ansible-core 2.19.1rc1__py3-none-any.whl → 2.19.2rc1__py3-none-any.whl

ansible/executor/play_iterator.py

@@ -574,7 +574,7 @@ class PlayIterator:
         Given the current HostState state, determines if the current block, or any child blocks,
         are in rescue mode.
         """
-        if state.run_state == IteratingStates.TASKS and state.get_current_block().rescue:
+        if state.run_state in (IteratingStates.TASKS, IteratingStates.HANDLERS) and state.get_current_block().rescue:
             return True
         if state.tasks_child_state is not None:
             return self.is_any_block_rescuing(state.tasks_child_state)

ansible/module_utils/ansible_release.py

@@ -17,6 +17,6 @@
 
 from __future__ import annotations
 
-__version__ = '2.19.1rc1'
+__version__ = '2.19.2rc1'
 __author__ = 'Ansible, Inc.'
 __codename__ = "What Is and What Should Never Be"

ansible/plugins/filter/core.py

@@ -221,6 +221,7 @@ def regex_search(value, regex, *args, **kwargs):
             return items
 
 
+@accept_args_markers
 def ternary(value, true_val, false_val, none_val=None):
     """  value ? true_val : false_val """
     if value is None and none_val is not None:

ansible/release.py

@@ -17,6 +17,6 @@
 
 from __future__ import annotations
 
-__version__ = '2.19.1rc1'
+__version__ = '2.19.2rc1'
 __author__ = 'Ansible, Inc.'
 __codename__ = "What Is and What Should Never Be"

{ansible_core-2.19.1rc1.dist-info → ansible_core-2.19.2rc1.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: ansible-core
-Version: 2.19.1rc1
+Version: 2.19.2rc1
 Summary: Radically simple IT automation
 Author: Ansible Project
 Project-URL: Homepage, https://ansible.com/

