ansible-core 2.17.13rc1__py3-none-any.whl → 2.17.14rc1__py3-none-any.whl

ansible/module_utils/ansible_release.py

@@ -17,6 +17,6 @@
 
 from __future__ import annotations
 
-__version__ = '2.17.13rc1'
+__version__ = '2.17.14rc1'
 __author__ = 'Ansible, Inc.'
 __codename__ = "Gallows Pole"

ansible/release.py

@@ -17,6 +17,6 @@
 
 from __future__ import annotations
 
-__version__ = '2.17.13rc1'
+__version__ = '2.17.14rc1'
 __author__ = 'Ansible, Inc.'
 __codename__ = "Gallows Pole"

{ansible_core-2.17.13rc1.dist-info → ansible_core-2.17.14rc1.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: ansible-core
-Version: 2.17.13rc1
+Version: 2.17.14rc1
 Summary: Radically simple IT automation
 Home-page: https://ansible.com/
 Author: Ansible, Inc.

{ansible_core-2.17.13rc1.dist-info → ansible_core-2.17.14rc1.dist-info}/RECORD

@@ -3,7 +3,7 @@ ansible/__main__.py,sha256=EnLcULXNtSXkuJ8igEHPPLBTZKAwqXv4PvMEhvzp2Oo,1430
 ansible/constants.py,sha256=vRwEcoynqtuKDPKsxKUY94XzrTSV3J0y1slb907DioU,9140
 ansible/context.py,sha256=oKYyfjfWpy8vDeProtqfnqSmuij_t75_5e5t0U_hQ1g,1933
 ansible/keyword_desc.yml,sha256=vE9joFgSeHR4Djl7Bd-HHVCrGByRCrTUmWYZ8LKPZKk,7412
-ansible/release.py,sha256=Q-TERToixG2swT8doxEg0dJU0XnVhrRi-6iNjeizmLk,836
+ansible/release.py,sha256=uy2FZVAk8RGRrhMFnOC8NXgkrzn3OxSZCCtWww_PpTk,836
 ansible/_vendor/__init__.py,sha256=2QBeBwT7uG7M3Aw-pIdCpt6XPtHMCpbEKfACYKA7xIg,2033
 ansible/cli/__init__.py,sha256=fzgR82NIGBH3GujIMehhAaP4KYszn4uztuCaFYRUpGk,28718
 ansible/cli/adhoc.py,sha256=quJ9WzRzf3dz_dtDGmahNMffqyNVy1jzQCMo21YL5Qg,8194
@@ -140,7 +140,7 @@ ansible/inventory/host.py,sha256=PDb5OTplhfpUIvdHiP2BckUOB1gUl302N-3sW0_sTyg,503
 ansible/inventory/manager.py,sha256=45mHgZTAkQ3IjAtrgsNzJXvynC-HIEor-JJE-V3xXN4,29454
 ansible/module_utils/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 ansible/module_utils/_text.py,sha256=VkWgAnSNVCbTQqZgllUObBFsH3uM4EUW5srl1UR9t1g,544
-ansible/module_utils/ansible_release.py,sha256=Q-TERToixG2swT8doxEg0dJU0XnVhrRi-6iNjeizmLk,836
+ansible/module_utils/ansible_release.py,sha256=uy2FZVAk8RGRrhMFnOC8NXgkrzn3OxSZCCtWww_PpTk,836
 ansible/module_utils/api.py,sha256=DWIuLW5gDWuyyDHLLgGnub42Qa8kagDdkf1xDeLAFl4,5784
 ansible/module_utils/basic.py,sha256=UcDamm_6bkL3HXxKvQcSUlzDOHkIlvd8AYGuqJNmZeI,86113
 ansible/module_utils/connection.py,sha256=q_BdUaST6E44ltHsWPOFOheXK9vKmzaJvP-eQOrOrmE,8394
@@ -678,14 +678,14 @@ ansible/vars/hostvars.py,sha256=o11xrzDVYn23renGbb3lx3R-nH9qOjLFju5IYJanDxg,5324
 ansible/vars/manager.py,sha256=Yuo51lu4UVfzxMS63zYtZMcI8iFYgLXtg0p8fnq3Y7E,38871
 ansible/vars/plugins.py,sha256=RsRU9fiLcJwPIAyTYnmVZglsiEOMCIgQskflavE-XnE,4546
 ansible/vars/reserved.py,sha256=Tsc4m2UwVce3dOvSWrjT2wB3lpNJtUyNZn45zNhsW0I,2869
-ansible_core-2.17.13rc1.data/scripts/ansible-test,sha256=dyY2HtRZotRQO3b89HGXY_KnJgBvgsm4eLIe4B2LUoA,1637
-ansible_core-2.17.13rc1.dist-info/licenses/COPYING,sha256=OXLcl0T2SZ8Pmy2_dmlvKuetivmyPd5m1q-Gyd-zaYY,35149
+ansible_core-2.17.14rc1.data/scripts/ansible-test,sha256=dyY2HtRZotRQO3b89HGXY_KnJgBvgsm4eLIe4B2LUoA,1637
+ansible_core-2.17.14rc1.dist-info/licenses/COPYING,sha256=OXLcl0T2SZ8Pmy2_dmlvKuetivmyPd5m1q-Gyd-zaYY,35149
 ansible_test/__init__.py,sha256=20VPOj11c6Ut1Av9RaurgwJvFhMqkWG3vAvcCbecNKw,66
 ansible_test/_data/ansible.cfg,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 ansible_test/_data/coveragerc,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 ansible_test/_data/completion/docker.txt,sha256=ddsWorTETn1pF9n5coT-tVRC1Hizf9vp6_q0t28S3I0,642
