ansible-core 2.18.8__py3-none-any.whl → 2.18.9__py3-none-any.whl

ansible/module_utils/ansible_release.py

@@ -17,6 +17,6 @@
 
 from __future__ import annotations
 
-__version__ = '2.18.8'
+__version__ = '2.18.9'
 __author__ = 'Ansible, Inc.'
 __codename__ = "Fool in the Rain"

ansible/modules/dnf.py

@@ -526,7 +526,10 @@ class DnfModule(YumDnf):
                 conf.config_file_path = conf_file
 
         # Read the configuration file
-        conf.read()
+        try:
+            conf.read()
+        except dnf.exceptions.ConfigError as e:
+            self.module.fail_json(msg=f"Failed to read configuration file: {e}", conf_file=conf_file)
 
         # Turn off debug messages in the output
         conf.debuglevel = 0

ansible/modules/service_facts.py

@@ -209,8 +209,8 @@ class ServiceScanService(BaseService):
 
     def _list_openrc(self, services):
         all_services_runlevels = {}
-        rc, stdout, stderr = self.module.run_command("%s -a -s -m 2>&1 | grep '^ ' | tr -d '[]'" % self.rc_status_path, use_unsafe_shell=True)
-        rc_u, stdout_u, stderr_u = self.module.run_command("%s show -v 2>&1 | grep '|'" % self.rc_update_path, use_unsafe_shell=True)
+        dummy, stdout, dummy = self.module.run_command("%s -a -s -m 2>&1 | grep '^ ' | tr -d '[]'" % self.rc_status_path, use_unsafe_shell=True)
+        dummy, stdout_u, dummy = self.module.run_command("%s show -v 2>&1 | grep '|'" % self.rc_update_path, use_unsafe_shell=True)
         for line in stdout_u.split('\n'):
             line_data = line.split('|')
             if len(line_data) < 2:
@@ -226,8 +226,15 @@ class ServiceScanService(BaseService):
             if len(line_data) < 2:
                 continue
             service_name = line_data[0]
+            # Skip lines which are not service names
+            if service_name == "*":
+                continue
             service_state = line_data[1]
-            service_runlevels = all_services_runlevels[service_name]
+            try:
+                service_runlevels = all_services_runlevels[service_name]
+            except KeyError:
+                self.module.warn(f"Service {service_name} not found in the service list")
+                continue
             service_data = {"name": service_name, "runlevels": service_runlevels, "state": service_state, "source": "openrc"}
             services[service_name] = service_data
 

ansible/modules/user.py

@@ -1376,16 +1376,24 @@ class User(object):
                     self.module.exit_json(failed=True, msg="%s" % to_native(e))
             # get umask from /etc/login.defs and set correct home mode
             if os.path.exists(self.LOGIN_DEFS):
-                with open(self.LOGIN_DEFS, 'r') as f:
-                    for line in f:
-                        m = re.match(r'^UMASK\s+(\d+)$', line)
-                        if m:
-                            umask = int(m.group(1), 8)
+                # fallback if neither HOME_MODE nor UMASK are set;
+                # follow behaviour of useradd initializing UMASK = 022
+                mode = 0o755
+                with open(self.LOGIN_DEFS, 'r') as fh:
+                    for line in fh:
+                        # HOME_MODE has higher precedence as UMASK
+                        match = re.match(r'^HOME_MODE\s+(\d+)$', line)
+                        if match:
+                            mode = int(match.group(1), 8)
+                            break  # higher precedence
+                        match = re.match(r'^UMASK\s+(\d+)$', line)
+                        if match:
+                            umask = int(match.group(1), 8)
                             mode = 0o777 & ~umask
-                            try:
-                                os.chmod(path, mode)
-                            except OSError as e:
-                                self.module.exit_json(failed=True, msg="%s" % to_native(e))
+                try:
+                    os.chmod(path, mode)
+                except OSError as e:
+                    self.module.exit_json(failed=True, msg=to_native(e))
 
     def chown_homedir(self, uid, gid, path):
         try:

ansible/release.py

@@ -17,6 +17,6 @@
 
 from __future__ import annotations
 
-__version__ = '2.18.8'
+__version__ = '2.18.9'
 __author__ = 'Ansible, Inc.'
 __codename__ = "Fool in the Rain"

{ansible_core-2.18.8.dist-info → ansible_core-2.18.9.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: ansible-core
-Version: 2.18.8
+Version: 2.18.9
 Summary: Radically simple IT automation
 Author: Ansible Project
 Project-URL: Homepage, https://ansible.com/