{ansible_core-2.19.1rc1.dist-info → ansible_core-2.19.2rc1.dist-info}/RECORD

@@ -3,7 +3,7 @@ ansible/__main__.py,sha256=24j-7-YT4lZ2fmV80JD-VRoYBnxR7YoP_VP-orJtDt0,796
 ansible/constants.py,sha256=qef45QpHi-yFFMvllvNKmqFpXdKKr304e5fEZnjgwZc,7989
 ansible/context.py,sha256=oKYyfjfWpy8vDeProtqfnqSmuij_t75_5e5t0U_hQ1g,1933
 ansible/keyword_desc.yml,sha256=5rGCsr-0B8w2D67qBD6q_2WFxfqj9ieb0V_2J-dZJ5E,7547
-ansible/release.py,sha256=jhEMR7ymedaoxKinJzbCkbP8rou9FlQe1kzwG1uWZ-8,855
+ansible/release.py,sha256=JLb_BEVsdGYnLJUp7vyx1FkTEnTJunGAJYEFt-RZrhU,855
 ansible/_internal/__init__.py,sha256=J3yCEAZoJLwxHMPEIWHwX6seRTCQ4Sr7cfHSw11ik9k,2208
 ansible/_internal/_collection_proxy.py,sha256=V3Zns3jdWR1hTP6q4mrNWoIKL67ayiQFPDOb6F7igsc,1228
 ansible/_internal/_event_formatting.py,sha256=cHMsuYi6v2W3fgEYdKLSe8O34kW5bZE26zyj7FOt268,4222
@@ -101,7 +101,7 @@ ansible/errors/__init__.py,sha256=W1s19PaheqXMI2yKnZCuaKKjSAJRPgU1_xF2_J9B1NU,16
 ansible/executor/__init__.py,sha256=mRvbCJPA-_veSG5ka3v04G5vsarLVDeB3EWFsu6geSI,749
 ansible/executor/interpreter_discovery.py,sha256=UWeAxnHknJCci2gG3zt6edx5Nj4WbHYfJVcmW_DzItY,3858
 ansible/executor/module_common.py,sha256=sXMOvKj_9ubeBaCPVBHh76uHaRYZm-8mOhsSG55aXQ8,60450
-ansible/executor/play_iterator.py,sha256=OY0W7x3F7VUQCjWIogkPqhvm7SFnxOXR5anlqJjHeHY,32282
+ansible/executor/play_iterator.py,sha256=ybui896hQFJ4wLsYC3fZoJY4KEsX69QkCoMfomQyEqE,32310
 ansible/executor/playbook_executor.py,sha256=5wjvqw22RG4g_JlYDQnLFrUEa8aYQBWdgKhEpNonhKQ,14806
 ansible/executor/stats.py,sha256=Rw-Q73xYvXnYOt-LJFnHAR03NvVR3ESgbMkHnVGhIPI,3180
 ansible/executor/task_executor.py,sha256=irbdKCK6BZfBVn00nbvNMZJOltAUum5ykuqpAHh40-U,61437
@@ -211,7 +211,7 @@ ansible/inventory/host.py,sha256=cZw906LeMYe6oF3ZxW6K2HWoW2Qc0jxHssg_C8cRumE,493
 ansible/inventory/manager.py,sha256=fxg2sq7s-VBJnn9TvJCgv-xvYIu0DLJTix_y3w0wLcc,31811
 ansible/module_utils/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 ansible/module_utils/_text.py,sha256=VkWgAnSNVCbTQqZgllUObBFsH3uM4EUW5srl1UR9t1g,544
-ansible/module_utils/ansible_release.py,sha256=jhEMR7ymedaoxKinJzbCkbP8rou9FlQe1kzwG1uWZ-8,855
+ansible/module_utils/ansible_release.py,sha256=JLb_BEVsdGYnLJUp7vyx1FkTEnTJunGAJYEFt-RZrhU,855
 ansible/module_utils/api.py,sha256=8BmCzQtp9rClsLGlDn4I9iJrUFLCdnoEIxYX59_IL9c,5756
 ansible/module_utils/basic.py,sha256=hoGCYYxypID_5wdpwkSAhMTb5Mfkr9x0RKsJaSHMwSA,90113
 ansible/module_utils/connection.py,sha256=ZwtQEs-TtT-XecoEmFWiDevSkJLIj348YkiW6PP7G9E,7471
@@ -583,7 +583,7 @@ ansible/plugins/filter/combinations.yml,sha256=LttrIICjapNtZHWnvJD-C9Pv3PIKP16i8
 ansible/plugins/filter/combine.yml,sha256=QH2zy4qr9wPpEyr-XKmphbls60M4ZSdAkj7r3cuvC3Q,1671
 ansible/plugins/filter/comment.yml,sha256=nJVzBF2Qiwa-qQRioJK42cbWt3Rb5LYmfvGPhrhU8Rc,2139
 ansible/plugins/filter/commonpath.yml,sha256=SPx3fPy4GPJaKmY2S8aJI1I800FOgErYAKVXV1etp1Q,696
-ansible/plugins/filter/core.py,sha256=S0kKl61FiCIsySHYAIZ_B60fVVrkYZ5Ljyi1iwzS8ww,27372
+ansible/plugins/filter/core.py,sha256=iMvK6wfEnQ53nBZos9boI72rExGeQn8ImgA3AW_E2-w,27393
 ansible/plugins/filter/dict2items.yml,sha256=A3gL25dyGrSqP44PtqQgg6paUnwReAzC7Brkqel-39E,1523
 ansible/plugins/filter/difference.yml,sha256=YJnJJMYejCcBaNgxFBhYj-z6OysRHmss1gUgrIJBQFk,1091
 ansible/plugins/filter/dirname.yml,sha256=Z7p7ay8s3_Zee6gIu7qr4wUC-an7lwLwuoVmgHQCKyg,820
@@ -789,12 +789,12 @@ ansible/vars/hostvars.py,sha256=cRK_4dssUwIN4aDxxYXEj7KzTazrykQ4PbJotne5oJc,4364
 ansible/vars/manager.py,sha256=1SNGcwMTT7m8aPC45DHdkOZRtnf7OEcuExBtocJusq4,28023
 ansible/vars/plugins.py,sha256=8svEABS2yBPzEdymdsrZ-0D70boUoCNvcgkWasvtVNo,4533
