ansible-core 2.19.0b3__py3-none-any.whl → 2.19.0b5__py3-none-any.whl

ansible/_internal/_json/__init__.py

@@ -1,6 +1,6 @@
 """Internal utilities for serialization and deserialization."""
 
-# DTFIX-RELEASE: most of this isn't JSON specific, find a better home
+# DTFIX-FUTURE: most of this isn't JSON specific, find a better home
 
 from __future__ import annotations
 
@@ -144,20 +144,20 @@ class AnsibleVariableVisitor:
             value = self._template_engine.transform(value)
             value_type = type(value)
 
-        # DTFIX-RELEASE: need to handle native copy for keys too
+        # DTFIX3: need to handle native copy for keys too
         if self.convert_to_native_values and isinstance(value, _datatag.AnsibleTaggedObject):
             value = value._native_copy()
             value_type = type(value)
 
         result: _T
 
-        # DTFIX-RELEASE: the visitor is ignoring dict/mapping keys except for debugging and schema-aware checking, it should be doing type checks on keys
-        #                keep in mind the allowed types for keys is a more restrictive set than for values (str and taggged str only, not EncryptedString)
-        # DTFIX-RELEASE: some type lists being consulted (the ones from datatag) are probably too permissive, and perhaps should not be dynamic
+        # DTFIX3: the visitor is ignoring dict/mapping keys except for debugging and schema-aware checking, it should be doing type checks on keys
+        #                keep in mind the allowed types for keys is a more restrictive set than for values (str and tagged str only, not EncryptedString)
+        # DTFIX5: some type lists being consulted (the ones from datatag) are probably too permissive, and perhaps should not be dynamic
 
         if (result := self._early_visit(value, value_type)) is not _sentinel:
             pass
-        # DTFIX-RELEASE: de-duplicate and optimize; extract inline generator expressions and fallback function or mapping for native type calculation?
+        # DTFIX7: de-duplicate and optimize; extract inline generator expressions and fallback function or mapping for native type calculation?
         elif value_type in _ANSIBLE_ALLOWED_MAPPING_VAR_TYPES:  # check mappings first, because they're also collections
             with self:  # supports StateTrackingMixIn
                 result = AnsibleTagHelper.tag_copy(value, ((k, self._visit(k, v)) for k, v in value.items()), value_type=value_type)

ansible/_internal/_json/_profiles/_cache_persistence.py

@@ -46,6 +46,8 @@ class _Profile(_profiles._JSONSerializationProfile):
             _datetime.datetime: _datatag.AnsibleSerializableDateTime,
         }
 
+        cls.handle_key = cls._handle_key_str_fallback  # legacy stdlib-compatible key behavior
+
 
 class Encoder(_profiles.AnsibleProfileJSONEncoder):
     _profile = _Profile

ansible/_internal/_json/_profiles/_inventory_legacy.py

@@ -12,7 +12,7 @@ from . import _legacy
 class _InventoryVariableVisitor(_legacy._LegacyVariableVisitor, _json.StateTrackingMixIn):
     """State-tracking visitor implementation that only applies trust to `_meta.hostvars` and `vars` inventory values."""
 
-    # DTFIX-RELEASE: does the variable visitor need to support conversion of sequence/mapping for inventory?
+    # DTFIX5: does the variable visitor need to support conversion of sequence/mapping for inventory?
 
     @property
     def _allow_trust(self) -> bool:

ansible/_internal/_json/_profiles/_legacy.py

@@ -152,9 +152,11 @@ class _Profile(_profiles._JSONSerializationProfile["Encoder", "Decoder"]):
             '__ansible_vault': cls.deserialize_vault,
         }
 
+        cls.handle_key = cls._handle_key_str_fallback  # type: ignore[method-assign]  # legacy stdlib-compatible key behavior
+
     @classmethod
     def pre_serialize(cls, encoder: Encoder, o: _t.Any) -> _t.Any:
-        # DTFIX-RELEASE: these conversion args probably aren't needed
+        # DTFIX7: these conversion args probably aren't needed
         avv = cls.visitor_type(invert_trust=True, convert_mapping_to_dict=True, convert_sequence_to_list=True, convert_custom_scalars=True)
 
         return avv.visit(o)
@@ -165,16 +167,6 @@ class _Profile(_profiles._JSONSerializationProfile["Encoder", "Decoder"]):
 
         return avv.visit(o)
 
