bugfix - Prevent passwordstore lookup to create subkey when create == false (#9106)

mluzarreta · felixfontein · web-flow · commit 105ae0566aa0 · 2025-02-19T21:36:29.000+01:00
Fixes #9105 Apply suggestion Co-authored-by: Felix Fontein <felix@fontein.de>
diff --git a/changelogs/fragments/9106-passwordstore-fix-subkey-creation-even-when-create-==-false.yml b/changelogs/fragments/9106-passwordstore-fix-subkey-creation-even-when-create-==-false.yml
@@ -0,0 +1,2 @@
+bugfixes:
+  - passwordstore lookup plugin - fix subkey creation even when ``create=false`` (https://github.com/ansible-collections/community.general/issues/9105, https://github.com/ansible-collections/community.general/pull/9106).
diff --git a/plugins/lookup/passwordstore.py b/plugins/lookup/passwordstore.py
@@ -572,16 +572,20 @@ def run(self, terms, variables, **kwargs):
         for term in terms:
             self.parse_params(term)   # parse the input into paramvals
             with self.opt_lock('readwrite'):
-                if self.check_pass():     # password exists
-                    if self.paramvals['overwrite']:
+                if self.check_pass():     # password file exists
+                    if self.paramvals['overwrite']:  # if "overwrite", always update password
                         with self.opt_lock('write'):
                             result.append(self.update_password())
-                    elif self.paramvals["subkey"] != "password" and not self.passdict.get(self.paramvals['subkey']):  # password exists but not the subkey
+                    elif (
+                        self.paramvals["subkey"] != "password"
+                        and not self.passdict.get(self.paramvals["subkey"])
+                        and self.paramvals["missing"] == "create"
+                    ):  # target is a subkey, this subkey is not in passdict BUT missing == create
                         with self.opt_lock('write'):
                             result.append(self.update_password())
                     else:
                         result.append(self.get_passresult())
-                else:                     # password does not exist
+                else:  # password does not exist
                     if self.paramvals['missing'] == 'create':
                         with self.opt_lock('write'):
                             if self.locked == 'write' and self.check_pass():  # lookup password again if under write lock

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+bugfixes:`
	`2`	+ - passwordstore lookup plugin - fix subkey creation even when ``create=false`` (https://github.com/ansible-collections/community.general/issues/9105, https://github.com/ansible-collections/community.general/pull/9106).