* Add support for Windows App Control/WDAC
Adds preview support for Windows App Control, formerly known as WDAC.
This is a tech preview feature and is designed to test out improvements
needed in future versions of Ansible.
* Use psd1 and parse it through the Ast to avoid any unexpected execution results
* Add tests for various manifest permutations
* Ignore test shebang failure
* Apply suggestions from code review
Co-authored-by: Matt Davis <6775756+nitzmahone@users.noreply.github.com>
* Use more flexible test expectations
* Add type annotations for shell functions
---------
Co-authored-by: Matt Davis <6775756+nitzmahone@users.noreply.github.com>
* ansible-test - Improve deprecated checking type inference
Also disabled the ``bad-super-call`` pylint rule due to false positives.
* Add type comment support
* Try without using register_transform
For calling setup_test_user, which adds a user to the system (and thus requiring
root):
- become
- become_su
- become_sudo
- slurp
And also:
- apt, which installs/removes system packages
- deb822_repository, which adds/removes apt repos
- hardware_facts calls losetup, which requires root
- package_facts, which installs/removes system packages
Co-authored-by: Lee Garrett <lgarrett@rocketjump.eu>
Fix the logic for a constructable inventory `keyed_groups` entry to use
the `default_value` if the ``key` expression result is `None` or `omit`
and not just an empty string. This bug was introduced with the changes
in data tagging and goes back to the original behaviour.
Co-authored-by: Sloane Hertel <19572925+s-hertel@users.noreply.github.com>
* template module - render `None` as empty string
* Update changelogs/fragments/template-none.yml
Co-authored-by: Matt Davis <6775756+nitzmahone@users.noreply.github.com>
---------
Co-authored-by: Matt Davis <6775756+nitzmahone@users.noreply.github.com>
* remove dead config comment noise
* update `list` typed config defaults to be lists
* fix tag preservation/propagation in config
* numerous other ensure_type bugfixes
* 100% unit test coverage of ensure_type
* emit warnings on template_default failures
* fix unhandled exception in convert_bool on unhashable inputs
Co-authored-by: Matt Clay <matt@mystile.com>
---------
Co-authored-by: Matt Clay <matt@mystile.com>
* See changelog fragment for most changes.
* Defer early config warnings until display is functioning, eliminating related fallback display logic.
* Added more type annotations and docstrings.
* ansible-test - pylint sanity for deprecations improved.
* Refactored inline legacy resolutions in PluginLoader.
Co-authored-by: Matt Clay <matt@mystile.com>
* Implement TaskResult backward compatibility for callbacks
* general API cleanup
* misc deprecations
Co-authored-by: Matt Clay <matt@mystile.com>
* fix v2_on_any deprecation exclusion for base
---------
Co-authored-by: Matt Clay <matt@mystile.com>
* Fix test_range_templating on 32-bit architectures
32-bit archtectures like i386, armel, armhf will fail with the error
ansible._internal._templating._errors.AnsibleTemplatePluginRuntimeError: The
filter plugin 'ansible.builtin.random' failed: Python int too large to convert
to C ssize_t
So just pick sys.maxsize (2**31 - 1) so it works on 32 bit machines.
---------
Co-authored-by: Lee Garrett <lgarrett@rocketjump.eu>
Co-authored-by: Matt Clay <matt@mystile.com>
* Use `_UNSET` instead of allowing `ellipsis`
* Fix deprecation warning pre-check
* Deprecation warnings from modules can now be disabled.
* Deprecation warnings from modules get the "can be disabled" notice.
* Include help text in pre-display fatal errors
* Simplify lookup warning/debug messaging
* Fix return type of `timedout` test plugin
* Use `object` for `_UNSET`
* Remove obsolete `convert_data` tests
* Remove unnecessary template from test
* Improve legacy YAML objects backward compat
* Fix templar backward compat for None overrides
* Added support for URL-safe decoding into b64decode
* Added support for URL-safe encoding into b64encode
Fixes: #84147
Signed-off-by: Abhijeet Kasurde <Akasurde@redhat.com>
* Add ssh-agent launching, and ssh-agent python client
* Move things around, is this better??