-    @classmethod
-    def handle_key(cls, k: _t.Any) -> _t.Any:
-        if isinstance(k, str):
-            return k
-
-        # DTFIX-RELEASE: decide if this is a deprecation warning, error, or what?
-        #  Non-string variable names have been disallowed by set_fact and other things since at least 2021.
-        # DTFIX-RELEASE: document why this behavior is here, also verify the legacy tagless use case doesn't need this same behavior
-        return str(k)
-
 
 class Encoder(_profiles.AnsibleProfileJSONEncoder):
     _profile = _Profile

ansible/_internal/_ssh/_agent_launch.py

@@ -0,0 +1,91 @@
+from __future__ import annotations
+
+import atexit
+import os
+import subprocess
+
+from ansible import constants as C
+from ansible._internal._errors import _alarm_timeout
+from ansible._internal._ssh._ssh_agent import SshAgentClient
+from ansible.cli import display
+from ansible.errors import AnsibleError
+from ansible.module_utils.common.process import get_bin_path
+
+_SSH_AGENT_STDOUT_READ_TIMEOUT = 5  # seconds
+
+
+def launch_ssh_agent() -> None:
+    """If configured via `SSH_AGENT`, launch an ssh-agent for Ansible's use and/or verify access to an existing one."""
+    try:
+        _launch_ssh_agent()
+    except Exception as ex:
+        raise AnsibleError("Failed to launch ssh agent.") from ex
+
+
+def _launch_ssh_agent() -> None:
+    ssh_agent_cfg = C.config.get_config_value('SSH_AGENT')
+
+    match ssh_agent_cfg:
+        case 'none':
+            display.debug('SSH_AGENT set to none')
+            return
+        case 'auto':
+            try:
+                ssh_agent_bin = get_bin_path(C.config.get_config_value('SSH_AGENT_EXECUTABLE'))
+            except ValueError as e:
+                raise AnsibleError('SSH_AGENT set to auto, but cannot find ssh-agent binary.') from e
+
+            ssh_agent_dir = os.path.join(C.DEFAULT_LOCAL_TMP, 'ssh_agent')
+            os.mkdir(ssh_agent_dir, 0o700)
+            sock = os.path.join(ssh_agent_dir, 'agent.sock')
+            display.vvv('SSH_AGENT: starting...')
+
+            try:
+                p = subprocess.Popen(
+                    [ssh_agent_bin, '-D', '-s', '-a', sock],
+                    stdin=subprocess.PIPE,
+                    stdout=subprocess.PIPE,
+                    stderr=subprocess.PIPE,
+                    text=True,
+                )
+            except OSError as e:
+                raise AnsibleError('Could not start ssh-agent.') from e
+
+            atexit.register(p.terminate)
+
+            help_text = f'The ssh-agent {ssh_agent_bin!r} might be an incompatible agent.'
+            expected_stdout = 'SSH_AUTH_SOCK'
+
+            try:
+                with _alarm_timeout.AnsibleTimeoutError.alarm_timeout(_SSH_AGENT_STDOUT_READ_TIMEOUT):
+                    stdout = p.stdout.read(len(expected_stdout))
+            except _alarm_timeout.AnsibleTimeoutError as e:
+                display.error_as_warning(
+                    msg=f'Timed out waiting for expected stdout {expected_stdout!r} from ssh-agent.',
+                    exception=e,
+                    help_text=help_text,
+                )
+            else:
+                if stdout != expected_stdout:
+                    display.warning(
+                        msg=f'The ssh-agent output {stdout!r} did not match expected {expected_stdout!r}.',
+                        help_text=help_text,
+                    )
+
+            if p.poll() is not None:
+                raise AnsibleError(
+                    message='The ssh-agent terminated prematurely.',
+                    help_text=f'{help_text}\n\nReturn Code: {p.returncode}\nStandard Error:\n{p.stderr.read()}',
+                )
+
+            display.vvv(f'SSH_AGENT: ssh-agent[{p.pid}] started and bound to {sock}')
+        case _:
+            sock = ssh_agent_cfg
+
+    try:
+        with SshAgentClient(sock) as client:
+            client.list()
+    except Exception as e:
+        raise AnsibleError(f'Could not communicate with ssh-agent using auth sock {sock!r}.') from e
+
+    os.environ['SSH_AUTH_SOCK'] = os.environ['ANSIBLE_SSH_AGENT'] = sock

ansible/{utils → _internal/_ssh}/_ssh_agent.py

@@ -106,21 +106,19 @@ class SshAgentFailure(RuntimeError):
 # NOTE: Classes below somewhat represent "Data Type Representations Used in the SSH Protocols"
 #       as specified by RFC4251
 
+
 @t.runtime_checkable
 class SupportsToBlob(t.Protocol):
-    def to_blob(self) -> bytes:
-        ...
+    def to_blob(self) -> bytes: ...
 
