ansible-core 2.19.0b4__py3-none-any.whl → 2.19.0b6__py3-none-any.whl

ansible/{utils → _internal/_ssh}/_ssh_agent.py

@@ -106,21 +106,19 @@ class SshAgentFailure(RuntimeError):
 # NOTE: Classes below somewhat represent "Data Type Representations Used in the SSH Protocols"
 #       as specified by RFC4251
 
+
 @t.runtime_checkable
 class SupportsToBlob(t.Protocol):
-    def to_blob(self) -> bytes:
-        ...
+    def to_blob(self) -> bytes: ...
 
 
 @t.runtime_checkable
 class SupportsFromBlob(t.Protocol):
     @classmethod
-    def from_blob(cls, blob: memoryview | bytes) -> t.Self:
-        ...
+    def from_blob(cls, blob: memoryview | bytes) -> t.Self: ...
 
     @classmethod
-    def consume_from_blob(cls, blob: memoryview | bytes) -> tuple[t.Self, memoryview | bytes]:
-        ...
+    def consume_from_blob(cls, blob: memoryview | bytes) -> tuple[t.Self, memoryview | bytes]: ...
 
 
 def _split_blob(blob: memoryview | bytes, length: int) -> tuple[memoryview | bytes, memoryview | bytes]:
@@ -304,10 +302,12 @@ class PrivateKeyMsg(Msg):
                 return EcdsaPrivateKeyMsg(
                     getattr(KeyAlgo, f'ECDSA{key_size}'),
                     unicode_string(f'nistp{key_size}'),
-                    binary_string(private_key.public_key().public_bytes(
-                        encoding=serialization.Encoding.X962,
-                        format=serialization.PublicFormat.UncompressedPoint
-                    )),
+                    binary_string(
+                        private_key.public_key().public_bytes(
+                            encoding=serialization.Encoding.X962,
+                            format=serialization.PublicFormat.UncompressedPoint,
+                        )
+                    ),
                     mpint(ecdsa_pn.private_value),
                 )
             case Ed25519PrivateKey():
@@ -318,7 +318,7 @@ class PrivateKeyMsg(Msg):
                 private_bytes = private_key.private_bytes(
                     encoding=serialization.Encoding.Raw,
                     format=serialization.PrivateFormat.Raw,
-                    encryption_algorithm=serialization.NoEncryption()
+                    encryption_algorithm=serialization.NoEncryption(),
                 )
                 return Ed25519PrivateKeyMsg(
                     KeyAlgo.ED25519,
@@ -376,14 +376,14 @@ class Ed25519PrivateKeyMsg(PrivateKeyMsg):
 @dataclasses.dataclass
 class PublicKeyMsg(Msg):
     @staticmethod
-    def get_dataclass(
-            type: KeyAlgo
-    ) -> type[t.Union[
+    def get_dataclass(type: KeyAlgo) -> type[
+        t.Union[
             RSAPublicKeyMsg,
             EcdsaPublicKeyMsg,
             Ed25519PublicKeyMsg,
-            DSAPublicKeyMsg
-    ]]:
+            DSAPublicKeyMsg,
+        ]
+    ]:
         match type:
             case KeyAlgo.RSA:
                 return RSAPublicKeyMsg
@@ -401,29 +401,14 @@ class PublicKeyMsg(Msg):
         type: KeyAlgo = self.type
         match type:
             case KeyAlgo.RSA:
-                return RSAPublicNumbers(
-                    self.e,
-                    self.n
-                ).public_key()
+                return RSAPublicNumbers(self.e, self.n).public_key()
             case KeyAlgo.ECDSA256 | KeyAlgo.ECDSA384 | KeyAlgo.ECDSA521:
                 curve = _ECDSA_KEY_TYPE[KeyAlgo(type)]
-                return EllipticCurvePublicKey.from_encoded_point(
-                    curve(),
-                    self.Q
-                )
+                return EllipticCurvePublicKey.from_encoded_point(curve(), self.Q)
             case KeyAlgo.ED25519:
-                return Ed25519PublicKey.from_public_bytes(
-                    self.enc_a
-                )
+                return Ed25519PublicKey.from_public_bytes(self.enc_a)
             case KeyAlgo.DSA:
-                return DSAPublicNumbers(
-                    self.y,
-                    DSAParameterNumbers(
-                        self.p,
-                        self.q,
-                        self.g
-                    )
-                ).public_key()
+                return DSAPublicNumbers(self.y, DSAParameterNumbers(self.p, self.q, self.g)).public_key()
             case _:
                 raise NotImplementedError(type)
 
