ansible-core 2.19.0b4__py3-none-any.whl → 2.19.0b5__py3-none-any.whl

ansible/executor/powershell/bootstrap_wrapper.ps1

@@ -18,10 +18,32 @@ foreach ($obj in $code.params.PSObject.Properties) {
     $splat[$obj.Name] = $obj.Value
 }
 
-$cmd = [System.Management.Automation.Language.Parser]::ParseInput(
-    $code.script,
-    "$($code.name).ps1", # Name is used in stack traces.
-    [ref]$null,
-    [ref]$null).GetScriptBlock()
+$filePath = $null
+try {
+    $cmd = if ($ExecutionContext.SessionState.LanguageMode -eq 'FullLanguage') {
+        # In FLM we can just invoke the code as a scriptblock without touching the
+        # disk.
+        [System.Management.Automation.Language.Parser]::ParseInput(
+            $code.script,
+            "$($code.name).ps1", # Name is used in stack traces.
+            [ref]$null,
+            [ref]$null).GetScriptBlock()
+    }
+    else {
+        # CLM needs to execute code from a file for it to run in FLM when trusted.
+        # Set-Item on 5.1 doesn't have a way to use UTF-8 without a BOM but luckily
+        # New-Item does that by default for both 5.1 and 7. We need to ensure we
+        # use UTF-8 without BOM so the signature is correct.
+        $filePath = Join-Path -Path $env:TEMP -ChildPath "$($code.name)-$(New-Guid).ps1"
+        $null = New-Item -Path $filePath -Value $code.script -ItemType File -Force
+
+        $filePath
+    }
 
-$input | & $cmd @splat
+    $input | & $cmd @splat
+}
+finally {
+    if ($filePath -and (Test-Path -LiteralPath $filePath)) {
+        Remove-Item -LiteralPath $filePath -Force
+    }
+}

ansible/executor/powershell/coverage_wrapper.ps1

@@ -28,8 +28,12 @@ $Host.Runspace.Debugger.SetDebugMode([DebugModes]::RemoteScript)
 Function New-CoverageBreakpointsForScriptBlock {
     Param (
         [Parameter(Mandatory)]
-        [ScriptBlock]
-        $ScriptBlock,
+        [string]
+        $ScriptName,
+
+        [Parameter(Mandatory)]
+        [ScriptBlockAst]
+        $ScriptBlockAst,
 
         [Parameter(Mandatory)]
         [String]
@@ -39,7 +43,7 @@ Function New-CoverageBreakpointsForScriptBlock {
     $predicate = {
         $args[0] -is [CommandBaseAst]
     }
-    $scriptCmds = $ScriptBlock.Ast.FindAll($predicate, $true)
+    $scriptCmds = $ScriptBlockAst.FindAll($predicate, $true)
 
     # Create an object that tracks the Ansible path of the file and the breakpoints that have been set in it
     $info = [PSCustomObject]@{
@@ -68,7 +72,7 @@ Function New-CoverageBreakpointsForScriptBlock {
         }
 
         # Action is explicitly $null as it will slow down the runtime quite dramatically.
-        $b = $lineCtor.Invoke(@($ScriptBlock.File, $cmd.Extent.StartLineNumber, $cmd.Extent.StartColumnNumber, $null))
+        $b = $lineCtor.Invoke(@($ScriptName, $cmd.Extent.StartLineNumber, $cmd.Extent.StartColumnNumber, $null))
         $info.Breakpoints.Add($b)
     }
 