 
 @t.runtime_checkable
 class SupportsFromBlob(t.Protocol):
     @classmethod
-    def from_blob(cls, blob: memoryview | bytes) -> t.Self:
-        ...
+    def from_blob(cls, blob: memoryview | bytes) -> t.Self: ...
 
     @classmethod
-    def consume_from_blob(cls, blob: memoryview | bytes) -> tuple[t.Self, memoryview | bytes]:
-        ...
+    def consume_from_blob(cls, blob: memoryview | bytes) -> tuple[t.Self, memoryview | bytes]: ...
 
 
 def _split_blob(blob: memoryview | bytes, length: int) -> tuple[memoryview | bytes, memoryview | bytes]:
@@ -304,10 +302,12 @@ class PrivateKeyMsg(Msg):
                 return EcdsaPrivateKeyMsg(
                     getattr(KeyAlgo, f'ECDSA{key_size}'),
                     unicode_string(f'nistp{key_size}'),
-                    binary_string(private_key.public_key().public_bytes(
-                        encoding=serialization.Encoding.X962,
-                        format=serialization.PublicFormat.UncompressedPoint
-                    )),
+                    binary_string(
+                        private_key.public_key().public_bytes(
+                            encoding=serialization.Encoding.X962,
+                            format=serialization.PublicFormat.UncompressedPoint,
+                        )
+                    ),
                     mpint(ecdsa_pn.private_value),
                 )
             case Ed25519PrivateKey():
@@ -318,7 +318,7 @@ class PrivateKeyMsg(Msg):
                 private_bytes = private_key.private_bytes(
                     encoding=serialization.Encoding.Raw,
                     format=serialization.PrivateFormat.Raw,
-                    encryption_algorithm=serialization.NoEncryption()
+                    encryption_algorithm=serialization.NoEncryption(),
                 )
                 return Ed25519PrivateKeyMsg(
                     KeyAlgo.ED25519,
@@ -376,14 +376,14 @@ class Ed25519PrivateKeyMsg(PrivateKeyMsg):
 @dataclasses.dataclass
 class PublicKeyMsg(Msg):
     @staticmethod
-    def get_dataclass(
-            type: KeyAlgo
-    ) -> type[t.Union[
+    def get_dataclass(type: KeyAlgo) -> type[
+        t.Union[
             RSAPublicKeyMsg,
             EcdsaPublicKeyMsg,
             Ed25519PublicKeyMsg,
-            DSAPublicKeyMsg
-    ]]:
+            DSAPublicKeyMsg,
+        ]
+    ]:
         match type:
             case KeyAlgo.RSA:
                 return RSAPublicKeyMsg
@@ -401,29 +401,14 @@ class PublicKeyMsg(Msg):
         type: KeyAlgo = self.type
         match type:
             case KeyAlgo.RSA:
-                return RSAPublicNumbers(
-                    self.e,
-                    self.n
-                ).public_key()
+                return RSAPublicNumbers(self.e, self.n).public_key()
             case KeyAlgo.ECDSA256 | KeyAlgo.ECDSA384 | KeyAlgo.ECDSA521:
                 curve = _ECDSA_KEY_TYPE[KeyAlgo(type)]
-                return EllipticCurvePublicKey.from_encoded_point(
-                    curve(),
-                    self.Q
-                )
+                return EllipticCurvePublicKey.from_encoded_point(curve(), self.Q)
             case KeyAlgo.ED25519:
-                return Ed25519PublicKey.from_public_bytes(
-                    self.enc_a
-                )
+                return Ed25519PublicKey.from_public_bytes(self.enc_a)
             case KeyAlgo.DSA:
-                return DSAPublicNumbers(
-                    self.y,
-                    DSAParameterNumbers(
-                        self.p,
-                        self.q,
-                        self.g
-                    )
-                ).public_key()
+                return DSAPublicNumbers(self.y, DSAParameterNumbers(self.p, self.q, self.g)).public_key()
             case _:
                 raise NotImplementedError(type)
 