 ansible/vars/reserved.py,sha256=NgxlMBm_tloqDVb5TEX4eGhpYsz_AO6-Fmyi3kJpIFk,3107
-ansible_core-2.19.1rc1.dist-info/licenses/COPYING,sha256=OXLcl0T2SZ8Pmy2_dmlvKuetivmyPd5m1q-Gyd-zaYY,35149
-ansible_core-2.19.1rc1.dist-info/licenses/licenses/Apache-License.txt,sha256=y16Ofl9KOYjhBjwULGDcLfdWBfTEZRXnduOspt-XbhQ,11325
-ansible_core-2.19.1rc1.dist-info/licenses/licenses/BSD-3-Clause.txt,sha256=la0N3fE3Se8vBiuvUcFKA8b-E41G7flTic6P8CkUroE,1548
-ansible_core-2.19.1rc1.dist-info/licenses/licenses/MIT-license.txt,sha256=jLXp2XurnyZKbye40g9tfmLGtVlxh3pPD4n8xNqX8xc,1023
-ansible_core-2.19.1rc1.dist-info/licenses/licenses/PSF-license.txt,sha256=g7BC_H1qyg8Q1o5F76Vrm8ChSWYI5-dyj-CdGlNKBUo,2484
-ansible_core-2.19.1rc1.dist-info/licenses/licenses/simplified_bsd.txt,sha256=8R5R7R7sOa0h1Fi6RNgFgHowHBfun-OVOMzJ4rKAk2w,1237
+ansible_core-2.19.2rc1.dist-info/licenses/COPYING,sha256=OXLcl0T2SZ8Pmy2_dmlvKuetivmyPd5m1q-Gyd-zaYY,35149
+ansible_core-2.19.2rc1.dist-info/licenses/licenses/Apache-License.txt,sha256=y16Ofl9KOYjhBjwULGDcLfdWBfTEZRXnduOspt-XbhQ,11325
+ansible_core-2.19.2rc1.dist-info/licenses/licenses/BSD-3-Clause.txt,sha256=la0N3fE3Se8vBiuvUcFKA8b-E41G7flTic6P8CkUroE,1548
+ansible_core-2.19.2rc1.dist-info/licenses/licenses/MIT-license.txt,sha256=jLXp2XurnyZKbye40g9tfmLGtVlxh3pPD4n8xNqX8xc,1023
+ansible_core-2.19.2rc1.dist-info/licenses/licenses/PSF-license.txt,sha256=g7BC_H1qyg8Q1o5F76Vrm8ChSWYI5-dyj-CdGlNKBUo,2484
+ansible_core-2.19.2rc1.dist-info/licenses/licenses/simplified_bsd.txt,sha256=8R5R7R7sOa0h1Fi6RNgFgHowHBfun-OVOMzJ4rKAk2w,1237
 ansible_test/__init__.py,sha256=20VPOj11c6Ut1Av9RaurgwJvFhMqkWG3vAvcCbecNKw,66
 ansible_test/_data/ansible.cfg,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 ansible_test/_data/coveragerc,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -854,7 +854,7 @@ ansible_test/_internal/connections.py,sha256=_wKp7ercAJlJxuB6nXGChqdIC2PGQRuwg8g
 ansible_test/_internal/constants.py,sha256=qgVmng71FWdsIZXgUaQUEZfB9V0GC4jjhYbSp4pzA_M,1970
 ansible_test/_internal/containers.py,sha256=iOqs3Bi9127cl7h7kIPw-mo3tbM-7JAkmOwB-9ESvRE,34138
 ansible_test/_internal/content_config.py,sha256=qbYoSKOBT-X7FhSCuVkYzgiIz5H4MIbua3DxcN-gYdA,5589
-ansible_test/_internal/core_ci.py,sha256=7ejW10CQuf1aRE64HX2tdON2cbhIRSsYsLSThdXQcHo,17310
+ansible_test/_internal/core_ci.py,sha256=GSRt726aNL167p3LWLWum36EFhYhOaRvJGOjzHi7J1g,17977
 ansible_test/_internal/coverage_util.py,sha256=NnlgbpJ47h2oaAc5m3QyVs65GOq-cuRR9gEVV1ZE4rI,9408
 ansible_test/_internal/data.py,sha256=8APH-Bm6CeFO9ngWgZC8IxHeFzlxn0OQd6D5G1msSZU,11185
 ansible_test/_internal/debugging.py,sha256=bL2mT7AHiKGSmZp2lZVDWDpkeMdOg3HgCZW1m1qTaYc,15563
@@ -865,7 +865,7 @@ ansible_test/_internal/encoding.py,sha256=ymPqkmgg7mXUkW6MOARx0cYanX9TLLnu_NXp6n
 ansible_test/_internal/executor.py,sha256=-SSTYgKckI-dWltBWt67zTU6zO7NVu_O3pgFiJG4DeQ,2960
 ansible_test/_internal/git.py,sha256=TkYoTZ8CKWlP8dZZmThzzT1myItdP7_LseZ_2BMnIMA,4367
 ansible_test/_internal/host_configs.py,sha256=fuY7CAhM8Ky3cPcVhHe28Kwzuokzyg9lvr7GVL3o2Bo,18635
-ansible_test/_internal/host_profiles.py,sha256=q6xZfaTS3wXPQUh90rHn1lQ3YJLTTm0xCh3Z-dilHZQ,74374
+ansible_test/_internal/host_profiles.py,sha256=i7qp8CBV94dK_8o7GrU-jMrofHkJAvDzGGaIMGjGj1Y,74466
 ansible_test/_internal/http.py,sha256=P_C5n8hSZ3Q1zA08smmJCh2LvOoaflGasEqnLXZP0L0,3865
 ansible_test/_internal/init.py,sha256=-OdOvJ3Fz4Sx2aTG9qq7ekKsbVVTqOvRqetOqjOvA6w,506
 ansible_test/_internal/inventory.py,sha256=8Ajk67x5a8zt1bgvT8IrR9kCuEXXfkMxO2_ioFtlgh4,7074
@@ -875,7 +875,7 @@ ansible_test/_internal/locale_util.py,sha256=tjRbwKmgMQc1ysIhvP8yBhFcNA-2UCaWfQB