 ansible_test/_data/completion/network.txt,sha256=BxVN0UxlVkRUrPi9MBArQOe6nR8exaow0oCAznUdfKQ,100
-ansible_test/_data/completion/remote.txt,sha256=cEpnoSjuxrIk8rgxRninhOjtWrYJ3UergVZA29Xibfk,918
+ansible_test/_data/completion/remote.txt,sha256=Diq2dsppMJCspO6m_eVJy3xdSKHCQwgoCVauyfIVtbw,914
 ansible_test/_data/completion/windows.txt,sha256=LunFLE7xMeoS9TVDuE58nUBVzsz-Wh-9wfL80mGiUmo,147
 ansible_test/_data/playbooks/posix_coverage_setup.yml,sha256=PgQNVzVTsNmfnu0sT2SAYiWtkMSOppfmh0oVmAsb7TQ,594
 ansible_test/_data/playbooks/posix_coverage_teardown.yml,sha256=xHci5QllwJymFtig-hsOXm-Wdrxz063JH14aIyRXhyc,212
@@ -741,7 +741,7 @@ ansible_test/_internal/connections.py,sha256=-gK9FqvmpsjENdYNkvWgFgqYHJSS_F2XkvQ
 ansible_test/_internal/constants.py,sha256=djMgWI_xR1Yg6M9Au8dEtao6yTYIzeLA-Ctxb1sKnHg,2056
 ansible_test/_internal/containers.py,sha256=8uRbrDtQKJznPYHbrCDuxZI0teyhcL8qT3mAO2M_DU8,33905
 ansible_test/_internal/content_config.py,sha256=QKR_XVBgYRNZL-XawF2pN2ERTZ6lSm1AJg9ZQRD6IHE,5588
-ansible_test/_internal/core_ci.py,sha256=pyiwFG_TgDSQw34qW-PG8T2VYS6XxiF0zOEWGYXRRek,17309
+ansible_test/_internal/core_ci.py,sha256=9RQU92QfSlEPcf9Wet8c3UWmZGrkmZCMQrT1h51iQuk,17976
 ansible_test/_internal/coverage_util.py,sha256=p8zcoN6DyyNcLWHzAOtGMeN_6BHTCD1jR9Hm-g-IPIY,9332
 ansible_test/_internal/data.py,sha256=OFDpRa47yqBqQO1aSvTZVQQpScHvBHsr861586MQEUI,11184
 ansible_test/_internal/delegation.py,sha256=D8hluDQf_YN3DtVG_8HW0iumRBY3gjp_zP-rlc3VNY4,13418
@@ -751,7 +751,7 @@ ansible_test/_internal/encoding.py,sha256=E61EfXbQw0uQoFhbN3SYx3Oy_1tAMCPAAvY9hk
 ansible_test/_internal/executor.py,sha256=KW5yI-f-giErQ077MTj707fTtFkf_Kr8IV_Nr36NNmc,2959
 ansible_test/_internal/git.py,sha256=njtciWq2DlzZ1DAkQi08HRRP-TgH0mgeGZsWcsJGctI,4366
 ansible_test/_internal/host_configs.py,sha256=0S6EfSE2QMkOi4-ySxM6A4hlGxfb3aSjJKUHOC4wiwM,18283
-ansible_test/_internal/host_profiles.py,sha256=vvkstqitZwxE1TCShJmsot_trcmWl45TyG5sBazpFrE,65489
+ansible_test/_internal/host_profiles.py,sha256=auM8hVRk-1lxNlM1llz6BlOJv5lft2dfBfO1kFnt1Iw,65581
 ansible_test/_internal/http.py,sha256=ENuIPnBXIuvgDSxC-r5eOxfGzscxB6MOVJzT4OQXQSA,3864
 ansible_test/_internal/init.py,sha256=f2ZN7F-FyjMgN73SUgxwbVtWNhkJv7BIlZ-q4ALHyjM,505
 ansible_test/_internal/inventory.py,sha256=c79s-xc1uv2nD7rPISv0JKkKspY-X2-kHoozF2R4e1Q,5408
@@ -760,7 +760,7 @@ ansible_test/_internal/junit_xml.py,sha256=5op7cjGK7Et0OSjcAAuUEqNWNAv5ZoNI0rkLx
 ansible_test/_internal/locale_util.py,sha256=tjRbwKmgMQc1ysIhvP8yBhFcNA-2UCaWfQBDgrRFUxU,2161
 ansible_test/_internal/metadata.py,sha256=c9ThXPUlgeKYhaTUmfCSS4INRNQ1JhN2KEOVaX3m1Gk,4791
 ansible_test/_internal/payload.py,sha256=1Pw05OEHvP3LMQnoLXch8631c94YMklWlpDn0CvQECw,8012
-ansible_test/_internal/provisioning.py,sha256=9Zl3xQqljx0MGDTp55Q4LZPWQ7Afj5K87cGsXzPGS5Y,7320
+ansible_test/_internal/provisioning.py,sha256=owGvyyBmMjtdAw0x41X9qYtOJnkvskpQRcpJ-pmLwlo,7409
 ansible_test/_internal/pypi_proxy.py,sha256=1y21FjIyzXMdbFFWiOQWr3BocxXTsavw_NCagSkD0uM,6019
 ansible_test/_internal/python_requirements.py,sha256=tilVPxEthIWBYd7PGx89cVyYX_Ahy9CVxlJ10PfkzUU,15672
 ansible_test/_internal/ssh.py,sha256=WeVvn3ReHmjg6Im5BdSBRl1YIj1lOmi71jO9T5fTkik,10781
@@ -768,12 +768,12 @@ ansible_test/_internal/target.py,sha256=Whtb_n0jn4zbiMmX7je5jewgzsRczfXRm_ndYtjT
 ansible_test/_internal/test.py,sha256=znQmGjKACqDU8T0EAPqcv2qyy0J7M2w4OmyYhwHLqT0,14515
 ansible_test/_internal/thread.py,sha256=WQoZ2q2ljmEkKHRDkIqwxW7eZbkCKDrG3YZfcaxHzHw,2596
 ansible_test/_internal/timeout.py,sha256=hT-LirImhAh1iCGIh8JpmECXsiGu6Zetw8BWl1iBIC8,4050