@@ -437,32 +422,32 @@ class PublicKeyMsg(Msg):
                     mpint(dsa_pn.parameter_numbers.p),
                     mpint(dsa_pn.parameter_numbers.q),
                     mpint(dsa_pn.parameter_numbers.g),
-                    mpint(dsa_pn.y)
+                    mpint(dsa_pn.y),
                 )
             case EllipticCurvePublicKey():
                 return EcdsaPublicKeyMsg(
                     getattr(KeyAlgo, f'ECDSA{public_key.curve.key_size}'),
                     unicode_string(f'nistp{public_key.curve.key_size}'),
-                    binary_string(public_key.public_bytes(
-                        encoding=serialization.Encoding.X962,
-                        format=serialization.PublicFormat.UncompressedPoint
-                    ))
+                    binary_string(
+                        public_key.public_bytes(
+                            encoding=serialization.Encoding.X962,
+                            format=serialization.PublicFormat.UncompressedPoint,
+                        )
+                    ),
                 )
             case Ed25519PublicKey():
                 return Ed25519PublicKeyMsg(
                     KeyAlgo.ED25519,
-                    binary_string(public_key.public_bytes(
-                        encoding=serialization.Encoding.Raw,
-                        format=serialization.PublicFormat.Raw,
-                    ))
+                    binary_string(
+                        public_key.public_bytes(
+                            encoding=serialization.Encoding.Raw,
+                            format=serialization.PublicFormat.Raw,
+                        )
+                    ),
                 )
             case RSAPublicKey():
                 rsa_pn: RSAPublicNumbers = public_key.public_numbers()
-                return RSAPublicKeyMsg(
-                    KeyAlgo.RSA,
-                    mpint(rsa_pn.e),
-                    mpint(rsa_pn.n)
-                )
+                return RSAPublicKeyMsg(KeyAlgo.RSA, mpint(rsa_pn.e), mpint(rsa_pn.n))
             case _:
                 raise NotImplementedError(public_key)
 
@@ -473,10 +458,7 @@ class PublicKeyMsg(Msg):
         msg.comments = unicode_string('')
         k = msg.to_blob()
         digest.update(k)
-        return binascii.b2a_base64(
-            digest.digest(),
-            newline=False
-        ).rstrip(b'=').decode('utf-8')
+        return binascii.b2a_base64(digest.digest(), newline=False).rstrip(b'=').decode('utf-8')
 
 
 @dataclasses.dataclass(order=True, slots=True)
@@ -519,9 +501,7 @@ class KeyList(Msg):
 
     def __post_init__(self) -> None:
         if self.nkeys != len(self.keys):
-            raise SshAgentFailure(
-                "agent: invalid number of keys received for identities list"
-            )
+            raise SshAgentFailure("agent: invalid number of keys received for identities list")
 
 
 @dataclasses.dataclass(order=True, slots=True)
@@ -535,8 +515,7 @@ class PublicKeyMsgList(Msg):
         return len(self.keys)
 
     @classmethod
-    def from_blob(cls, blob: memoryview | bytes) -> t.Self:
-        ...
+    def from_blob(cls, blob: memoryview | bytes) -> t.Self: ...
 
     @classmethod
     def consume_from_blob(cls, blob: memoryview | bytes) -> tuple[t.Self, memoryview | bytes]:
@@ -546,22 +525,16 @@ class PublicKeyMsgList(Msg):
             key_blob, key_blob_length, comment_blob = cls._consume_field(blob)
 
             peek_key_algo, _length, _blob = cls._consume_field(key_blob)
-            pub_key_msg_cls = PublicKeyMsg.get_dataclass(
-                KeyAlgo(bytes(peek_key_algo).decode('utf-8'))
-            )
+            pub_key_msg_cls = PublicKeyMsg.get_dataclass(KeyAlgo(bytes(peek_key_algo).decode('utf-8')))
 
