Support for remote hosts that require password for sudo.

Introduce --ask-become-pass or -K to support password-required sudo on remote hosts, just like Ansible.

It will also fall back to this prompt if a password is required but the arg wasn't passed in.

With thanks to slhck from HN for the initial patch, advice and feedback.

tests/test_cli.py

@@ -1,5 +1,7 @@
 import sys
 
+import pytest
+
 import enroll.cli as cli
 
 
@@ -258,6 +260,113 @@ def test_cli_single_shot_remote_without_harvest_prints_state_path(
     assert ("manifest", str(cache_dir), str(ansible_dir), "example.test") in calls
 
 
+def test_cli_harvest_remote_ask_become_pass_prompts_and_passes_password(
+    monkeypatch, tmp_path
+):
+    from enroll.cache import HarvestCache
+    import enroll.remote as r
+
+    cache_dir = tmp_path / "cache"
+    cache_dir.mkdir()
+
+    called = {}
+
+    def fake_cache_dir(*, hint=None):
+        return HarvestCache(dir=cache_dir)
+
+    def fake__remote_harvest(*, sudo_password=None, **kwargs):
+        called["sudo_password"] = sudo_password
+        return cache_dir / "state.json"
+
+    monkeypatch.setattr(cli, "new_harvest_cache_dir", fake_cache_dir)
+    monkeypatch.setattr(r, "_remote_harvest", fake__remote_harvest)
+    monkeypatch.setattr(r.getpass, "getpass", lambda _prompt="": "pw123")
+
+    monkeypatch.setattr(
+        sys,
+        "argv",
+        [
+            "enroll",
+            "harvest",
+            "--remote-host",
+            "example.test",
+            "--ask-become-pass",
+        ],
+    )
+
+    cli.main()
+    assert called["sudo_password"] == "pw123"
+
+
+def test_cli_harvest_remote_password_required_fallback_prompts_and_retries(
+    monkeypatch, tmp_path
+):
+    from enroll.cache import HarvestCache
+    import enroll.remote as r
+
+    cache_dir = tmp_path / "cache"
+    cache_dir.mkdir()
+
+    def fake_cache_dir(*, hint=None):
+        return HarvestCache(dir=cache_dir)
+
+    calls = []
+
+    def fake__remote_harvest(*, sudo_password=None, **kwargs):
+        calls.append(sudo_password)
+        if sudo_password is None:
+            raise r.RemoteSudoPasswordRequired("pw required")
+        return cache_dir / "state.json"
+
+    class _TTYStdin:
+        def isatty(self):
+            return True
+
+    monkeypatch.setattr(cli, "new_harvest_cache_dir", fake_cache_dir)
+    monkeypatch.setattr(r, "_remote_harvest", fake__remote_harvest)
+    monkeypatch.setattr(r.getpass, "getpass", lambda _prompt="": "pw456")
+    monkeypatch.setattr(sys, "stdin", _TTYStdin())
+
+    monkeypatch.setattr(
+        sys, "argv", ["enroll", "harvest", "--remote-host", "example.test"]
+    )
+
+    cli.main()
+    assert calls == [None, "pw456"]
+
+
+def test_cli_harvest_remote_password_required_noninteractive_errors(
+    monkeypatch, tmp_path
+):
+    from enroll.cache import HarvestCache
+    import enroll.remote as r
+
+    cache_dir = tmp_path / "cache"
+    cache_dir.mkdir()
+
+    def fake_cache_dir(*, hint=None):
+        return HarvestCache(dir=cache_dir)
+
+    def fake__remote_harvest(*, sudo_password=None, **kwargs):
+        raise r.RemoteSudoPasswordRequired("pw required")
+
+    class _NoTTYStdin:
+        def isatty(self):
+            return False
+
+    monkeypatch.setattr(cli, "new_harvest_cache_dir", fake_cache_dir)
+    monkeypatch.setattr(r, "_remote_harvest", fake__remote_harvest)
+    monkeypatch.setattr(sys, "stdin", _NoTTYStdin())
+
+    monkeypatch.setattr(
+        sys, "argv", ["enroll", "harvest", "--remote-host", "example.test"]
+    )
+
+    with pytest.raises(SystemExit) as e:
+        cli.main()
+    assert "--ask-become-pass" in str(e.value)
+
+
 def test_cli_manifest_common_args(monkeypatch, tmp_path):
     """Ensure --fqdn and jinjaturtle mode flags are forwarded correctly."""