{ansible_core-2.18.8.dist-info → ansible_core-2.18.9.dist-info}/RECORD

@@ -3,7 +3,7 @@ ansible/__main__.py,sha256=24j-7-YT4lZ2fmV80JD-VRoYBnxR7YoP_VP-orJtDt0,796
 ansible/constants.py,sha256=dSgbrzNsmhYc4GQOWZvRm4XKgf--_MUWcMa_9_7l5Pc,9757
 ansible/context.py,sha256=oKYyfjfWpy8vDeProtqfnqSmuij_t75_5e5t0U_hQ1g,1933
 ansible/keyword_desc.yml,sha256=xD-MRMB8mSRaj2ADwRnjIEbOwJKbc6BYadouGPfS0mI,7462
-ansible/release.py,sha256=9gq7Q1GbBxC3GTVQHdxbwP6GkRpZWnuB_EVmsfq6wVc,836
+ansible/release.py,sha256=4LCba40y5QHx9pqj1DjRXtC5vNhixn7NpXSoEakcIJ8,836
 ansible/_vendor/__init__.py,sha256=2QBeBwT7uG7M3Aw-pIdCpt6XPtHMCpbEKfACYKA7xIg,2033
 ansible/cli/__init__.py,sha256=e0KjeLfG1Ketbwl-uOmQ-zXoq3_El80LnHTGu80d1gs,28111
 ansible/cli/adhoc.py,sha256=quJ9WzRzf3dz_dtDGmahNMffqyNVy1jzQCMo21YL5Qg,8194
@@ -141,7 +141,7 @@ ansible/inventory/host.py,sha256=PDb5OTplhfpUIvdHiP2BckUOB1gUl302N-3sW0_sTyg,503
 ansible/inventory/manager.py,sha256=45mHgZTAkQ3IjAtrgsNzJXvynC-HIEor-JJE-V3xXN4,29454
 ansible/module_utils/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 ansible/module_utils/_text.py,sha256=VkWgAnSNVCbTQqZgllUObBFsH3uM4EUW5srl1UR9t1g,544
-ansible/module_utils/ansible_release.py,sha256=9gq7Q1GbBxC3GTVQHdxbwP6GkRpZWnuB_EVmsfq6wVc,836
+ansible/module_utils/ansible_release.py,sha256=4LCba40y5QHx9pqj1DjRXtC5vNhixn7NpXSoEakcIJ8,836
 ansible/module_utils/api.py,sha256=r4wd6XZGhUnxMF416Ry6ebgq8BIhjCPSPOvO2ZtrYxE,5785
 ansible/module_utils/basic.py,sha256=fogfpo_l7JtS34WvgwwOebmPfMhFjQaJN5CwjKgUJVE,86291
 ansible/module_utils/connection.py,sha256=8TviwCucQ7d_JILwaUHE4tCuNfR3U1WFkmxLMxWa8Rw,7671
@@ -295,7 +295,7 @@ ansible/modules/cron.py,sha256=qR5ePdI3GZQeBSCn9YqxTxWlNEblCaTFnBRZqLjtnPo,26353
 ansible/modules/deb822_repository.py,sha256=SLJM8bBLc70WYu3-OA67wd5hMft3pznYAMIidYOtmUU,15791
 ansible/modules/debconf.py,sha256=Y49U5pM6UpKvYAvDbOhYe6kmQFAaxjl7YoYnPrOaGGU,9362
 ansible/modules/debug.py,sha256=BFbzrU_vl-Try5DuLV20_sLgqxEJlPV9uOrgAtby2e8,2908
-ansible/modules/dnf.py,sha256=rsb28kjMMnTu-rPW0Pdnbs2RPyvfdhWgXeUORUSgzEI,52288
+ansible/modules/dnf.py,sha256=NsraDYODkJAS2BgaHwBa866qk1Qg8bQ0rXgq_4rHWRM,52455
 ansible/modules/dnf5.py,sha256=VZ5KpEO1lZScawgmnsrdd2FVW2vyRpg4dikXvWcD6pA,30288
 ansible/modules/dpkg_selections.py,sha256=lTWBhmVFrf6PsV4_BoR23wVTJOloCH1YNPcAn0m7DTY,2805
 ansible/modules/expect.py,sha256=O4emRoJ09i3OLmVX5j84WHkGKWg6bMytYpZlExOrSmc,9369
@@ -332,7 +332,7 @@ ansible/modules/replace.py,sha256=L7JI3VFY4NKPlQAt2s27sngHBFSGLVG_l2sWUqwekck,11
 ansible/modules/rpm_key.py,sha256=BXFIAY6FOxA5LCvu6RaneVPqzVqptF5hdWmFdJQ63Bg,9325
 ansible/modules/script.py,sha256=bcn4C3BuCvwEE1Ebc7IA5NGOjEcmkiAkx8jBDjQyOAw,4410
 ansible/modules/service.py,sha256=kLRfjE2Ns99FwoY8gh5i283ArBGVcWXIjrxd3PsDHtw,62341
-ansible/modules/service_facts.py,sha256=9AmYTye-EfpArLolOJoIFTQB7MdzaH7e0TB0UKXRacM,18389
+ansible/modules/service_facts.py,sha256=WMhBOCjGxq8rjWED0N5Sv5Y4o306OXnUsiu7-q1VPGw,18668
 ansible/modules/set_fact.py,sha256=iT7kQWXdUoSYWue66dmqYDUW74s_wUlO7dixnawPkgs,5721
 ansible/modules/set_stats.py,sha256=RlZZuMJ4aW1Z8Eba7s-yDlBxHnXS12OmYoiWOooyDzY,2641
 ansible/modules/setup.py,sha256=OyJ3aXrbVW5ybwpyIiA-MzS2PeX_XGK7VpG9saHpjFY,11034
@@ -347,7 +347,7 @@ ansible/modules/tempfile.py,sha256=lA9e8lyFXf9J5ud0R6Jkt8sIFyRcOwzhc9Jz-5_HOZQ,3
 ansible/modules/template.py,sha256=D1sm36GB_mEimH0CfWq1cJ4w1eRvpcsHwZ-ufVzC_Gs,4537
 ansible/modules/unarchive.py,sha256=wdSOFKhZqbAFq5j_tBZtUSamfr_EEW6_cTZDw-erMjs,45405
 ansible/modules/uri.py,sha256=UCANRxecG45I4HGtj1AX9k0I01w8dfTplWksejLHrIg,27846
-ansible/modules/user.py,sha256=0lEGObBxw_SfjJGJGi2sk6-V8Rwkvt1VfhdfWhuWyrA,123562
+ansible/modules/user.py,sha256=tQK7ZloLNe485D-FD0ZQsDNhxjOVDlbvs6kqYW2pSh0,123973