* docs
* postpone creating dir after bin lookup
* fix method name
* changelog ssh agent
* address reviews
* fix typing
* do not redefine public_key
* typing
* more typing
* Catch OSError when starting ssh agent
* likely copy pasted old code
* var type fix
* why is this needed?
ci_complete
* ignoring the change for now
* write out pub key file atomically
* defensive timeout for the socket
* _populate_agent docstring
* do not allow setting these in config
* check expected length before slicing blobs
* test all key types
* remove lock/unlock functionality
* docstring
* private _ssh_agent
* .
* launch agent in cli and ansible_ssh_*
* additional info for ssh-agent comment
* Add tests for remove and remove_all
* comment on os.rename
* hopefully mitigate agent startup/delays problems
* exceptions
* unused import
* fix sanity
* perf
---------
Co-authored-by: Matt Martz <matt@sivel.net>
* Git allows embedding username and password in repo URL for
https authentication. This may lead to exposing the user sensitive
information to logs and unautheticated users.
Adding no_log will partially solve this.
* Added documentation warning user about URL embedded with username
and password.
* Added logic to remember user sensitive information for later sanitization
Fixes: #84557
Signed-off-by: Abhijeet Kasurde <Akasurde@redhat.com>
* Clean up interpreter discovery
- Deprecated `auto_legacy` and `auto_legacy_silent`
- Removed obsolete platform fallback config and logic
- Replaced unit tests with integration tests
- Increased test coverage
Fixes the coverage collection for Windows and async tasks. This ensures
the async task still has access to the PSHost so that it can access the
runspace debugger tasks on the host.
Updates the Windows exec runner in preparation for the WDAC changes.
This new process is designed to improve the way modules are run by
Windows and expose common functionality to run PowerShell code in a
common environment. It also includes futher changes to improve the error
handling to make it easier to see where an error occurred in the running
code.
* Fix apt and dpkg_selections tests
The tests now support aarch64.
They also have reduced dependencies on URLs hosted on third-party servers.
* Skip tests on unsupported platforms
* Use same package version for both tests
* Fix multi-arch support for Ubuntu 22.04
* uri: form location correctly from relative redirect
Previously, the original URL would be combined with the relative location incorrectly, especially for URL of any complexity.
Add simple tests demonstrating the problem that fail without the fix
* fix pylint error, import the method similar to other uri methods
* add changelog fragment
Signed-off-by: Abhijeet Kasurde <Akasurde@redhat.com>
Refactor the async wrapper and watchdog scripts for Windows. This
attempts to avoid WMI on connection plugins that allow breaking away
from a job like winrm and ssh as an optimisation and changes how WMI is
used so that we can get the error details on a failed process more
easily.
These changes are being made also in preparation for the WDAC
implementation that requires this new execution model where input needs
to be provided through stdin.
This patch marks the `ansible.module_utils.compat.datetime` module as deprecated, including `UTC`, `utcfromtimestamp()` and `utcnow` shims that it provides, scheduling its removal for v2.21.
It also replaces any uses of the compatibility helpers with non-deprecated calls to CPython stdlib.
PR #81874
Co-authored-by: Matt Clay <matt@mystile.com>
Prevents `Group state for \"customenvgroup\" not found` error which may
or may not be a regression in dnf5. Just name groups/envs uniquely to
workaround the issue.
Removes the use of pexpect in the winrm connection plugin and rely on
just subprocess. In the past pexpect was used for macOS compatibility so
that it could handle the TTY prompt but after testing it seems like
subprocess with `start_new_session=True` is enough to get it reading
from stdin on all platforms. This simplifies the code as there's no
longer an optional library changing how things are called and will work
out of the box.
