugins/inventory/gitlab_runners.py b/plugins/inventory/gitlab_runners.py
index 536f4bb1b8..bd29e8d310 100644
--- a/plugins/inventory/gitlab_runners.py
+++ b/plugins/inventory/gitlab_runners.py
@@ -83,7 +83,8 @@ keyed_groups:
 from ansible.errors import AnsibleError, AnsibleParserError
 from ansible.module_utils.common.text.converters import to_native
 from ansible.plugins.inventory import BaseInventoryPlugin, Constructable
-from ansible.utils.unsafe_proxy import wrap_var as make_unsafe
+
+from ansible_collections.community.general.plugins.plugin_utils.unsafe import make_unsafe
 
 try:
     import gitlab
diff --git a/plugins/inventory/icinga2.py b/plugins/inventory/icinga2.py
index 6746bb8e0f..d1f2bc617f 100644
--- a/plugins/inventory/icinga2.py
+++ b/plugins/inventory/icinga2.py
@@ -102,7 +102,8 @@ from ansible.errors import AnsibleParserError
 from ansible.plugins.inventory import BaseInventoryPlugin, Constructable
 from ansible.module_utils.urls import open_url
 from ansible.module_utils.six.moves.urllib.error import HTTPError
-from ansible.utils.unsafe_proxy import wrap_var as make_unsafe
+
+from ansible_collections.community.general.plugins.plugin_utils.unsafe import make_unsafe
 
 
 class InventoryModule(BaseInventoryPlugin, Constructable):
diff --git a/plugins/inventory/linode.py b/plugins/inventory/linode.py
index fc79f12c5f..e161e086e5 100644
--- a/plugins/inventory/linode.py
+++ b/plugins/inventory/linode.py
@@ -122,7 +122,8 @@ compose:
 
 from ansible.errors import AnsibleError
 from ansible.plugins.inventory import BaseInventoryPlugin, Constructable, Cacheable
-from ansible.utils.unsafe_proxy import wrap_var as make_unsafe
+
+from ansible_collections.community.general.plugins.plugin_utils.unsafe import make_unsafe
 
 
 try:
diff --git a/plugins/inventory/lxd.py b/plugins/inventory/lxd.py
index c803f47ddc..cf64f4ee8c 100644
--- a/plugins/inventory/lxd.py
+++ b/plugins/inventory/lxd.py
@@ -175,7 +175,7 @@ from ansible.module_utils.six import raise_from
 from ansible.errors import AnsibleError, AnsibleParserError
 from ansible.module_utils.six.moves.urllib.parse import urlencode
 from ansible_collections.community.general.plugins.module_utils.lxd import LXDClient, LXDClientException
-from ansible.utils.unsafe_proxy import wrap_var as make_unsafe
+from ansible_collections.community.general.plugins.plugin_utils.unsafe import make_unsafe
 
 try:
     import ipaddress
diff --git a/plugins/inventory/nmap.py b/plugins/inventory/nmap.py
index 3a28007a31..2ca474a1ff 100644
--- a/plugins/inventory/nmap.py
+++ b/plugins/inventory/nmap.py
@@ -126,7 +126,8 @@ from ansible.errors import AnsibleParserError
 from ansible.module_utils.common.text.converters import to_native, to_text
 from ansible.plugins.inventory import BaseInventoryPlugin, Constructable, Cacheable
 from ansible.module_utils.common.process import get_bin_path
-from ansible.utils.unsafe_proxy import wrap_var as make_unsafe
+
+from ansible_collections.community.general.plugins.plugin_utils.unsafe import make_unsafe
 
 
 class InventoryModule(BaseInventoryPlugin, Constructable, Cacheable):
diff --git a/plugins/inventory/online.py b/plugins/inventory/online.py
index b3a9ecd379..9355d9d414 100644
--- a/plugins/inventory/online.py
+++ b/plugins/inventory/online.py
@@ -68,7 +68,8 @@ from ansible.plugins.inventory import BaseInventoryPlugin
 from ansible.module_utils.common.text.converters import to_text
 from ansible.module_utils.ansible_release import __version__ as ansible_version
 from ansible.module_utils.six.moves.urllib.parse import urljoin
-from ansible.utils.unsafe_proxy import wrap_var as make_unsafe
+
+from ansible_collections.community.general.plugins.plugin_utils.unsafe import make_unsafe
 
 
 class InventoryModule(BaseInventoryPlugin):
diff --git a/plugins/inventory/opennebula.py b/plugins/inventory/opennebula.py
index 3babfa2324..b097307c39 100644
--- a/plugins/inventory/opennebula.py
+++ b/plugins/inventory/opennebula.py
@@ -97,7 +97,8 @@ except ImportError:
 from ansible.errors import AnsibleError
 from ansible.plugins.inventory import BaseInventoryPlugin, Constructable
 from ansible.module_utils.common.text.converters import to_native
-from ansible.utils.unsafe_proxy import wrap_var as make_unsafe
+
+from ansible_collections.community.general.plugins.plugin_utils.unsafe import make_unsafe
 
 from collections import namedtuple
 import os
diff --git a/plugins/inventory/proxmox.py b/plugins/inventory/proxmox.py
index ed55ef1b6a..774833c488 100644
--- a/plugins/inventory/proxmox.py
+++ b/plugins/inventory/proxmox.py
@@ -226,9 +226,9 @@ from ansible.module_utils.common.text.converters import to_native
 from ansible.module_utils.six import string_types
 from ansible.module_utils.six.moves.urllib.parse import urlencode
 from ansible.utils.display import Display
-from ansible.utils.unsafe_proxy import wrap_var as make_unsafe
 
 from ansible_collections.community.general.plugins.module_utils.version import LooseVersion
+from ansible_collections.community.general.plugins.plugin_utils.unsafe import make_unsafe
 
 # 3rd party imports
 try:
diff --git a/plugins/inventory/scaleway.py b/plugins/inventory/scaleway.py
index 601129f566..dc24a17dab 100644
--- a/plugins/inventory/scaleway.py
+++ b/plugins/inventory/scaleway.py
@@ -121,10 +121,10 @@ else:
 from ansible.errors import AnsibleError
 from ansible.plugins.inventory import BaseInventoryPlugin, Constructable
 from ansible_collections.community.general.plugins.module_utils.scaleway import SCALEWAY_LOCATION, parse_pagination_link
+from ansible_collections.community.general.plugins.plugin_utils.unsafe import make_unsafe
 from ansible.module_utils.urls import open_url
 from ansible.module_utils.common.text.converters import to_native, to_text
 from ansible.module_utils.six import raise_from
-from ansible.utils.unsafe_proxy import wrap_var as make_unsafe
 
 import ansible.module_utils.six.moves.urllib.parse as urllib_parse
 
diff --git a/plugins/inventory/stackpath_compute.py b/plugins/inventory/stackpath_compute.py
index 9a556d39e0..6b48a49f12 100644
--- a/plugins/inventory/stackpath_compute.py
+++ b/plugins/inventory/stackpath_compute.py
@@ -72,7 +72,8 @@ from ansible.plugins.inventory import (
     Cacheable
 )
 from ansible.utils.display import Display
-from ansible.utils.unsafe_proxy import wrap_var as make_unsafe
+
+from ansible_collections.community.general.plugins.plugin_utils.unsafe import make_unsafe
 
 
 display = Display()
diff --git a/plugins/inventory/virtualbox.py b/plugins/inventory/virtualbox.py
index 8604808e15..79b04ec722 100644
--- a/plugins/inventory/virtualbox.py
+++ b/plugins/inventory/virtualbox.py
@@ -62,7 +62,8 @@ from ansible.module_utils.common.text.converters import to_bytes, to_native, to_
 from ansible.module_utils.common._collections_compat import MutableMapping
 from ansible.plugins.inventory import BaseInventoryPlugin, Constructable, Cacheable
 from ansible.module_utils.common.process import get_bin_path
-from ansible.utils.unsafe_proxy import wrap_var as make_unsafe
+
+from ansible_collections.community.general.plugins.plugin_utils.unsafe import make_unsafe
 
 
 class InventoryModule(BaseInventoryPlugin, Constructable, Cacheable):
diff --git a/plugins/inventory/xen_orchestra.py b/plugins/inventory/xen_orchestra.py
index 96dd997701..4094af2468 100644
--- a/plugins/inventory/xen_orchestra.py
+++ b/plugins/inventory/xen_orchestra.py
@@ -82,9 +82,9 @@ from time import sleep
 
 from ansible.errors import AnsibleError
 from ansible.plugins.inventory import BaseInventoryPlugin, Constructable, Cacheable
-from ansible.utils.unsafe_proxy import wrap_var as make_unsafe
 
 from ansible_collections.community.general.plugins.module_utils.version import LooseVersion
+from ansible_collections.community.general.plugins.plugin_utils.unsafe import make_unsafe
 
 # 3rd party imports
 try:
diff --git a/plugins/plugin_utils/unsafe.py b/plugins/plugin_utils/unsafe.py
new file mode 100644
index 0000000000..1eb61bea0f
--- /dev/null
+++ b/plugins/plugin_utils/unsafe.py
@@ -0,0 +1,41 @@
+# Copyright (c) 2023, Felix Fontein <felix@fontein.de>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+import re
+
+from ansible.module_utils.six import binary_type, text_type
+from ansible.module_utils.common._collections_compat import Mapping, Set
+from ansible.module_utils.common.collections import is_sequence
+from ansible.utils.unsafe_proxy import (
+    AnsibleUnsafe,
+    wrap_var as _make_unsafe,
+)
+
+_RE_TEMPLATE_CHARS = re.compile(u'[{}]')
+_RE_TEMPLATE_CHARS_BYTES = re.compile(b'[{}]')
+
+
+def make_unsafe(value):
+    if value is None or isinstance(value, AnsibleUnsafe):
+        return value
+
+    if isinstance(value, Mapping):
+        return dict((make_unsafe(key), make_unsafe(val)) for key, val in value.items())
+    elif isinstance(value, Set):
+        return set(make_unsafe(elt) for elt in value)
+    elif is_sequence(value):
+        return type(value)(make_unsafe(elt) for elt in value)
+    elif isinstance(value, binary_type):
+        if _RE_TEMPLATE_CHARS_BYTES.search(value):
+            value = _make_unsafe(value)
+        return value
+    elif isinstance(value, text_type):
+        if _RE_TEMPLATE_CHARS.search(value):
+            value = _make_unsafe(value)
+        return value
+
+    return value