@@ -437,32 +422,32 @@ class PublicKeyMsg(Msg):
                     mpint(dsa_pn.parameter_numbers.p),
                     mpint(dsa_pn.parameter_numbers.q),
                     mpint(dsa_pn.parameter_numbers.g),
-                    mpint(dsa_pn.y)
+                    mpint(dsa_pn.y),
                 )
             case EllipticCurvePublicKey():
                 return EcdsaPublicKeyMsg(
                     getattr(KeyAlgo, f'ECDSA{public_key.curve.key_size}'),
                     unicode_string(f'nistp{public_key.curve.key_size}'),
-                    binary_string(public_key.public_bytes(
-                        encoding=serialization.Encoding.X962,
-                        format=serialization.PublicFormat.UncompressedPoint
-                    ))
+                    binary_string(
+                        public_key.public_bytes(
+                            encoding=serialization.Encoding.X962,
+                            format=serialization.PublicFormat.UncompressedPoint,
+                        )
+                    ),
                 )
             case Ed25519PublicKey():
                 return Ed25519PublicKeyMsg(
                     KeyAlgo.ED25519,
-                    binary_string(public_key.public_bytes(
-                        encoding=serialization.Encoding.Raw,
-                        format=serialization.PublicFormat.Raw,
-                    ))
+                    binary_string(
+                        public_key.public_bytes(
+                            encoding=serialization.Encoding.Raw,
+                            format=serialization.PublicFormat.Raw,
+                        )
+                    ),
                 )
             case RSAPublicKey():
                 rsa_pn: RSAPublicNumbers = public_key.public_numbers()
-                return RSAPublicKeyMsg(
-                    KeyAlgo.RSA,
-                    mpint(rsa_pn.e),
-                    mpint(rsa_pn.n)
-                )
+                return RSAPublicKeyMsg(KeyAlgo.RSA, mpint(rsa_pn.e), mpint(rsa_pn.n))
             case _:
                 raise NotImplementedError(public_key)
 
@@ -473,10 +458,7 @@ class PublicKeyMsg(Msg):
         msg.comments = unicode_string('')
         k = msg.to_blob()
         digest.update(k)
-        return binascii.b2a_base64(
-            digest.digest(),
-            newline=False
-        ).rstrip(b'=').decode('utf-8')
+        return binascii.b2a_base64(digest.digest(), newline=False).rstrip(b'=').decode('utf-8')
 
 
 @dataclasses.dataclass(order=True, slots=True)
@@ -519,9 +501,7 @@ class KeyList(Msg):
 
     def __post_init__(self) -> None:
         if self.nkeys != len(self.keys):
-            raise SshAgentFailure(
-                "agent: invalid number of keys received for identities list"
-            )
+            raise SshAgentFailure("agent: invalid number of keys received for identities list")
 
 
 @dataclasses.dataclass(order=True, slots=True)
@@ -535,8 +515,7 @@ class PublicKeyMsgList(Msg):
         return len(self.keys)
 
     @classmethod
-    def from_blob(cls, blob: memoryview | bytes) -> t.Self:
-        ...
+    def from_blob(cls, blob: memoryview | bytes) -> t.Self: ...
 
     @classmethod
     def consume_from_blob(cls, blob: memoryview | bytes) -> tuple[t.Self, memoryview | bytes]:
@@ -546,22 +525,16 @@ class PublicKeyMsgList(Msg):
             key_blob, key_blob_length, comment_blob = cls._consume_field(blob)
 
             peek_key_algo, _length, _blob = cls._consume_field(key_blob)
-            pub_key_msg_cls = PublicKeyMsg.get_dataclass(
-                KeyAlgo(bytes(peek_key_algo).decode('utf-8'))
-            )
+            pub_key_msg_cls = PublicKeyMsg.get_dataclass(KeyAlgo(bytes(peek_key_algo).decode('utf-8')))
 