* Simplify conditional for service_facts integration test
This test requires systemd, so just test for that. Also fixes running this on
Debian testing/unstable releases, where ansible_distribution_version is "n/a".
* Clean up after service_facts integration test
* Simplify set_fact in interpreter_discovery_python test
Those vars are always set, either to something discovered, or "n/a". There are
no evaluations against the value "unknown".
* interpreter_discovery_python: Fix Debian test
Debian doesn't set VERSION_ID in /etc/os-release on pre-releases, see
https://bugs.debian.org/1008735
ansible 2.17 onwards does not support python 2.7 anyway.
* fix deb822_repository integration test failure on Debian
* Fix integration test hostname for Debian
* Fix integration test mount_facts
Some VMs might only have a single mount point, so they only have a single UUID.
* Add package deps for integration test subversion
/usr/bin/htpasswd is shipped in apache2-utils and needed by the main playbook.
* Fix integration test "service" on Debian sid
Debian sid does not set ansible_distribution_version, as such any tests assuming
it's a numeric value will fail. Since this is ancient test code that predates
ansible_service_mgr, remove the error-prone heuristic and rely on that var
instead.
* Fix service integration tests not running on *BSD
---------
Co-authored-by: Lee Garrett <lgarrett@rocketjump.eu>
No the file name that caused the error will be apparent
---------
Signed-off-by: Abhijeet Kasurde <Akasurde@redhat.com>
Co-authored-by: Abhijeet Kasurde <Akasurde@redhat.com>
* Fixed various become-related issues in `local` connection plugin.
* Fixed various issues in `sudo` and `su` become plugins.
* Added unit and integration test coverage.
Co-authored-by: Matt Clay <matt@mystile.com>
Co-authored-by: Matt Davis <nitzmahone@redhat.com>
* test: enable user test for alpine
* Disable user home update tests
* Disable some more tests which are not applicable for Alpine
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Previously, requirement version specs starting with `!=` were
incorrectly considered as pinned release requests because the
comparison was being made against a one-char string while the
operator is two-char. This patch changes the check to test against `!`
which is enough to detect this case.
Previously, the integration test depended on luck. `setuptools` used
to be bundled in Python stdlib's `ensurepip`. Python 3.12 and newer no
longer include it. This test imports `pkg_resources` that is a part of
`setuptools`, meaning that it'll run out of luck at some point, under
newer Python runtimes.
This test does not seem to be useful to us so instead of fixing it, we
remove it from the repo [[1]].
Supersedes #84681.
[1]: https://github.com/ansible/ansible/pull/84681#discussion_r1945525317
* apt-key module updates due to debian removal
Still kept for now for backwards compat, but removing from testing when not present
And adding more explicit mesasges to errors to point to new module
* added docs and error msg
* clog
* aslkdfj
* no docs to document doc changes
* also add warning to apt_repository
* clog on apt_repo too
* fix string concat
* Apply suggestions from code review
Co-authored-by: Abhijeet Kasurde <akasurde@redhat.com>
---------
Co-authored-by: Abhijeet Kasurde <akasurde@redhat.com>
Improves the logic for parsing CLIXML values in the stderr returned by
SSH. This fixes encoding problems by having a fallback in case the
output is not valid UTF-8. It also can now extract embedded CLIXML
sequences in all of stderr rather than just at the start.
When a user doesn't exist and user module is used to create the user and the
homedir, adduser is called which parses HOME_MODE from /etc/login.defs, and when
not set calculates the mode from UMASK from the same file.
When a user already exists without homedir, and the user module is used to add a
home dir, it incorrectly ignores HOME_MODE, resulting in a world-readable home
dir when UMASK is not set. This is for example the case in Debian trixie and
later, and likely Ubuntu 25.04 and later.
