odbc: add Arch Linux support via AUR psqlodbc (#11944)
* test(odbc): add Arch Linux support via AUR psqlodbc
Fixes#4267
* test(setup_postgresql_db): guard Arch Linux initdb with creates
* test(odbc): add setup_remote_tmp_dir dependency
(cherry picked from commit c7be9e4d5b)
Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com>
test(integration): enable homectl test for ArchLinux (#11945)
* test(integration): enable homectl test for ArchLinux
* install passlib in Arch Linux
* test: requires vm in homectl aliases
(cherry picked from commit 036811e668)
Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com>
parted: add unit_preserve_case option to fix unit case in return value (#11813)
* parted: add unit_preserve_case option to fix unit case in return value
Adds O(unit_preserve_case) feature flag (bool, default None) to control
the case of the ``unit`` field in the module return value.
Previously the unit was always lowercased (e.g. ``kib``), making it
impossible to feed ``disk.unit`` back as the ``unit`` parameter without
a validation error. With O(unit_preserve_case=true) the unit is returned
in its original mixed case (e.g. ``KiB``), matching the accepted input
values.
The default (None) emits a deprecation notice; the default will become
V(true) in community.general 14.0.0.
Fixes#1860
* parted: add changelog fragment for PR #11813
* adjustments from review
* Comment 15.0.0 deprecation in option decription.
* parted: fix unit test calls to parse_partition_info after signature change
* parted: fix unit_preserve_case - parted outputs lowercase units in machine mode
Parted's machine-parseable output always uses lowercase unit suffixes
(e.g. ``kib``, ``mib``) regardless of what was passed to the ``unit``
parameter. Removing the explicit ``.lower()`` call was therefore not
enough to preserve case.
Add a ``canonical_unit()`` helper that maps a unit string to its canonical
mixed-case form using ``parted_units`` as the reference, and use it
instead of a bare identity when ``unit_preserve_case=true``.
Also fix a yamllint violation in the DOCUMENTATION block (missing space
after ``#`` in inline comments).
* Update plugins/modules/parted.py
* Update plugins/modules/parted.py
---------
(cherry picked from commit edf8f24959)
Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: Felix Fontein <felix@fontein.de>
CI: Replace Fedora 43 with 44 for devel (#11836)
* Replace Fedora 43 with 44 for devel in CI.
* Adjust tests.
* Adjust flatpak module to Fedora 44.
(cherry picked from commit ef656cb9b6)
Co-authored-by: Felix Fontein <felix@fontein.de>
flatpak: add from_url parameter, deprecate URLs in name (#11748)
* flatpak: add from_url parameter, deprecate URLs in name
Adds a new `from_url` parameter for installing flatpaks from a
.flatpakref URL, using `flatpak install --from <url>`. The `name`
parameter then carries the reverse DNS application ID, enabling
reliable idempotency checks.
Passing URLs directly in `name` is now deprecated and will be
removed in community.general 14.0.0.
Fixes#4000
* flatpak: add changelog fragment for PR #11748
* flatpak: remove deprecation, adjust docs tone
* flatpak: add integration tests for from_url parameter
---------
(cherry picked from commit 972bed66f4)
Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
integration tests: remove CentOS conditionals (#11715)
* test(integration): remove CentOS references
* further simplification
* more removals
* rollback systemd_info for now
* ufw: not trivially used with RHEL9 and RHEL10, simplifying tests
* remove tasks for setup_epel where unused
* adjustments from review
(cherry picked from commit 79431c36b5)
Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com>
consul integration tests: re-enable on macOS (#11697)
* consul integration tests: re-enable on macOS
- Update consul version to 1.22.6
- Add arm64/aarch64 architecture support
- Fix macOS Gatekeeper quarantine on downloaded binary
- Add wait_for before ACL bootstrap (race condition fix)
- Update HCL config to use tls stanza (required in 1.22)
- Disable gRPC port (conflicts with tls stanza when not configured)
- Remove skip/macos from aliases
Fixes: https://github.com/ansible-collections/community.general/issues/1016
* changelogs/fragments: add PR number for consul tests fix
* remove changelog fragment (test-only PR)
---------
(cherry picked from commit 8b114e999e)
Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
etcd3: re-enable and fix tests, add unit tests (#11678)
* etcd3: re-enable and fix tests, add unit tests
- Add unit tests for community.general.etcd3 module (12 tests covering
state=present/absent, idempotency, check mode, and error paths)
- Fix integration test setup: update etcd binary to v3.6.9 (from v3.2.14),
download from GitHub releases, add health-check retry loop after start
- Work around etcd3 Python library incompatibility with protobuf >= 4.x
by setting PROTOCOL_BUFFERS_PYTHON_IMPLEMENTATION=python
- Update to FQCNs throughout integration tests
- Re-enable both etcd3 and lookup_etcd3 integration targets
Fixes https://github.com/ansible-collections/community.general/issues/322
* improve use of multiple context managers
---------
(cherry picked from commit d06c83eb68)
Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
osx_defaults: add dict support (#11659)
* osx_defaults: add dict support
* add changelog frag
* osx_defaults: fix dict idempotency by using plutil -extract for type-preserving read
The previous approach piped `defaults read` output (old-style plist text)
through `plutil -convert json`. Old-style plist loses boolean type info
(booleans appear as 1/0, indistinguishable from integers), causing the
comparison to fail and reporting changed=True on every run.