             _fv, comment_blob_length, blob = cls._consume_field(comment_blob)
-            key_plus_comment = (
-                prev_blob[4: (4 + key_blob_length) + (4 + comment_blob_length)]
-            )
+            key_plus_comment = prev_blob[4 : (4 + key_blob_length) + (4 + comment_blob_length)]
 
             args.append(pub_key_msg_cls.from_blob(key_plus_comment))
         return cls(args), b""
 
     @staticmethod
-    def _consume_field(
-            blob: memoryview | bytes
-    ) -> tuple[memoryview | bytes, uint32, memoryview | bytes]:
+    def _consume_field(blob: memoryview | bytes) -> tuple[memoryview | bytes, uint32, memoryview | bytes]:
         length = uint32.from_blob(blob[:4])
         blob = blob[4:]
         data, rest = _split_blob(blob, length)
@@ -581,10 +554,10 @@ class SshAgentClient:
         return self
 
     def __exit__(
-            self,
-            exc_type: type[BaseException] | None,
-            exc_value: BaseException | None,
-            traceback: types.TracebackType | None
+        self,
+        exc_type: type[BaseException] | None,
+        exc_value: BaseException | None,
+        traceback: types.TracebackType | None,
     ) -> None:
         self.close()
 
@@ -598,34 +571,25 @@ class SshAgentClient:
         return resp
 
     def remove_all(self) -> None:
-        self.send(
-            ProtocolMsgNumbers.SSH_AGENTC_REMOVE_ALL_IDENTITIES.to_blob()
-        )
+        self.send(ProtocolMsgNumbers.SSH_AGENTC_REMOVE_ALL_IDENTITIES.to_blob())
 
     def remove(self, public_key: CryptoPublicKey) -> None:
         key_blob = PublicKeyMsg.from_public_key(public_key).to_blob()
-        self.send(
-            ProtocolMsgNumbers.SSH_AGENTC_REMOVE_IDENTITY.to_blob() +
-            uint32(len(key_blob)).to_blob() + key_blob
-        )
+        self.send(ProtocolMsgNumbers.SSH_AGENTC_REMOVE_IDENTITY.to_blob() + uint32(len(key_blob)).to_blob() + key_blob)
 
     def add(
-            self,
-            private_key: CryptoPrivateKey,
-            comments: str | None = None,
-            lifetime: int | None = None,
-            confirm: bool | None = None,
+        self,
+        private_key: CryptoPrivateKey,
+        comments: str | None = None,
+        lifetime: int | None = None,
+        confirm: bool | None = None,
     ) -> None:
         key_msg = PrivateKeyMsg.from_private_key(private_key)
         key_msg.comments = unicode_string(comments or '')
         if lifetime:
-            key_msg.constraints += constraints(
-                [ProtocolMsgNumbers.SSH_AGENT_CONSTRAIN_LIFETIME]
-            ).to_blob() + uint32(lifetime).to_blob()
+            key_msg.constraints += constraints([ProtocolMsgNumbers.SSH_AGENT_CONSTRAIN_LIFETIME]).to_blob() + uint32(lifetime).to_blob()
         if confirm:
-            key_msg.constraints += constraints(
-                [ProtocolMsgNumbers.SSH_AGENT_CONSTRAIN_CONFIRM]
-            ).to_blob()
+            key_msg.constraints += constraints([ProtocolMsgNumbers.SSH_AGENT_CONSTRAIN_CONFIRM]).to_blob()
 
         if key_msg.constraints:
             msg = ProtocolMsgNumbers.SSH_AGENTC_ADD_ID_CONSTRAINED.to_blob()
@@ -638,9 +602,7 @@ class SshAgentClient:
         req = ProtocolMsgNumbers.SSH_AGENTC_REQUEST_IDENTITIES.to_blob()
         r = memoryview(bytearray(self.send(req)))
         if r[0] != ProtocolMsgNumbers.SSH_AGENT_IDENTITIES_ANSWER:
-            raise SshAgentFailure(
-                'agent: non-identities answer received for identities list'
-            )
+            raise SshAgentFailure('agent: non-identities answer received for identities list')
         return KeyList.from_blob(r[1:])
 
     def __contains__(self, public_key: CryptoPublicKey) -> bool:
@@ -649,7 +611,7 @@ class SshAgentClient:
 
