ansible-core 2.19.0b4__py3-none-any.whl → 2.19.0b5__py3-none-any.whl

ansible/cli/doc.py

@@ -9,12 +9,14 @@ from __future__ import annotations
 # ansible.cli needs to be imported first, to ensure the source bin/* scripts run that code first
 from ansible.cli import CLI
 
+import collections.abc
 import importlib
 import pkgutil
 import os
 import os.path
 import re
 import textwrap
+import typing as t
 
 import yaml
 
@@ -35,7 +37,7 @@ from ansible.parsing.plugin_docs import read_docstub
 from ansible.parsing.yaml.dumper import AnsibleDumper
 from ansible.parsing.yaml.loader import AnsibleLoader
 from ansible._internal._yaml._loader import AnsibleInstrumentedLoader
-from ansible.plugins.list import list_plugins
+from ansible.plugins.list import _list_plugins_with_info, _PluginDocMetadata
 from ansible.plugins.loader import action_loader, fragment_loader
 from ansible.utils.collection_loader import AnsibleCollectionConfig, AnsibleCollectionRef
 from ansible.utils.collection_loader._collection_finder import _get_collection_name_from_path
@@ -44,6 +46,7 @@ from ansible.utils.display import Display
 from ansible.utils.plugin_docs import get_plugin_docs, get_docstring, get_versioned_doclink
 from ansible.template import trust_as_template
 from ansible._internal import _json
+from ansible._internal._templating import _jinja_plugins
 
 display = Display()
 
@@ -788,35 +791,47 @@ class DocCLI(CLI, RoleMixin):
         return coll_filter
 
     def _list_plugins(self, plugin_type, content):
-
-        results = {}
-        self.plugins = {}
-        loader = DocCLI._prep_loader(plugin_type)
+        DocCLI._prep_loader(plugin_type)
 
         coll_filter = self._get_collection_filter()
-        self.plugins.update(list_plugins(plugin_type, coll_filter))
+        plugins = _list_plugins_with_info(plugin_type, coll_filter)
+
+        # Remove the internal ansible._protomatter plugins if getting all plugins
+        if not coll_filter:
+            plugins = {k: v for k, v in plugins.items() if not k.startswith('ansible._protomatter.')}
 
         # get appropriate content depending on option
         if content == 'dir':
-            results = self._get_plugin_list_descriptions(loader)
+            results = self._get_plugin_list_descriptions(plugins)
         elif content == 'files':
-            results = {k: self.plugins[k][0] for k in self.plugins.keys()}
+            results = {k: v.path for k, v in plugins.items()}
         else:
-            results = {k: {} for k in self.plugins.keys()}
+            results = {k: {} for k in plugins.keys()}
             self.plugin_list = set()  # reset for next iteration
 
         return results
 
-    def _get_plugins_docs(self, plugin_type, names, fail_ok=False, fail_on_errors=True):
-
+    def _get_plugins_docs(self, plugin_type: str, names: collections.abc.Iterable[str], fail_ok: bool = False, fail_on_errors: bool = True) -> dict[str, dict]:
         loader = DocCLI._prep_loader(plugin_type)
 
+        if plugin_type in ('filter', 'test'):
+            jinja2_builtins = _jinja_plugins.get_jinja_builtin_plugin_descriptions(plugin_type)
+            jinja2_builtins.update({name.split('.')[-1]: value for name, value in jinja2_builtins.items()})  # add short-named versions for lookup
+        else:
+            jinja2_builtins = {}
+
         # get the docs for plugins in the command line list
         plugin_docs = {}
         for plugin in names:
-            doc = {}
+            doc: dict[str, t.Any] = {}
             try:
-                doc, plainexamples, returndocs, metadata = get_plugin_docs(plugin, plugin_type, loader, fragment_loader, (context.CLIARGS['verbosity'] > 0))
+                doc, plainexamples, returndocs, metadata = self._get_plugin_docs_with_jinja2_builtins(
+                    plugin,
+                    plugin_type,
+                    loader,
+                    fragment_loader,
+                    jinja2_builtins,
+                )
             except AnsiblePluginNotFound as e:
                 display.warning(to_native(e))
                 continue
@@ -853,6 +868,39 @@ class DocCLI(CLI, RoleMixin):
 
         return plugin_docs
 
+    def _get_plugin_docs_with_jinja2_builtins(
+        self,
+        plugin_name: str,
+        plugin_type: str,
+        loader: t.Any,
+        fragment_loader: t.Any,
+        jinja_builtins: dict[str, str],
+    ) -> tuple[dict, str | None, dict | None, dict | None]:
+        try:
+            return get_plugin_docs(plugin_name, plugin_type, loader, fragment_loader, (context.CLIARGS['verbosity'] > 0))
+        except Exception:
+            if (desc := jinja_builtins.get(plugin_name, ...)) is not ...:
+                short_name = plugin_name.split('.')[-1]
+                long_name = f'ansible.builtin.{short_name}'
+                # Dynamically build a doc stub for any Jinja2 builtin plugin we haven't
+                # explicitly documented.
+                doc = dict(
+                    collection='ansible.builtin',
+                    plugin_name=long_name,
+                    filename='',
+                    short_description=desc,
+                    description=[
+                        desc,
+                        '',
+                        f"This is the Jinja builtin {plugin_type} plugin {short_name!r}.",
+                        f"See: U(https://jinja.palletsprojects.com/en/stable/templates/#jinja-{plugin_type}s.{short_name})",
+                    ],
+                )
+
+                return doc, None, None, None
+
+            raise
+
     def _get_roles_path(self):
         """
          Add any 'roles' subdir in playbook dir to the roles search path.
@@ -1001,10 +1049,10 @@ class DocCLI(CLI, RoleMixin):
     def get_all_plugins_of_type(plugin_type):
         loader = getattr(plugin_loader, '%s_loader' % plugin_type)
         paths = loader._get_paths_with_context()
-        plugins = {}
+        plugins = []
         for path_context in paths:
-            plugins.update(list_plugins(plugin_type))
-        return sorted(plugins.keys())
+            plugins += _list_plugins_with_info(plugin_type).keys()
+        return sorted(plugins)
 
     @staticmethod
     def get_plugin_metadata(plugin_type, plugin_name):
@@ -1101,18 +1149,20 @@ class DocCLI(CLI, RoleMixin):
 
         return text
 
-    def _get_plugin_list_descriptions(self, loader):
+    def _get_plugin_list_descriptions(self, plugins: dict[str, _PluginDocMetadata]) -> dict[str, str]:
 
         descs = {}
-        for plugin in self.plugins.keys():
+        for plugin, plugin_info in plugins.items():
             # TODO: move to plugin itself i.e: plugin.get_desc()
             doc = None
-            filename = Path(to_native(self.plugins[plugin][0]))
+
             docerror = None
-            try:
-                doc = read_docstub(filename)
-            except Exception as e:
-                docerror = e
+            if plugin_info.path:
+                filename = Path(to_native(plugin_info.path))
+                try:
+                    doc = read_docstub(filename)
+                except Exception as e:
+                    docerror = e
 
             # plugin file was empty or had error, lets try other options
             if doc is None:
@@ -1127,9 +1177,15 @@ class DocCLI(CLI, RoleMixin):
                     except Exception as e:
                         docerror = e
 
-            if docerror:
-                display.warning("%s has a documentation formatting error: %s" % (plugin, docerror))
-                continue
+                # Do a final fallback to see if the plugin is a shadowed Jinja2 plugin
+                # without any explicit documentation.
+                if doc is None and plugin_info.jinja_builtin_short_description:
+                    descs[plugin] = plugin_info.jinja_builtin_short_description
+                    continue
+
+                if docerror:
+                    display.error_as_warning(f"{plugin} has a documentation formatting error.", exception=docerror)
+                    continue
 
             if not doc or not isinstance(doc, dict):
                 desc = 'UNDOCUMENTED'
@@ -1368,7 +1424,7 @@ class DocCLI(CLI, RoleMixin):
                     try:
                         text.append(yaml_dump(doc.pop('examples'), indent=2, default_flow_style=False))
                     except Exception as e:
-                        raise AnsibleParserError("Unable to parse examples section", orig_exc=e)
+                        raise AnsibleParserError("Unable to parse examples section.") from e
 
         return text
 
@@ -1406,7 +1462,7 @@ class DocCLI(CLI, RoleMixin):
                 try:
                     text.append('\t' + C.config.get_deprecated_msg_from_config(doc['deprecated'], True, collection_name=collection_name))
                 except KeyError as e:
-                    raise AnsibleError("Invalid deprecation documentation structure", orig_exc=e)
+                    raise AnsibleError("Invalid deprecation documentation structure.") from e
             else:
                 text.append("%s" % doc['deprecated'])
             del doc['deprecated']

ansible/cli/inventory.py

@@ -164,7 +164,7 @@ class InventoryCLI(CLI):
             import yaml
             from ansible.parsing.yaml.dumper import AnsibleDumper
 
-            # DTFIX-RELEASE: need shared infra to smuggle custom kwargs to dumpers, since yaml.dump cannot (as of PyYAML 6.0.1)
+            # DTFIX0: need shared infra to smuggle custom kwargs to dumpers, since yaml.dump cannot (as of PyYAML 6.0.1)
             dumper = functools.partial(AnsibleDumper, dump_vault_tags=True)
             results = to_text(yaml.dump(stuff, Dumper=dumper, default_flow_style=False, allow_unicode=True))
         elif context.CLIARGS['toml']:

ansible/compat/importlib_resources.py

@@ -3,17 +3,14 @@
 
 from __future__ import annotations
 
-import sys
+from ansible.utils.display import Display as _Display
 
-HAS_IMPORTLIB_RESOURCES = False
+from importlib.resources import files  # pylint: disable=unused-import
 
-if sys.version_info < (3, 10):
-    try:
-        from importlib_resources import files  # type: ignore[import]  # pylint: disable=unused-import
-    except ImportError:
-        files = None  # type: ignore[assignment]
-    else:
-        HAS_IMPORTLIB_RESOURCES = True
-else:
-    from importlib.resources import files
-    HAS_IMPORTLIB_RESOURCES = True
+HAS_IMPORTLIB_RESOURCES = True
+
+_Display().deprecated(
+    msg="The `ansible.compat.importlib_resources` module is deprecated.",
+    help_text="Use `importlib.resources` from the Python standard library instead.",
+    version="2.23",
+)

ansible/config/base.yml

@@ -1335,6 +1335,7 @@ DISPLAY_TRACEBACK:
     - error
     - warning
     - deprecated
+    - deprecated_value
     - always
     - never
   version_added: "2.19"
@@ -1961,6 +1962,14 @@ SSH_AGENT:
   env: [{name: ANSIBLE_SSH_AGENT}]
   ini: [{key: ssh_agent, section: connection}]
   version_added: '2.19'
+SSH_AGENT_EXECUTABLE:
+  name: Executable to start for the ansible-managed SSH agent
+  description: When ``SSH_AGENT`` is ``auto``, the path or name of the ssh agent executable to start.
+  default: ssh-agent
+  type: str
+  env: [ { name: ANSIBLE_SSH_AGENT_EXECUTABLE } ]
+  ini: [ { key: ssh_agent_executable, section: connection } ]
+  version_added: '2.19'
 SSH_AGENT_KEY_LIFETIME:
   name: Set a maximum lifetime when adding identities to an agent
   description: For keys inserted into an agent defined by ``SSH_AGENT``, define a lifetime, in seconds, that the key may remain
@@ -2035,6 +2044,19 @@ TASK_TIMEOUT:
   - {key: task_timeout, section: defaults}
   type: integer
   version_added: '2.10'
+_TEMPLAR_SANDBOX_MODE:
+  name: Control Jinja template sandbox behavior
+  default: default
+  description:
+    - The default Jinja sandbox behavior blocks template access to all `_` prefixed object attributes and known collection mutation methods (e.g., `dict.clear()`, `list.append()`).
+  type: choices
+  choices:
+    - default
+    - allow_unsafe_attributes
+  env: [{name: _ANSIBLE_TEMPLAR_SANDBOX_MODE}]
+  deprecated:
+    why: controlling sandbox behavior is a temporary workaround
+    version: '2.23'
 _TEMPLAR_UNKNOWN_TYPE_CONVERSION:
   name: Templar unknown type conversion behavior
   default: warning

ansible/errors/__init__.py

@@ -3,20 +3,18 @@
 
 from __future__ import annotations
 
+import collections.abc as _c
 import enum
-import traceback
-import sys
 import types
 import typing as t
 
-from collections.abc import Sequence
-
 from json import JSONDecodeError
 
 from ansible.module_utils.common.text.converters import to_text
 from ..module_utils.datatag import native_type_name
 from ansible._internal._datatag import _tags
-from .._internal._errors import _utils
+from .._internal._errors import _error_utils
+from ansible.module_utils._internal import _text_utils
 
 if t.TYPE_CHECKING:
     from ansible.plugins import loader as _t_loader
@@ -73,7 +71,7 @@ class AnsibleError(Exception):
             message = str(message)
 
         if self._default_message and message:
-            message = _utils.concat_message(self._default_message, message)
+            message = _text_utils.concat_message(self._default_message, message)
         elif self._default_message:
             message = self._default_message
         elif not message:
@@ -108,12 +106,10 @@ class AnsibleError(Exception):
     @property
     def message(self) -> str:
         """
-        If `include_cause_message` is False, return the original message.
-        Otherwise, return the original message with cause message(s) appended, stopping on (and including) the first non-AnsibleError.
-        The recursion is due to `AnsibleError.__str__` calling this method, which uses `str` on child exceptions to create the cause message.
-        Recursion stops on the first non-AnsibleError since those exceptions do not implement the custom `__str__` behavior.
+        Return the original message with cause message(s) appended.
+        The cause will not be followed on any `AnsibleError` with `_include_cause_message=False`.
         """
-        return _utils.get_chained_message(self)
+        return _error_utils.format_exception_message(self)
 
     @message.setter
     def message(self, val) -> None:
@@ -121,8 +117,8 @@ class AnsibleError(Exception):
 
     @property
     def _formatted_source_context(self) -> str | None:
-        with _utils.RedactAnnotatedSourceContext.when(not self._show_content):
-            if source_context := _utils.SourceContext.from_value(self.obj):
+        with _error_utils.RedactAnnotatedSourceContext.when(not self._show_content):
+            if source_context := _error_utils.SourceContext.from_value(self.obj):
                 return str(source_context)
 
         return None
@@ -238,8 +234,20 @@ class AnsibleModuleError(AnsibleRuntimeError):
     """A module failed somehow."""
 
 
-class AnsibleConnectionFailure(AnsibleRuntimeError):
-    """The transport / connection_plugin had a fatal error."""
+class AnsibleConnectionFailure(AnsibleRuntimeError, _error_utils.ContributesToTaskResult):
+    """
+    The transport / connection_plugin had a fatal error.
+
+    This exception provides a result dictionary via the ContributesToTaskResult mixin.
+    """
+
+    @property
+    def result_contribution(self) -> t.Mapping[str, object]:
+        return dict(unreachable=True)
+
+    @property
+    def omit_failed_key(self) -> bool:
+        return True
 
 
 class AnsibleAuthenticationFailure(AnsibleConnectionFailure):
@@ -319,7 +327,7 @@ class AnsibleFileNotFound(AnsibleRuntimeError):
         else:
             message += "Could not find file"
 
-        if self.paths and isinstance(self.paths, Sequence):
+        if self.paths and isinstance(self.paths, _c.Sequence):
             searched = to_text('\n\t'.join(self.paths))
             if message:
                 message += "\n"
@@ -331,47 +339,76 @@ class AnsibleFileNotFound(AnsibleRuntimeError):
                                                   suppress_extended_error=suppress_extended_error, orig_exc=orig_exc)
 
 
-# These Exceptions are temporary, using them as flow control until we can get a better solution.
-# DO NOT USE as they will probably be removed soon.
-# We will port the action modules in our tree to use a context manager instead.
-class AnsibleAction(AnsibleRuntimeError):
+class AnsibleAction(AnsibleRuntimeError, _error_utils.ContributesToTaskResult):
     """Base Exception for Action plugin flow control."""
 
     def __init__(self, message="", obj=None, show_content=True, suppress_extended_error=..., orig_exc=None, result=None):
-        super(AnsibleAction, self).__init__(message=message, obj=obj, show_content=show_content,
-                                            suppress_extended_error=suppress_extended_error, orig_exc=orig_exc)
-        if result is None:
-            self.result = {}
-        else:
-            self.result = result
+        super().__init__(message=message, obj=obj, show_content=show_content, suppress_extended_error=suppress_extended_error, orig_exc=orig_exc)
+
+        self._result = result or {}
+
+    @property
+    def result_contribution(self) -> _c.Mapping[str, object]:
+        return self._result
+
+    @property
+    def result(self) -> dict[str, object]:
+        """Backward compatibility property returning a mutable dictionary."""
+        return dict(self.result_contribution)
 
 
 class AnsibleActionSkip(AnsibleAction):
-    """An action runtime skip."""
+    """
+    An action runtime skip.
 
-    def __init__(self, message="", obj=None, show_content=True, suppress_extended_error=..., orig_exc=None, result=None):
-        super(AnsibleActionSkip, self).__init__(message=message, obj=obj, show_content=show_content,
-                                                suppress_extended_error=suppress_extended_error, orig_exc=orig_exc, result=result)
-        self.result.update({'skipped': True, 'msg': message})
+    This exception provides a result dictionary via the ContributesToTaskResult mixin.
+    """
+
+    @property
+    def result_contribution(self) -> _c.Mapping[str, object]:
+        return self._result | dict(
+            skipped=True,
+            msg=self.message,
+        )
+
+    @property
+    def omit_failed_key(self) -> bool:
+        return True
+
+    @property
+    def omit_exception_key(self) -> bool:
+        return True
 
 
 class AnsibleActionFail(AnsibleAction):
-    """An action runtime failure."""
+    """
+    An action runtime failure.
 
-    def __init__(self, message="", obj=None, show_content=True, suppress_extended_error=..., orig_exc=None, result=None):
-        super(AnsibleActionFail, self).__init__(message=message, obj=obj, show_content=show_content,
-                                                suppress_extended_error=suppress_extended_error, orig_exc=orig_exc, result=result)
+    This exception provides a result dictionary via the ContributesToTaskResult mixin.
+    """
+
+    @property
+    def result_contribution(self) -> _c.Mapping[str, object]:
+        return self._result | dict(
+            failed=True,
+            msg=self.message,
+        )
 
-        result_overrides = {'failed': True, 'msg': message}
-        # deprecated: description='use sys.exception()' python_version='3.11'
-        if sys.exc_info()[1]:  # DTFIX-RELEASE: remove this hack once TaskExecutor is no longer shucking AnsibleActionFail and returning its result
-            result_overrides['exception'] = traceback.format_exc()
 
-        self.result.update(result_overrides)
+class _ActionDone(AnsibleAction):
+    """
+    Imports as `_AnsibleActionDone` are deprecated. An action runtime early exit.
+
+    This exception provides a result dictionary via the ContributesToTaskResult mixin.
+    """
 
+    @property
+    def omit_failed_key(self) -> bool:
+        return not self._result.get('failed')
 
-class _AnsibleActionDone(AnsibleAction):
-    """An action runtime early exit."""
+    @property
+    def omit_exception_key(self) -> bool:
+        return not self._result.get('failed')
 
 
 class AnsiblePluginError(AnsibleError):
@@ -422,13 +459,23 @@ def __getattr__(name: str) -> t.Any:
     """Inject import-time deprecation warnings."""
     from ..utils.display import Display
 
-    if name == 'AnsibleFilterTypeError':
-        Display().deprecated(
-            msg="Importing 'AnsibleFilterTypeError' is deprecated.",
-            help_text=f"Import {AnsibleTypeError.__name__!r} instead.",
-            version="2.23",
-        )
+    match name:
+        case 'AnsibleFilterTypeError':
+            Display().deprecated(
+                msg=f"Importing {name!r} is deprecated.",
+                help_text=f"Import {AnsibleTypeError.__name__!r} instead.",
+                version="2.23",
+            )
+
+            return AnsibleTypeError
+
+        case '_AnsibleActionDone':
+            Display().deprecated(
+                msg=f"Importing {name!r} is deprecated.",
+                help_text="Return directly from action plugins instead.",
+                version="2.23",
+            )
 
