StackStorm
diff --git a/‎CHANGELOG.rst
+14-9 b/‎CHANGELOG.rst
+14-9
diff --git a/‎contrib/runners/local_runner/local_runner/local_runner.py
+37-4 b/‎contrib/runners/local_runner/local_runner/local_runner.py
+37-4
diff --git a/‎contrib/runners/local_runner/local_runner/runner.yaml
+12 b/‎contrib/runners/local_runner/local_runner/runner.yaml
+12
diff --git a/‎contrib/runners/local_runner/tests/integration/test_localrunner.py
+82 b/‎contrib/runners/local_runner/tests/integration/test_localrunner.py
+82
diff --git a/‎contrib/runners/remote_command_runner/remote_command_runner/remote_command_runner.py
+1 b/‎contrib/runners/remote_command_runner/remote_command_runner/remote_command_runner.py
+1
diff --git a/‎contrib/runners/remote_command_runner/remote_command_runner/runner.yaml
+6 b/‎contrib/runners/remote_command_runner/remote_command_runner/runner.yaml
+6
diff --git a/‎contrib/runners/remote_script_runner/remote_script_runner/remote_script_runner.py
+1 b/‎contrib/runners/remote_script_runner/remote_script_runner/remote_script_runner.py
+1
diff --git a/‎contrib/runners/remote_script_runner/remote_script_runner/runner.yaml
+6 b/‎contrib/runners/remote_script_runner/remote_script_runner/runner.yaml
+6
diff --git a/‎lint-configs/python/.flake8
+1-1 b/‎lint-configs/python/.flake8
+1-1
diff --git a/‎st2actions/tests/unit/test_parallel_ssh.py
+31 b/‎st2actions/tests/unit/test_parallel_ssh.py
+31
diff --git a/‎st2api/st2api/controllers/v1/actionexecutions.py
+1-1 b/‎st2api/st2api/controllers/v1/actionexecutions.py
+1-1
@@ -35,6 +35,11 @@ Added
   common code inside a ``lib`` directory inside a pack (with an ``__init__.py`` inside ``lib``
   directory to declare it a python package). You can then import the common code in sensors and
   actions. Please refer to documentation for samples and guidelines. #3490
+* Add support for password protected sudo to the local and remote runner. Password can be provided
+  via the new ``sudo_password`` runner parameter. (new feature) #3867
+* Add new ``--tail`` flag to the ``st2 run`` / ``st2 action execute`` and ``st2 execution re-run``
+  CLI command. When this flag is provided, new execution will automatically be followed and tailed
+  after it has been scheduled. (new feature) #3867
 
 Changed
 ~~~~~~~
@@ -61,16 +66,16 @@ Changed
   ``AUDIT``. #3845
 * Mask values in an Inquiry response displayed to the user that were marked as "secret" in the
   inquiry's response schema. #3825
-* Added the ability of ``st2 key load`` to load keys from both JSON and YAML files.
-  Files can now contain a single KeyValuePair, or an array of KeyValuePairs.
-  Added the ability of ``st2 key load`` to load non-string values (hashes, arrays,
-  integers, booleans) and convert them to JSON before going into the datastore,
-  this conversion requires the user passing in the ``-c/--convert`` flag.
-  Updated ``st2 key load`` to load all properties of a key/value pair, now
-  secret values can be loaded. (improvement) #3815
+* Add the ability of ``st2 key load`` to load keys from both JSON and YAML files. Files can now
+  contain a single KeyValuePair, or an array of KeyValuePairs. (improvement) #3815
+* Add the ability of ``st2 key load`` to load non-string values (objects, arrays, integers,
+  booleans) and convert them to JSON before going into the datastore, this conversion requires the
+  user passing in the ``-c/--convert`` flag. (improvement) #3815
+* Update ``st2 key load`` to load all properties of a key/value pair, now secret values can be
+  loaded. (improvement) #3815
 
   Contributed by Nick Maludy (Encore Technologies).