 ansible/modules/validate_argument_spec.py,sha256=XbWlUr4ElgLfdxo3qCN7M-IES_X2iTl3AgawzCOMQpo,3042
 ansible/modules/wait_for.py,sha256=rsx_PR73-BRImLNErVUM1o9wRdPlXkGu5y6FhJ8wLcY,27355
 ansible/modules/wait_for_connection.py,sha256=8ySz5bhK7LGSaT_7Jzk3jvACcnngyR2g_ziyFLKk6Rk,3367
@@ -687,11 +687,11 @@ ansible/vars/hostvars.py,sha256=o11xrzDVYn23renGbb3lx3R-nH9qOjLFju5IYJanDxg,5324
 ansible/vars/manager.py,sha256=JF2KTL4iYSbcdnFNjhQPktwH05YhWJhTWtjSlF0qg9E,31260
 ansible/vars/plugins.py,sha256=PocWZPMqFl1LoNgWlGFNxwg9nZnUzhQmlXO4g7bcP2A,4503
 ansible/vars/reserved.py,sha256=Tsc4m2UwVce3dOvSWrjT2wB3lpNJtUyNZn45zNhsW0I,2869
-ansible_core-2.18.8.dist-info/licenses/COPYING,sha256=OXLcl0T2SZ8Pmy2_dmlvKuetivmyPd5m1q-Gyd-zaYY,35149
-ansible_core-2.18.8.dist-info/licenses/licenses/Apache-License.txt,sha256=y16Ofl9KOYjhBjwULGDcLfdWBfTEZRXnduOspt-XbhQ,11325
-ansible_core-2.18.8.dist-info/licenses/licenses/MIT-license.txt,sha256=jLXp2XurnyZKbye40g9tfmLGtVlxh3pPD4n8xNqX8xc,1023
-ansible_core-2.18.8.dist-info/licenses/licenses/PSF-license.txt,sha256=g7BC_H1qyg8Q1o5F76Vrm8ChSWYI5-dyj-CdGlNKBUo,2484
-ansible_core-2.18.8.dist-info/licenses/licenses/simplified_bsd.txt,sha256=8R5R7R7sOa0h1Fi6RNgFgHowHBfun-OVOMzJ4rKAk2w,1237
+ansible_core-2.18.9.dist-info/licenses/COPYING,sha256=OXLcl0T2SZ8Pmy2_dmlvKuetivmyPd5m1q-Gyd-zaYY,35149
+ansible_core-2.18.9.dist-info/licenses/licenses/Apache-License.txt,sha256=y16Ofl9KOYjhBjwULGDcLfdWBfTEZRXnduOspt-XbhQ,11325
+ansible_core-2.18.9.dist-info/licenses/licenses/MIT-license.txt,sha256=jLXp2XurnyZKbye40g9tfmLGtVlxh3pPD4n8xNqX8xc,1023
+ansible_core-2.18.9.dist-info/licenses/licenses/PSF-license.txt,sha256=g7BC_H1qyg8Q1o5F76Vrm8ChSWYI5-dyj-CdGlNKBUo,2484
+ansible_core-2.18.9.dist-info/licenses/licenses/simplified_bsd.txt,sha256=8R5R7R7sOa0h1Fi6RNgFgHowHBfun-OVOMzJ4rKAk2w,1237
 ansible_test/__init__.py,sha256=20VPOj11c6Ut1Av9RaurgwJvFhMqkWG3vAvcCbecNKw,66
 ansible_test/_data/ansible.cfg,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 ansible_test/_data/coveragerc,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -751,7 +751,7 @@ ansible_test/_internal/connections.py,sha256=-gK9FqvmpsjENdYNkvWgFgqYHJSS_F2XkvQ
 ansible_test/_internal/constants.py,sha256=Zwgp8wtUuge_8xMPg0pDUt58fBd9KA7YEPTQqAQv8ac,1969
 ansible_test/_internal/containers.py,sha256=TrkHL4ntmb7HrmD55BzSdqF35s7oFKu0vCywpWfRt-k,34137
 ansible_test/_internal/content_config.py,sha256=QKR_XVBgYRNZL-XawF2pN2ERTZ6lSm1AJg9ZQRD6IHE,5588
-ansible_test/_internal/core_ci.py,sha256=pyiwFG_TgDSQw34qW-PG8T2VYS6XxiF0zOEWGYXRRek,17309
+ansible_test/_internal/core_ci.py,sha256=9RQU92QfSlEPcf9Wet8c3UWmZGrkmZCMQrT1h51iQuk,17976
 ansible_test/_internal/coverage_util.py,sha256=6SFmRqRPiv5l5Aj3VV1PtnHIgM5CNVvsWrilUch1NtY,9407
 ansible_test/_internal/data.py,sha256=OFDpRa47yqBqQO1aSvTZVQQpScHvBHsr861586MQEUI,11184
 ansible_test/_internal/delegation.py,sha256=D8hluDQf_YN3DtVG_8HW0iumRBY3gjp_zP-rlc3VNY4,13418
@@ -761,7 +761,7 @@ ansible_test/_internal/encoding.py,sha256=4GAcVhcswUJW77XSBTLRIP7ll6kT9J-yIBtVsF
 ansible_test/_internal/executor.py,sha256=KW5yI-f-giErQ077MTj707fTtFkf_Kr8IV_Nr36NNmc,2959
 ansible_test/_internal/git.py,sha256=njtciWq2DlzZ1DAkQi08HRRP-TgH0mgeGZsWcsJGctI,4366
 ansible_test/_internal/host_configs.py,sha256=ElAo2t3kSyb7bShqBENiHH0oEe-8Am8JXG9xY5l7HY4,18634
-ansible_test/_internal/host_profiles.py,sha256=Y2_LM5nH_J0Yb0Cq9CX8D0VSM2JHJWY6Xs-ZUFX-opU,65629
+ansible_test/_internal/host_profiles.py,sha256=pTKpncORGaRPaDPE-dDVXlSus2CkbrjkM66cxNG5KH8,65721
 ansible_test/_internal/http.py,sha256=ENuIPnBXIuvgDSxC-r5eOxfGzscxB6MOVJzT4OQXQSA,3864
 ansible_test/_internal/init.py,sha256=f2ZN7F-FyjMgN73SUgxwbVtWNhkJv7BIlZ-q4ALHyjM,505
 ansible_test/_internal/inventory.py,sha256=c79s-xc1uv2nD7rPISv0JKkKspY-X2-kHoozF2R4e1Q,5408