-ansible_test/_internal/util.py,sha256=1_yTfH0t0dfa77EZvY1wnkQ6rgTdSRUQL9oCuRWrD00,37832
+ansible_test/_internal/util.py,sha256=dkDOAbm3e9IxvMDTta23hCxlca3dpq10pVP2QK-clmc,37859
 ansible_test/_internal/util_common.py,sha256=W5mkR0sevcyMWsMPYcpxRN-b8It8N9g6PqkophHCI9U,17385
 ansible_test/_internal/venv.py,sha256=k7L9_Ocpsdwp4kQFLF59BVguymd2nqJ-bLHH1NlMET0,5521
-ansible_test/_internal/ci/__init__.py,sha256=QOaC_8_wUzqFEbsFCXYAnElWoUo6gB40CXvP9RJ-Iyo,7738
-ansible_test/_internal/ci/azp.py,sha256=YTTDiAX26kskOP2RSZtu_bIQKIK_grMbGesOsS_55QA,10137
-ansible_test/_internal/ci/local.py,sha256=E4nnerMKdBoVEbsT8IBkl0nSdXyxO2gT8WAaxyzA1EY,6739
+ansible_test/_internal/ci/__init__.py,sha256=wFAyQVsPJbHEI94EN3F3yLBP8aZ4Zlm4U1jka0U8Z8M,4683
+ansible_test/_internal/ci/azp.py,sha256=i2Th7ZWJhefYR2oxcsK8ZlU11xXtMbCJBjBQa3kAj_8,10104
+ansible_test/_internal/ci/local.py,sha256=Yd2fqBs9KcbnF-TEx9PyEslCNF69WNUlM5Bm3-vzq9c,9905
 ansible_test/_internal/classification/__init__.py,sha256=ZhYq3YHtd5iO8yFWcnWqwg_JIGWOYHmFoxwoUzKrZmM,34199
 ansible_test/_internal/classification/common.py,sha256=jd5VLRegcOX-GNTZqN_7PBzwKF6akFQYsPEltfynGtU,894
 ansible_test/_internal/classification/csharp.py,sha256=3QpVZjamTTG7h86oeVm7d4UMbyojPbBALHVqCpxS1ic,3241
@@ -959,7 +959,7 @@ ansible_test/_util/target/pytest/plugins/ansible_pytest_collections.py,sha256=vn
 ansible_test/_util/target/pytest/plugins/ansible_pytest_coverage.py,sha256=RAEMJ4N88UhwlCcD3gRG78ERb12uW2FMYI4j1tOiEhU,1546
 ansible_test/_util/target/sanity/compile/compile.py,sha256=iTRgiZHNO8DwjSqHBw8gPBbFtWnr-Zbd_ybymeazdtA,1302
 ansible_test/_util/target/sanity/import/importer.py,sha256=BLQN6NmdaMgbI6mu_AdkL4AeD5LxYUi-JXEBGJTuhnU,25148
-ansible_test/_util/target/setup/bootstrap.sh,sha256=X95GFGRuW9cPBMUgZDH4L_0QMWnrOoqBjCRl0L3rt3M,13299
+ansible_test/_util/target/setup/bootstrap.sh,sha256=ZXMU6ps2bfZYnumw7OZ-4Zbr7erVsBf6qqSb95ZGsOo,12848
 ansible_test/_util/target/setup/check_systemd_cgroup_v1.sh,sha256=Aq0T62x_KLtkGaWzYqWjvhchTqYFflrTbQET3h6xrT0,395
 ansible_test/_util/target/setup/probe_cgroups.py,sha256=wUHvjW_GXpcyMGw308w26T09cOtBW5EU7i9WagGDQ7o,659
 ansible_test/_util/target/setup/quiet_pip.py,sha256=d3bvh9k2XI_z8-vb3ZoI4lwL8LaFkwvjJE7PpApBlcw,1979
@@ -980,8 +980,8 @@ ansible_test/config/cloud-config-vultr.ini.template,sha256=XLKHk3lg_8ReQMdWfZzhh
 ansible_test/config/config.yml,sha256=wb3knoBmZewG3GWOMnRHoVPQWW4vPixKLPMNS6vJmTc,2620
 ansible_test/config/inventory.networking.template,sha256=bFNSk8zNQOaZ_twaflrY0XZ9mLwUbRLuNT0BdIFwvn4,1335
 ansible_test/config/inventory.winrm.template,sha256=1QU8W-GFLnYEw8yY9bVIvUAVvJYPM3hyoijf6-M7T00,1098
-ansible_core-2.17.13rc1.dist-info/METADATA,sha256=g1dSnlWTSzMpDIuKRw4a-nUOCVnCiqVlGzL-8GYLIPM,6991
-ansible_core-2.17.13rc1.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
-ansible_core-2.17.13rc1.dist-info/entry_points.txt,sha256=0mpmsrIhODChxKl3eS-NcVQCaMetBn8KdPLtVxQgR64,453
-ansible_core-2.17.13rc1.dist-info/top_level.txt,sha256=IFbRLjAvih1DYzJWg3_F6t4sCzEMxRO7TOMNs6GkYHo,21
-ansible_core-2.17.13rc1.dist-info/RECORD,,
+ansible_core-2.17.14rc1.dist-info/METADATA,sha256=gQ_JZpOu3czuT-G_edIR9-z4GPZRlOREJsByiU_IQqM,6991
+ansible_core-2.17.14rc1.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
+ansible_core-2.17.14rc1.dist-info/entry_points.txt,sha256=0mpmsrIhODChxKl3eS-NcVQCaMetBn8KdPLtVxQgR64,453
+ansible_core-2.17.14rc1.dist-info/top_level.txt,sha256=IFbRLjAvih1DYzJWg3_F6t4sCzEMxRO7TOMNs6GkYHo,21
+ansible_core-2.17.14rc1.dist-info/RECORD,,

