* Fix broken, circumvented test for missing vault ids
* verify the command returns a non-zero exit code
Co-authored-by: Matt Clay <matt@mystile.com>
(cherry picked from commit fe7e68bfcb)
* fixes for CVE-2024-8775
* propagate truthy `_ansible_no_log` in action result (previously superseded by task-calculated value)
* always mask entire `include_vars` action result if any file loaded had a false `show_content` flag (previously used only the flag value from the last file loaded)
* update no_log tests for CVE-2024-8775
* include validation of _ansible_no_log preservation when set by actions
* replace static values with dynamic for increased robustness to logging/display/callback changes (but still using grep counts :( )
* changelog
* use ternary, coerce to bool explicitly
(cherry picked from commit c9ac477e53)
* user module avoid conflicts ssh pub key (#84165)
Remove pub key if we are going to generate private
fix tests for os X
(cherry picked from commit 11e4a6a722)
* old python, no f''
* Restore test import missing from backport
---------
Co-authored-by: Matt Clay <matt@mystile.com>
The shell command sometimes prints a trailing whitespace which breaks
the tests on old RHELs. This patch is supposed to fix that.
(cherry picked from commit cd74c4bcd5)
* [stable-2.14] release.py - Auto-update setuptools upper bound (#83713)
When releases are prepared, the upper bound on setuptools in pyproject.toml will be automatically updated
to the latest version available on PyPI. This version will then be tested by the package-data sanity test
during the release process and will be used to build the release.
This change ensures that a released version of ansible-core can be built in the future if a new setuptools
release includes breaking changes that would prevent building a functional package. If a downstream package
maintainer requires a newer setuptools version than the upper bound permits, they can patch pyproject.toml
as needed. Since ansible-core releases support specific Python versions, lack of support for new setuptools
releases will have no effect on support for future Python versions.
(cherry picked from commit 4e69d83fac)
* release.py - Add missing setuptools arg to prepare (#83887)
* release.py - Add missing setuptools arg to prepare
This allows the prepare command to accept the `--no-setuptools` argument.
It also fixes a traceback when using the `prepare` command.
* Use a more accurate type hint
(cherry picked from commit b544ac13ec)
* release.py - Include pyproject.toml in git add (#83892)
(cherry picked from commit e3ccdaaa2e)
* Fix installing roles containing symlinks
Fix sanitizing tarfile symlinks relative to the link directory instead of the archive
For example:
role
├── handlers
│ └── utils.yml -> ../tasks/utils/suite.yml
The link ../tasks/utils/suite.yml will resolve to a path outside of the link's directory, but within the role
role/handlers/../tasks/utils/suite.yml
the resolved path relative to the role is tasks/utils/suite.yml, but if the symlink is set to that value, tarfile would extract it from role/handlers/tasks/utils/suite.yml
* Replace overly forgiving test case with tests for a symlink in a subdirectory of the archive and a symlink in the archive dir when these are not equivalent.
* Build test case from role files to make it easier to add test cases
Fixes#82702Fixes#81965Fixes#82051
(cherry picked from commit e84240db84)
When using winrm over HTTP with message encryption enabled and a task
has timed out the connection plugin will fail to cleanup the WinRM
command. This will change that exception into a warning as a timeout is
already an exception event and a failure to clean the operation should
not override the timeout error shown.
(cherry picked from commit 8aecd1f9b2)
Set the tarfile attribute to a normalized value from unfrackpath instead
of validating path parts and omiting potentially invald parts
Allow tarfile paths/links containing '..', '$', '~' as long as the
normalized realpath is in the tarfile's role directory
(cherry picked from commit 3a42a00368)
* Allow older pickle protocols to pickle unsafe classes. Fixes#82356
* Address issues when iterating or getting single index from AnsibleUnsafeBytes. Fixes#82375
* clog frag
(cherry picked from commit afe3fc1)
* [backport-2.14] Add FreeBSD 13.2 to ansible-test (#80698)
(cherry picked from commit d12aa7f69c)
* [backport-2.14] remove Freebsd 13.1 from test matrix (#81058)
* remove Freebsd 13.1 from test matrix
fixes#80416
Co-authored-by: Matt Clay <matt@mystile.com>
(cherry picked from commit 534f688a53)
* Revert to the original Python versions for the branch
Co-authored-by: Matt Martz <matt@sivel.net>
---------
Co-authored-by: Brian Coca <bcoca@users.noreply.github.com>
Co-authored-by: Matt Martz <matt@sivel.net>
* [backport][stable-2.14] 🧪 Replace GitHub SVN integration test with local TLS
PR #82334
* Run svn integration test locally with TLS
This patch uses a `trustme` to make an ephemeral CA, and server, and
client TLS artifacts for testing. These are integrated into the Apache
web server via it's `mod_ssl`.