@@ -770,7 +770,7 @@ ansible_test/_internal/junit_xml.py,sha256=5op7cjGK7Et0OSjcAAuUEqNWNAv5ZoNI0rkLx
 ansible_test/_internal/locale_util.py,sha256=tjRbwKmgMQc1ysIhvP8yBhFcNA-2UCaWfQBDgrRFUxU,2161
 ansible_test/_internal/metadata.py,sha256=c9ThXPUlgeKYhaTUmfCSS4INRNQ1JhN2KEOVaX3m1Gk,4791
 ansible_test/_internal/payload.py,sha256=1Pw05OEHvP3LMQnoLXch8631c94YMklWlpDn0CvQECw,8012
-ansible_test/_internal/provisioning.py,sha256=9Zl3xQqljx0MGDTp55Q4LZPWQ7Afj5K87cGsXzPGS5Y,7320
+ansible_test/_internal/provisioning.py,sha256=owGvyyBmMjtdAw0x41X9qYtOJnkvskpQRcpJ-pmLwlo,7409
 ansible_test/_internal/pypi_proxy.py,sha256=g2FbZh1ZaLWgj_mfgGNSynMX76s4F4DUKMOYavsWIuA,6019
 ansible_test/_internal/python_requirements.py,sha256=x9u_9ABfvRx-aeQ-oyoTmlF78mmJ483wBGjxT5PuJfA,15205
 ansible_test/_internal/ssh.py,sha256=WeVvn3ReHmjg6Im5BdSBRl1YIj1lOmi71jO9T5fTkik,10781
@@ -778,12 +778,12 @@ ansible_test/_internal/target.py,sha256=Whtb_n0jn4zbiMmX7je5jewgzsRczfXRm_ndYtjT
 ansible_test/_internal/test.py,sha256=znQmGjKACqDU8T0EAPqcv2qyy0J7M2w4OmyYhwHLqT0,14515
 ansible_test/_internal/thread.py,sha256=WQoZ2q2ljmEkKHRDkIqwxW7eZbkCKDrG3YZfcaxHzHw,2596
 ansible_test/_internal/timeout.py,sha256=X8LxoMSU85lw4MszfEljaG6V7Aff4Btveg3r89Fe25U,4052
-ansible_test/_internal/util.py,sha256=o8efNGzuieD3mf3B7Ash1r25dEcePB7L-HOwu5EPFto,38908
+ansible_test/_internal/util.py,sha256=VLPU4b0sEvb7fZ8pimnJS--5_fjQnrVmckRvm88dEuA,38935
 ansible_test/_internal/util_common.py,sha256=wSygjQRWlkFNpqQnPSSXnz_3Cr0pWrPvCP-6lMdfuAk,17490
 ansible_test/_internal/venv.py,sha256=k7L9_Ocpsdwp4kQFLF59BVguymd2nqJ-bLHH1NlMET0,5521
-ansible_test/_internal/ci/__init__.py,sha256=QOaC_8_wUzqFEbsFCXYAnElWoUo6gB40CXvP9RJ-Iyo,7738
-ansible_test/_internal/ci/azp.py,sha256=DwSL1UiPwmfHYOBNMs4e3iN7tonPneod7Dw1BycnfNM,10136
-ansible_test/_internal/ci/local.py,sha256=E4nnerMKdBoVEbsT8IBkl0nSdXyxO2gT8WAaxyzA1EY,6739
+ansible_test/_internal/ci/__init__.py,sha256=wFAyQVsPJbHEI94EN3F3yLBP8aZ4Zlm4U1jka0U8Z8M,4683
+ansible_test/_internal/ci/azp.py,sha256=voqqYVP9OEccLIsx_Y9RyUCR9pL8xz3uu91hwGDac8w,10103
+ansible_test/_internal/ci/local.py,sha256=Yd2fqBs9KcbnF-TEx9PyEslCNF69WNUlM5Bm3-vzq9c,9905
 ansible_test/_internal/classification/__init__.py,sha256=LVyApjvPsofXjdDaHrXnWl71Z61k5jFJYN3WrBeeFDs,34142
 ansible_test/_internal/classification/common.py,sha256=jd5VLRegcOX-GNTZqN_7PBzwKF6akFQYsPEltfynGtU,894
 ansible_test/_internal/classification/csharp.py,sha256=3QpVZjamTTG7h86oeVm7d4UMbyojPbBALHVqCpxS1ic,3241
@@ -985,8 +985,8 @@ ansible_test/config/cloud-config-vultr.ini.template,sha256=XLKHk3lg_8ReQMdWfZzhh
 ansible_test/config/config.yml,sha256=1zdGucnIl6nIecZA7ISIANvqXiHWqq6Dthsk_6MUwNc,2642
 ansible_test/config/inventory.networking.template,sha256=bFNSk8zNQOaZ_twaflrY0XZ9mLwUbRLuNT0BdIFwvn4,1335
 ansible_test/config/inventory.winrm.template,sha256=1QU8W-GFLnYEw8yY9bVIvUAVvJYPM3hyoijf6-M7T00,1098
-ansible_core-2.18.8.dist-info/METADATA,sha256=syPAmnkZT9EKQc_Kgn9-d4RDe6MjgwGvtVdi9IdsIeg,7690
-ansible_core-2.18.8.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
-ansible_core-2.18.8.dist-info/entry_points.txt,sha256=S9yJij5Im6FgRQxzkqSCnPQokC7PcWrDW_NSygZczJU,451
-ansible_core-2.18.8.dist-info/top_level.txt,sha256=IFbRLjAvih1DYzJWg3_F6t4sCzEMxRO7TOMNs6GkYHo,21
-ansible_core-2.18.8.dist-info/RECORD,,
+ansible_core-2.18.9.dist-info/METADATA,sha256=or0oMRYNJRtAUc9Ub0ngf6X2I9R3SXKvDSQ1-g-4srU,7690
+ansible_core-2.18.9.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
+ansible_core-2.18.9.dist-info/entry_points.txt,sha256=S9yJij5Im6FgRQxzkqSCnPQokC7PcWrDW_NSygZczJU,451
+ansible_core-2.18.9.dist-info/top_level.txt,sha256=IFbRLjAvih1DYzJWg3_F6t4sCzEMxRO7TOMNs6GkYHo,21
+ansible_core-2.18.9.dist-info/RECORD,,