 ansible_test/_internal/metadata.py,sha256=HWM-sQT-ovt2lwTSK1xN8-IYHWrB5joVY4BRh7HHHC0,7036
 ansible_test/_internal/payload.py,sha256=F9sLPiTw-zNq0-zU-L_RIYOsXZmA3nsLWha2W2MoeEs,8013
 ansible_test/_internal/processes.py,sha256=H3n7jOGzvWdeTxsTWFx4TPIjSpt40g0T6j0wvYdOsWY,2231
-ansible_test/_internal/provisioning.py,sha256=BIe-zIbGxFtqtaW8Cagk0cRybYthUIeGfKgmrwSwK2g,7492
+ansible_test/_internal/provisioning.py,sha256=kStzjL6EYfuf_R9Xi91TO8S0fqqD7pZaj-Lt9hMjh4Y,7581
 ansible_test/_internal/pypi_proxy.py,sha256=N9_kuBk6Bko3e8dKC1zi4UfhU0untpQgOK2W984GT_0,6020
 ansible_test/_internal/python_requirements.py,sha256=0tXTRO9m8q5ORaM6lELal5n8VEqlD1f16OrN8m7C_w8,16038
 ansible_test/_internal/ssh.py,sha256=7gTyNiwszPwFSM4aYT4YtAWfAR4lYLnOi7dpnv0SqwA,10635
@@ -883,12 +883,12 @@ ansible_test/_internal/target.py,sha256=3W4J6T79Pv2kB6KOpC_lRq2qZFS7L6GobByyVshy
 ansible_test/_internal/test.py,sha256=q17SmItAsiBWrSilDBZFSEBugv9QNsG5HzFOAFXcyh4,14516
 ansible_test/_internal/thread.py,sha256=XN9jshWoLPdqTMDjcOQxGk9691FnjUo1K_5UhcRy-O8,2633
 ansible_test/_internal/timeout.py,sha256=KOYPTjgsAX4N2q-4Qn5vFpCWJWBT9YtQCpsU7ZIBvro,4073
-ansible_test/_internal/util.py,sha256=qL7q6KWWqvJiM7Joxh12YfIZ0ClcZcKDGxROHP33VNY,39573
+ansible_test/_internal/util.py,sha256=BELYusenCvkpKJ136STWQsoAFttIJL5-erAud8JAVaE,39600
 ansible_test/_internal/util_common.py,sha256=sw8ySIrPKCTK4AH8naulDXPU7kabSHD2EJMMhQ5G1o8,17814
 ansible_test/_internal/venv.py,sha256=eb5RfjapntulFMTIQieyx8QdHo2LJfjgZY_wx3_htMw,5522
-ansible_test/_internal/ci/__init__.py,sha256=sZNgkICN4RRFy4Nn-ZB6dCm6Ui9d_xIrrjgaIzZ_VyI,7739
-ansible_test/_internal/ci/azp.py,sha256=IFNjhv3TljiPtRQqwQfggNYekMfsWx9c5_2XdU6adMg,10137
-ansible_test/_internal/ci/local.py,sha256=KT20UotPRg9lhfNJ-cA-LsV6risdKTZ5_zK6rIldm54,6740
+ansible_test/_internal/ci/__init__.py,sha256=wNgXvmq517FQPVQIW5HeUuuFBNjBAshcNoPEO8I6jDQ,4684
+ansible_test/_internal/ci/azp.py,sha256=pdMf4sgHVB8wsusY_9FTxPkhw_7Qnc9qQWgJgBZlf2w,10104
+ansible_test/_internal/ci/local.py,sha256=YnpfQfvheLNwV6rzb_YElASy-S-tH0zhOXtVtABNAUs,9906
 ansible_test/_internal/classification/__init__.py,sha256=8Hzmr2pqAMR7sibHNDub1YGkcnLJzb4I_3MqeZbpJzw,34143
 ansible_test/_internal/classification/common.py,sha256=WWM6LRHcO29nRorSLveSzRLIarb5-dPbwHCf8Qd1xvU,895
 ansible_test/_internal/classification/csharp.py,sha256=EM7yxfbwnHsKFjjpiQUTsZcPY567qmue1eXR3GI5JJE,3242
@@ -1091,8 +1091,8 @@ ansible_test/config/cloud-config-vultr.ini.template,sha256=XLKHk3lg_8ReQMdWfZzhh
 ansible_test/config/config.yml,sha256=1zdGucnIl6nIecZA7ISIANvqXiHWqq6Dthsk_6MUwNc,2642
 ansible_test/config/inventory.networking.template,sha256=bFNSk8zNQOaZ_twaflrY0XZ9mLwUbRLuNT0BdIFwvn4,1335
 ansible_test/config/inventory.winrm.template,sha256=1QU8W-GFLnYEw8yY9bVIvUAVvJYPM3hyoijf6-M7T00,1098
-ansible_core-2.19.1rc1.dist-info/METADATA,sha256=2FB5aucw77dtspB-6Skdengg8F7RJC6RtmqLguVq0Lw,7733
-ansible_core-2.19.1rc1.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
-ansible_core-2.19.1rc1.dist-info/entry_points.txt,sha256=S9yJij5Im6FgRQxzkqSCnPQokC7PcWrDW_NSygZczJU,451
-ansible_core-2.19.1rc1.dist-info/top_level.txt,sha256=IFbRLjAvih1DYzJWg3_F6t4sCzEMxRO7TOMNs6GkYHo,21
-ansible_core-2.19.1rc1.dist-info/RECORD,,
+ansible_core-2.19.2rc1.dist-info/METADATA,sha256=GKPO88evKJ7s3y_H_Fe-y94ganzsioNiAqMnw7Do05c,7733
+ansible_core-2.19.2rc1.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
+ansible_core-2.19.2rc1.dist-info/entry_points.txt,sha256=S9yJij5Im6FgRQxzkqSCnPQokC7PcWrDW_NSygZczJU,451
+ansible_core-2.19.2rc1.dist-info/top_level.txt,sha256=IFbRLjAvih1DYzJWg3_F6t4sCzEMxRO7TOMNs6GkYHo,21
+ansible_core-2.19.2rc1.dist-info/RECORD,,