Resolves#82207
* Replace GitHub SVN HTTPS URL w/ localhost over TLS
This change gets rid of the need to use GitHub, which is just about to
drop support for SVN [[1]]. Moreover, it eliminates the need to use
external network for any SVN commands in the test.
[1]: https://github.blog/2023-01-20-sunsetting-subversion-support/
(cherry picked from commit dd0138ba21)
* Implement compat w/ opensuse15, centos7 & rhel7/8
* Ensure that unsafe is more difficult to lose
* Add Task.untemplated_args, and switch assert over to use it
* Don't use re in first_found, switch to using native string methods
* If nested templating results in unsafe, just error, don't continue
(cherry picked from commit 586f1924512b01305f896d9ae4732773023013a3)
* ci_complete
- Remove dependency on the htpasswd module (and thus passlib)
- Fix setup/teardown of the httpd process
- Fix cleanup of temporary directories.
(cherry picked from commit 09d943445c)
Co-authored-by: Matt Clay <matt@mystile.com>
* Python 3.11.4 introduces a new parameter 'filter' in extract and
extractall in tarfile. Handle deprecation warning message emitted
in Python 3.12.
* added probing mechanism in ansible-galaxy code to detect broken
data filter implementation in tarfile.
Fixes: #80832
(cherry picked from commit 1cc5efa)
Co-authored-by: Abhijeet Kasurde <akasurde@redhat.com>
* Clean up MANIFEST.in (#80688)
* Remove unnecessary MANIFEST.in commands
This eliminates more setuptools warnings during build.
* Sort MANIFEST.in
Now that only include commands are used, the order of the commands no longer effects the build output.
(cherry picked from commit 6e325d9e4d)
* Omit hacking directory from MANIFEST.in (#81245)
* Omit `hacking` directory from `MANIFEST.in`
* Update package-data sanity test
(cherry picked from commit b93a628aed)
* Remove straight.plugin dependency (#80084)
(cherry picked from commit f587856beb)
* Update package-data sanity test (#80344)
The test no longer relies on the Makefile.
(cherry picked from commit 46362bbd27)
* Remove obsolete release bits (#80347)
Releases are now built using the `packaging/release.py` tool.
This makes the `Makefile` and associated files in `packaging/release/` and `packaging/sdist/` obsolete.
* Use --no-isolation for package-data sanity test (#80377)
The dependencies are already in the sanity test venv. This avoids use of unpinned dependencies and a dependency on a network connection.
(cherry picked from commit 7fcb9960e6)
* Set the minimum setuptools to 45.2.0 (#80649)
Also update the package-data sanity test to use the minimum setuptools version.
(cherry picked from commit 4d25e3d54f)
* Use package_data instead of include_package_data (#80652)
This resolves warnings generated by setuptools such as the following:
_Warning: Package 'ansible.galaxy.data' is absent from the `packages` configuration.
(cherry picked from commit 5ac292e12d)
* Fix os.walk issues in package-data sanity test (#80703)
* Remove `docs` and `examples` directories (#81011)
* Remove docs dir
* Updates to reflect docs removal
* Fix integration test
* Remove examples dir
* Updates to reflect examples removal
* Remove build_library and build-ansible.py
* Remove refs to build_library and build-ansible.py
* Remove obsolete template
* Remove obsolete template reference
* Remove the now obsolete rstcheck sanity test
(cherry picked from commit 72e038e823)
* Omit pre-built man pages from sdist (#81395)
Since man pages aren't accessible to users after a `pip install`, there's no need to include them in the sdist.
This change makes it trivial to build man pages from source, which makes them much easier to iterate on.
It also simplifies creation and testing of the sdist, since it no longer requires building man pages.
The new `packaging/cli-doc/build.py` script can generate both man pages and RST documentation.
This supports inclusion on the docs site without a dependency on `ansible-core` internals.
Having a single implementation for both simplifies keeping the two formats in sync.
(cherry picked from commit 691c8e8603)
Sloane Hertel