ansible_test/_internal/ci/__init__.py

@@ -2,22 +2,13 @@
 from __future__ import annotations
 
 import abc
-import base64
+import dataclasses
+import datetime
 import json
-import os
+import pathlib
 import tempfile
 import typing as t
 
-from ..encoding import (
-    to_bytes,
-    to_text,
-)
-
-from ..io import (
-    read_text_file,
-    write_text_file,
-)
-
 from ..config import (
     CommonConfig,
     TestConfig,
@@ -33,6 +24,65 @@ from ..util import (
 )
 
 
+@dataclasses.dataclass(frozen=True, kw_only=True)
+class AuthContext:
+    """Information about the request to which authentication will be applied."""
+
+    stage: str
+    provider: str
+    request_id: str
+
+
+class AuthHelper:
+    """Authentication helper."""
+
+    NAMESPACE: t.ClassVar = 'ci@core.ansible.com'
+
+    def __init__(self, key_file: pathlib.Path) -> None:
+        self.private_key_file = pathlib.Path(str(key_file).removesuffix('.pub'))
+        self.public_key_file = pathlib.Path(f'{self.private_key_file}.pub')
+
+    def sign_request(self, request: dict[str, object], context: AuthContext) -> None:
+        """Sign the given auth request using the provided context."""
+        request.update(
+            stage=context.stage,
+            provider=context.provider,
+            request_id=context.request_id,
+            timestamp=datetime.datetime.now(tz=datetime.timezone.utc).replace(microsecond=0).isoformat(),
+        )
+
+        with tempfile.TemporaryDirectory() as temp_dir:
+            payload_path = pathlib.Path(temp_dir) / 'auth.json'
+            payload_path.write_text(json.dumps(request, sort_keys=True))
+
+            cmd = ['ssh-keygen', '-q', '-Y', 'sign', '-f', str(self.private_key_file), '-n', self.NAMESPACE, str(payload_path)]
+            raw_command(cmd, capture=False, interactive=True)
+
+            signature_path = pathlib.Path(f'{payload_path}.sig')
+            signature = signature_path.read_text()
+
+        request.update(signature=signature)
+
+
+class GeneratingAuthHelper(AuthHelper, metaclass=abc.ABCMeta):
+    """Authentication helper which generates a key pair on demand."""
+
+    def __init__(self) -> None:
+        super().__init__(pathlib.Path('~/.ansible/test/ansible-core-ci').expanduser())
+
+    def sign_request(self, request: dict[str, object], context: AuthContext) -> None:
+        if not self.private_key_file.exists():
+            self.generate_key_pair()
+
+        super().sign_request(request, context)
+
+    def generate_key_pair(self) -> None:
+        """Generate key pair."""
+        self.private_key_file.parent.mkdir(parents=True, exist_ok=True)
+
+        raw_command(['ssh-keygen', '-q', '-f', str(self.private_key_file), '-N', ''], capture=True)
+
+
 class ChangeDetectionNotSupported(ApplicationError):
     """Exception for cases where change detection is not supported."""
 
@@ -74,8 +124,8 @@ class CIProvider(metaclass=abc.ABCMeta):
         """Return True if Ansible Core CI is supported."""
 
     @abc.abstractmethod
-    def prepare_core_ci_auth(self) -> dict[str, t.Any]:
-        """Return authentication details for Ansible Core CI."""
+    def prepare_core_ci_request(self, config: dict[str, object], context: AuthContext) -> dict[str, object]:
+        """Prepare an Ansible Core CI request using the given config and context."""
 