 
 @functools.cache
-def _key_data_into_crypto_objects(key_data: bytes, passphrase: bytes | None) -> tuple[CryptoPrivateKey, CryptoPublicKey, str]:
+def key_data_into_crypto_objects(key_data: bytes, passphrase: bytes | None) -> tuple[CryptoPrivateKey, CryptoPublicKey, str]:
     private_key = serialization.ssh.load_ssh_private_key(key_data, passphrase)
     public_key = private_key.public_key()
     fingerprint = PublicKeyMsg.from_public_key(public_key).fingerprint

ansible/_internal/_templating/__init__.py

@@ -1,10 +1,12 @@
 from __future__ import annotations
 
-from jinja2 import __version__ as _jinja2_version
+import importlib.metadata
+
+jinja2_version = importlib.metadata.version('jinja2')
 
 # DTFIX-FUTURE: sanity test to ensure this doesn't drift from requirements
 _MINIMUM_JINJA_VERSION = (3, 1)
-_CURRENT_JINJA_VERSION = tuple(map(int, _jinja2_version.split('.', maxsplit=2)[:2]))
+_CURRENT_JINJA_VERSION = tuple(map(int, jinja2_version.split('.', maxsplit=2)[:2]))
 
 if _CURRENT_JINJA_VERSION < _MINIMUM_JINJA_VERSION:
-    raise RuntimeError(f'Jinja version {".".join(map(str, _MINIMUM_JINJA_VERSION))} or higher is required (current version {_jinja2_version}).')
+    raise RuntimeError(f'Jinja version {".".join(map(str, _MINIMUM_JINJA_VERSION))} or higher is required (current version {jinja2_version}).')

ansible/_internal/_templating/_datatag.py

@@ -60,6 +60,7 @@ class DeprecatedAccessAuditContext(NotifiableAccessContextBase):
                 date=item.deprecated.date,
                 obj=item.template,
                 deprecator=item.deprecated.deprecator,
+                formatted_traceback=item.deprecated.formatted_traceback,
             )
 
         return result
@@ -79,7 +80,7 @@ class DeprecatedAccessAuditContext(NotifiableAccessContextBase):
             # DTFIX-FUTURE: ascend the template stack to try and find the nearest string source template
             origin = Origin.get_tag(template)
 
-            # DTFIX-RELEASE: this should probably use a synthesized description value on the tag
+            # DTFIX-FUTURE: this should probably use a synthesized description value on the tag
             #              it is reachable from the data_tagging_controller test: ../playbook_output_validator/filter.py actual_stdout.txt actual_stderr.txt
             # -[DEPRECATION WARNING]: `something_old` is deprecated, don't use it! This feature will be removed in version 1.2.3.
             # +[DEPRECATION WARNING]: While processing '<<container>>': `something_old` is deprecated, don't use it! This feature will be removed in ...

ansible/_internal/_templating/_engine.py

@@ -75,7 +75,7 @@ class TemplateOptions:
     value_for_omit: object = Omit
     escape_backslashes: bool = True
     preserve_trailing_newlines: bool = True
-    # DTFIX-RELEASE: these aren't really overrides anymore, rename the dataclass and this field
+    # DTFIX-FUTURE: these aren't really overrides anymore, rename the dataclass and this field
     #                also mention in docstring this has no effect unless used to template a string
     overrides: TemplateOverrides = TemplateOverrides.DEFAULT
 
@@ -122,7 +122,6 @@ class TemplateEngine:
         return new_engine
 
     def extend(self, marker_behavior: MarkerBehavior | None = None) -> t.Self:
-        # DTFIX-RELEASE: bikeshed name, supported features
         new_templar = type(self)(
             loader=self._loader,
             variables=self._variables,
@@ -187,7 +186,7 @@ class TemplateEngine:
     @property
     def available_variables(self) -> dict[str, t.Any] | ChainMap[str, t.Any]:
         """Available variables this instance will use when templating."""
-        # DTFIX-RELEASE: ensure that we're always accessing this as a shallow container-level snapshot, and eliminate uses of anything
+        # DTFIX3: ensure that we're always accessing this as a shallow container-level snapshot, and eliminate uses of anything
         #  that directly mutates this value. _new_context may resolve this for us?
         if self._variables is None:
             self._variables = self._variables_factory() if self._variables_factory else {}
@@ -235,7 +234,7 @@ class TemplateEngine:
 