Signed-off-by: Lee Garrett <lgarrett@rocketjump.eu>
Co-authored-by: Brian Coca <bcoca@users.noreply.github.com>
Co-authored-by: Abhijeet Kasurde <akasurde@redhat.com>
prompt now only errors if stdin is specifically triggered and not due to lack of other args
fixes#84489
---------
Co-authored-by: Sloane Hertel <19572925+s-hertel@users.noreply.github.com>
Correct the test that expects an error when using ansible-vault to write against
a non-writeable dir. Skip the test as root, as root can always write.
Co-authored-by: Lee Garrett <lgarrett@rocketjump.eu>
Also remove redundant check from tqm
Now covers module output (set_fact/include_vars)
Includes play objects at any stage (tasks that error were not covered)
Added tests, moved them to role structure
Some versions and architectures come with `ca_root_nss` pre-installed.
However, at least FreeBSD 13.4 on aarch64 does not.
This change ensures the certificates will always be installed.
* ansible-test - Replace Fedora 40 with 41
Also update other distro containers to remove unnecessary packages:
* apache2
* subversion
* ruby
* Fix subversion test on Ubuntu
Also remove obsolete vars files from subversion test.
* Skip dnf test on Fedora 41+
The dnf5 test is all that is needed.
* Support dnf5 for the package test
* Extend unix-chkpwd work-around for Fedora
The test has been updated to use a custom type which does not support pickling,
instead of relying on Jinja's `Undefined` type. As of Jinja 3.1.5 that type now
supports pickle, which breaks the original implementation of the test.
gather_facts, fix network_os and smart logic and defaults
setup will be default for smart only if network_os is not set, now you get warnings and errors when missing a valid facts module for a network os
Co-authored-by: Abhijeet Kasurde <akasurde@redhat.com>
* Allow user to control the trimming of blocks while templating
* Added tests
* Updated documentation and example
Fixes: #75962
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Clamp zip timestamps to representible values when unpacking zip files on
platforms that use 32-bit time_t (e.g. Debian i386). This is a
non-issue in practice (in 2024), but should allow the test suite to pass
on Debian i386.
We use a round value of 2038-01-01 00:00:00 for simplicity, and to avoid
running into timezone offsets closer to the actual limit.
MR #81520 introduced sanity-checking tests that used dates not
representable with a 32-bit time_t.
* ssh: Test reset_connection with templated ansible_ssh_executable
Add failing test to confirm subsequent fixes are necessary & sufficient.
* ssh: Fix reset_connection with templated ansible_ssh_executable
Signed-off-by: Alex Willmer <alex@moreati.org.uk>
* Fix callback_default integration test for non-root users
This test compares the test output to previously collected output. However, this
previously assumed that the tests are run as root, even though needs/root in
aliases is not set.
So instead parameterize the output, and use sed to replace the value that
diverge when running it as different users.
* integration tests: Ensure temp file removal doesn't fail as non-root user
* Don't fail when ansible-galaxy integration test runs as non-root
* Update integration test callback list
---------
Co-authored-by: Lee Garrett <lgarrett@rocketjump.eu>
* Additional tests for lookup_sequence
* Follow up for https://github.com/ansible/ansible/pull/83758,
to add tests for stride parameter.
---------
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Fixes the coverage path translation for modules located in integration
test paths. Instead of trying to match by the unique temporary path name
that the module is executed as, the reporting tool will translate it to
the static path that the module is actually located under.
* integrity tests: Tag (destructive) root tests as such
- apt_key needs root to touch the apt key database
- debconf needs root to change debconf values of system packages
- gathering writes to /etc/ansible/*, writeable only to root
- group creates system groups
- noexec mounts/umounts a ramdisk
- systemd requires root to start/stop services
Mark all except noexec as "destructive" as they change the state of the system.
* integration test cron requires root, as it calls setup_cron
* integration test dpkg_selection runs dpkg as root
* integration test facts_linux_network requires root
It adds/removes IP addresses from network interfaces, requiring root for that.
* integration test package requires root
installs/removes system packages
* Integration test service requires root
Creates/starts/stops/removes systemd services
* integration test user requires root to create users
* integration tests using setup_test_user require root
---------
Co-authored-by: Lee Garrett <lgarrett@rocketjump.eu>
When detection of the current container network fails, a warning is now issued and execution continues.