     @abc.abstractmethod
     def get_git_details(self, args: CommonConfig) -> t.Optional[dict[str, t.Any]]:
@@ -100,119 +150,3 @@ def get_ci_provider() -> CIProvider:
         display.info('Detected CI provider: %s' % provider.name)
 
     return provider
-
-
-class AuthHelper(metaclass=abc.ABCMeta):
-    """Public key based authentication helper for Ansible Core CI."""
-
-    def sign_request(self, request: dict[str, t.Any]) -> None:
-        """Sign the given auth request and make the public key available."""
-        payload_bytes = to_bytes(json.dumps(request, sort_keys=True))
-        signature_raw_bytes = self.sign_bytes(payload_bytes)
-        signature = to_text(base64.b64encode(signature_raw_bytes))
-
-        request.update(signature=signature)
-
-    def initialize_private_key(self) -> str:
-        """
-        Initialize and publish a new key pair (if needed) and return the private key.
-        The private key is cached across ansible-test invocations, so it is only generated and published once per CI job.
-        """
-        path = os.path.expanduser('~/.ansible-core-ci-private.key')
-
-        if os.path.exists(to_bytes(path)):
-            private_key_pem = read_text_file(path)
-        else:
-            private_key_pem = self.generate_private_key()
-            write_text_file(path, private_key_pem)
-
-        return private_key_pem
-
-    @abc.abstractmethod
-    def sign_bytes(self, payload_bytes: bytes) -> bytes:
-        """Sign the given payload and return the signature, initializing a new key pair if required."""
-
-    @abc.abstractmethod
-    def publish_public_key(self, public_key_pem: str) -> None:
-        """Publish the given public key."""
-
-    @abc.abstractmethod
-    def generate_private_key(self) -> str:
-        """Generate a new key pair, publishing the public key and returning the private key."""
-
-
-class CryptographyAuthHelper(AuthHelper, metaclass=abc.ABCMeta):
-    """Cryptography based public key based authentication helper for Ansible Core CI."""
-
-    def sign_bytes(self, payload_bytes: bytes) -> bytes:
-        """Sign the given payload and return the signature, initializing a new key pair if required."""
-        # import cryptography here to avoid overhead and failures in environments which do not use/provide it
-        from cryptography.hazmat.backends import default_backend
-        from cryptography.hazmat.primitives import hashes
-        from cryptography.hazmat.primitives.asymmetric import ec
-        from cryptography.hazmat.primitives.serialization import load_pem_private_key
-
-        private_key_pem = self.initialize_private_key()
-        private_key = load_pem_private_key(to_bytes(private_key_pem), None, default_backend())
-
-        assert isinstance(private_key, ec.EllipticCurvePrivateKey)
-
-        signature_raw_bytes = private_key.sign(payload_bytes, ec.ECDSA(hashes.SHA256()))
-
-        return signature_raw_bytes
-
-    def generate_private_key(self) -> str:
-        """Generate a new key pair, publishing the public key and returning the private key."""
-        # import cryptography here to avoid overhead and failures in environments which do not use/provide it
-        from cryptography.hazmat.backends import default_backend
-        from cryptography.hazmat.primitives import serialization
-        from cryptography.hazmat.primitives.asymmetric import ec
-
-        private_key = ec.generate_private_key(ec.SECP384R1(), default_backend())
-        public_key = private_key.public_key()
-
-        private_key_pem = to_text(private_key.private_bytes(  # type: ignore[attr-defined]  # documented method, but missing from type stubs
-            encoding=serialization.Encoding.PEM,
-            format=serialization.PrivateFormat.PKCS8,
-            encryption_algorithm=serialization.NoEncryption(),
-        ))
-
-        public_key_pem = to_text(public_key.public_bytes(
-            encoding=serialization.Encoding.PEM,
-            format=serialization.PublicFormat.SubjectPublicKeyInfo,
-        ))
-
-        self.publish_public_key(public_key_pem)
-
-        return private_key_pem
-
-
-class OpenSSLAuthHelper(AuthHelper, metaclass=abc.ABCMeta):
-    """OpenSSL based public key based authentication helper for Ansible Core CI."""
-
-    def sign_bytes(self, payload_bytes: bytes) -> bytes:
-        """Sign the given payload and return the signature, initializing a new key pair if required."""
-        private_key_pem = self.initialize_private_key()
-
-        with tempfile.NamedTemporaryFile() as private_key_file:
-            private_key_file.write(to_bytes(private_key_pem))
-            private_key_file.flush()
-
-            with tempfile.NamedTemporaryFile() as payload_file:
-                payload_file.write(payload_bytes)
-                payload_file.flush()
-
-                with tempfile.NamedTemporaryFile() as signature_file:
-                    raw_command(['openssl', 'dgst', '-sha256', '-sign', private_key_file.name, '-out', signature_file.name, payload_file.name], capture=True)
-                    signature_raw_bytes = signature_file.read()
-
-        return signature_raw_bytes
-
-    def generate_private_key(self) -> str:
-        """Generate a new key pair, publishing the public key and returning the private key."""
-        private_key_pem = raw_command(['openssl', 'ecparam', '-genkey', '-name', 'secp384r1', '-noout'], capture=True)[0]
-        public_key_pem = raw_command(['openssl', 'ec', '-pubout'], data=private_key_pem, capture=True)[0]
-
-        self.publish_public_key(public_key_pem)
-
-        return private_key_pem

ansible_test/_internal/ci/azp.py

@@ -30,9 +30,10 @@ from ..util import (
 )
 
 from . import (
+    AuthContext,
     ChangeDetectionNotSupported,
     CIProvider,
-    CryptographyAuthHelper,
+    GeneratingAuthHelper,
 )
 
 CODE = 'azp'
@@ -111,10 +112,11 @@ class AzurePipelines(CIProvider):
         """Return True if Ansible Core CI is supported."""
         return True
 
-    def prepare_core_ci_auth(self) -> dict[str, t.Any]:
-        """Return authentication details for Ansible Core CI."""
+    def prepare_core_ci_request(self, config: dict[str, object], context: AuthContext) -> dict[str, object]:
         try:
-            request = dict(
+            request: dict[str, object] = dict(
+                type="azp:ssh",
+                config=config,
                 org_name=os.environ['SYSTEM_COLLECTIONURI'].strip('/').split('/')[-1],
                 project_name=os.environ['SYSTEM_TEAMPROJECT'],
                 build_id=int(os.environ['BUILD_BUILDID']),
@@ -123,13 +125,9 @@ class AzurePipelines(CIProvider):
         except KeyError as ex:
             raise MissingEnvironmentVariable(name=ex.args[0]) from None
 