ansible_test/_data/completion/remote.txt

@@ -2,7 +2,7 @@ alpine/3.19 python=3.11 become=doas_sudo provider=aws arch=x86_64
 alpine become=doas_sudo provider=aws arch=x86_64
 fedora/39 python=3.12 become=sudo provider=aws arch=x86_64
 fedora become=sudo provider=aws arch=x86_64
-freebsd/13.3 python=3.9,3.11 python_dir=/usr/local/bin become=su_sudo provider=aws arch=x86_64
+freebsd/13.5 python=3.11 python_dir=/usr/local/bin become=su_sudo provider=aws arch=x86_64
 freebsd/14.1 python=3.9,3.11 python_dir=/usr/local/bin become=su_sudo provider=aws arch=x86_64
 freebsd python_dir=/usr/local/bin become=su_sudo provider=aws arch=x86_64
 macos/14.3 python=3.11 python_dir=/usr/local/bin become=sudo provider=parallels arch=x86_64

ansible_test/_internal/ci/__init__.py

@@ -2,22 +2,13 @@
 from __future__ import annotations
 
 import abc
-import base64
+import dataclasses
+import datetime
 import json
-import os
+import pathlib
 import tempfile
 import typing as t
 
-from ..encoding import (
-    to_bytes,
-    to_text,
-)
-
-from ..io import (
-    read_text_file,
-    write_text_file,
-)
-
 from ..config import (
     CommonConfig,
     TestConfig,
@@ -33,6 +24,65 @@ from ..util import (
 )
 
 
+@dataclasses.dataclass(frozen=True, kw_only=True)
+class AuthContext:
+    """Information about the request to which authentication will be applied."""
+
+    stage: str
+    provider: str
+    request_id: str
+
+
+class AuthHelper:
+    """Authentication helper."""
+
+    NAMESPACE: t.ClassVar = 'ci@core.ansible.com'
+
+    def __init__(self, key_file: pathlib.Path) -> None:
+        self.private_key_file = pathlib.Path(str(key_file).removesuffix('.pub'))
+        self.public_key_file = pathlib.Path(f'{self.private_key_file}.pub')
+
+    def sign_request(self, request: dict[str, object], context: AuthContext) -> None:
+        """Sign the given auth request using the provided context."""
+        request.update(
+            stage=context.stage,
+            provider=context.provider,
+            request_id=context.request_id,
+            timestamp=datetime.datetime.now(tz=datetime.timezone.utc).replace(microsecond=0).isoformat(),
+        )
+
+        with tempfile.TemporaryDirectory() as temp_dir:
+            payload_path = pathlib.Path(temp_dir) / 'auth.json'
+            payload_path.write_text(json.dumps(request, sort_keys=True))
+
+            cmd = ['ssh-keygen', '-q', '-Y', 'sign', '-f', str(self.private_key_file), '-n', self.NAMESPACE, str(payload_path)]
+            raw_command(cmd, capture=False, interactive=True)
+
+            signature_path = pathlib.Path(f'{payload_path}.sig')
+            signature = signature_path.read_text()
+
+        request.update(signature=signature)
+
+
+class GeneratingAuthHelper(AuthHelper, metaclass=abc.ABCMeta):
+    """Authentication helper which generates a key pair on demand."""
+
+    def __init__(self) -> None:
+        super().__init__(pathlib.Path('~/.ansible/test/ansible-core-ci').expanduser())
+
+    def sign_request(self, request: dict[str, object], context: AuthContext) -> None:
+        if not self.private_key_file.exists():
+            self.generate_key_pair()
+
+        super().sign_request(request, context)
+
+    def generate_key_pair(self) -> None:
+        """Generate key pair."""
+        self.private_key_file.parent.mkdir(parents=True, exist_ok=True)
+
+        raw_command(['ssh-keygen', '-q', '-f', str(self.private_key_file), '-N', ''], capture=True)
+
+
 class ChangeDetectionNotSupported(ApplicationError):
     """Exception for cases where change detection is not supported."""
 
@@ -74,8 +124,8 @@ class CIProvider(metaclass=abc.ABCMeta):
         """Return True if Ansible Core CI is supported."""
 
     @abc.abstractmethod
-    def prepare_core_ci_auth(self) -> dict[str, t.Any]:
-        """Return authentication details for Ansible Core CI."""
+    def prepare_core_ci_request(self, config: dict[str, object], context: AuthContext) -> dict[str, object]:
+        """Prepare an Ansible Core CI request using the given config and context."""
 