This simplifies usage in cases where the current container cannot be inspected, such as when running in GitHub Codespaces.
* Update resolvelib upperbound to 2.0.0
Minor SemVer releases should not contain breaking changes
* Test the latest minor release and reduce number of resolvelib versions tested for efficiency
* Update the documentation for check_required_by
* Fix return value for check_required_by (now returns empty list on success)
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
* Removed deprecated pycompat24 and importlib
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
* Make CI green
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
* Ignore basic.py
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
* Make CI green III
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
* Make CI green IV
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
---------
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Several tasks within the modification_time.yml and state_link.yml task
lists have explicitly enabled diff_mode because these tests previously
assumed a diff attribute would always be returned from the file module.
While showing the deprecation message, mention the collection name
from which the module is removed.
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
* fixes for CVE-2024-8775
* propagate truthy `_ansible_no_log` in action result (previously superseded by task-calculated value)
* always mask entire `include_vars` action result if any file loaded had a false `show_content` flag (previously used only the flag value from the last file loaded)
* update no_log tests for CVE-2024-8775
* include validation of _ansible_no_log preservation when set by actions
* replace static values with dynamic for increased robustness to logging/display/callback changes (but still using grep counts :( )
* changelog
* use ternary, coerce to bool explicitly
variable_manager unit tests are unreachable. These tests
are already covered in integration tests.
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
* Update triple single quotes to triple double quotes
This change was fully automated.
The updated Python files have been verified to tokenize the same as the originals, except for the expected change in quoting of strings, which were verified through literal_eval.
* Manual conversion of docstring quotes
This cleans up the implementation of the pylint sanity test and enables the docstyle extension rule `bad-docstring-quotes` for tests.
The rule will be enabled for the rest of ansible-core once automated cleanup has been performed on existing docstrings.
* Added support for testing unit tests with mypy.
* Added support for ignoring individual mypy error codes.
* Added missing assert on unit tests and marked xfail.
* Added type hints for some unit tests.
* Added ignores for unit tests not passing mypy.
* Fixed incorrect autouse argument in unit test fixtures.
* Fixed minor issues causing problems with mypy in unit tests.
* Fix installing collections|roles from git repos with GALAXY_IGNORE_CERTS
* Fix installing collections from git repos with --ignore-certs
* Update unit test
* Add test case
This greatly reduces run time on large inventories since meta tasks are
executed in the main process sequentially and just executing them is expensive.
This change avoids running the following implicit meta tasks:
* ``flush_handlers`` on hosts where no handlers are notified
* ``noop`` for the linear strategy's lockstep, instead hosts that are
not executing the current task are just not part of the current host loop
A playbook consiting of two simple plays both running on ~6000 hosts
runs in:
devel: 37s
this PR: 1.3s
Co-authored-by: Sloane Hertel <19572925+s-hertel@users.noreply.github.com>
Co-authored-by: Sviatoslav Sydorenko (Святослав Сидоренко) <wk.cvs.github@sydorenko.org.ua>
Since we don't really care about the type we don't have to
query for it and just retrieve the filename value.
Unfortunately we cannot use module_utils.urls.get_response_filename
as we don't have the response object, so just utilize
email.message.Message to parse the filename
instead of manually doing the work ourselves.
Fixes: #83690
* facts: Skip path if the distribution path is directory
Skip path if the distribution path is directory instead of file.
Handle exception raised while handling distribution path.
Fixes: #84006
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
* Review requests
---------
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
* Add a mount_facts module capable of gathering mounts skipped by default
fact gathering
* By default, collect mount facts from standard locations including
/etc/mtab, /proc/mounts, /etc/fstab, /etc/mnttab, /etc/vfstab, and on AIX,
/etc/filesystems.