             _fv, comment_blob_length, blob = cls._consume_field(comment_blob)
-            key_plus_comment = (
-                prev_blob[4: (4 + key_blob_length) + (4 + comment_blob_length)]
-            )
+            key_plus_comment = prev_blob[4 : (4 + key_blob_length) + (4 + comment_blob_length)]
 
             args.append(pub_key_msg_cls.from_blob(key_plus_comment))
         return cls(args), b""
 
     @staticmethod
-    def _consume_field(
-            blob: memoryview | bytes
-    ) -> tuple[memoryview | bytes, uint32, memoryview | bytes]:
+    def _consume_field(blob: memoryview | bytes) -> tuple[memoryview | bytes, uint32, memoryview | bytes]:
         length = uint32.from_blob(blob[:4])
         blob = blob[4:]
         data, rest = _split_blob(blob, length)
@@ -581,10 +554,10 @@ class SshAgentClient:
         return self
 
     def __exit__(
-            self,
-            exc_type: type[BaseException] | None,
-            exc_value: BaseException | None,
-            traceback: types.TracebackType | None
+        self,
+        exc_type: type[BaseException] | None,
+        exc_value: BaseException | None,
+        traceback: types.TracebackType | None,
     ) -> None:
         self.close()
 
@@ -598,34 +571,25 @@ class SshAgentClient:
         return resp
 
     def remove_all(self) -> None:
-        self.send(
-            ProtocolMsgNumbers.SSH_AGENTC_REMOVE_ALL_IDENTITIES.to_blob()
-        )
+        self.send(ProtocolMsgNumbers.SSH_AGENTC_REMOVE_ALL_IDENTITIES.to_blob())
 
     def remove(self, public_key: CryptoPublicKey) -> None:
         key_blob = PublicKeyMsg.from_public_key(public_key).to_blob()
-        self.send(
-            ProtocolMsgNumbers.SSH_AGENTC_REMOVE_IDENTITY.to_blob() +
-            uint32(len(key_blob)).to_blob() + key_blob
-        )
+        self.send(ProtocolMsgNumbers.SSH_AGENTC_REMOVE_IDENTITY.to_blob() + uint32(len(key_blob)).to_blob() + key_blob)
 
     def add(
-            self,
-            private_key: CryptoPrivateKey,
-            comments: str | None = None,
-            lifetime: int | None = None,
-            confirm: bool | None = None,
+        self,
+        private_key: CryptoPrivateKey,
+        comments: str | None = None,
+        lifetime: int | None = None,
+        confirm: bool | None = None,
     ) -> None:
         key_msg = PrivateKeyMsg.from_private_key(private_key)
         key_msg.comments = unicode_string(comments or '')
         if lifetime:
-            key_msg.constraints += constraints(
-                [ProtocolMsgNumbers.SSH_AGENT_CONSTRAIN_LIFETIME]
-            ).to_blob() + uint32(lifetime).to_blob()
+            key_msg.constraints += constraints([ProtocolMsgNumbers.SSH_AGENT_CONSTRAIN_LIFETIME]).to_blob() + uint32(lifetime).to_blob()
         if confirm:
-            key_msg.constraints += constraints(
-                [ProtocolMsgNumbers.SSH_AGENT_CONSTRAIN_CONFIRM]
-            ).to_blob()
+            key_msg.constraints += constraints([ProtocolMsgNumbers.SSH_AGENT_CONSTRAIN_CONFIRM]).to_blob()
 
         if key_msg.constraints:
             msg = ProtocolMsgNumbers.SSH_AGENTC_ADD_ID_CONSTRAINED.to_blob()
@@ -638,9 +602,7 @@ class SshAgentClient:
         req = ProtocolMsgNumbers.SSH_AGENTC_REQUEST_IDENTITIES.to_blob()
         r = memoryview(bytearray(self.send(req)))
         if r[0] != ProtocolMsgNumbers.SSH_AGENT_IDENTITIES_ANSWER:
-            raise SshAgentFailure(
-                'agent: non-identities answer received for identities list'
-            )
+            raise SshAgentFailure('agent: non-identities answer received for identities list')
         return KeyList.from_blob(r[1:])
 
     def __contains__(self, public_key: CryptoPublicKey) -> bool:
@@ -649,7 +611,7 @@ class SshAgentClient:
 
 
 @functools.cache
-def _key_data_into_crypto_objects(key_data: bytes, passphrase: bytes | None) -> tuple[CryptoPrivateKey, CryptoPublicKey, str]:
+def key_data_into_crypto_objects(key_data: bytes, passphrase: bytes | None) -> tuple[CryptoPrivateKey, CryptoPublicKey, str]:
     private_key = serialization.ssh.load_ssh_private_key(key_data, passphrase)
     public_key = private_key.public_key()
     fingerprint = PublicKeyMsg.from_public_key(public_key).fingerprint

ansible/_internal/_templating/__init__.py

@@ -1,10 +1,12 @@
 from __future__ import annotations
 
-from jinja2 import __version__ as _jinja2_version
+import importlib.metadata
+
+jinja2_version = importlib.metadata.version('jinja2')
 
 # DTFIX-FUTURE: sanity test to ensure this doesn't drift from requirements
 _MINIMUM_JINJA_VERSION = (3, 1)
-_CURRENT_JINJA_VERSION = tuple(map(int, _jinja2_version.split('.', maxsplit=2)[:2]))
+_CURRENT_JINJA_VERSION = tuple(map(int, jinja2_version.split('.', maxsplit=2)[:2]))
 
 if _CURRENT_JINJA_VERSION < _MINIMUM_JINJA_VERSION:
-    raise RuntimeError(f'Jinja version {".".join(map(str, _MINIMUM_JINJA_VERSION))} or higher is required (current version {_jinja2_version}).')
+    raise RuntimeError(f'Jinja version {".".join(map(str, _MINIMUM_JINJA_VERSION))} or higher is required (current version {jinja2_version}).')

ansible/_internal/_templating/_datatag.py

@@ -60,6 +60,7 @@ class DeprecatedAccessAuditContext(NotifiableAccessContextBase):
                 date=item.deprecated.date,
                 obj=item.template,
                 deprecator=item.deprecated.deprecator,
+                formatted_traceback=item.deprecated.formatted_traceback,
             )
 
         return result
@@ -79,7 +80,7 @@ class DeprecatedAccessAuditContext(NotifiableAccessContextBase):
             # DTFIX-FUTURE: ascend the template stack to try and find the nearest string source template
             origin = Origin.get_tag(template)
 
-            # DTFIX-RELEASE: this should probably use a synthesized description value on the tag
+            # DTFIX-FUTURE: this should probably use a synthesized description value on the tag
             #              it is reachable from the data_tagging_controller test: ../playbook_output_validator/filter.py actual_stdout.txt actual_stderr.txt
             # -[DEPRECATION WARNING]: `something_old` is deprecated, don't use it! This feature will be removed in version 1.2.3.
             # +[DEPRECATION WARNING]: While processing '<<container>>': `something_old` is deprecated, don't use it! This feature will be removed in ...

ansible/_internal/_templating/_engine.py

@@ -75,7 +75,7 @@ class TemplateOptions:
     value_for_omit: object = Omit
     escape_backslashes: bool = True
     preserve_trailing_newlines: bool = True
-    # DTFIX-RELEASE: these aren't really overrides anymore, rename the dataclass and this field
+    # DTFIX-FUTURE: these aren't really overrides anymore, rename the dataclass and this field
     #                also mention in docstring this has no effect unless used to template a string
     overrides: TemplateOverrides = TemplateOverrides.DEFAULT
 
@@ -122,7 +122,6 @@ class TemplateEngine:
         return new_engine
 
     def extend(self, marker_behavior: MarkerBehavior | None = None) -> t.Self:
-        # DTFIX-RELEASE: bikeshed name, supported features
         new_templar = type(self)(
             loader=self._loader,
             variables=self._variables,
@@ -187,7 +186,7 @@ class TemplateEngine:
     @property
     def available_variables(self) -> dict[str, t.Any] | ChainMap[str, t.Any]:
         """Available variables this instance will use when templating."""
-        # DTFIX-RELEASE: ensure that we're always accessing this as a shallow container-level snapshot, and eliminate uses of anything
+        # DTFIX3: ensure that we're always accessing this as a shallow container-level snapshot, and eliminate uses of anything
         #  that directly mutates this value. _new_context may resolve this for us?
         if self._variables is None:
             self._variables = self._variables_factory() if self._variables_factory else {}
@@ -235,7 +234,7 @@ class TemplateEngine:
 