Fix by exporting the domain binary plist to a temp file and using
`plutil -extract key json` which correctly preserves all plist types
(booleans stay true/false, integers stay integers, etc.).
* change param from bool to str
* Apply suggestion from review
* Update plugins/modules/osx_defaults.py
---------
(cherry picked from commit d6cb56c022)
Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: Felix Fontein <felix@fontein.de>
CI: Remove FreeBSD 14.3 for devel, and replace macOS 15.3 with 26.3 (#11631)
* Replace FreeBSD 14.3 with 14.4, and macOS 15.3 with 26.3.
* FreeBSD 14.4 seems to have the same problem as FreeBSD 15.0, disabling for now.
(cherry picked from commit b4336659f6)
Co-authored-by: Felix Fontein <felix@fontein.de>
CI: Replace apt_repository and apt_key with deb822_repository (#11625)
Replace apt_repository and apt_key with deb822_repository.
(cherry picked from commit bc22fbcaa0)
Co-authored-by: Felix Fontein <felix@fontein.de>
merge_variables: extended merge capabilities added (#11536)
* merge_variables: extended merge capabilities added
This extension gives you more control over the variable merging process of the lookup plugin `merge_variables`. It closes the gap between Puppet's Hiera merging capabilities and the limitations of Ansible's default variable plugin `host_group_vars` regarding fragment-based value definition. You can now decide which merge strategy should be applied to dicts, lists, and other types. Furthermore, you can specify a merge strategy that should be applied in case of type conflicts.
The default behavior of the plugin has been preserved so that it is fully backward-compatible with the already implemented state.
* Update changelogs/fragments/11536-merge-variables-extended-merging-capabilities.yml
* Update plugins/lookup/merge_variables.py
* Periods added at the end of each choice description
* Update plugins/lookup/merge_variables.py
* ref: follow project standard for choice descriptions
* ref: more examples added and refactoring
* Update plugins/lookup/merge_variables.py
* ref: some more comments to examples added
* fix: unused import removed
* ref: re-add "merge" to strategy map
* Update comments
* Specification of transformations solely as string
* Comments updated
* ref: `append_rp` and `prepend_rp` removed
feat: options dict for list transformations re-added
feat: allow setting `keep` for dedup transformation with possible values: `first` (default) and `last`
* ref: improve options documentation
* ref: documentation improved, avoiding words like newer or older in merge description
* Update plugins/lookup/merge_variables.py
* ref: "prio" replaced by "dict"
* feat: two integration tests added
---------
(cherry picked from commit dae2157bb7)
Signed-off-by: Fiehe Christoph <c.fiehe@eurodata.de>
Co-authored-by: Christoph Fiehe <cfiehe@users.noreply.github.com>
Co-authored-by: Fiehe Christoph <c.fiehe@eurodata.de>
Co-authored-by: Felix Fontein <felix@fontein.de>
Co-authored-by: Mark <40321020+m-a-r-k-e@users.noreply.github.com>
Simplify and extend from_ini tests (#11534)
Simplify and extend from_ini tests.
(cherry picked from commit e118b23ba0)
Co-authored-by: Felix Fontein <felix@fontein.de>
adds parameter delimiters to from_ini filter (#11512)
* adds parameter delimiters to from_ini filter
fixes issue #11506
* adds changelog fragment
* fixes pylint dangerous-default-value / W0102
* does not assume default delimiters
let that be decided in the super class
* Update plugins/filter/from_ini.py
verbose description
* Update changelogs/fragments/11512-from_ini-delimiters.yaml
* adds input validation
* adss check for delimiters not None
* adds missing import
* removes the negation
* adds suggestions from russoz
* adds ruff format suggestion
---------
(cherry picked from commit aec0e61ba1)
Co-authored-by: Robert Sander <github@gurubert.de>
Co-authored-by: Felix Fontein <felix@fontein.de>
keycloak_user_rolemapping: handle None response for client role lookup (#11471)
* fix(keycloak_user_rolemapping): handle None response for client role lookup
When adding a client role to a user who has no existing roles for that
client, get_client_user_rolemapping_by_id() returns None. The existing
code indexed directly into the result causing a TypeError. Add the same
None check that already existed for realm roles since PR #11256.