@@ -102,11 +106,16 @@ try {
     $coveragePathFilter = $PathFilter.Split(":", [StringSplitOptions]::RemoveEmptyEntries)
     $breakpointInfo = @(
         foreach ($scriptName in @($ModuleName; $actionParams.PowerShellModules)) {
-            $scriptInfo = Get-AnsibleScript -Name $scriptName -IncludeScriptBlock
+            # We don't use -IncludeScriptBlock as the script might be untrusted
+            # and will run under CLM. While we recreate the ScriptBlock here it
+            # is only to get the AST that contains the statements and their
+            # line numbers to create the breakpoint info for.
+            $scriptInfo = Get-AnsibleScript -Name $scriptName
 
             if (Compare-PathFilterPattern -Patterns $coveragePathFilter -Path $scriptInfo.Path) {
                 $covParams = @{
-                    ScriptBlock = $scriptInfo.ScriptBlock
+                    ScriptName = $scriptInfo.Name
+                    ScriptBlockAst = [ScriptBlock]::Create($scriptInfo.Script).Ast
                     AnsiblePath = $scriptInfo.Path
                 }
                 New-CoverageBreakpointsForScriptBlock @covParams

ansible/executor/powershell/exec_wrapper.ps1

@@ -9,6 +9,7 @@ using namespace System.Linq
 using namespace System.Management.Automation
 using namespace System.Management.Automation.Language
 using namespace System.Management.Automation.Security
+using namespace System.Reflection
 using namespace System.Security.Cryptography
 using namespace System.Text
 
@@ -53,6 +54,10 @@ begin {
     $ErrorActionPreference = "Stop"
     $ProgressPreference = "SilentlyContinue"
 
+    if ($PSCommandPath -and (Test-Path -LiteralPath $PSCommandPath)) {
+        Remove-Item -LiteralPath $PSCommandPath -Force
+    }
+
     # Try and set the console encoding to UTF-8 allowing Ansible to read the
     # output of the wrapper as UTF-8 bytes.
     try {
@@ -89,6 +94,9 @@ begin {
     }
 
     # $Script:AnsibleManifest = @{}  # Defined in process/end.
+    $Script:AnsibleShouldConstrain = [SystemPolicy]::GetSystemLockdownPolicy() -eq 'Enforce'
+    $Script:AnsibleTrustedHashList = [HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
+    $Script:AnsibleUnsupportedHashList = [HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
     $Script:AnsibleWrapperWarnings = [List[string]]::new()
     $Script:AnsibleTempPath = @(
         # Wrapper defined tmpdir
@@ -110,6 +118,8 @@ begin {
             $false
         }
     } | Select-Object -First 1
+    $Script:AnsibleTempScripts = [List[string]]::new()
+    $Script:AnsibleClrFacadeSet = $false
 
     Function Convert-JsonObject {
         param(
@@ -147,7 +157,11 @@ begin {
 
             [Parameter()]
             [switch]
-            $IncludeScriptBlock
+            $IncludeScriptBlock,
+
+            [Parameter()]
+            [switch]
+            $SkipHashCheck
         )
 
         if (-not $Script:AnsibleManifest.scripts.Contains($Name)) {
@@ -172,11 +186,93 @@ begin {
                 [ref]$null).GetScriptBlock()
         }
 