-        self.auth.sign_request(request)
+        self.auth.sign_request(request, context)
 
-        auth = dict(
-            azp=request,
-        )
-
-        return auth
+        return request
 
     def get_git_details(self, args: CommonConfig) -> t.Optional[dict[str, t.Any]]:
         """Return details about git in the current environment."""
@@ -143,14 +141,14 @@ class AzurePipelines(CIProvider):
         return details
 
 
-class AzurePipelinesAuthHelper(CryptographyAuthHelper):
-    """
-    Authentication helper for Azure Pipelines.
-    Based on cryptography since it is provided by the default Azure Pipelines environment.
-    """
+class AzurePipelinesAuthHelper(GeneratingAuthHelper):
+    """Authentication helper for Azure Pipelines."""
+
+    def generate_key_pair(self) -> None:
+        super().generate_key_pair()
+
+        public_key_pem = self.public_key_file.read_text()
 
-    def publish_public_key(self, public_key_pem: str) -> None:
-        """Publish the given public key."""
         try:
             agent_temp_directory = os.environ['AGENT_TEMPDIRECTORY']
         except KeyError as ex:

ansible_test/_internal/ci/local.py

@@ -1,10 +1,12 @@
 """Support code for working without a supported CI provider."""
 from __future__ import annotations
 
-import os
+import abc
+import inspect
 import platform
 import random
 import re
+import pathlib
 import typing as t
 
 from ..config import (
@@ -23,11 +25,14 @@ from ..git import (
 from ..util import (
     ApplicationError,
     display,
+    get_subclasses,
     is_binary_file,
     SubprocessError,
 )
 
 from . import (
+    AuthContext,
+    AuthHelper,
     CIProvider,
 )
 
@@ -119,34 +124,20 @@ class Local(CIProvider):
 
     def supports_core_ci_auth(self) -> bool:
         """Return True if Ansible Core CI is supported."""
-        path = self._get_aci_key_path()
-        return os.path.exists(path)
+        return Authenticator.available()
 
-    def prepare_core_ci_auth(self) -> dict[str, t.Any]:
-        """Return authentication details for Ansible Core CI."""
-        path = self._get_aci_key_path()
-        auth_key = read_text_file(path).strip()
+    def prepare_core_ci_request(self, config: dict[str, object], context: AuthContext) -> dict[str, object]:
+        if not (authenticator := Authenticator.load()):
+            raise ApplicationError('Ansible Core CI authentication has not been configured.')
 
-        request = dict(
-            key=auth_key,
-            nonce=None,
-        )
+        display.info(f'Using {authenticator} for Ansible Core CI.', verbosity=1)
 
-        auth = dict(
-            remote=request,
-        )
-
-        return auth
+        return authenticator.prepare_auth_request(config, context)
 
     def get_git_details(self, args: CommonConfig) -> t.Optional[dict[str, t.Any]]:
         """Return details about git in the current environment."""
         return None  # not yet implemented for local
 
-    @staticmethod
-    def _get_aci_key_path() -> str:
-        path = os.path.expanduser('~/.ansible-core-ci.key')
-        return path
-
 
 class InvalidBranch(ApplicationError):
     """Exception for invalid branch specification."""
@@ -213,3 +204,108 @@ class LocalChanges:
             return True
 
         return False
+
+
+class Authenticator(metaclass=abc.ABCMeta):
+    """Base class for authenticators."""
+
+    @staticmethod
+    def list() -> list[type[Authenticator]]:
+        """List all authenticators in priority order."""
+        return sorted((sc for sc in get_subclasses(Authenticator) if not inspect.isabstract(sc)), key=lambda obj: obj.priority())
+
+    @staticmethod
+    def load() -> Authenticator | None:
+        """Load an authenticator instance, returning None if not configured."""
+        for implementation in Authenticator.list():
+            if implementation.config_file().exists():
+                return implementation()
+
+        return None
+
+    @staticmethod
+    def available() -> bool:
+        """Return True if an authenticator is available, otherwise False."""
+        return bool(Authenticator.load())
+
+    @classmethod
+    @abc.abstractmethod
+    def priority(cls) -> int:
+        """Priority used to determine which authenticator is tried first, from lowest to highest."""
+
+    @classmethod
+    @abc.abstractmethod
+    def config_file(cls) -> pathlib.Path:
+        """Path to the config file for this authenticator."""
+
+    @abc.abstractmethod
+    def prepare_auth_request(self, config: dict[str, object], context: AuthContext) -> dict[str, object]:
+        """Prepare an authenticated Ansible Core CI request using the given config and context."""
+
+    def __str__(self) -> str:
+        return self.__class__.__name__
+
+
+class PasswordAuthenticator(Authenticator):
+    """Authenticate using a password."""
+
+    @classmethod
+    def priority(cls) -> int:
+        return 200
+
+    @classmethod
+    def config_file(cls) -> pathlib.Path:
+        return pathlib.Path('~/.ansible-core-ci.key').expanduser()
+
+    def prepare_auth_request(self, config: dict[str, object], context: AuthContext) -> dict[str, object]:
+        parts = self.config_file().read_text().strip().split(maxsplit=1)
+
+        if len(parts) == 1:  # temporary backward compatibility for legacy API keys
+            request = dict(
+                config=config,
+                auth=dict(
+                    remote=dict(
+                        key=parts[0],
+                    ),
+                ),
+            )
+
+            return request
+
+        username, password = parts
+
+        request = dict(
+            type="remote:password",
+            config=config,
+            username=username,
+            password=password,
+        )
+
+        return request
+
+
+class SshAuthenticator(Authenticator):
+    """Authenticate using an SSH key."""
+
+    @classmethod
+    def priority(cls) -> int:
+        return 100
+
+    @classmethod
+    def config_file(cls) -> pathlib.Path:
+        return pathlib.Path('~/.ansible-core-ci.auth').expanduser()
+
+    def prepare_auth_request(self, config: dict[str, object], context: AuthContext) -> dict[str, object]:
+        parts = self.config_file().read_text().strip().split(maxsplit=1)
+        username, key_file = parts
+
+        request: dict[str, object] = dict(
+            type="remote:ssh",
+            config=config,
+            username=username,
+        )
+
+        auth_helper = AuthHelper(pathlib.Path(key_file).expanduser())
+        auth_helper.sign_request(request, context)
+
+        return request