Fixes#10960
* fix(tests): use dict format for task vars in keycloak_user_rolemapping tests
Task-level vars requires a YAML mapping, not a sequence. The leading
dash (- roles:) produced a list instead of a dict, which ansible-core
2.20 rejects with "Vars in a Task must be specified as a dictionary".
* Update changelogs/fragments/keycloak-user-rolemapping-client-none-check.yml
---------
(cherry picked from commit 34938ca1ef)
Co-authored-by: Ivan Kokalovic <67540157+koke1997@users.noreply.github.com>
Co-authored-by: Felix Fontein <felix@fontein.de>
keycloak_realm_key: add full support for all Keycloak key providers (#11468)
* feat(keycloak_realm_key): add support for auto-generated key providers
Add support for Keycloak's auto-generated key providers where Keycloak
manages the key material automatically:
- rsa-generated: Auto-generates RSA signing keys
- hmac-generated: Auto-generates HMAC signing keys
- aes-generated: Auto-generates AES encryption keys
- ecdsa-generated: Auto-generates ECDSA signing keys
New algorithms:
- HMAC: HS256, HS384, HS512
- ECDSA: ES256, ES384, ES512
- AES: AES (no algorithm parameter needed)
New config options:
- secret_size: For HMAC/AES providers (key size in bytes)
- key_size: For RSA-generated provider (key size in bits)
- elliptic_curve: For ECDSA-generated provider (P-256, P-384, P-521)
Changes:
- Make private_key/certificate optional (only required for rsa/rsa-enc)
- Add provider-algorithm validation with clear error messages
- Fix KeyError when managing default realm keys (issue #11459)
- Maintain backward compatibility: RS256 default works for rsa/rsa-generated
Fixes: #11459
* fix: address sanity test failures
- Add 'default: RS256' to algorithm documentation to match spec
- Add no_log=True to secret_size parameter per sanity check
* feat(keycloak_realm_key): extend support for all Keycloak key providers
Add support for remaining auto-generated key providers:
- rsa-enc-generated (RSA encryption keys with RSA1_5, RSA-OAEP, RSA-OAEP-256)
- ecdh-generated (ECDH key exchange with ECDH_ES, ECDH_ES_A128KW/A192KW/A256KW)
- eddsa-generated (EdDSA signing with Ed25519, Ed448 curves)
Changes:
- Add provider-specific elliptic curve config key mapping
(ecdsaEllipticCurveKey, ecdhEllipticCurveKey, eddsaEllipticCurveKey)
- Add PROVIDERS_WITHOUT_ALGORITHM constant for providers that don't need algorithm
- Add elliptic curve validation per provider type
- Update documentation with all supported algorithms and examples
- Add comprehensive integration tests for all new providers
This completes full coverage of all Keycloak key provider types.
* style: apply ruff formatting
* feat(keycloak_realm_key): add java-keystore provider and update_password
Add support for java-keystore provider to import keys from Java
Keystore (JKS or PKCS12) files on the Keycloak server filesystem.
Add update_password parameter to control password handling for
java-keystore provider:
- always (default): Always send passwords to Keycloak
- on_create: Only send passwords when creating, preserve existing
passwords when updating (enables idempotent playbooks)
The on_create mode sends the masked value ("**********") that Keycloak
recognizes as "preserve existing password", matching the behavior when
re-importing an exported realm.
Replace password_checksum with update_password - the checksum approach
was complex and error-prone. The update_password parameter is simpler
and follows the pattern used by ansible.builtin.user module.
Also adds key_info return value containing kid, certificate fingerprint,
status, and expiration for java-keystore keys.
* address PR review feedback
- Remove no_log=True from secret_size (just an int, not sensitive)
- Add version_added: 12.4.0 to new parameters and return values
- Remove "Added in community.general 12.4.0" from description text
- Consolidate changelog entries into 4 focused entries
- Remove bugfix from changelog (now in separate PR #11470)
* address review feedback from russoz and felixfontein
- remove docstrings from module-local helpers
- remove line-by-line comments and unnecessary null guard
- use specific exceptions instead of bare except Exception
- use module.params["key"] instead of .get("key")
- consolidate changelog into single entry
- avoid "complete set" claim, reference Keycloak 26 instead
* address round 2 review feedback
- Extract remove_sensitive_config_keys() helper (DRY refactor)
- Simplify RS256 validation to single code path
- Add TypeError to inner except in compute_certificate_fingerprint()
- Remove redundant comments (L812, L1031)
- Switch .get() to direct dict access for module.params
(cherry picked from commit 80d21f2a0d)
Co-authored-by: Ivan Kokalovic <67540157+koke1997@users.noreply.github.com>
Integration tests: replace ansible_xxx with ansible_facts.xxx (#11479)
Replace ansible_xxx with ansible_facts.xxx.
(cherry picked from commit 476f2bf641)
Co-authored-by: Felix Fontein <felix@fontein.de>
keycloak_client: add valid_post_logout_redirect_uris and backchannel_logout_url (#11473)
* feat(keycloak_client): add valid_post_logout_redirect_uris and backchannel_logout_url
Add two new convenience parameters that map to client attributes:
- valid_post_logout_redirect_uris: sets post.logout.redirect.uris
attribute (list items joined with ##)
- backchannel_logout_url: sets backchannel.logout.url attribute
These fields are not top-level in the Keycloak REST API but are stored
as client attributes. The new parameters provide a user-friendly
interface without requiring users to know the internal attribute names
and ##-separator format.
Fixes#6812, fixes#4892
* consolidate changelog and add PR link per review feedback
(cherry picked from commit df6d6269a6)
Co-authored-by: Ivan Kokalovic <67540157+koke1997@users.noreply.github.com>
keycloak: URL-encode query parameters for usernames with special characters (#11472)
* fix(keycloak): URL-encode query params for usernames with special chars
get_user_by_username() concatenates the username directly into the URL
query string. When the username contains a +, it is interpreted as a
space by the server, returning no match and causing a TypeError.
Use urllib.parse.quote() (already imported) for the username parameter.
Also replace three fragile .replace(' ', '%20') calls in the authz
search methods with proper quote() calls.
Fixes#10305
* Update changelogs/fragments/keycloak-url-encode-query-params.yml
---------
(cherry picked from commit c41de53dbb)
Co-authored-by: Ivan Kokalovic <67540157+koke1997@users.noreply.github.com>
Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com>
Logstash plugin version fix (#11440)
* logstash_plugin: fix argument order when using version parameter
* logstash_plugin: add integration tests
* logstash_plugin: add changelog fragment
(cherry picked from commit 53e1e86bcc)
Co-authored-by: Nicolas Boutet <amd3002@gmail.com>
Add `to_toml` filter (#11423)
* Add to_toml filter
This is based heavily on the to_yaml filter, but
with a pared-down feature set.
* Protect import
* Don't quote datetime as a string
* Use Ansible error types
* Import correct error types
* Don't use AnsibleTypeError
It doesn't seem to be available on older Ansible
core versions.
* Fix antsibull-nox errors
* Install dependencies for to_toml integration test
* Reduce author list to main contributor
* Update version added for to_toml
* Use AnsibleError for missing import
* Use AnsibleFilterError for runtime type check
* Move common code to plugin_utils/_tags.py
* Mark module util as private
* Update BOTMETA for to_toml
* Fix typo
* Correct version number
* Use to_text for to_toml dict key conversions
* Add tomlkit requirement to docs
* Add missing import
* Add aliases for for to_toml integration test
---------
(cherry picked from commit 864695f898)
Co-authored-by: Matt Williams <matt@milliams.com>
Co-authored-by: Felix Fontein <felix@fontein.de>
Update RHEL 9.x to 9.7 in CI (#11387)
* Update RHEL 9.x to 9.7 in CI.
* Add skips.
(cherry picked from commit d4089ca29a)
Co-authored-by: Felix Fontein <felix@fontein.de>
Clean up other Python files (#11379)
* Address issues found by ruff check.
* Make mypy happy; remove some Python 2 compat code.
* Also declare port1.
(cherry picked from commit b3dc06a7dd)
Co-authored-by: Felix Fontein <felix@fontein.de>
Add missing integration test aliases files (#11357)
* Add missing aliases files.
* Fix directory name.
* Add another missing aliases file.
* Adjust test to also work with newer jsonpatch versions.
(cherry picked from commit ddf05104f3)
Co-authored-by: Felix Fontein <felix@fontein.de>
sysrc tests: skip FreeBSD 14.2 for ezjail tests (#11276)
Looks like 14.2 no longer works.
(cherry picked from commit a96a5c44a5)
Co-authored-by: Felix Fontein <felix@fontein.de>