-        [PSCustomObject]@{
+        $outputValue = [PSCustomObject]@{
             Name = $Name
             Script = $scriptContents
             Path = $scriptInfo.path
             ScriptBlock = $sbk
+            ShouldConstrain = $false
+        }
+
+        if (-not $Script:AnsibleShouldConstrain) {
+            $outputValue
+            return
+        }
+
+        if (-not $SkipHashCheck) {
+            $sha256 = [SHA256]::Create()
+            $scriptHash = [BitConverter]::ToString($sha256.ComputeHash($scriptBytes)).Replace("-", "")
+            $sha256.Dispose()
+
+            if ($Script:AnsibleUnsupportedHashList.Contains($scriptHash)) {
+                $err = [ErrorRecord]::new(
+                    [Exception]::new("Provided script for '$Name' is marked as unsupported in CLM mode."),
+                    "ScriptUnsupported",
+                    [ErrorCategory]::SecurityError,
+                    $Name)
+                $PSCmdlet.ThrowTerminatingError($err)
+            }
+            elseif ($Script:AnsibleTrustedHashList.Contains($scriptHash)) {
+                $outputValue
+                return
+            }
+        }
+
+        # If we have reached here we are running in a locked down environment
+        # and the script is not trusted in the signed hashlists. Check if it
+        # contains the authenticode signature and verify that using PowerShell.
+        # [SystemPolicy]::GetFilePolicyEnforcement(...) is a new API but only
+        # present in Server 2025+ so we need to rely on the known behaviour of
+        # Get-Command to fail with CommandNotFoundException if the script is
+        # not allowed to run.
+        $outputValue.ShouldConstrain = $true
+        if ($scriptContents -like "*`r`n# SIG # Begin signature block`r`n*") {
+            Set-WinPSDefaultFileEncoding
+
+            # If the script is manually signed we need to ensure the signature
+            # is valid and trusted by the OS policy.
+            # We must use '.ps1' so the ExternalScript WDAC check will apply.
+            $tmpFile = [Path]::Combine($Script:AnsibleTempPath, "ansible-tmp-$([Guid]::NewGuid()).ps1")
+            try {
+                [File]::WriteAllBytes($tmpFile, $scriptBytes)
+                $cmd = Get-Command -Name $tmpFile -CommandType ExternalScript -ErrorAction Stop
+
+                # Get-Command caches the file contents after loading which we
+                # use to verify it was not modified before the signature check.
+                $expectedScript = $cmd.OriginalEncoding.GetString($scriptBytes)
+                if ($expectedScript -ne $cmd.ScriptContents) {
+                    $err = [ErrorRecord]::new(
+                        [Exception]::new("Script has been modified during signature check."),
+                        "ScriptModifiedTrusted",
+                        [ErrorCategory]::SecurityError,
+                        $Name)
+                    $PSCmdlet.ThrowTerminatingError($err)
+                }
+
+                $outputValue.ShouldConstrain = $false
+            }
+            catch [CommandNotFoundException] {
+                $null = $null  # No-op but satisfies the linter.
+            }
+            finally {
+                if (Test-Path -LiteralPath $tmpFile) {
+                    Remove-Item -LiteralPath $tmpFile -Force
+                }
+            }
+        }
+
+        if ($outputValue.ShouldConstrain -and $IncludeScriptBlock) {
+            # If the script is untrusted and a scriptblock was requested we
+            # error out as the sbk would have run in FLM.
+            $err = [ErrorRecord]::new(
+                [Exception]::new("Provided script for '$Name' is not trusted to run."),
+                "ScriptNotTrusted",
+                [ErrorCategory]::SecurityError,
+                $Name)
+            $PSCmdlet.ThrowTerminatingError($err)
+        }
+        else {
+            $outputValue
         }
     }
 
@@ -223,7 +319,7 @@ begin {
             $IncludeScriptBlock
         )
 
-        $sbk = Get-AnsibleScript -Name exec_wrapper.ps1 -IncludeScriptBlock:$IncludeScriptBlock
+        $scriptInfo = Get-AnsibleScript -Name exec_wrapper.ps1 -IncludeScriptBlock:$IncludeScriptBlock
         $params = @{
             # TempPath may contain env vars that change based on the runtime
             # environment. Ensure we use that and not the $script:AnsibleTempPath
@@ -244,8 +340,7 @@ begin {
         }
 
         [PSCustomObject]@{
-            Script = $sbk.Script
-            ScriptBlock = $sbk.ScriptBlock
+            ScriptInfo = $scriptInfo
             Parameters = $params
             InputData = $inputData
         }
@@ -279,11 +374,16 @@ begin {
 
         $isBasicUtil = $false
         $csharpModules = foreach ($moduleName in $Name) {
-            (Get-AnsibleScript -Name $moduleName).Script
+            $scriptInfo = Get-AnsibleScript -Name $moduleName
 