ansible_test/_internal/core_ci.py

@@ -41,6 +41,7 @@ from .config import (
 )
 
 from .ci import (
+    AuthContext,
     get_ci_provider,
 )
 
@@ -67,6 +68,10 @@ class Resource(metaclass=abc.ABCMeta):
     def persist(self) -> bool:
         """True if the resource is persistent, otherwise false."""
 
+    @abc.abstractmethod
+    def get_config(self, core_ci: AnsibleCoreCI) -> dict[str, object]:
+        """Return the configuration for this resource."""
+
 
 @dataclasses.dataclass(frozen=True)
 class VmResource(Resource):
@@ -91,6 +96,16 @@ class VmResource(Resource):
         """True if the resource is persistent, otherwise false."""
         return True
 
+    def get_config(self, core_ci: AnsibleCoreCI) -> dict[str, object]:
+        """Return the configuration for this resource."""
+        return dict(
+            type="vm",
+            platform=self.platform,
+            version=self.version,
+            architecture=self.architecture,
+            public_key=core_ci.ssh_key.pub_contents,
+        )
+
 
 @dataclasses.dataclass(frozen=True)
 class CloudResource(Resource):
@@ -111,6 +126,12 @@ class CloudResource(Resource):
         """True if the resource is persistent, otherwise false."""
         return False
 
+    def get_config(self, core_ci: AnsibleCoreCI) -> dict[str, object]:
+        """Return the configuration for this resource."""
+        return dict(
+            type="cloud",
+        )
+
 
 class AnsibleCoreCI:
     """Client for Ansible Core CI services."""
@@ -188,7 +209,7 @@ class AnsibleCoreCI:
             display.info(f'Skipping started {self.label} instance.', verbosity=1)
             return None
 
-        return self._start(self.ci_provider.prepare_core_ci_auth())
+        return self._start()
 
     def stop(self) -> None:
         """Stop instance."""
@@ -287,26 +308,25 @@ class AnsibleCoreCI:
     def _uri(self) -> str:
         return f'{self.endpoint}/{self.stage}/{self.provider}/{self.instance_id}'
 
-    def _start(self, auth) -> dict[str, t.Any]:
+    def _start(self) -> dict[str, t.Any]:
         """Start instance."""
         display.info(f'Initializing new {self.label} instance using: {self._uri}', verbosity=1)
 
-        data = dict(
-            config=dict(
-                platform=self.platform,
-                version=self.version,
-                architecture=self.arch,
-                public_key=self.ssh_key.pub_contents,
-            )
+        config = self.resource.get_config(self)
+
+        context = AuthContext(
+            request_id=self.instance_id,
+            stage=self.stage,
+            provider=self.provider,
         )
 
-        data.update(auth=auth)
+        request = self.ci_provider.prepare_core_ci_request(config, context)
 
         headers = {
             'Content-Type': 'application/json',
         }
 
-        response = self._start_endpoint(data, headers)
+        response = self._start_endpoint(request, headers)
 
         self.started = True
         self._save()

ansible_test/_internal/host_profiles.py

@@ -246,6 +246,9 @@ class HostProfile(t.Generic[THostConfig], metaclass=abc.ABCMeta):
         self.cache: dict[str, t.Any] = {}
         """Cache that must not be persisted across delegation."""
 
+    def pre_provision(self) -> None:
+        """Pre-provision the host profile."""
+
     def provision(self) -> None:
         """Provision the host before delegation."""
 
@@ -329,8 +332,8 @@ class RemoteProfile(SshTargetHostProfile[TRemoteConfig], metaclass=abc.ABCMeta):
         """The saved Ansible Core CI state."""
         self.state['core_ci'] = value
 
-    def provision(self) -> None:
-        """Provision the host before delegation."""
+    def pre_provision(self) -> None:
+        """Pre-provision the host before delegation."""
         self.core_ci = self.create_core_ci(load=True)
         self.core_ci.start()
 

ansible_test/_internal/provisioning.py

@@ -129,6 +129,9 @@ def prepare_profiles(
 
         ExitHandler.register(functools.partial(cleanup_profiles, host_state))
 
+        for pre_profile in host_state.profiles:
+            pre_profile.pre_provision()
+
         def provision(profile: HostProfile) -> None:
             """Provision the given profile."""
             profile.provision()

ansible_test/_internal/util.py

@@ -678,6 +678,7 @@ def common_environment() -> dict[str, str]:
     optional = (
         'LD_LIBRARY_PATH',
         'SSH_AUTH_SOCK',
+        'SSH_SK_PROVIDER',
         # MacOS High Sierra Compatibility
         # http://sealiesoftware.com/blog/archive/2017/6/5/Objective-C_and_fork_in_macOS_1013.html
         # Example configuration for macOS: