Diffstat (limited to 'lib/ansible/plugins/lookup/password.py')
-rw-r--r--lib/ansible/plugins/lookup/password.py42
1 files changed, 15 insertions, 27 deletions
diff --git a/lib/ansible/plugins/lookup/password.py b/lib/ansible/plugins/lookup/password.py
index b08845a7..1fe97f14 100644
--- a/lib/ansible/plugins/lookup/password.py
+++ b/lib/ansible/plugins/lookup/password.py
@@ -28,23 +28,26 @@ DOCUMENTATION = """
required: True
encrypt:
description:
- - Which hash scheme to encrypt the returning password, should be one hash scheme from C(passlib.hash; md5_crypt, bcrypt, sha256_crypt, sha512_crypt).
+ - Which hash scheme to encrypt the returning password, should be one hash scheme from C(passlib.hash);
+ V(md5_crypt), V(bcrypt), V(sha256_crypt), V(sha512_crypt).
- If not provided, the password will be returned in plain text.
- Note that the password is always stored as plain text, only the returning password is encrypted.
- Encrypt also forces saving the salt value for idempotence.
- Note that before 2.6 this option was incorrectly labeled as a boolean for a long time.
ident:
description:
- - Specify version of Bcrypt algorithm to be used while using C(encrypt) as C(bcrypt).
- - The parameter is only available for C(bcrypt) - U(https://passlib.readthedocs.io/en/stable/lib/passlib.hash.bcrypt.html#passlib.hash.bcrypt).
+ - Specify version of Bcrypt algorithm to be used while using O(encrypt) as V(bcrypt).
+ - The parameter is only available for V(bcrypt) - U(https://passlib.readthedocs.io/en/stable/lib/passlib.hash.bcrypt.html#passlib.hash.bcrypt).
- Other hash types will simply ignore this parameter.
- - 'Valid values for this parameter are: C(2), C(2a), C(2y), C(2b).'
+ - 'Valid values for this parameter are: V(2), V(2a), V(2y), V(2b).'
type: string
version_added: "2.12"
chars:
version_added: "1.4"
description:
- A list of names that compose a custom character set in the generated passwords.
+ - This parameter defines the possible character sets in the resulting password, not the required character sets.
+ If you want to require certain character sets for passwords, you can use the P(community.general.random_string#lookup) lookup plugin.
- 'By default generated passwords contain a random mix of upper and lowercase ASCII letters, the numbers 0-9, and punctuation (". , : - _").'
- "They can be either parts of Python's string module attributes or represented literally ( :, -)."
- "Though string modules can vary by Python version, valid values for both major releases include:
@@ -130,7 +133,7 @@ import time
import hashlib
from ansible.errors import AnsibleError, AnsibleAssertionError
-from ansible.module_utils._text import to_bytes, to_native, to_text
+from ansible.module_utils.common.text.converters import to_bytes, to_native, to_text
from ansible.module_utils.six import string_types
from ansible.parsing.splitter import parse_kv
from ansible.plugins.lookup import LookupBase
@@ -364,6 +367,7 @@ class LookupModule(LookupBase):
try:
# make sure only one process finishes all the job first
first_process, lockfile = _get_lock(b_path)
+
content = _read_password_file(b_path)
if content is None or b_path == to_bytes('/dev/null'):
@@ -381,34 +385,18 @@ class LookupModule(LookupBase):
except KeyError:
salt = random_salt()
- ident = params['ident']
+ if not ident:
+ ident = params['ident']
+ elif params['ident'] and ident != params['ident']:
+ raise AnsibleError('The ident parameter provided (%s) does not match the stored one (%s).' % (ident, params['ident']))
+
if encrypt and not ident:
- changed = True
try:
ident = BaseHash.algorithms[encrypt].implicit_ident
except KeyError:
ident = None
-
- encrypt = params['encrypt']
- if encrypt and not salt:
+ if ident:
changed = True
- try:
- salt = random_salt(BaseHash.algorithms[encrypt].salt_size)
- except KeyError:
- salt = random_salt()
-
- if not ident:
- ident = params['ident']
- elif params['ident'] and ident != params['ident']:
- raise AnsibleError('The ident parameter provided (%s) does not match the stored one (%s).' % (ident, params['ident']))
-
- if encrypt and not ident:
- try:
- ident = BaseHash.algorithms[encrypt].implicit_ident
- except KeyError:
- ident = None
- if ident:
- changed = True
if changed and b_path != to_bytes('/dev/null'):
content = _format_content(plaintext_password, salt, encrypt=encrypt, ident=ident)
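Review bot: The arguments to the mismatch error in the added `elif params['ident'] and ident != params['ident']:` branch look swapped. `ident` is only taken from `params['ident']` when it is empty, so in the `elif` it presumably holds the value read from the password file, and the message then reports the stored value as "provided" and the caller's value as "stored". Swapping the tuple to `% (params['ident'], ident)` would make the text match the values. The enclosing method starts and ends outside the hunk, so where `ident` is first assigned should be confirmed before changing it. The raise also sits after `_get_lock(b_path)` from the previous hunk, and the release is not visible here, so it is worth checking that this error path still releases the lock file.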