+            if ($scriptInfo.ShouldConstrain) {
+                throw "C# module util '$Name' is not trusted and cannot be loaded."
+            }
             if ($moduleName -eq 'Ansible.Basic.cs') {
                 $isBasicUtil = $true
             }
+
+            $scriptInfo.Script
         }
 
         $fakeModule = [PSCustomObject]@{
@@ -303,6 +403,112 @@ begin {
         }
     }
 
+    Function Import-SignedHashList {
+        [CmdletBinding()]
+        param (
+            [Parameter(Mandatory, ValueFromPipeline)]
+            [string]
+            $Name
+        )
+
+        process {
+            try {
+                # We skip the hash check to ensure we verify based on the
+                # authenticode signature and not whether it's trusted by an
+                # existing signed hash list.
+                $scriptInfo = Get-AnsibleScript -Name $Name -SkipHashCheck
+                if ($scriptInfo.ShouldConstrain) {
+                    throw "script is not signed or not trusted to run."
+                }
+
+                $hashListAst = [Parser]::ParseInput(
+                    $scriptInfo.Script,
+                    $Name,
+                    [ref]$null,
+                    [ref]$null)
+                $manifestAst = $hashListAst.Find({ $args[0] -is [HashtableAst] }, $false)
+                if ($null -eq $manifestAst) {
+                    throw "expecting a single hashtable in the signed manifest."
+                }
+
+                $out = $manifestAst.SafeGetValue()
+                if (-not $out.Contains('Version')) {
+                    throw "expecting hash list to contain 'Version' key."
+                }
+                if ($out.Version -ne 1) {
+                    throw "unsupported hash list Version $($out.Version), expecting 1."
+                }
+
+                if (-not $out.Contains('HashList')) {
+                    throw "expecting hash list to contain 'HashList' key."
+                }
+
+                $out.HashList | ForEach-Object {
+                    if ($_ -isnot [hashtable] -or -not $_.ContainsKey('Hash') -or $_.Hash -isnot [string] -or $_.Hash.Length -ne 64) {
+                        throw "expecting hash list to contain hashtable with Hash key with a value of a SHA256 strings."
+                    }
+
+                    if ($_.Mode -eq 'Trusted') {
+                        $null = $Script:AnsibleTrustedHashList.Add($_.Hash)
+                    }
+                    elseif ($_.Mode -eq 'Unsupported') {
+                        # Allows us to provide a better error when trying to run
+                        # something in CLM that is marked as unsupported.
+                        $null = $Script:AnsibleUnsupportedHashList.Add($_.Hash)
+                    }
+                    else {
+                        throw "expecting hash list entry for $($_.Hash) to contain a mode of 'Trusted' or 'Unsupported' but got '$($_.Mode)'."
+                    }
+                }
+            }
+            catch {
+                $_.ErrorDetails = [ErrorDetails]::new("Failed to process signed manifest '$Name': $_")
+                $PSCmdlet.WriteError($_)
+            }
+        }
+    }
+
+    Function New-TempAnsibleFile {
+        [OutputType([string])]
+        [CmdletBinding()]
+        param (
+            [Parameter(Mandatory)]
+            [string]
+            $FileName,
+
+            [Parameter(Mandatory)]
+            [string]
+            $Content
+        )
+
+        $name = [Path]::GetFileNameWithoutExtension($FileName)
+        $ext = [Path]::GetExtension($FileName)
+        $newName = "$($name)-$([Guid]::NewGuid())$ext"
+
+        $path = Join-Path -Path $Script:AnsibleTempPath $newName
+        Set-WinPSDefaultFileEncoding
+        [File]::WriteAllText($path, $Content, [UTF8Encoding]::new($false))
+
+        $path
+    }
+
+    Function Set-WinPSDefaultFileEncoding {
+        [CmdletBinding()]
+        param ()
+
+        # WinPS defaults to the locale encoding when loading a script from the
+        # file path but in Ansible we expect it to always be UTF-8 without a
+        # BOM. This lazily sets an internal field so pwsh reads it as UTF-8.
+        # If we don't do this then scripts saved as UTF-8 on the Ansible
+        # controller will not run as expected.
+        if ($PSVersionTable.PSVersion -lt '6.0' -and -not $Script:AnsibleClrFacadeSet) {
+            $clrFacade = [PSObject].Assembly.GetType('System.Management.Automation.ClrFacade')
+            $defaultEncodingField = $clrFacade.GetField('_defaultEncoding', [BindingFlags]'NonPublic, Static')
+            $defaultEncodingField.SetValue($null, [UTF8Encoding]::new($false))
+            $Script:AnsibleClrFacadeSet = $true
+        }
+    }
+
     Function Write-AnsibleErrorJson {
         [CmdletBinding()]
         param (
@@ -414,6 +620,10 @@ begin {
             $Script:AnsibleManifest = $Manifest
         }
 
+        if ($Script:AnsibleShouldConstrain) {
+            $Script:AnsibleManifest.signed_hashlist | Import-SignedHashList
+        }
+
         $actionInfo = Get-NextAnsibleAction
         $actionParams = $actionInfo.Parameters
 
@@ -500,5 +710,8 @@ end {
     }
     finally {
         $actionPipeline.Dispose()
+        if ($Script:AnsibleTempScripts) {
+            Remove-Item -LiteralPath $Script:AnsibleTempScripts -Force -ErrorAction Ignore
+        }
     }
 }

ansible/executor/powershell/module_manifest.py

@@ -30,6 +30,7 @@ from ansible.plugins.loader import ps_module_utils_loader
 class _ExecManifest:
     scripts: dict[str, _ScriptInfo] = dataclasses.field(default_factory=dict)
     actions: list[_ManifestAction] = dataclasses.field(default_factory=list)
+    signed_hashlist: list[str] = dataclasses.field(default_factory=list)
 
 
 @dataclasses.dataclass(frozen=True, kw_only=True)
@@ -54,6 +55,11 @@ class PSModuleDepFinder(object):
     def __init__(self) -> None:
         # This is also used by validate-modules to get a module's required utils in base and a collection.
         self.scripts: dict[str, _ScriptInfo] = {}
+        self.signed_hashlist: set[str] = set()
+
+        if builtin_hashlist := _get_powershell_signed_hashlist():
+            self.signed_hashlist.add(builtin_hashlist.path)
+            self.scripts[builtin_hashlist.path] = builtin_hashlist
 
         self._util_deps: dict[str, set[str]] = {}
 
@@ -119,6 +125,15 @@ class PSModuleDepFinder(object):
         lines = module_data.split(b'\n')
         module_utils: set[tuple[str, str, bool]] = set()
 
+        if fqn and fqn.startswith("ansible_collections."):
+            submodules = fqn.split('.')
+            collection_name = '.'.join(submodules[:3])
+
+            collection_hashlist = _get_powershell_signed_hashlist(collection_name)
+            if collection_hashlist and collection_hashlist.path not in self.signed_hashlist:
+                self.signed_hashlist.add(collection_hashlist.path)
+                self.scripts[collection_hashlist.path] = collection_hashlist
+
         if powershell:
             checks = [
                 # PS module contains '#Requires -Module Ansible.ModuleUtils.*'
@@ -315,6 +330,10 @@ def _bootstrap_powershell_script(
         )
     )
 
+    if hashlist := _get_powershell_signed_hashlist():
+        exec_manifest.signed_hashlist.append(hashlist.path)
+        exec_manifest.scripts[hashlist.path] = hashlist
+
     bootstrap_wrapper = _get_powershell_script("bootstrap_wrapper.ps1")
     bootstrap_input = _get_bootstrap_input(exec_manifest)
     if has_input:
@@ -339,6 +358,14 @@ def _get_powershell_script(
     if code is None:
         raise AnsibleFileNotFound(f"Could not find powershell script '{package_name}.{name}'")
 
+    try:
+        sig_data = pkgutil.get_data(package_name, f"{name}.authenticode")
+    except FileNotFoundError:
+        sig_data = None
+
+    if sig_data:
+        code = code + b"\r\n" + b"\r\n".join(sig_data.splitlines()) + b"\r\n"
+
     return code
 
 
@@ -501,6 +528,7 @@ def _create_powershell_wrapper(
     exec_manifest = _ExecManifest(
         scripts=finder.scripts,
         actions=actions,
+        signed_hashlist=list(finder.signed_hashlist),
     )
 
     return _get_bootstrap_input(
@@ -551,3 +579,27 @@ def _prepare_module_args(module_args: dict[str, t.Any], profile: str) -> dict[st
     encoder = get_module_encoder(profile, Direction.CONTROLLER_TO_MODULE)
 
     return json.loads(json.dumps(module_args, cls=encoder))
+
+
+def _get_powershell_signed_hashlist(
+    collection: str | None = None,
+) -> _ScriptInfo | None:
+    """Gets the signed hashlist script stored in either the Ansible package or for
+    the collection specified.
+
+    :param collection: The collection namespace to get the signed hashlist for or None for the builtin.
+    :return: The _ScriptInfo payload of the signed hashlist script if found, None if not.
+    """
+    resource = 'ansible.config' if collection is None else f"{collection}.meta"
+    signature_file = 'powershell_signatures.psd1'
+
+    try:
+        sig_data = pkgutil.get_data(resource, signature_file)
+    except FileNotFoundError:
+        sig_data = None
+
+    if sig_data:
+        resource_path = f"{resource}.{signature_file}"
+        return _ScriptInfo(content=sig_data, path=resource_path)
+
+    return None

ansible/executor/powershell/module_wrapper.ps1

@@ -97,6 +97,12 @@ $ps = [PowerShell]::Create()
 if ($ForModule) {
     $ps.Runspace.SessionStateProxy.SetVariable("ErrorActionPreference", "Stop")
 }
+else {
+    # For script files we want to ensure we load it as UTF-8. We don't set this
+    # for modules as they are loaded from memory whereas a script is loaded
+    # from disk as part of the script being run than by us.
+    Set-WinPSDefaultFileEncoding
+}
 
 foreach ($variable in $Variables) {
     $null = $ps.AddCommand("Set-Variable").AddParameters($variable).AddStatement()
@@ -112,12 +118,31 @@ foreach ($env in $Environment.GetEnumerator()) {
 $null = $ps.AddScript('Function Write-Host($msg) { Write-Output -InputObject $msg }').AddStatement()
 
 $scriptInfo = Get-AnsibleScript -Name $Script
+if ($scriptInfo.ShouldConstrain) {
+    # Fail if there are any module utils, in the future we may allow unsigned
+    # PowerShell utils in CLM but for now we don't.
+    if ($PowerShellModules -or $CSharpModules) {
+        throw "Cannot run untrusted PowerShell script '$Script' in ConstrainedLanguage mode with module util imports."
+    }
 
-if ($PowerShellModules) {
-    foreach ($utilName in $PowerShellModules) {
-        $utilInfo = Get-AnsibleScript -Name $utilName
+    # If the module is marked as needing to be constrained then we set the
+    # language mode to ConstrainedLanguage so that when parsed inside the
+    # Runspace it will run in CLM. We need to run it from a filepath as in
+    # CLM we cannot call the methods needed to create the ScriptBlock and we
+    # need to be in CLM to downgrade the language mode.
+    $null = $ps.AddScript('$ExecutionContext.SessionState.LanguageMode = "ConstrainedLanguage"').AddStatement()
+    $scriptPath = New-TempAnsibleFile -FileName $Script -Content $scriptInfo.Script
+    $null = $ps.AddCommand($scriptPath, $false).AddStatement()
+}
+else {
+    if ($PowerShellModules) {
+        foreach ($utilName in $PowerShellModules) {
+            $utilInfo = Get-AnsibleScript -Name $utilName
+            if ($utilInfo.ShouldConstrain) {
+                throw "PowerShell module util '$utilName' is not trusted and cannot be loaded."
+            }
 