-  
+
 Fixed
 ~~~~~
 
@@ -215,7 +220,7 @@ Fixed
 Changed
 ~~~~~~~
 
-* Minor language and style tidy up of help strings and error messages #3782 
+* Minor language and style tidy up of help strings and error messages. #3782
 
 2.4.1 - September 12, 2017
 --------------------------
 
@@ -14,6 +14,7 @@
 # limitations under the License.
 
 import os
+import re
 import pwd
 import uuid
 import functools
@@ -52,6 +53,7 @@
 
 # constants to lookup in runner_parameters.
 RUNNER_SUDO = 'sudo'
+RUNNER_SUDO_PASSWORD = 'sudo_password'
 RUNNER_ON_BEHALF_USER = 'user'
 RUNNER_COMMAND = 'cmd'
 RUNNER_CWD = 'cwd'
@@ -84,6 +86,7 @@ def pre_run(self):
         super(LocalShellRunner, self).pre_run()
 
         self._sudo = self.runner_parameters.get(RUNNER_SUDO, False)
+        self._sudo_password = self.runner_parameters.get(RUNNER_SUDO_PASSWORD, None)
         self._on_behalf_user = self.context.get(RUNNER_ON_BEHALF_USER, LOGGED_USER_USERNAME)
         self._user = cfg.CONF.system_user.user
         self._cwd = self.runner_parameters.get(RUNNER_CWD, None)
@@ -105,7 +108,8 @@ def run(self, action_parameters):
                                         user=self._user,
                                         env_vars=env_vars,
                                         sudo=self._sudo,
-                                        timeout=self._timeout)
+                                        timeout=self._timeout,
+                                        sudo_password=self._sudo_password)
         else:
             script_action = True
             script_local_path_abs = self.entry_point
@@ -121,13 +125,16 @@ def run(self, action_parameters):
                                        env_vars=env_vars,
                                        sudo=self._sudo,
                                        timeout=self._timeout,
-                                       cwd=self._cwd)
+                                       cwd=self._cwd,
+                                       sudo_password=self._sudo_password)
 
         args = action.get_full_command_string()
+        sanitized_args = action.get_sanitized_full_command_string()
 
         # For consistency with the old Fabric based runner, make sure the file is executable
         if script_action:
             args = 'chmod +x %s ; %s' % (script_local_path_abs, args)
+            sanitized_args = 'chmod +x %s ; %s' % (script_local_path_abs, sanitized_args)
 
         env = os.environ.copy()
 
@@ -140,7 +147,7 @@ def run(self, action_parameters):
 
         LOG.info('Executing action via LocalRunner: %s', self.runner_id)
         LOG.info('[Action info] name: %s, Id: %s, command: %s, user: %s, sudo: %s' %
-                 (action.name, action.action_exec_id, args, action.user, action.sudo))
+                 (action.name, action.action_exec_id, sanitized_args, action.user, action.sudo))
 
         stdout = StringIO()
         stderr = StringIO()
@@ -155,6 +162,17 @@ def run(self, action_parameters):
         read_and_store_stderr = make_read_and_store_stream_func(execution_db=self.execution,
             action_db=self.action, store_data_func=store_execution_stderr_line)
 
+        # If sudo password is provided, pass it to the subprocess via stdin>
+        # Note: We don't need to explicitly escape the argument because we pass command as a list
+        # to subprocess.Popen and all the arguments are escaped by the function.
+        if self._sudo_password:
+            LOG.debug('Supplying sudo password via stdin')
+            echo_process = subprocess.Popen(['echo', self._sudo_password + '\n'],
+                                            stdout=subprocess.PIPE)
+            stdin = echo_process.stdout
+        else:
+            stdin = None
+
         # Make sure os.setsid is called on each spawned process so that all processes
         # are in the same group.
 
@@ -164,7 +182,8 @@ def run(self, action_parameters):
         # Ideally os.killpg should have done the trick but for some reason that failed.
         # Note: pkill will set the returncode to 143 so we don't need to explicitly set
         # it to some non-zero value.
-        exit_code, stdout, stderr, timed_out = shell.run_command(cmd=args, stdin=None,
+        exit_code, stdout, stderr, timed_out = shell.run_command(cmd=args,
+                                                                 stdin=stdin,
                                                                  stdout=subprocess.PIPE,
                                                                  stderr=subprocess.PIPE,
                                                                  shell=True,
@@ -184,6 +203,20 @@ def run(self, action_parameters):
             error = 'Action failed to complete in %s seconds' % (self._timeout)
             exit_code = -1 * exit_code_constants.SIGKILL_EXIT_CODE
 
+        # Detect if user provided an invalid sudo password or sudo is not configured for that user
+        if self._sudo_password:
+            if re.search('sudo: \d+ incorrect password attempts', stderr):
+                match = re.search('\[sudo\] password for (.+?)\:', stderr)
+
+                if match:
+                    username = match.groups()[0]
+                else:
+                    username = 'unknown'
+
+                error = ('Invalid sudo password provided or sudo is not configured for this user '
+                        '(%s)' % (username))
+                exit_code = -1
+
         succeeded = (exit_code == exit_code_constants.SUCCESS_EXIT_CODE)
 
         result = {
 
@@ -23,6 +23,12 @@
       default: false
       description: The command will be executed with sudo.
       type: boolean
+    sudo_password:
+      default: null
+      description: Sudo password. To be used when paswordless sudo is not allowed.