ansible_test/_internal/ci/__init__.py

@@ -3,22 +3,13 @@
 from __future__ import annotations
 
 import abc
-import base64
+import dataclasses
+import datetime
 import json
-import os
+import pathlib
 import tempfile
 import typing as t
 
-from ..encoding import (
-    to_bytes,
-    to_text,
-)
-
-from ..io import (
-    read_text_file,
-    write_text_file,
-)
-
 from ..config import (
     CommonConfig,
     TestConfig,
@@ -34,6 +25,65 @@ from ..util import (
 )
 
 
+@dataclasses.dataclass(frozen=True, kw_only=True)
+class AuthContext:
+    """Information about the request to which authentication will be applied."""
+
+    stage: str
+    provider: str
+    request_id: str
+
+
+class AuthHelper:
+    """Authentication helper."""
+
+    NAMESPACE: t.ClassVar = 'ci@core.ansible.com'
+
+    def __init__(self, key_file: pathlib.Path) -> None:
+        self.private_key_file = pathlib.Path(str(key_file).removesuffix('.pub'))
+        self.public_key_file = pathlib.Path(f'{self.private_key_file}.pub')
+
+    def sign_request(self, request: dict[str, object], context: AuthContext) -> None:
+        """Sign the given auth request using the provided context."""
+        request.update(
+            stage=context.stage,
+            provider=context.provider,
+            request_id=context.request_id,
+            timestamp=datetime.datetime.now(tz=datetime.timezone.utc).replace(microsecond=0).isoformat(),
+        )
+
+        with tempfile.TemporaryDirectory() as temp_dir:
+            payload_path = pathlib.Path(temp_dir) / 'auth.json'
+            payload_path.write_text(json.dumps(request, sort_keys=True))
+
+            cmd = ['ssh-keygen', '-q', '-Y', 'sign', '-f', str(self.private_key_file), '-n', self.NAMESPACE, str(payload_path)]
+            raw_command(cmd, capture=False, interactive=True)
+
+            signature_path = pathlib.Path(f'{payload_path}.sig')
+            signature = signature_path.read_text()
+
+        request.update(signature=signature)
+
+
+class GeneratingAuthHelper(AuthHelper, metaclass=abc.ABCMeta):
+    """Authentication helper which generates a key pair on demand."""
+
+    def __init__(self) -> None:
+        super().__init__(pathlib.Path('~/.ansible/test/ansible-core-ci').expanduser())
+
+    def sign_request(self, request: dict[str, object], context: AuthContext) -> None:
+        if not self.private_key_file.exists():
+            self.generate_key_pair()
+
+        super().sign_request(request, context)
+
+    def generate_key_pair(self) -> None:
+        """Generate key pair."""
+        self.private_key_file.parent.mkdir(parents=True, exist_ok=True)
+
+        raw_command(['ssh-keygen', '-q', '-f', str(self.private_key_file), '-N', ''], capture=True)
+
+
 class ChangeDetectionNotSupported(ApplicationError):
     """Exception for cases where change detection is not supported."""
 
@@ -75,8 +125,8 @@ class CIProvider(metaclass=abc.ABCMeta):
         """Return True if Ansible Core CI is supported."""
 
     @abc.abstractmethod
-    def prepare_core_ci_auth(self) -> dict[str, t.Any]:
-        """Return authentication details for Ansible Core CI."""
+    def prepare_core_ci_request(self, config: dict[str, object], context: AuthContext) -> dict[str, object]:
+        """Prepare an Ansible Core CI request using the given config and context."""
 
     @abc.abstractmethod
     def get_git_details(self, args: CommonConfig) -> t.Optional[dict[str, t.Any]]:
@@ -101,119 +151,3 @@ def get_ci_provider() -> CIProvider:
         display.info('Detected CI provider: %s' % provider.name)
 