-        $null = $ps.AddScript(@'
+            $null = $ps.AddScript(@'
 param ($Name, $Script)
 
 $moduleName = [System.IO.Path]::GetFileNameWithoutExtension($Name)
@@ -130,32 +155,33 @@ $sbk = [System.Management.Automation.Language.Parser]::ParseInput(
 New-Module -Name $moduleName -ScriptBlock $sbk |
     Import-Module -WarningAction SilentlyContinue -Scope Global
 '@, $true)
-        $null = $ps.AddParameters(
-            @{
-                Name = $utilName
-                Script = $utilInfo.Script
-            }
-        ).AddStatement()
+            $null = $ps.AddParameters(
+                @{
+                    Name = $utilName
+                    Script = $utilInfo.Script
+                }
+            ).AddStatement()
+        }
     }
-}
 
-if ($CSharpModules) {
-    # C# utils are process wide so just load them here.
-    Import-CSharpUtil -Name $CSharpModules
-}
+    if ($CSharpModules) {
+        # C# utils are process wide so just load them here.
+        Import-CSharpUtil -Name $CSharpModules
+    }
 
-# We invoke it through a command with useLocalScope $false to
-# ensure the code runs with it's own $script: scope. It also
-# cleans up the StackTrace on errors by not showing the stub
-# execution line and starts immediately at the module "cmd".
-$null = $ps.AddScript(@'
+    # We invoke it through a command with useLocalScope $false to
+    # ensure the code runs with it's own $script: scope. It also
+    # cleans up the StackTrace on errors by not showing the stub
+    # execution line and starts immediately at the module "cmd".
+    $null = $ps.AddScript(@'
 ${function:<AnsibleModule>} = [System.Management.Automation.Language.Parser]::ParseInput(
     $args[0],
     $args[1],
     [ref]$null,
     [ref]$null).GetScriptBlock()
 '@).AddArgument($scriptInfo.Script).AddArgument($Script).AddStatement()
-$null = $ps.AddCommand('<AnsibleModule>', $false).AddStatement()
+    $null = $ps.AddCommand('<AnsibleModule>', $false).AddStatement()
+}
 
 if ($Breakpoints) {
     $ps.Runspace.Debugger.SetBreakpoints($Breakpoints)

ansible/executor/powershell/powershell_expand_user.ps1

@@ -0,0 +1,20 @@
+# (c) 2025 Ansible Project
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+[CmdletBinding()]
+param (
+    [Parameter(Mandatory)]
+    [string]
+    $Path
+)
+
+$userProfile = [Environment]::GetFolderPath([Environment+SpecialFolder]::UserProfile)
+if ($Path -eq '~') {
+    $userProfile
+}
+elseif ($Path.StartsWith(('~\'))) {
+    Join-Path -Path $userProfile -ChildPath $Path.Substring(2)
+}
+else {
+    $Path
+}

ansible/executor/powershell/powershell_mkdtemp.ps1

@@ -0,0 +1,17 @@
+# (c) 2025 Ansible Project
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+[CmdletBinding()]
+param (
+    [Parameter(Mandatory)]
+    [string]
+    $Directory,
+
+    [Parameter(Mandatory)]
+    [string]
+    $Name
+)
+
+$path = [Environment]::ExpandEnvironmentVariables($Directory)
+$tmp = New-Item -Path $path -Name $Name -ItemType Directory
+$tmp.FullName