     @abc.abstractmethod
     def get_git_details(self, args: CommonConfig) -> t.Optional[dict[str, t.Any]]:
@@ -100,119 +150,3 @@ def get_ci_provider() -> CIProvider:
         display.info('Detected CI provider: %s' % provider.name)
 
     return provider
-
-
-class AuthHelper(metaclass=abc.ABCMeta):
-    """Public key based authentication helper for Ansible Core CI."""
-
-    def sign_request(self, request: dict[str, t.Any]) -> None:
-        """Sign the given auth request and make the public key available."""
-        payload_bytes = to_bytes(json.dumps(request, sort_keys=True))
-        signature_raw_bytes = self.sign_bytes(payload_bytes)
-        signature = to_text(base64.b64encode(signature_raw_bytes))
-
-        request.update(signature=signature)
-
-    def initialize_private_key(self) -> str:
-        """
-        Initialize and publish a new key pair (if needed) and return the private key.
-        The private key is cached across ansible-test invocations, so it is only generated and published once per CI job.
-        """
-        path = os.path.expanduser('~/.ansible-core-ci-private.key')
-
-        if os.path.exists(to_bytes(path)):
-            private_key_pem = read_text_file(path)
-        else:
-            private_key_pem = self.generate_private_key()
-            write_text_file(path, private_key_pem)
-
-        return private_key_pem
-
-    @abc.abstractmethod
-    def sign_bytes(self, payload_bytes: bytes) -> bytes:
-        """Sign the given payload and return the signature, initializing a new key pair if required."""
-
-    @abc.abstractmethod
-    def publish_public_key(self, public_key_pem: str) -> None:
-        """Publish the given public key."""
-
-    @abc.abstractmethod
-    def generate_private_key(self) -> str:
-        """Generate a new key pair, publishing the public key and returning the private key."""
-
-
-class CryptographyAuthHelper(AuthHelper, metaclass=abc.ABCMeta):
-    """Cryptography based public key based authentication helper for Ansible Core CI."""
-
-    def sign_bytes(self, payload_bytes: bytes) -> bytes:
-        """Sign the given payload and return the signature, initializing a new key pair if required."""
-        # import cryptography here to avoid overhead and failures in environments which do not use/provide it
-        from cryptography.hazmat.backends import default_backend
-        from cryptography.hazmat.primitives import hashes
-        from cryptography.hazmat.primitives.asymmetric import ec
-        from cryptography.hazmat.primitives.serialization import load_pem_private_key
-
-        private_key_pem = self.initialize_private_key()
-        private_key = load_pem_private_key(to_bytes(private_key_pem), None, default_backend())
-
-        assert isinstance(private_key, ec.EllipticCurvePrivateKey)
-
-        signature_raw_bytes = private_key.sign(payload_bytes, ec.ECDSA(hashes.SHA256()))
-
-        return signature_raw_bytes
-
-    def generate_private_key(self) -> str:
-        """Generate a new key pair, publishing the public key and returning the private key."""
-        # import cryptography here to avoid overhead and failures in environments which do not use/provide it
-        from cryptography.hazmat.backends import default_backend
-        from cryptography.hazmat.primitives import serialization
-        from cryptography.hazmat.primitives.asymmetric import ec
-
-        private_key = ec.generate_private_key(ec.SECP384R1(), default_backend())
-        public_key = private_key.public_key()
-
-        private_key_pem = to_text(private_key.private_bytes(  # type: ignore[attr-defined]  # documented method, but missing from type stubs
-            encoding=serialization.Encoding.PEM,
-            format=serialization.PrivateFormat.PKCS8,
-            encryption_algorithm=serialization.NoEncryption(),
-        ))
-
-        public_key_pem = to_text(public_key.public_bytes(
-            encoding=serialization.Encoding.PEM,
-            format=serialization.PublicFormat.SubjectPublicKeyInfo,
-        ))
-
-        self.publish_public_key(public_key_pem)
-
-        return private_key_pem
-
-
-class OpenSSLAuthHelper(AuthHelper, metaclass=abc.ABCMeta):
-    """OpenSSL based public key based authentication helper for Ansible Core CI."""
-
-    def sign_bytes(self, payload_bytes: bytes) -> bytes:
-        """Sign the given payload and return the signature, initializing a new key pair if required."""
-        private_key_pem = self.initialize_private_key()
-
-        with tempfile.NamedTemporaryFile() as private_key_file:
-            private_key_file.write(to_bytes(private_key_pem))
-            private_key_file.flush()
-
-            with tempfile.NamedTemporaryFile() as payload_file:
-                payload_file.write(payload_bytes)
-                payload_file.flush()
-
-                with tempfile.NamedTemporaryFile() as signature_file:
-                    raw_command(['openssl', 'dgst', '-sha256', '-sign', private_key_file.name, '-out', signature_file.name, payload_file.name], capture=True)
-                    signature_raw_bytes = signature_file.read()
-
-        return signature_raw_bytes
-
-    def generate_private_key(self) -> str:
-        """Generate a new key pair, publishing the public key and returning the private key."""
-        private_key_pem = raw_command(['openssl', 'ecparam', '-genkey', '-name', 'secp384r1', '-noout'], capture=True)[0]
-        public_key_pem = raw_command(['openssl', 'ec', '-pubout'], data=private_key_pem, capture=True)[0]
-
-        self.publish_public_key(public_key_pem)
-
-        return private_key_pem

ansible_test/_internal/ci/azp.py

@@ -30,9 +30,10 @@ from ..util import (
 )
 
 from . import (
+    AuthContext,
     ChangeDetectionNotSupported,
     CIProvider,
-    CryptographyAuthHelper,
+    GeneratingAuthHelper,
 )
 
 CODE = 'azp'
@@ -111,10 +112,11 @@ class AzurePipelines(CIProvider):
         """Return True if Ansible Core CI is supported."""
         return True
 
-    def prepare_core_ci_auth(self) -> dict[str, t.Any]:
-        """Return authentication details for Ansible Core CI."""
+    def prepare_core_ci_request(self, config: dict[str, object], context: AuthContext) -> dict[str, object]:
         try:
-            request = dict(
+            request: dict[str, object] = dict(
+                type="azp:ssh",
+                config=config,
                 org_name=os.environ['SYSTEM_COLLECTIONURI'].strip('/').split('/')[-1],
                 project_name=os.environ['SYSTEM_TEAMPROJECT'],
                 build_id=int(os.environ['BUILD_BUILDID']),
@@ -123,13 +125,9 @@ class AzurePipelines(CIProvider):
         except KeyError as ex:
             raise MissingEnvironmentVariable(name=ex.args[0]) from None
 