     return provider
-
-
-class AuthHelper(metaclass=abc.ABCMeta):
-    """Public key based authentication helper for Ansible Core CI."""
-
-    def sign_request(self, request: dict[str, t.Any]) -> None:
-        """Sign the given auth request and make the public key available."""
-        payload_bytes = to_bytes(json.dumps(request, sort_keys=True))
-        signature_raw_bytes = self.sign_bytes(payload_bytes)
-        signature = to_text(base64.b64encode(signature_raw_bytes))
-
-        request.update(signature=signature)
-
-    def initialize_private_key(self) -> str:
-        """
-        Initialize and publish a new key pair (if needed) and return the private key.
-        The private key is cached across ansible-test invocations, so it is only generated and published once per CI job.
-        """
-        path = os.path.expanduser('~/.ansible-core-ci-private.key')
-
-        if os.path.exists(to_bytes(path)):
-            private_key_pem = read_text_file(path)
-        else:
-            private_key_pem = self.generate_private_key()
-            write_text_file(path, private_key_pem)
-
-        return private_key_pem
-
-    @abc.abstractmethod
-    def sign_bytes(self, payload_bytes: bytes) -> bytes:
-        """Sign the given payload and return the signature, initializing a new key pair if required."""
-
-    @abc.abstractmethod
-    def publish_public_key(self, public_key_pem: str) -> None:
-        """Publish the given public key."""
-
-    @abc.abstractmethod
-    def generate_private_key(self) -> str:
-        """Generate a new key pair, publishing the public key and returning the private key."""
-
-
-class CryptographyAuthHelper(AuthHelper, metaclass=abc.ABCMeta):
-    """Cryptography based public key based authentication helper for Ansible Core CI."""
-
-    def sign_bytes(self, payload_bytes: bytes) -> bytes:
-        """Sign the given payload and return the signature, initializing a new key pair if required."""
-        # import cryptography here to avoid overhead and failures in environments which do not use/provide it
-        from cryptography.hazmat.backends import default_backend
-        from cryptography.hazmat.primitives import hashes
-        from cryptography.hazmat.primitives.asymmetric import ec
-        from cryptography.hazmat.primitives.serialization import load_pem_private_key
-
-        private_key_pem = self.initialize_private_key()
-        private_key = load_pem_private_key(to_bytes(private_key_pem), None, default_backend())
-
-        assert isinstance(private_key, ec.EllipticCurvePrivateKey)
-
-        signature_raw_bytes = private_key.sign(payload_bytes, ec.ECDSA(hashes.SHA256()))
-
-        return signature_raw_bytes
-
-    def generate_private_key(self) -> str:
-        """Generate a new key pair, publishing the public key and returning the private key."""
-        # import cryptography here to avoid overhead and failures in environments which do not use/provide it
-        from cryptography.hazmat.backends import default_backend
-        from cryptography.hazmat.primitives import serialization
-        from cryptography.hazmat.primitives.asymmetric import ec
-
-        private_key = ec.generate_private_key(ec.SECP384R1(), default_backend())
-        public_key = private_key.public_key()
-
-        private_key_pem = to_text(private_key.private_bytes(  # type: ignore[attr-defined]  # documented method, but missing from type stubs
-            encoding=serialization.Encoding.PEM,
-            format=serialization.PrivateFormat.PKCS8,
-            encryption_algorithm=serialization.NoEncryption(),
-        ))
-
-        public_key_pem = to_text(public_key.public_bytes(
-            encoding=serialization.Encoding.PEM,
-            format=serialization.PublicFormat.SubjectPublicKeyInfo,
-        ))
-
-        self.publish_public_key(public_key_pem)
-
-        return private_key_pem
-
-
-class OpenSSLAuthHelper(AuthHelper, metaclass=abc.ABCMeta):
-    """OpenSSL based public key based authentication helper for Ansible Core CI."""
-
-    def sign_bytes(self, payload_bytes: bytes) -> bytes:
-        """Sign the given payload and return the signature, initializing a new key pair if required."""
-        private_key_pem = self.initialize_private_key()
-
-        with tempfile.NamedTemporaryFile() as private_key_file:
-            private_key_file.write(to_bytes(private_key_pem))
-            private_key_file.flush()
-
-            with tempfile.NamedTemporaryFile() as payload_file:
-                payload_file.write(payload_bytes)
-                payload_file.flush()
-
-                with tempfile.NamedTemporaryFile() as signature_file:
-                    raw_command(['openssl', 'dgst', '-sha256', '-sign', private_key_file.name, '-out', signature_file.name, payload_file.name], capture=True)
-                    signature_raw_bytes = signature_file.read()
-
-        return signature_raw_bytes
-
-    def generate_private_key(self) -> str:
-        """Generate a new key pair, publishing the public key and returning the private key."""
-        private_key_pem = raw_command(['openssl', 'ecparam', '-genkey', '-name', 'secp384r1', '-noout'], capture=True)[0]
-        public_key_pem = raw_command(['openssl', 'ec', '-pubout'], data=private_key_pem, capture=True)[0]
-
-        self.publish_public_key(public_key_pem)
-
-        return private_key_pem

ansible_test/_internal/ci/azp.py

@@ -31,9 +31,10 @@ from ..util import (
 )
 
 from . import (
+    AuthContext,
     ChangeDetectionNotSupported,
     CIProvider,
-    CryptographyAuthHelper,
+    GeneratingAuthHelper,
 )
 
 CODE = 'azp'
@@ -112,10 +113,11 @@ class AzurePipelines(CIProvider):
         """Return True if Ansible Core CI is supported."""
         return True
 
-    def prepare_core_ci_auth(self) -> dict[str, t.Any]:
-        """Return authentication details for Ansible Core CI."""
+    def prepare_core_ci_request(self, config: dict[str, object], context: AuthContext) -> dict[str, object]:
         try:
-            request = dict(
+            request: dict[str, object] = dict(
+                type="azp:ssh",
+                config=config,
                 org_name=os.environ['SYSTEM_COLLECTIONURI'].strip('/').split('/')[-1],
                 project_name=os.environ['SYSTEM_TEAMPROJECT'],
                 build_id=int(os.environ['BUILD_BUILDID']),
@@ -124,13 +126,9 @@ class AzurePipelines(CIProvider):
         except KeyError as ex:
             raise MissingEnvironmentVariable(name=ex.args[0]) from None
 
-        self.auth.sign_request(request)
+        self.auth.sign_request(request, context)
 
-        auth = dict(
-            azp=request,
-        )
-
-        return auth
+        return request
 
     def get_git_details(self, args: CommonConfig) -> t.Optional[dict[str, t.Any]]:
         """Return details about git in the current environment."""
@@ -144,14 +142,14 @@ class AzurePipelines(CIProvider):
         return details
 