+      type: string
+      secret: true
+      required: false
     timeout:
       default: 60
       description: Action timeout in seconds. Action will get killed if it doesn't
@@ -50,6 +56,12 @@
       default: false
       description: The command will be executed with sudo.
       type: boolean
+    sudo_password:
+      default: null
+      description: Sudo password. To be used when paswordless sudo is not allowed.
+      type: string
+      required: false
+      secret: true
     timeout:
       default: 60
       description: Action timeout in seconds. Action will get killed if it doesn't
 
@@ -314,6 +314,88 @@ def test_action_stdout_and_stderr_is_stored_in_the_db_short_running_action(self,
             self.assertEqual(output_dbs[db_index_1].data, mock_stderr[0])
             self.assertEqual(output_dbs[db_index_2].data, mock_stderr[1])
 
+    def test_shell_command_sudo_password_is_passed_to_sudo_binary(self):
+        # Verify that sudo password is correctly passed to sudo binary via stdin
+        models = self.fixtures_loader.load_models(
+            fixtures_pack='generic', fixtures_dict={'actions': ['local.yaml']})
+        action_db = models['actions']['local.yaml']
+
+        sudo_passwords = [
+            'pass 1',
+            'sudopass',
+            '$sudo p@ss 2'
+        ]
+
+        cmd = ('{ read sudopass; echo $sudopass; }')
+
+        # without sudo
+        for sudo_password in sudo_passwords:
+            runner = self._get_runner(action_db, cmd=cmd)
+            runner.pre_run()
+            runner._sudo_password = sudo_password
+            status, result, _ = runner.run({})
+            runner.post_run(status, result)
+
+            self.assertEquals(status,
+                    action_constants.LIVEACTION_STATUS_SUCCEEDED)
+            self.assertEquals(result['stdout'], sudo_password)
+
+        # with sudo
+        for sudo_password in sudo_passwords:
+            runner = self._get_runner(action_db, cmd=cmd)
+            runner.pre_run()
+            runner._sudo = True
+            runner._sudo_password = sudo_password
+            status, result, _ = runner.run({})
+            runner.post_run(status, result)
+
+            self.assertEquals(status,
+                    action_constants.LIVEACTION_STATUS_SUCCEEDED)
+            self.assertEquals(result['stdout'], sudo_password)
+
+        # Verify new process which provides password via stdin to the command is created
+        with mock.patch('eventlet.green.subprocess.Popen') as mock_subproc_popen:
+            index = 0
+            for sudo_password in sudo_passwords:
+                runner = self._get_runner(action_db, cmd=cmd)
+                runner.pre_run()
+                runner._sudo = True
+                runner._sudo_password = sudo_password
+                status, result, _ = runner.run({})
+                runner.post_run(status, result)
+
+                if index == 0:
+                    call_args = mock_subproc_popen.call_args_list[index]
+                else:
+                    call_args = mock_subproc_popen.call_args_list[index * 2]
+
+                index += 1
+
+                self.assertEqual(call_args[0][0], ['echo', '%s\n' % (sudo_password)])
+
+        self.assertEqual(index, len(sudo_passwords))
+
+    def test_shell_command_invalid_stdout_password(self):
+        # Simulate message printed to stderr by sudo when invalid sudo password is provided
+        models = self.fixtures_loader.load_models(
+            fixtures_pack='generic', fixtures_dict={'actions': ['local.yaml']})
+        action_db = models['actions']['local.yaml']
+
+        cmd = ('echo  "[sudo] password for bar: Sorry, try again.\n[sudo] password for bar:'
+               ' Sorry, try again.\n[sudo] password for bar: \nsudo: 2 incorrect password '
+               'attempts" 1>&2; exit 1')
+        runner = self._get_runner(action_db, cmd=cmd)
+        runner.pre_run()
+        runner._sudo_password = 'pass'
+        status, result, _ = runner.run({})
+        runner.post_run(status, result)
+
+        expected_error = ('Invalid sudo password provided or sudo is not configured for this '
+                          'user (bar)')
+        self.assertEquals(status, action_constants.LIVEACTION_STATUS_FAILED)
+        self.assertEqual(result['error'], expected_error)
+        self.assertEquals(result['stdout'], '')
+
     @staticmethod
     def _get_runner(action_db,
                     entry_point=None,
 
@@ -70,6 +70,7 @@ def _get_remote_action(self, action_paramaters):
                                            hosts=self._hosts,
                                            parallel=self._parallel,
                                            sudo=self._sudo,
+                                           sudo_password=self._sudo_password,
                                            timeout=self._timeout,
                                            cwd=self._cwd)
 
 
@@ -68,6 +68,12 @@
       default: false
       description: The remote command will be executed with sudo.
