From e5ec1ee76ccf25efa8bae0dad4237d201c63690b Mon Sep 17 00:00:00 2001
From: Jordan Borean
Date: Thu, 20 Feb 2025 05:13:29 +1000
Subject: [PATCH] Windows - Support WDAC Audit Mode (#84730)

Fix up bug when attempting to run any module on a Windows host that has been configured with WDAC and Dynamic Code Security in audit mode. This does not enable WDAC support with signed scripts so Ansible will still not pass the audit events but it no longer fails to run.
---
 changelogs/fragments/win-wdac-audit.yml | 4 ++++
 .../powershell/Ansible.ModuleUtils.AddType.psm1 | 9 ++++++---
 2 files changed, 10 insertions(+), 3 deletions(-)
 create mode 100644 changelogs/fragments/win-wdac-audit.yml

diff --git a/changelogs/fragments/win-wdac-audit.yml b/changelogs/fragments/win-wdac-audit.yml
new file mode 100644
index 00000000000..d4e6f4b8bd9
--- /dev/null
+++ b/changelogs/fragments/win-wdac-audit.yml
@@ -0,0 +1,4 @@
+bugfixes:
+ - >-
+ Windows - add support for running on system where WDAC is in audit mode with
+ ``Dynamic Code Security`` enabled.
diff --git a/lib/ansible/module_utils/powershell/Ansible.ModuleUtils.AddType.psm1 b/lib/ansible/module_utils/powershell/Ansible.ModuleUtils.AddType.psm1
index 3a1a317ec66..06042b4a3c9
--- a/lib/ansible/module_utils/powershell/Ansible.ModuleUtils.AddType.psm1
+++ b/lib/ansible/module_utils/powershell/Ansible.ModuleUtils.AddType.psm1
@@ -312,7 +312,7 @@ Function Add-CSharpType {
 # fatal error.
 # https://github.com/ansible-collections/ansible.windows/issues/598
 $ignore_warnings = [System.Collections.ArrayList]@('1610')
-$compile_units = [System.Collections.Generic.List`1[System.CodeDom.CodeSnippetCompileUnit]]@()
+$compile_units = [System.Collections.Generic.List`1[string]]@()
 foreach ($reference in $References) {
 # scan through code and add any assemblies that match
 # //AssemblyReference -Name ... [-CLR Framework]
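Review bot: The change of `$compile_units` from a list of `CodeSnippetCompileUnit` to a list of `string` is not explained at the declaration, and the comment block directly above it (the issue-598 note about warning 1610) is about something unrelated, so a reader of this line alone cannot tell why raw source text is now being collected. I would add, directly above the `$compile_units` line, `# Keep the raw C# source strings rather than CodeDom units: they are fed to CompileAssemblyFromSource below, which (per the comment at that call) writes real .cs files that WDAC Dynamic Code Security can mark as trusted.` Add-CSharpType starts before this hunk and its body continues past it, so the consumer of the list is not visible here.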
@@ -346,7 +346,7 @@ Function Add-CSharpType {
 }
 $ignore_warnings.Add($warning_id) > $null
 }
-$compile_units.Add((New-Object -TypeName System.CodeDom.CodeSnippetCompileUnit -ArgumentList $reference)) > $null
+$compile_units.Add($reference) > $null
 $type_matches = $type_pattern.Matches($reference)
 foreach ($match in $type_matches) {
@@ -381,7 +381,10 @@ Function Add-CSharpType {
 $null = New-Item -Path $temp_path -ItemType Directory -Force
 try {
-$compile = $provider.CompileAssemblyFromDom($compile_parameters, $compile_units)
+# FromSource is important, it will create the .cs files with
+# the required extended attribute for the source to be trusted
+# when using WDAC.
+$compile = $provider.CompileAssemblyFromSource($compile_parameters, $compile_units)
 } finally {
 # Try to delete the temp path, if this fails and we are running
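Review bot: With `$compile_units.Add($reference) > $null` each reference is now handed to the compiler as raw source, and the commit's own comment at the `CompileAssemblyFromSource` call says that source is written out as `.cs` files carrying an extended attribute that makes them trusted under WDAC, which turns the on-disk staging directory into part of the trust boundary rather than a mere scratch area. The directory is created with `New-Item -Path $temp_path -ItemType Directory -Force` and nothing visible in the hunk restricts its ACL or rejects a pre-existing directory (`-Force` quietly reuses one), so if `$temp_path` were predictable or writable by other local users, source they place there could in principle be compiled and loaded by this process; how `$temp_path` is derived is outside the hunk, so this may already be handled and should be confirmed rather than assumed. I would at least add at the `Add` call `# NOTE: these strings are materialised as .cs files under $temp_path; that directory must be per-run and user-private because WDAC will trust what is written there`, and, if not already the case, create `$temp_path` with a random name under the current user's temp directory and fail instead of reusing an existing one. The enclosing foreach and Add-CSharpType both continue outside this hunk.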