     def template(
         self,
-        variable: t.Any,  # DTFIX-RELEASE: once we settle the new/old API boundaries, rename this (here and in other methods)
+        variable: t.Any,  # DTFIX-FUTURE: once we settle the new/old API boundaries, rename this (here and in other methods)
         *,
         options: TemplateOptions = TemplateOptions.DEFAULT,
         mode: TemplateMode = TemplateMode.DEFAULT,

ansible/_internal/_templating/_jinja_bits.py

@@ -49,6 +49,7 @@ from ._jinja_common import (
     TruncationMarker,
     validate_arg_type,
     JinjaCallContext,
+    _SandboxMode,
 )
 from ._jinja_plugins import JinjaPluginIntercept, _query, _lookup, _now, _wrap_plugin_output, get_first_marker_arg, _DirectCall, _jinja_const_template_warning
 from ._lazy_containers import (
@@ -71,6 +72,11 @@ from ansible.vars.hostvars import HostVars, HostVarsVars
 from ...module_utils.datatag import native_type_name
 
 JINJA2_OVERRIDE = '#jinja2:'
+"""
+String values prefixed with this sequence are interpreted as templates, even without template delimiters.
+The values following this prefix up to the first newline are parsed as Jinja2 template overrides.
+To include this literal value at the start of a string, a space or other character must precede it.
+"""
 
 display = Display()
 
@@ -304,7 +310,7 @@ class AnsibleTemplate(Template):
     _python_source_temp_path: pathlib.Path | None = None
 
     def __del__(self):
-        # DTFIX-RELEASE: this still isn't working reliably; something else must be keeping the template object alive
+        # DTFIX-FUTURE: this still isn't working reliably; something else must be keeping the template object alive
         if self._python_source_temp_path:
             self._python_source_temp_path.unlink(missing_ok=True)
 
@@ -497,7 +503,7 @@ def create_template_error(ex: Exception, variable: t.Any, is_expression: bool) -
     return exception_to_raise
 
 
-# DTFIX-RELEASE: implement CapturedExceptionMarker deferral support on call (and lookup), filter/test plugins, etc.
+# DTFIX3: implement CapturedExceptionMarker deferral support on call (and lookup), filter/test plugins, etc.
 #                also update the protomatter integration test once this is done (the test was written differently since this wasn't done yet)
 
 _BUILTIN_FILTER_ALIASES: dict[str, str] = {}
@@ -583,10 +589,17 @@ class AnsibleEnvironment(ImmutableSandboxedEnvironment):
 
             return template_obj
 
+    def is_safe_attribute(self, obj: t.Any, attr: str, value: t.Any) -> bool:
+        # deprecated: description="remove relaxed template sandbox mode support" core_version="2.23"
+        if _TemplateConfig.sandbox_mode == _SandboxMode.ALLOW_UNSAFE_ATTRIBUTES:
+            return True
+
+        return super().is_safe_attribute(obj, attr, value)
+
     @property
     def lexer(self) -> AnsibleLexer:
         """Return/cache an AnsibleLexer with settings from the current AnsibleEnvironment"""
-        # DTFIX-RELEASE: optimization - we should pre-generate the default cached lexer before forking, not leave it to chance (e.g. simple playbooks)
+        # DTFIX-FUTURE: optimization - we should pre-generate the default cached lexer before forking, not leave it to chance (e.g. simple playbooks)
         key = tuple(getattr(self, name) for name in _TEMPLATE_OVERRIDE_FIELD_NAMES)
 
         lex = self._lexer_cache.get(key)
@@ -610,7 +623,7 @@ class AnsibleEnvironment(ImmutableSandboxedEnvironment):
         Without this, `_wrap_filter` will wrap `args` and `kwargs` in templating lazy containers.
         This provides consistency with plugin output handling by preventing auto-templating of trusted templates passed in native containers.
         """
-        # DTFIX-RELEASE: need better logic to handle non-list/non-dict inputs for args/kwargs
+        # DTFIX-FUTURE: need better logic to handle non-list/non-dict inputs for args/kwargs
         args = _AnsibleLazyTemplateMixin._try_create(list(args or []), LazyOptions.SKIP_TEMPLATES)
         kwargs = _AnsibleLazyTemplateMixin._try_create(kwargs, LazyOptions.SKIP_TEMPLATES)
 