-        self.auth.sign_request(request)
+        self.auth.sign_request(request, context)
 
-        auth = dict(
-            azp=request,
-        )
-
-        return auth
+        return request
 
     def get_git_details(self, args: CommonConfig) -> t.Optional[dict[str, t.Any]]:
         """Return details about git in the current environment."""
@@ -143,14 +141,14 @@ class AzurePipelines(CIProvider):
         return details
 
 
-class AzurePipelinesAuthHelper(CryptographyAuthHelper):
-    """
-    Authentication helper for Azure Pipelines.
-    Based on cryptography since it is provided by the default Azure Pipelines environment.
-    """
+class AzurePipelinesAuthHelper(GeneratingAuthHelper):
+    """Authentication helper for Azure Pipelines."""
+
+    def generate_key_pair(self) -> None:
+        super().generate_key_pair()
+
+        public_key_pem = self.public_key_file.read_text()
 
-    def publish_public_key(self, public_key_pem: str) -> None:
-        """Publish the given public key."""
         try:
             agent_temp_directory = os.environ['AGENT_TEMPDIRECTORY']
         except KeyError as ex:

ansible_test/_internal/ci/local.py

@@ -1,10 +1,12 @@
 """Support code for working without a supported CI provider."""
 from __future__ import annotations
 
-import os
+import abc
+import inspect
 import platform
 import random
 import re
+import pathlib
 import typing as t
 
 from ..config import (
@@ -23,11 +25,14 @@ from ..git import (
 from ..util import (
     ApplicationError,
     display,
+    get_subclasses,
     is_binary_file,
     SubprocessError,
 )
 
 from . import (
+    AuthContext,
+    AuthHelper,
     CIProvider,
 )
 
@@ -119,34 +124,20 @@ class Local(CIProvider):
 
     def supports_core_ci_auth(self) -> bool:
         """Return True if Ansible Core CI is supported."""
-        path = self._get_aci_key_path()
-        return os.path.exists(path)
+        return Authenticator.available()
 
-    def prepare_core_ci_auth(self) -> dict[str, t.Any]:
-        """Return authentication details for Ansible Core CI."""
-        path = self._get_aci_key_path()
-        auth_key = read_text_file(path).strip()
+    def prepare_core_ci_request(self, config: dict[str, object], context: AuthContext) -> dict[str, object]:
+        if not (authenticator := Authenticator.load()):
+            raise ApplicationError('Ansible Core CI authentication has not been configured.')
 
-        request = dict(
-            key=auth_key,
-            nonce=None,
-        )
+        display.info(f'Using {authenticator} for Ansible Core CI.', verbosity=1)
 
-        auth = dict(
-            remote=request,
-        )
-
-        return auth
+        return authenticator.prepare_auth_request(config, context)
 
     def get_git_details(self, args: CommonConfig) -> t.Optional[dict[str, t.Any]]:
         """Return details about git in the current environment."""
         return None  # not yet implemented for local
 
-    @staticmethod
-    def _get_aci_key_path() -> str:
-        path = os.path.expanduser('~/.ansible-core-ci.key')
-        return path
-
 
 class InvalidBranch(ApplicationError):
     """Exception for invalid branch specification."""
@@ -213,3 +204,108 @@ class LocalChanges:
             return True
 
         return False
+
+
+class Authenticator(metaclass=abc.ABCMeta):
+    """Base class for authenticators."""
+
+    @staticmethod
+    def list() -> list[type[Authenticator]]:
+        """List all authenticators in priority order."""
+        return sorted((sc for sc in get_subclasses(Authenticator) if not inspect.isabstract(sc)), key=lambda obj: obj.priority())
+
+    @staticmethod
+    def load() -> Authenticator | None:
+        """Load an authenticator instance, returning None if not configured."""
+        for implementation in Authenticator.list():
+            if implementation.config_file().exists():
+                return implementation()
+
+        return None
+
+    @staticmethod
+    def available() -> bool:
+        """Return True if an authenticator is available, otherwise False."""
+        return bool(Authenticator.load())
+
+    @classmethod
+    @abc.abstractmethod
+    def priority(cls) -> int:
+        """Priority used to determine which authenticator is tried first, from lowest to highest."""
+
+    @classmethod
+    @abc.abstractmethod
+    def config_file(cls) -> pathlib.Path:
+        """Path to the config file for this authenticator."""
+
+    @abc.abstractmethod
+    def prepare_auth_request(self, config: dict[str, object], context: AuthContext) -> dict[str, object]:
+        """Prepare an authenticated Ansible Core CI request using the given config and context."""
+
+    def __str__(self) -> str:
+        return self.__class__.__name__
+
+
+class PasswordAuthenticator(Authenticator):
+    """Authenticate using a password."""
+
+    @classmethod
+    def priority(cls) -> int:
+        return 200
+
+    @classmethod
+    def config_file(cls) -> pathlib.Path:
+        return pathlib.Path('~/.ansible-core-ci.key').expanduser()
+
+    def prepare_auth_request(self, config: dict[str, object], context: AuthContext) -> dict[str, object]:
+        parts = self.config_file().read_text().strip().split(maxsplit=1)
+
+        if len(parts) == 1:  # temporary backward compatibility for legacy API keys
+            request = dict(
+                config=config,
+                auth=dict(
+                    remote=dict(
+                        key=parts[0],
+                    ),
+                ),
+            )
+
+            return request
+
+        username, password = parts
+
+        request = dict(
+            type="remote:password",
+            config=config,
+            username=username,
+            password=password,
+        )
+
+        return request
+
+
+class SshAuthenticator(Authenticator):
+    """Authenticate using an SSH key."""
+
+    @classmethod
+    def priority(cls) -> int:
+        return 100
+
+    @classmethod
+    def config_file(cls) -> pathlib.Path:
+        return pathlib.Path('~/.ansible-core-ci.auth').expanduser()
+
+    def prepare_auth_request(self, config: dict[str, object], context: AuthContext) -> dict[str, object]:
+        parts = self.config_file().read_text().strip().split(maxsplit=1)
+        username, key_file = parts
+
+        request: dict[str, object] = dict(
+            type="remote:ssh",
+            config=config,
+            username=username,
+        )
+
+        auth_helper = AuthHelper(pathlib.Path(key_file).expanduser())
+        auth_helper.sign_request(request, context)
+
+        return request