When no file-based source for the current mounts can be found
(like /proc/mounts), the module falls back to using mount as a source.
This allows BSD and AIX to collect the existing mounts by default, without
causing Linux hosts to use both /proc/mounts and mount output.
* Non-standard locations and "mount" can be configured as a sources.
* Support returning an aggregate list of mount points in addition to first
found.
When there are multiple mounts for the same mount point in an
individual source, a warning is given if the include_aggregate_mounts
option is not configured.
* Add options to filter on fstypes and devices (supporting UNIX shell
wildcards).
* Support configuring a timeout and timeout behavior to make it easier
to use the module as a default facts module without risking a hang.
* Include the source and line(s) corresponding to a mount for easier
debugging.
Co-authored-by: Brian Coca <bcoca@users.noreply.github.com>
Co-authored-by: Matt Clay <matt@mystile.com>
Co-authored-by: Matt Davis <6775756+nitzmahone@users.noreply.github.com>
* Fact gathering fix 'no shm' branhc
* Use concurrent.futures instead of multiprocessing
This entirely avoids the need for fallback logic since the concurrent.futures thread pool does not depend on `/dev/shm`.
Co-authored-by: Matt Clay <matt@mystile.com>
Use the changelog sanity test requirements instead of the package-data sanity test requirements.
This enables removal of most package-data sanity test requirements, as they are no longer used by the test itself.
The additional requirements were being maintained only to provide pinned requirements for building the changelog during a release.
* add a loop_control break_when directive to break out of a loop after any item
* remove loop var as normal exit would
* example usage:
- name: generate a random password up to 10 times, until it matches the policy
set_fact:
password: "{{ lookup('password', '/dev/null', chars=character_set, length=length) }}"
loop: "{{ range(0, 10) }}"
loop_control:
break_when:
- password is match(password_policy)
Co-authored-by: s-hertel <19572925+s-hertel@users.noreply.github.com>
* Add DaemonThreadPoolExecutor impl
* Provide a simple parallel execution method with the ability to abandon timed-out operations that won't block threadpool/process shutdown, and without a dependency on /dev/shm (as multiprocessing Thread/Process pools have).
* Create module_utils/_internal to ensure that this is clearly not supported for public consumption.
* psrp - Remove extras lookups
Removed the extras variable lookups for the psrp connection plugin. All
valid options are already documented and the extras functionality is
slated to be deprecated at a future point in time. This should have
affect on existing user's playbooks.
* Fix up sanity tests and add explicit boolean conversion test
Adds the datastore details to the parser error when attempting to
include tasks that contain include_tasks without a filename set. This
change will now display the exact location of the include_tasks that
failed like any normal syntax error.
Expands the test matrix used for testing on Windows to cover the three
connection plugins we support for all the tasks. This change also
changes how raw commands are run over SSH to avoid starting a
`powershell.exe` process that was uneeded in the majority of cases used
in Ansible. This simplifies our code a bit more by removing extra
Windows specific actions in the ssh plugin and improves the efficiency
when running tasks.
* Fix up raw_params for ansible.windows modules
Fixes up the logic for detecting if using ansible.windows.win_command or
ansible.windows.win_shell with _raw_params. These two modules are
special in that they can be referenced in 4 different ways but the
ansible.windows collection specific prefix needs to be manually added to
the list.
* Fix up sanity issue
Currently we match the load name, which can be an fqcn, but most users expect the 'naked' name
Now plugins can declare that name by setting _extras_prefix property or fallback to 'non fqcn' if no extras prefix
* ssh and psrp - Support more complex chars in fetch_file
Fixes the psrp and ssh (with piped) fetch function to work with paths
that contains glob like characters in the path. For Windows this was
needed when using paths that contain `[]` in the path. For ssh this was
a problem with FreeBSD when using the piped transfer method with similar
characters.
Also tidies up the psrp logic to not inject the paths and buffer size
in the script but pass it as an object through an argument/parameter.
* Fix sanity check
Martin Krizek