     def template(
         self,
-        variable: t.Any,  # DTFIX-RELEASE: once we settle the new/old API boundaries, rename this (here and in other methods)
+        variable: t.Any,  # DTFIX-FUTURE: once we settle the new/old API boundaries, rename this (here and in other methods)
         *,
         options: TemplateOptions = TemplateOptions.DEFAULT,
         mode: TemplateMode = TemplateMode.DEFAULT,

ansible/_internal/_templating/_jinja_bits.py

@@ -19,7 +19,7 @@ from jinja2.compiler import Frame
 from jinja2.lexer import TOKEN_VARIABLE_BEGIN, TOKEN_VARIABLE_END, TOKEN_STRING, Lexer
 from jinja2.nativetypes import NativeCodeGenerator
 from jinja2.nodes import Const, EvalContext
-from jinja2.runtime import Context
+from jinja2.runtime import Context, Macro
 from jinja2.sandbox import ImmutableSandboxedEnvironment
 from jinja2.utils import missing, LRUCache
 
@@ -49,6 +49,7 @@ from ._jinja_common import (
     TruncationMarker,
     validate_arg_type,
     JinjaCallContext,
+    _SandboxMode,
 )
 from ._jinja_plugins import JinjaPluginIntercept, _query, _lookup, _now, _wrap_plugin_output, get_first_marker_arg, _DirectCall, _jinja_const_template_warning
 from ._lazy_containers import (
@@ -71,6 +72,11 @@ from ansible.vars.hostvars import HostVars, HostVarsVars
 from ...module_utils.datatag import native_type_name
 
 JINJA2_OVERRIDE = '#jinja2:'
+"""
+String values prefixed with this sequence are interpreted as templates, even without template delimiters.
+The values following this prefix up to the first newline are parsed as Jinja2 template overrides.
+To include this literal value at the start of a string, a space or other character must precede it.
+"""
 
 display = Display()
 
@@ -304,7 +310,7 @@ class AnsibleTemplate(Template):
     _python_source_temp_path: pathlib.Path | None = None
 
     def __del__(self):
-        # DTFIX-RELEASE: this still isn't working reliably; something else must be keeping the template object alive
+        # DTFIX-FUTURE: this still isn't working reliably; something else must be keeping the template object alive
         if self._python_source_temp_path:
             self._python_source_temp_path.unlink(missing_ok=True)
 
@@ -497,7 +503,7 @@ def create_template_error(ex: Exception, variable: t.Any, is_expression: bool) -
     return exception_to_raise
 
 
-# DTFIX-RELEASE: implement CapturedExceptionMarker deferral support on call (and lookup), filter/test plugins, etc.
+# DTFIX3: implement CapturedExceptionMarker deferral support on call (and lookup), filter/test plugins, etc.
 #                also update the protomatter integration test once this is done (the test was written differently since this wasn't done yet)
 
 _BUILTIN_FILTER_ALIASES: dict[str, str] = {}
@@ -583,10 +589,17 @@ class AnsibleEnvironment(ImmutableSandboxedEnvironment):
 
             return template_obj
 
+    def is_safe_attribute(self, obj: t.Any, attr: str, value: t.Any) -> bool:
+        # deprecated: description="remove relaxed template sandbox mode support" core_version="2.23"
+        if _TemplateConfig.sandbox_mode == _SandboxMode.ALLOW_UNSAFE_ATTRIBUTES:
+            return True
+
+        return super().is_safe_attribute(obj, attr, value)
+
     @property
     def lexer(self) -> AnsibleLexer:
         """Return/cache an AnsibleLexer with settings from the current AnsibleEnvironment"""
-        # DTFIX-RELEASE: optimization - we should pre-generate the default cached lexer before forking, not leave it to chance (e.g. simple playbooks)
+        # DTFIX-FUTURE: optimization - we should pre-generate the default cached lexer before forking, not leave it to chance (e.g. simple playbooks)
         key = tuple(getattr(self, name) for name in _TEMPLATE_OVERRIDE_FIELD_NAMES)
 
         lex = self._lexer_cache.get(key)
@@ -610,7 +623,7 @@ class AnsibleEnvironment(ImmutableSandboxedEnvironment):
         Without this, `_wrap_filter` will wrap `args` and `kwargs` in templating lazy containers.
         This provides consistency with plugin output handling by preventing auto-templating of trusted templates passed in native containers.
         """
-        # DTFIX-RELEASE: need better logic to handle non-list/non-dict inputs for args/kwargs
+        # DTFIX-FUTURE: need better logic to handle non-list/non-dict inputs for args/kwargs
         args = _AnsibleLazyTemplateMixin._try_create(list(args or []), LazyOptions.SKIP_TEMPLATES)
         kwargs = _AnsibleLazyTemplateMixin._try_create(kwargs, LazyOptions.SKIP_TEMPLATES)
 