ansible_test/_internal/core_ci.py

@@ -41,6 +41,7 @@ from .config import (
 )
 
 from .ci import (
+    AuthContext,
     get_ci_provider,
 )
 
@@ -67,6 +68,10 @@ class Resource(metaclass=abc.ABCMeta):
     def persist(self) -> bool:
         """True if the resource is persistent, otherwise false."""
 
+    @abc.abstractmethod
+    def get_config(self, core_ci: AnsibleCoreCI) -> dict[str, object]:
+        """Return the configuration for this resource."""
+
 
 @dataclasses.dataclass(frozen=True)
 class VmResource(Resource):
@@ -91,6 +96,16 @@ class VmResource(Resource):
         """True if the resource is persistent, otherwise false."""
         return True
 
+    def get_config(self, core_ci: AnsibleCoreCI) -> dict[str, object]:
+        """Return the configuration for this resource."""
+        return dict(
+            type="vm",
+            platform=self.platform,
+            version=self.version,
+            architecture=self.architecture,
+            public_key=core_ci.ssh_key.pub_contents,
+        )
+
 
 @dataclasses.dataclass(frozen=True)
 class CloudResource(Resource):
@@ -111,6 +126,12 @@ class CloudResource(Resource):
         """True if the resource is persistent, otherwise false."""
         return False
 
+    def get_config(self, core_ci: AnsibleCoreCI) -> dict[str, object]:
+        """Return the configuration for this resource."""
+        return dict(
+            type="cloud",
+        )
+
 
 class AnsibleCoreCI:
     """Client for Ansible Core CI services."""
@@ -188,7 +209,7 @@ class AnsibleCoreCI:
             display.info(f'Skipping started {self.label} instance.', verbosity=1)
             return None
 
-        return self._start(self.ci_provider.prepare_core_ci_auth())
+        return self._start()
 
     def stop(self) -> None:
         """Stop instance."""
@@ -287,26 +308,25 @@ class AnsibleCoreCI:
     def _uri(self) -> str:
         return f'{self.endpoint}/{self.stage}/{self.provider}/{self.instance_id}'
 
-    def _start(self, auth) -> dict[str, t.Any]:
+    def _start(self) -> dict[str, t.Any]:
         """Start instance."""
         display.info(f'Initializing new {self.label} instance using: {self._uri}', verbosity=1)
 
-        data = dict(
-            config=dict(
-                platform=self.platform,
-                version=self.version,
-                architecture=self.arch,
-                public_key=self.ssh_key.pub_contents,
-            )
+        config = self.resource.get_config(self)
+
+        context = AuthContext(
+            request_id=self.instance_id,
+            stage=self.stage,
+            provider=self.provider,
         )
 
-        data.update(auth=auth)
+        request = self.ci_provider.prepare_core_ci_request(config, context)
 
         headers = {
             'Content-Type': 'application/json',
         }
 
-        response = self._start_endpoint(data, headers)
+        response = self._start_endpoint(request, headers)
 
         self.started = True
         self._save()

ansible_test/_internal/host_profiles.py

@@ -245,6 +245,9 @@ class HostProfile(t.Generic[THostConfig], metaclass=abc.ABCMeta):
         self.cache: dict[str, t.Any] = {}
         """Cache that must not be persisted across delegation."""
 
+    def pre_provision(self) -> None:
+        """Pre-provision the host profile."""
+
     def provision(self) -> None:
         """Provision the host before delegation."""
 
@@ -328,8 +331,8 @@ class RemoteProfile(SshTargetHostProfile[TRemoteConfig], metaclass=abc.ABCMeta):
         """The saved Ansible Core CI state."""
         self.state['core_ci'] = value
 
-    def provision(self) -> None:
-        """Provision the host before delegation."""
+    def pre_provision(self) -> None:
+        """Pre-provision the host before delegation."""
         self.core_ci = self.create_core_ci(load=True)
         self.core_ci.start()
 

ansible_test/_internal/provisioning.py

@@ -129,6 +129,9 @@ def prepare_profiles(
 
         ExitHandler.register(functools.partial(cleanup_profiles, host_state))
 