-        return AnsibleTypeError
+            return _ActionDone
 
     raise AttributeError(f'module {__name__!r} has no attribute {name!r}')

ansible/executor/module_common.py

@@ -40,6 +40,7 @@ from ansible._internal import _locking
 from ansible._internal._datatag import _utils
 from ansible.module_utils._internal import _dataclass_validation
 from ansible.module_utils.common.yaml import yaml_load
+from ansible.module_utils.datatag import deprecator_from_collection_name
 from ansible._internal._datatag._tags import Origin
 from ansible.module_utils.common.json import Direction, get_module_encoder
 from ansible.release import __version__, __author__
@@ -55,7 +56,6 @@ from ansible.template import Templar
 from ansible.utils.collection_loader._collection_finder import _get_collection_metadata, _nested_dict_get
 from ansible.module_utils._internal import _json, _ansiballz
 from ansible.module_utils import basic as _basic
-from ansible.module_utils.common import messages as _messages
 
 if t.TYPE_CHECKING:
     from ansible import template as _template
@@ -166,7 +166,7 @@ NEW_STYLE_PYTHON_MODULE_RE = re.compile(
 
 
 class ModuleDepFinder(ast.NodeVisitor):
-    # DTFIX-RELEASE: add support for ignoring imports with a "controller only" comment, this will allow replacing import_controller_module with standard imports
+    # DTFIX-FUTURE: add support for ignoring imports with a "controller only" comment, this will allow replacing import_controller_module with standard imports
     def __init__(self, module_fqn, tree, is_pkg_init=False, *args, **kwargs):
         """
         Walk the ast tree for the python module.
@@ -439,7 +439,7 @@ class ModuleUtilLocatorBase:
                 version=removal_version,
                 removed=removed,
                 date=removal_date,
-                deprecator=_messages.PluginInfo._from_collection_name(self._collection_name),
+                deprecator=deprecator_from_collection_name(self._collection_name),
             )
         if 'redirect' in routing_entry:
             self.redirected = True
@@ -618,7 +618,7 @@ class CollectionModuleUtilLocator(ModuleUtilLocatorBase):
         if pkg_path:
             origin = Origin(path=os.path.join(pkg_path, src_path))
         else:
-            # DTFIX-RELEASE: not sure if this case is even reachable
+            # DTFIX-FUTURE: not sure if this case is even reachable
             origin = Origin(description=f'<synthetic collection package for {collection_pkg_name}!r>')
 
         self.source_code = origin.tag(src)
@@ -658,7 +658,7 @@ metadata_versions: dict[t.Any, type[ModuleMetadata]] = {
 
 
 def _get_module_metadata(module: ast.Module) -> ModuleMetadata:
-    # DTFIX-RELEASE: while module metadata works, this feature isn't fully baked and should be turned off before release
+    # DTFIX2: while module metadata works, this feature isn't fully baked and should be turned off before release
     metadata_nodes: list[ast.Assign] = []
 
     for node in module.body:
@@ -928,7 +928,7 @@ class _BuiltModule:
 class _CachedModule:
     """Cached Python module created by AnsiballZ."""
 
-    # DTFIX-RELEASE: secure this (locked down pickle, don't use pickle, etc.)
+    # DTFIX5: secure this (locked down pickle, don't use pickle, etc.)
 
     zip_data: bytes
     metadata: ModuleMetadata
@@ -991,10 +991,8 @@ def _find_module_utils(
         module_substyle = 'powershell'
         b_module_data = b_module_data.replace(REPLACER_WINDOWS, b'#AnsibleRequires -PowerShell Ansible.ModuleUtils.Legacy')
     elif re.search(b'#Requires -Module', b_module_data, re.IGNORECASE) \
-            or re.search(b'#Requires -Version', b_module_data, re.IGNORECASE)\
-            or re.search(b'#AnsibleRequires -OSVersion', b_module_data, re.IGNORECASE) \
-            or re.search(b'#AnsibleRequires -Powershell', b_module_data, re.IGNORECASE) \
-            or re.search(b'#AnsibleRequires -CSharpUtil', b_module_data, re.IGNORECASE):
+            or re.search(b'#Requires -Version', b_module_data, re.IGNORECASE) \
+            or re.search(b'#AnsibleRequires -(OSVersion|PowerShell|CSharpUtil|Wrapper)', b_module_data, re.IGNORECASE):
         module_style = 'new'
         module_substyle = 'powershell'
     elif REPLACER_JSONARGS in b_module_data:

ansible/executor/powershell/async_watchdog.ps1

@@ -40,7 +40,7 @@ param([ScriptBlock]$ScriptBlock, $Param)
 & $ScriptBlock.Ast.GetScriptBlock() @Param
 '@).AddParameters(
     @{
-        ScriptBlock = $execInfo.ScriptBlock
+        ScriptBlock = $execInfo.ScriptInfo.ScriptBlock
         Param = $execInfo.Parameters
     })
 
@@ -64,7 +64,7 @@ $jobError = $null
 try {
     $jobAsyncResult = $ps.BeginInvoke($pipelineInput, $invocationSettings, $null, $null)
     $jobAsyncResult.AsyncWaitHandle.WaitOne($Timeout * 1000) > $null
-    $result.finished = 1
+    $result.finished = $true
 
     if ($jobAsyncResult.IsCompleted) {
         $jobOutput = $ps.EndInvoke($jobAsyncResult)

ansible/executor/powershell/async_wrapper.ps1

@@ -113,7 +113,7 @@ try {
     }
     $execWrapper = @{
         name = 'exec_wrapper-async.ps1'
-        script = $execAction.Script
+        script = $execAction.ScriptInfo.Script
         params = $execAction.Parameters
     } | ConvertTo-Json -Compress -Depth 99
     $asyncInput = "$execWrapper`n`0`0`0`0`n$($execAction.InputData)"
@@ -135,8 +135,8 @@ try {
     # We need to write the result file before the process is started to ensure
     # it can read the file.
     $result = @{
-        started = 1
-        finished = 0
+        started = $true
+        finished = $false
         results_file = $resultsPath
         ansible_job_id = $localJid
         _ansible_suppress_tmpdir_delete = $true

ansible/executor/powershell/become_wrapper.ps1

@@ -7,6 +7,7 @@ using namespace System.Collections
 using namespace System.Diagnostics
 using namespace System.IO
 using namespace System.Management.Automation
+using namespace System.Management.Automation.Security
 using namespace System.Net
 using namespace System.Text
 
@@ -53,7 +54,7 @@ $executablePath = Join-Path -Path $PSHome -ChildPath $executable
 $actionInfo = Get-AnsibleExecWrapper -EncodeInputOutput
 $bootstrapManifest = ConvertTo-Json -InputObject @{
     n = "exec_wrapper-become-$([Guid]::NewGuid()).ps1"
-    s = $actionInfo.Script
+    s = $actionInfo.ScriptInfo.Script
     p = $actionInfo.Parameters
 } -Depth 99 -Compress
 
@@ -68,9 +69,26 @@ $m=foreach($i in $input){
 $m=$m|ConvertFrom-Json
 $p=@{}
 foreach($o in $m.p.PSObject.Properties){$p[$o.Name]=$o.Value}
+'@
+
+if ([SystemPolicy]::GetSystemLockdownPolicy() -eq 'Enforce') {
+    # If we started in CLM we need to execute the script from a file so that
+    # PowerShell validates our exec_wrapper is trusted and will run in FLM.
+    $command += @'
+$n=Join-Path $env:TEMP $m.n
+$null=New-Item $n -Value $m.s -Type File -Force
+try{$input|&$n @p}
+finally{if(Test-Path -LiteralPath $n){Remove-Item -LiteralPath $n -Force}}
+'@
+}
+else {
+    # If we started in FLM we pass the script through stdin and execute in
+    # memory.
+    $command += @'
 $c=[System.Management.Automation.Language.Parser]::ParseInput($m.s,$m.n,[ref]$null,[ref]$null).GetScriptBlock()
-$input | & $c @p
+$input|&$c @p
 '@
+}
 
 # Strip out any leading or trailing whitespace and remove empty lines.
 $command = @(