       type: boolean
+    sudo_password:
+      default: null
+      description: Sudo password. To be used when paswordless sudo is not allowed.
+      type: string
+      required: false
+      secret: true
     timeout:
       default: 60
       description: Action timeout in seconds. Action will get killed if it doesn't
 
@@ -144,6 +144,7 @@ def _get_remote_action(self, action_parameters):
                                           hosts=self._hosts,
                                           parallel=self._parallel,
                                           sudo=self._sudo,
+                                          sudo_password=self._sudo_password,
                                           timeout=self._timeout,
                                           cwd=self._cwd)
 
 
@@ -64,6 +64,12 @@
       default: false
       description: The remote command will be executed with sudo.
       type: boolean
+    sudo_password:
+      default: null
+      description: Sudo password. To be used when paswordless sudo is not allowed.
+      type: string
+      required: false
+      secret: true
     timeout:
       default: 60
       description: Action timeout in seconds. Action will get killed if it doesn't
 
@@ -1,4 +1,4 @@
 [flake8]
 max-line-length = 100
-ignore = E128,E402
+ignore = E128,E402,E722
 exclude=*.egg/*
@@ -25,6 +25,13 @@
 import st2tests.config as tests_config
 tests_config.parse_args()
 
+MOCK_STDERR_SUDO_PASSWORD_ERROR = """
+[sudo] password for bar: Sorry, try again.\n
+[sudo] password for bar:' Sorry, try again.\n
+[sudo] password for bar: \n
+sudo: 2 incorrect password attempts
+"""
+
 
 class ParallelSSHTests(unittest2.TestCase):
 
@@ -250,3 +257,27 @@ def test_run_command_json_output_transformed_to_object(self):
         results = client.run('stuff', timeout=60)
         self.assertTrue('127.0.0.1' in results)
         self.assertDictEqual(results['127.0.0.1']['stdout'], {'foo': 'bar'})
+
+    @patch('paramiko.SSHClient', Mock)
+    @patch.object(ParamikoSSHClient, 'run', MagicMock(
+        return_value=('', MOCK_STDERR_SUDO_PASSWORD_ERROR, 0))
+    )
+    @patch.object(ParamikoSSHClient, '_is_key_file_needs_passphrase',
+                  MagicMock(return_value=False))
+    def test_run_sudo_password_user_friendly_error(self):
+        hosts = ['127.0.0.1']
+        client = ParallelSSHClient(hosts=hosts,
+                                   user='ubuntu',
+                                   pkey_file='~/.ssh/id_rsa',
+                                   connect=True,
+                                   sudo_password=True)
+        results = client.run('stuff', timeout=60)
+
+        expected_error = ('Failed executing command "stuff" on host "127.0.0.1" '
+                          'Invalid sudo password provided or sudo is not configured for '
+                          'this user (bar)')
+
+        self.assertTrue('127.0.0.1' in results)
+        self.assertEqual(results['127.0.0.1']['succeeded'], False)
+        self.assertEqual(results['127.0.0.1']['failed'], True)
+        self.assertTrue(expected_error in results['127.0.0.1']['error'])
@@ -313,7 +313,7 @@ def get_one(self, id, output_type=None, requester_user=None):
         execution_id = str(execution_db.id)
 
         query_filters = {}
-        if output_type:
+        if output_type and output_type != 'all':
             query_filters['output_type'] = output_type
 
         def existing_output_iter():