+        for pre_profile in host_state.profiles:
+            pre_profile.pre_provision()
+
         def provision(profile: HostProfile) -> None:
             """Provision the given profile."""
             profile.provision()

ansible_test/_internal/util.py

@@ -638,6 +638,7 @@ def common_environment() -> dict[str, str]:
     optional = (
         'LD_LIBRARY_PATH',
         'SSH_AUTH_SOCK',
+        'SSH_SK_PROVIDER',
         # MacOS High Sierra Compatibility
         # http://sealiesoftware.com/blog/archive/2017/6/5/Objective-C_and_fork_in_macOS_1013.html
         # Example configuration for macOS:

ansible_test/_util/target/setup/bootstrap.sh

@@ -2,6 +2,24 @@
 
 set -eu
 
+retry_init()
+{
+    attempt=0
+}
+
+retry_or_fail()
+{
+    attempt=$((attempt + 1))
+
+    if [ $attempt -gt 5 ]; then
+      echo "Failed to install packages. Giving up."
+      exit 1
+    fi
+
+    echo "Failed to install packages. Sleeping before trying again..."
+    sleep 10
+}
+
 remove_externally_managed_marker()
 {
     "${python_interpreter}" -c '
@@ -26,13 +44,13 @@ install_ssh_keys()
         echo "${ssh_private_key}" > "${ssh_private_key_path}"
 
         # add public key to authorized_keys
-        authoried_keys_path="${HOME}/.ssh/authorized_keys"
+        authorized_keys_path="${HOME}/.ssh/authorized_keys"
 
         # the existing file is overwritten to avoid conflicts (ex: RHEL on EC2 blocks root login)
-        cat "${public_key_path}" > "${authoried_keys_path}"
-        chmod 0600 "${authoried_keys_path}"
+        cat "${public_key_path}" > "${authorized_keys_path}"
+        chmod 0600 "${authorized_keys_path}"
 
-        # add localhost's server keys to known_hosts
+        # add localhost server keys to known_hosts
         known_hosts_path="${HOME}/.ssh/known_hosts"
 
         for key in /etc/ssh/ssh_host_*_key.pub; do
@@ -64,13 +82,13 @@ install_pip() {
                 ;;
         esac
 
+        retry_init
         while true; do
             curl --silent --show-error "${pip_bootstrap_url}" -o /tmp/get-pip.py && \
             "${python_interpreter}" /tmp/get-pip.py --disable-pip-version-check --quiet && \
             rm /tmp/get-pip.py \
             && break
-            echo "Failed to install packages. Sleeping before trying again..."
-            sleep 10
+            retry_or_fail
         done
     fi
 }
@@ -99,21 +117,21 @@ bootstrap_remote_alpine()
             "
     fi
 
+    retry_init
     while true; do
         # shellcheck disable=SC2086
         apk add -q ${packages} \
         && break
-        echo "Failed to install packages. Sleeping before trying again..."
-        sleep 10
+        retry_or_fail
     done
 
     # Upgrade the `libexpat` package to ensure that an upgraded Python (`pyexpat`) continues to work.
+    retry_init
     while true; do
         # shellcheck disable=SC2086
         apk upgrade -q libexpat \
         && break
-        echo "Failed to upgrade libexpat. Sleeping before trying again..."
-        sleep 10
+        retry_or_fail
     done
 }
 
@@ -138,12 +156,12 @@ bootstrap_remote_fedora()
             "
     fi
 
+    retry_init
     while true; do
         # shellcheck disable=SC2086
         dnf install -q -y ${packages} \
         && break
-        echo "Failed to install packages. Sleeping before trying again..."
-        sleep 10
+        retry_or_fail
     done
 }
 
@@ -162,22 +180,14 @@ bootstrap_remote_freebsd()
     if [ "${controller}" ]; then
         jinja2_pkg="py${python_package_version}-jinja2"
         cryptography_pkg="py${python_package_version}-cryptography"
-        pyyaml_pkg="py${python_package_version}-yaml"
+        pyyaml_pkg="py${python_package_version}-pyyaml"
         packaging_pkg="py${python_package_version}-packaging"
 
         # Declare platform/python version combinations which do not have supporting OS packages available.
         # For these combinations ansible-test will use pip to install the requirements instead.
         case "${platform_version}/${python_version}" in
-            13.3/3.9)
-                # defaults above 'just work'TM
-                ;;
-            13.3/3.11)
-                jinja2_pkg=""  # not available
-                cryptography_pkg=""  # not available
-                pyyaml_pkg=""  # not available
-                ;;
-            14.1/3.9)
-                # defaults above 'just work'TM
+            13.5/3.11)
+                # defaults available
                 ;;
             14.1/3.11)
                 cryptography_pkg=""  # not available
@@ -203,13 +213,13 @@ bootstrap_remote_freebsd()
             "
     fi
 
+    retry_init
     while true; do
         # shellcheck disable=SC2086
         env ASSUME_ALWAYS_YES=YES pkg bootstrap && \
         pkg install -q -y ${packages} \
         && break
-        echo "Failed to install packages. Sleeping before trying again..."
-        sleep 10
+        retry_or_fail
     done
 
     install_pip
@@ -290,12 +300,12 @@ bootstrap_remote_rhel_9()
             "
     fi
 
+    retry_init
     while true; do
         # shellcheck disable=SC2086
         dnf install -q -y ${packages} \
         && break
-        echo "Failed to install packages. Sleeping before trying again..."
-        sleep 10
+        retry_or_fail
     done
 }
 
@@ -320,12 +330,12 @@ bootstrap_remote_rhel_10()
             "
     fi
 
+    retry_init
     while true; do
         # shellcheck disable=SC2086
         dnf install -q -y ${packages} \
         && break
-        echo "Failed to install packages. Sleeping before trying again..."
-        sleep 10
+        retry_or_fail
     done
 }
 
@@ -376,13 +386,13 @@ bootstrap_remote_ubuntu()
             "
     fi
 
+    retry_init
     while true; do
         # shellcheck disable=SC2086
         apt-get update -qq -y && \
         DEBIAN_FRONTEND=noninteractive apt-get install -qq -y --no-install-recommends ${packages} \
         && break
-        echo "Failed to install packages. Sleeping before trying again..."
-        sleep 10
+        retry_or_fail
     done
 }