@@ -630,7 +643,7 @@ class AnsibleEnvironment(ImmutableSandboxedEnvironment):
         Without this, `_wrap_test` will wrap `args` and `kwargs` in templating lazy containers.
         This provides consistency with plugin output handling by preventing auto-templating of trusted templates passed in native containers.
         """
-        # DTFIX-RELEASE: need better logic to handle non-list/non-dict inputs for args/kwargs
+        # DTFIX-FUTURE: need better logic to handle non-list/non-dict inputs for args/kwargs
         args = _AnsibleLazyTemplateMixin._try_create(list(args or []), LazyOptions.SKIP_TEMPLATES)
         kwargs = _AnsibleLazyTemplateMixin._try_create(kwargs, LazyOptions.SKIP_TEMPLATES)
 
@@ -701,7 +714,6 @@ class AnsibleEnvironment(ImmutableSandboxedEnvironment):
         # this code is complemented by our tweaked CodeGenerator _output_const_repr that ensures that literal constants
         # in templates aren't double-repr'd in the generated code
         if len(node_list) == 1:
-            # DTFIX-RELEASE: determine if we should do managed access here (we *should* have hit them all during templating/resolve, but ?)
             return node_list[0]
 
         # In order to ensure that all markers are tripped, do a recursive finalize before we repr (otherwise we can end up
@@ -856,9 +868,6 @@ def _flatten_and_lazify_vars(mapping: c.Mapping) -> t.Iterable[c.Mapping]:
         for m in mapping.maps:
             yield from _flatten_and_lazify_vars(m)
     elif mapping_type is _AnsibleLazyTemplateDict:
-        if not mapping:
-            # DTFIX-RELEASE: handle or remove?
-            raise Exception("we didn't think it was possible to have an empty lazy here...")
         yield mapping
     elif mapping_type in (dict, _AnsibleTaggedDict):
         # don't propagate empty dictionary layers
@@ -882,10 +891,6 @@ def _new_context(
     layers = []
 
     if jinja_locals:
-        # DTFIX-RELEASE: if we can't trip this in coverage, kill it off?
-        if type(jinja_locals) is not dict:  # pylint: disable=unidiomatic-typecheck
-            raise NotImplementedError("locals must be a dict")
-
         # Omit values set to Jinja's internal `missing` sentinel; they are locals that have not yet been
         # initialized in the current context, and should not be exposed to child contexts. e.g.: {% import 'a' as b with context %}.
         # The `b` local will be `missing` in the `a` context and should not be propagated as a local to the child context we're creating.
@@ -978,7 +983,7 @@ def _finalize_list(o: t.Any, mode: FinalizeMode) -> t.Iterator[t.Any]:
 
 
 def _maybe_finalize_scalar(o: t.Any) -> t.Any:
-    # DTFIX-RELEASE: this should check all supported scalar subclasses, not just JSON ones (also, does the JSON serializer handle these cases?)
+    # DTFIX5: this should check all supported scalar subclasses, not just JSON ones (also, does the JSON serializer handle these cases?)
     for target_type in _json_subclassable_scalar_types:
         if not isinstance(o, target_type):
             continue
@@ -1028,7 +1033,7 @@ def _finalize_collection(
 
 def _finalize_template_result(o: t.Any, mode: FinalizeMode) -> t.Any:
     """Recurse the template result, rendering any encountered templates, converting containers to non-lazy versions."""
-    # DTFIX-RELEASE: add tests to ensure this method doesn't drift from allowed types
+    # DTFIX5: add tests to ensure this method doesn't drift from allowed types
     o_type = type(o)
 
     # DTFIX-FUTURE: provide an optional way to check for trusted templates leaking out of templating (injected, but not passed through templar.template)
@@ -1045,7 +1050,7 @@ def _finalize_template_result(o: t.Any, mode: FinalizeMode) -> t.Any:
     if o_type in _FINALIZE_FAST_PATH_EXACT_ITERABLE_TYPES:  # silently convert known sequence types to list
         return _finalize_collection(o, mode, _finalize_list, list)
 
-    if o_type in Marker.concrete_subclasses:  # this early return assumes handle_marker follows our variable type rules
+    if o_type in Marker._concrete_subclasses:  # this early return assumes handle_marker follows our variable type rules
         return TemplateContext.current().templar.marker_behavior.handle_marker(o)
 
     if mode is not FinalizeMode.TOP_LEVEL:  # unsupported type (do not raise)