 
-class AzurePipelinesAuthHelper(CryptographyAuthHelper):
-    """
-    Authentication helper for Azure Pipelines.
-    Based on cryptography since it is provided by the default Azure Pipelines environment.
-    """
+class AzurePipelinesAuthHelper(GeneratingAuthHelper):
+    """Authentication helper for Azure Pipelines."""
+
+    def generate_key_pair(self) -> None:
+        super().generate_key_pair()
+
+        public_key_pem = self.public_key_file.read_text()
 
-    def publish_public_key(self, public_key_pem: str) -> None:
-        """Publish the given public key."""
         try:
             agent_temp_directory = os.environ['AGENT_TEMPDIRECTORY']
         except KeyError as ex:

ansible_test/_internal/ci/local.py

@@ -2,10 +2,12 @@
 
 from __future__ import annotations
 
-import os
+import abc
+import inspect
 import platform
 import random
 import re
+import pathlib
 import typing as t
 
 from ..config import (
@@ -24,11 +26,14 @@ from ..git import (
 from ..util import (
     ApplicationError,
     display,
+    get_subclasses,
     is_binary_file,
     SubprocessError,
 )
 
 from . import (
+    AuthContext,
+    AuthHelper,
     CIProvider,
 )
 
@@ -120,34 +125,20 @@ class Local(CIProvider):
 
     def supports_core_ci_auth(self) -> bool:
         """Return True if Ansible Core CI is supported."""
-        path = self._get_aci_key_path()
-        return os.path.exists(path)
+        return Authenticator.available()
 
-    def prepare_core_ci_auth(self) -> dict[str, t.Any]:
-        """Return authentication details for Ansible Core CI."""
-        path = self._get_aci_key_path()
-        auth_key = read_text_file(path).strip()
+    def prepare_core_ci_request(self, config: dict[str, object], context: AuthContext) -> dict[str, object]:
+        if not (authenticator := Authenticator.load()):
+            raise ApplicationError('Ansible Core CI authentication has not been configured.')
 
-        request = dict(
-            key=auth_key,
-            nonce=None,
-        )
+        display.info(f'Using {authenticator} for Ansible Core CI.', verbosity=1)
 
-        auth = dict(
-            remote=request,
-        )
-
-        return auth
+        return authenticator.prepare_auth_request(config, context)
 
     def get_git_details(self, args: CommonConfig) -> t.Optional[dict[str, t.Any]]:
         """Return details about git in the current environment."""
         return None  # not yet implemented for local
 
-    @staticmethod
-    def _get_aci_key_path() -> str:
-        path = os.path.expanduser('~/.ansible-core-ci.key')
-        return path
-
 
 class InvalidBranch(ApplicationError):
     """Exception for invalid branch specification."""
@@ -214,3 +205,108 @@ class LocalChanges:
             return True
 
         return False
+
+
+class Authenticator(metaclass=abc.ABCMeta):
+    """Base class for authenticators."""
+
+    @staticmethod
+    def list() -> list[type[Authenticator]]:
+        """List all authenticators in priority order."""
+        return sorted((sc for sc in get_subclasses(Authenticator) if not inspect.isabstract(sc)), key=lambda obj: obj.priority())
+
+    @staticmethod
+    def load() -> Authenticator | None:
+        """Load an authenticator instance, returning None if not configured."""
+        for implementation in Authenticator.list():
+            if implementation.config_file().exists():
+                return implementation()
+
+        return None
+
+    @staticmethod
+    def available() -> bool:
+        """Return True if an authenticator is available, otherwise False."""
+        return bool(Authenticator.load())
+
+    @classmethod
+    @abc.abstractmethod
+    def priority(cls) -> int:
+        """Priority used to determine which authenticator is tried first, from lowest to highest."""
+
+    @classmethod
+    @abc.abstractmethod
+    def config_file(cls) -> pathlib.Path:
+        """Path to the config file for this authenticator."""
+
+    @abc.abstractmethod
+    def prepare_auth_request(self, config: dict[str, object], context: AuthContext) -> dict[str, object]:
+        """Prepare an authenticated Ansible Core CI request using the given config and context."""
+
+    def __str__(self) -> str:
+        return self.__class__.__name__
+
+
+class PasswordAuthenticator(Authenticator):
+    """Authenticate using a password."""
+
+    @classmethod
+    def priority(cls) -> int:
+        return 200
+
+    @classmethod
+    def config_file(cls) -> pathlib.Path:
+        return pathlib.Path('~/.ansible-core-ci.key').expanduser()
+
+    def prepare_auth_request(self, config: dict[str, object], context: AuthContext) -> dict[str, object]:
+        parts = self.config_file().read_text().strip().split(maxsplit=1)
+
+        if len(parts) == 1:  # temporary backward compatibility for legacy API keys
+            request = dict(
+                config=config,
+                auth=dict(
+                    remote=dict(
+                        key=parts[0],
+                    ),
+                ),
+            )
+
+            return request
+
+        username, password = parts
+
+        request = dict(
+            type="remote:password",
+            config=config,
+            username=username,
+            password=password,
+        )
+
+        return request
+
+
+class SshAuthenticator(Authenticator):
+    """Authenticate using an SSH key."""
+
+    @classmethod
+    def priority(cls) -> int:
+        return 100
+
+    @classmethod
+    def config_file(cls) -> pathlib.Path:
+        return pathlib.Path('~/.ansible-core-ci.auth').expanduser()
+
+    def prepare_auth_request(self, config: dict[str, object], context: AuthContext) -> dict[str, object]:
+        parts = self.config_file().read_text().strip().split(maxsplit=1)
+        username, key_file = parts
+
+        request: dict[str, object] = dict(
+            type="remote:ssh",
+            config=config,
+            username=username,
+        )
+
+        auth_helper = AuthHelper(pathlib.Path(key_file).expanduser())
+        auth_helper.sign_request(request, context)
+
+        return request

ansible_test/_internal/core_ci.py

@@ -42,6 +42,7 @@ from .config import (
 )
 
 from .ci import (
+    AuthContext,
     get_ci_provider,
 )
 