@@ -630,7 +643,7 @@ class AnsibleEnvironment(ImmutableSandboxedEnvironment):
         Without this, `_wrap_test` will wrap `args` and `kwargs` in templating lazy containers.
         This provides consistency with plugin output handling by preventing auto-templating of trusted templates passed in native containers.
         """
-        # DTFIX-RELEASE: need better logic to handle non-list/non-dict inputs for args/kwargs
+        # DTFIX-FUTURE: need better logic to handle non-list/non-dict inputs for args/kwargs
         args = _AnsibleLazyTemplateMixin._try_create(list(args or []), LazyOptions.SKIP_TEMPLATES)
         kwargs = _AnsibleLazyTemplateMixin._try_create(kwargs, LazyOptions.SKIP_TEMPLATES)
 
@@ -701,7 +714,6 @@ class AnsibleEnvironment(ImmutableSandboxedEnvironment):
         # this code is complemented by our tweaked CodeGenerator _output_const_repr that ensures that literal constants
         # in templates aren't double-repr'd in the generated code
         if len(node_list) == 1:
-            # DTFIX-RELEASE: determine if we should do managed access here (we *should* have hit them all during templating/resolve, but ?)
             return node_list[0]
 
         # In order to ensure that all markers are tripped, do a recursive finalize before we repr (otherwise we can end up
@@ -787,11 +799,14 @@ class AnsibleEnvironment(ImmutableSandboxedEnvironment):
             # Performing either before calling them will interfere with that processing.
             return super().call(__context, __obj, *args, **kwargs)
 
-        if (first_marker := get_first_marker_arg(args, kwargs)) is not None:
+        # Jinja's generated macro code handles Markers, so pre-emptive raise on Marker args and lazy retrieval should be disabled for the macro invocation.
+        is_macro = isinstance(__obj, Macro)
+
+        if not is_macro and (first_marker := get_first_marker_arg(args, kwargs)) is not None:
             return first_marker
 
         try:
-            with JinjaCallContext(accept_lazy_markers=False):
+            with JinjaCallContext(accept_lazy_markers=is_macro):
                 call_res = super().call(__context, __obj, *lazify_container_args(args), **lazify_container_kwargs(kwargs))
 
                 if __obj is range:
@@ -814,7 +829,7 @@ _sentinel: t.Final[object] = object()
 
 
 @_DirectCall.mark
-def _undef(hint=None):
+def _undef(hint: str | None = None) -> UndefinedMarker:
     """Jinja2 global function (undef) for creating getting a `UndefinedMarker` instance, optionally with a custom hint."""
     validate_arg_type('hint', hint, (str, type(None)))
 
@@ -856,9 +871,6 @@ def _flatten_and_lazify_vars(mapping: c.Mapping) -> t.Iterable[c.Mapping]:
         for m in mapping.maps:
             yield from _flatten_and_lazify_vars(m)
     elif mapping_type is _AnsibleLazyTemplateDict:
-        if not mapping:
-            # DTFIX-RELEASE: handle or remove?
-            raise Exception("we didn't think it was possible to have an empty lazy here...")
         yield mapping
     elif mapping_type in (dict, _AnsibleTaggedDict):
         # don't propagate empty dictionary layers
@@ -882,10 +894,6 @@ def _new_context(
     layers = []
 
     if jinja_locals:
-        # DTFIX-RELEASE: if we can't trip this in coverage, kill it off?
-        if type(jinja_locals) is not dict:  # pylint: disable=unidiomatic-typecheck
-            raise NotImplementedError("locals must be a dict")
-
         # Omit values set to Jinja's internal `missing` sentinel; they are locals that have not yet been
         # initialized in the current context, and should not be exposed to child contexts. e.g.: {% import 'a' as b with context %}.
         # The `b` local will be `missing` in the `a` context and should not be propagated as a local to the child context we're creating.
@@ -978,7 +986,7 @@ def _finalize_list(o: t.Any, mode: FinalizeMode) -> t.Iterator[t.Any]:
 
 
 def _maybe_finalize_scalar(o: t.Any) -> t.Any:
-    # DTFIX-RELEASE: this should check all supported scalar subclasses, not just JSON ones (also, does the JSON serializer handle these cases?)
+    # DTFIX5: this should check all supported scalar subclasses, not just JSON ones (also, does the JSON serializer handle these cases?)
     for target_type in _json_subclassable_scalar_types:
         if not isinstance(o, target_type):
             continue
@@ -1028,7 +1036,7 @@ def _finalize_collection(
 
 def _finalize_template_result(o: t.Any, mode: FinalizeMode) -> t.Any:
     """Recurse the template result, rendering any encountered templates, converting containers to non-lazy versions."""
-    # DTFIX-RELEASE: add tests to ensure this method doesn't drift from allowed types
+    # DTFIX5: add tests to ensure this method doesn't drift from allowed types
     o_type = type(o)
 
     # DTFIX-FUTURE: provide an optional way to check for trusted templates leaking out of templating (injected, but not passed through templar.template)
@@ -1045,7 +1053,7 @@ def _finalize_template_result(o: t.Any, mode: FinalizeMode) -> t.Any:
     if o_type in _FINALIZE_FAST_PATH_EXACT_ITERABLE_TYPES:  # silently convert known sequence types to list
         return _finalize_collection(o, mode, _finalize_list, list)
 
-    if o_type in Marker.concrete_subclasses:  # this early return assumes handle_marker follows our variable type rules
+    if o_type in Marker._concrete_subclasses:  # this early return assumes handle_marker follows our variable type rules
         return TemplateContext.current().templar.marker_behavior.handle_marker(o)
 
     if mode is not FinalizeMode.TOP_LEVEL:  # unsupported type (do not raise)

ansible/_internal/_templating/_jinja_common.py

@@ -2,6 +2,7 @@ from __future__ import annotations
 
 import abc
 import collections.abc as c
+import enum
 import inspect
 import itertools
 import typing as t
@@ -9,7 +10,7 @@ import typing as t
 from jinja2 import UndefinedError, StrictUndefined, TemplateRuntimeError
 from jinja2.utils import missing
 
-from ansible.module_utils.common.messages import ErrorSummary, Detail
+from ...module_utils._internal import _messages
 from ansible.constants import config
 from ansible.errors import AnsibleUndefinedVariable, AnsibleTypeError
 from ansible._internal._errors._handler import ErrorHandler
@@ -24,10 +25,16 @@ from ...module_utils.datatag import native_type_name
 _patch_jinja()  # apply Jinja2 patches before types are declared that are dependent on the changes
 
 
+class _SandboxMode(enum.Enum):
+    DEFAULT = enum.auto()
+    ALLOW_UNSAFE_ATTRIBUTES = enum.auto()
+
+
 class _TemplateConfig:
     allow_embedded_templates: bool = config.get_config_value("ALLOW_EMBEDDED_TEMPLATES")
     allow_broken_conditionals: bool = config.get_config_value('ALLOW_BROKEN_CONDITIONALS')
     jinja_extensions: list[str] = config.get_config_value('DEFAULT_JINJA2_EXTENSIONS')
+    sandbox_mode: _SandboxMode = _SandboxMode.__members__[config.get_config_value('_TEMPLAR_SANDBOX_MODE').upper()]
 
     unknown_type_encountered_handler = ErrorHandler.from_config('_TEMPLAR_UNKNOWN_TYPE_ENCOUNTERED')
     unknown_type_conversion_handler = ErrorHandler.from_config('_TEMPLAR_UNKNOWN_TYPE_CONVERSION')
@@ -55,7 +62,7 @@ class Marker(StrictUndefined, Tripwire):
 
     __slots__ = ('_marker_template_source',)
 
-    concrete_subclasses: t.ClassVar[set[type[Marker]]] = set()
+    _concrete_subclasses: t.ClassVar[set[type[Marker]]] = set()
 
     def __init__(
         self,
@@ -129,7 +136,7 @@ class Marker(StrictUndefined, Tripwire):
     def __init_subclass__(cls, **kwargs) -> None:
         if not inspect.isabstract(cls):
             _untaggable_types.add(cls)
-            cls.concrete_subclasses.add(cls)
+            cls._concrete_subclasses.add(cls)
 
     @classmethod
     def _init_class(cls):
@@ -197,8 +204,6 @@ class TruncationMarker(Marker):
     It will only be visible if the previous `Marker` was ignored/replaced instead of being tripped, which would raise an exception.
     """
 
-    # DTFIX-RELEASE: make this a singleton?
-
     __slots__ = ()
 
     def __init__(self) -> None:
@@ -252,28 +257,18 @@ class UndecryptableVaultError(_captured.AnsibleCapturedError):
 class VaultExceptionMarker(ExceptionMarker):
     """A `Marker` value that represents an error accessing a vaulted value during templating."""
 
-    __slots__ = ('_marker_undecryptable_ciphertext', '_marker_undecryptable_reason', '_marker_undecryptable_traceback')
+    __slots__ = ('_marker_undecryptable_ciphertext', '_marker_event')
 
-    def __init__(self, ciphertext: str, reason: str, traceback: str | None) -> None:
-        # DTFIX-RELEASE: when does this show up, should it contain more details?
-        #          see also CapturedExceptionMarker for a similar issue
+    def __init__(self, ciphertext: str, event: _messages.Event) -> None:
         super().__init__(hint='A vault exception marker was tripped.')
 
         self._marker_undecryptable_ciphertext = ciphertext
-        self._marker_undecryptable_reason = reason
-        self._marker_undecryptable_traceback = traceback
+        self._marker_event = event
 
     def _as_exception(self) -> Exception:
         return UndecryptableVaultError(
             obj=self._marker_undecryptable_ciphertext,
-            error_summary=ErrorSummary(
-                details=(
-                    Detail(
-                        msg=self._marker_undecryptable_reason,
-                    ),
-                ),
-                formatted_traceback=self._marker_undecryptable_traceback,
-            ),
+            event=self._marker_event,
         )
 
     def _disarm(self) -> str:
@@ -282,16 +277,12 @@ class VaultExceptionMarker(ExceptionMarker):
 
 def get_first_marker_arg(args: c.Sequence, kwargs: dict[str, t.Any]) -> Marker | None:
     """Utility method to inspect plugin args and return the first `Marker` encountered, otherwise `None`."""
-    # DTFIX-RELEASE: this may or may not need to be public API, move back to utils or once usage is wrapped in a decorator?
-    for arg in iter_marker_args(args, kwargs):
-        return arg
-
-    return None
+    # CAUTION: This function is exposed in public API as ansible.template.get_first_marker_arg.
+    return next(iter_marker_args(args, kwargs), None)
 
 
 def iter_marker_args(args: c.Sequence, kwargs: dict[str, t.Any]) -> t.Generator[Marker]:
     """Utility method to iterate plugin args and yield any `Marker` encountered."""
-    # DTFIX-RELEASE: this may or may not need to be public API, move back to utils or once usage is wrapped in a decorator?
     for arg in itertools.chain(args, kwargs.values()):
         if isinstance(arg, Marker):
             yield arg
@@ -306,7 +297,7 @@ class JinjaCallContext(NotifiableAccessContextBase):
     _mask = True
 
     def __init__(self, accept_lazy_markers: bool) -> None:
-        self._type_interest = frozenset() if accept_lazy_markers else frozenset(Marker.concrete_subclasses)
+        self._type_interest = frozenset() if accept_lazy_markers else frozenset(Marker._concrete_subclasses)
 
     def _notify(self, o: Marker) -> t.NoReturn:
         o.trip()
@@ -314,7 +305,7 @@ class JinjaCallContext(NotifiableAccessContextBase):
 
 def validate_arg_type(name: str, value: t.Any, allowed_type_or_types: type | tuple[type, ...], /) -> None:
     """Validate the type of the given argument while preserving context for Marker values."""
-    # DTFIX-RELEASE: find a home for this as a general-purpose utliity method and expose it after some API review
+    # DTFIX-FUTURE: find a home for this as a general-purpose utliity method and expose it after some API review
     if isinstance(value, allowed_type_or_types):
         return