From 55dae7c2a6adaa78e3f9fc49ffdaaa023d7b0bd1 Mon Sep 17 00:00:00 2001
From: Felix Fontein <felix@fontein.de>
Date: Thu, 12 Mar 2026 21:13:02 +0100
Subject: [PATCH] doas: allow to explicitly enable pipelining (#11481)

* Allow to explicitly enable pipelining.

* Add markup.
---
 .../fragments/11481-doas-pipelining.yml       |  4 +++
 plugins/become/doas.py                        | 28 ++++++++++++++++---
 2 files changed, 28 insertions(+), 4 deletions(-)
 create mode 100644 changelogs/fragments/11481-doas-pipelining.yml

diff --git a/changelogs/fragments/11481-doas-pipelining.yml b/changelogs/fragments/11481-doas-pipelining.yml
new file mode 100644
index 0000000000..ef3c586689
--- /dev/null
+++ b/changelogs/fragments/11481-doas-pipelining.yml
@@ -0,0 +1,4 @@
+minor_changes:
+  - "doas become plugin - add new option ``allow_pipelining`` to explicitly allow the use of pipelining with this plugin.
+     This should only be set to ``true`` with ansible-core 2.19+ when ``doas`` does not require a password
+     (https://github.com/ansible-collections/community.general/issues/11411, https://github.com/ansible-collections/community.general/pull/11481)."
diff --git a/plugins/become/doas.py b/plugins/become/doas.py
index 868094a7aa..ac0cf33826 100644
--- a/plugins/become/doas.py
+++ b/plugins/become/doas.py
@@ -82,9 +82,26 @@ options:
       - name: ansible_doas_prompt_l10n
     env:
       - name: ANSIBLE_DOAS_PROMPT_L10N
+  allow_pipelining:
+    description:
+      - When set to V(true), do allow pipelining with ansible-core 2.19+.
+      - This should only be used when doas is configured to not ask for a password (C(nopass)).
+    type: boolean
+    default: false
+    version_added: 12.4.0
+    ini:
+      - section: doas_become_plugin
+        key: allow_pipelining
+    vars:
+      - name: ansible_doas_allow_pipelining
+    env:
+      - name: ANSIBLE_DOAS_ALLOW_PIPELINING
 notes:
-  - This become plugin does not work when connection pipelining is enabled. With ansible-core 2.19+, using it automatically
-    disables pipelining. On ansible-core 2.18 and before, pipelining must explicitly be disabled by the user.
+  - This become plugin does not work when connection pipelining is enabled
+    and doas requests a password.
+    With ansible-core 2.19+, using this plugin automatically disables pipelining,
+    unless O(allow_pipelining=true) is explicitly set by the user.
+    On ansible-core 2.18 and before, pipelining must explicitly be disabled by the user.
 """
 
 import re
@@ -101,8 +118,11 @@ class BecomeModule(BecomeBase):
     missing = ("Authorization required",)
 
     # See https://github.com/ansible-collections/community.general/issues/9977,
-    # https://github.com/ansible/ansible/pull/78111
-    pipelining = False
+    # https://github.com/ansible/ansible/pull/78111,
+    # https://github.com/ansible-collections/community.general/issues/11411
+    @property
+    def pipelining(self) -> bool:  # type: ignore[override]
+        return self.get_option("allow_pipelining")
 
     def check_password_prompt(self, b_output):
         """checks if the expected password prompt exists in b_output"""