@@ -68,6 +69,10 @@ class Resource(metaclass=abc.ABCMeta):
     def persist(self) -> bool:
         """True if the resource is persistent, otherwise false."""
 
+    @abc.abstractmethod
+    def get_config(self, core_ci: AnsibleCoreCI) -> dict[str, object]:
+        """Return the configuration for this resource."""
+
 
 @dataclasses.dataclass(frozen=True)
 class VmResource(Resource):
@@ -92,6 +97,16 @@ class VmResource(Resource):
         """True if the resource is persistent, otherwise false."""
         return True
 
+    def get_config(self, core_ci: AnsibleCoreCI) -> dict[str, object]:
+        """Return the configuration for this resource."""
+        return dict(
+            type="vm",
+            platform=self.platform,
+            version=self.version,
+            architecture=self.architecture,
+            public_key=core_ci.ssh_key.pub_contents,
+        )
+
 
 @dataclasses.dataclass(frozen=True)
 class CloudResource(Resource):
@@ -112,6 +127,12 @@ class CloudResource(Resource):
         """True if the resource is persistent, otherwise false."""
         return False
 
+    def get_config(self, core_ci: AnsibleCoreCI) -> dict[str, object]:
+        """Return the configuration for this resource."""
+        return dict(
+            type="cloud",
+        )
+
 
 class AnsibleCoreCI:
     """Client for Ansible Core CI services."""
@@ -189,7 +210,7 @@ class AnsibleCoreCI:
             display.info(f'Skipping started {self.label} instance.', verbosity=1)
             return None
 
-        return self._start(self.ci_provider.prepare_core_ci_auth())
+        return self._start()
 
     def stop(self) -> None:
         """Stop instance."""
@@ -288,26 +309,25 @@ class AnsibleCoreCI:
     def _uri(self) -> str:
         return f'{self.endpoint}/{self.stage}/{self.provider}/{self.instance_id}'
 
-    def _start(self, auth) -> dict[str, t.Any]:
+    def _start(self) -> dict[str, t.Any]:
         """Start instance."""
         display.info(f'Initializing new {self.label} instance using: {self._uri}', verbosity=1)
 
-        data = dict(
-            config=dict(
-                platform=self.platform,
-                version=self.version,
-                architecture=self.arch,
-                public_key=self.ssh_key.pub_contents,
-            )
+        config = self.resource.get_config(self)
+
+        context = AuthContext(
+            request_id=self.instance_id,
+            stage=self.stage,
+            provider=self.provider,
         )
 
-        data.update(auth=auth)
+        request = self.ci_provider.prepare_core_ci_request(config, context)
 
         headers = {
             'Content-Type': 'application/json',
         }
 
-        response = self._start_endpoint(data, headers)
+        response = self._start_endpoint(request, headers)
 
         self.started = True
         self._save()

ansible_test/_internal/host_profiles.py

@@ -265,6 +265,9 @@ class HostProfile(t.Generic[THostConfig], metaclass=abc.ABCMeta):
     def name(self) -> str:
         """The name of the host profile."""
 
+    def pre_provision(self) -> None:
+        """Pre-provision the host profile."""
+
     def provision(self) -> None:
         """Provision the host before delegation."""
 
@@ -522,8 +525,8 @@ class RemoteProfile(SshTargetHostProfile[TRemoteConfig], metaclass=abc.ABCMeta):
         """The saved Ansible Core CI state."""
         self.state['core_ci'] = value
 
-    def provision(self) -> None:
-        """Provision the host before delegation."""
+    def pre_provision(self) -> None:
+        """Pre-provision the host before delegation."""
         self.core_ci = self.create_core_ci(load=True)
         self.core_ci.start()
 

ansible_test/_internal/provisioning.py

@@ -132,6 +132,9 @@ def prepare_profiles(
 
         ExitHandler.register(functools.partial(cleanup_profiles, host_state))
 
+        for pre_profile in host_state.profiles:
+            pre_profile.pre_provision()
+
         def provision(profile: HostProfile) -> None:
             """Provision the given profile."""
             profile.provision()

ansible_test/_internal/util.py

@@ -707,6 +707,7 @@ def common_environment() -> dict[str, str]:
     optional = (
         'LD_LIBRARY_PATH',
         'SSH_AUTH_SOCK',
+        'SSH_SK_PROVIDER',
         # MacOS High Sierra Compatibility
         # http://sealiesoftware.com/blog/archive/2017/6/5/Objective-C_and_fork_in_macOS_1013.html
         # Example configuration for macOS: