Merge branch 'ansible:devel' into bugfix-role-lookup

.github/actions/run_awx_devel/action.yml

@@ -13,9 +13,6 @@ outputs:
   ip:
     description: The IP of the tools_awx_1 container
     value: ${{ steps.data.outputs.ip }}
-  admin-token:
-    description: OAuth token for admin user
-    value: ${{ steps.data.outputs.admin_token }}
 runs:
   using: composite
   steps:
@@ -62,6 +59,4 @@ runs:
       shell: bash
       run: |
         AWX_IP=$(docker inspect -f '{{.NetworkSettings.Networks.awx.IPAddress}}' tools_awx_1)
-        ADMIN_TOKEN=$(docker exec -i tools_awx_1 awx-manage create_oauth2_token --user admin)
-        echo "ip=$AWX_IP" >> $GITHUB_OUTPUT
-        echo "admin_token=$ADMIN_TOKEN" >> $GITHUB_OUTPUT
+        echo "ip=$AWX_IP" >> $GITHUB_OUTPUT

.github/workflows/ci.yml

@@ -129,6 +129,10 @@ jobs:
         with:
           show-progress: false
 
+      - uses: actions/setup-python@v5
+        with:
+          python-version: '3.x'
+
       - uses: ./.github/actions/run_awx_devel
         id: awx
         with:
@@ -266,6 +270,10 @@ jobs:
         with:
           show-progress: false
 
+      - uses: actions/setup-python@v5
+        with:
+          python-version: '3.x'
+
       - uses: ./.github/actions/run_awx_devel
         id: awx
         with:
@@ -283,7 +291,8 @@ jobs:
           echo "::remove-matcher owner=python::"  # Disable annoying annotations from setup-python
           echo '[general]' > ~/.tower_cli.cfg
           echo 'host = https://${{ steps.awx.outputs.ip }}:8043' >> ~/.tower_cli.cfg
-          echo 'oauth_token = ${{ steps.awx.outputs.admin-token }}' >> ~/.tower_cli.cfg
+          echo 'username = admin' >> ~/.tower_cli.cfg
+          echo 'password = password' >> ~/.tower_cli.cfg
           echo 'verify_ssl = false' >> ~/.tower_cli.cfg
           TARGETS="$(ls awx_collection/tests/integration/targets | grep '${{ matrix.target-regex.regex }}' | tr '\n' ' ')"
           make COLLECTION_VERSION=100.100.100-git COLLECTION_TEST_TARGET="--requirements $TARGETS" test_collection_integration
@@ -336,6 +345,10 @@ jobs:
         with:
           show-progress: false
 
+      - uses: actions/setup-python@v5
+        with:
+          python-version: '3.x'
+
       - name: Upgrade ansible-core
         run: python3 -m pip install --upgrade ansible-core
 

.github/workflows/docs.yml

@@ -12,6 +12,10 @@ jobs:
         with:
           show-progress: false
 
+      - uses: actions/setup-python@v5
+        with:
+          python-version: '3.x'
+
       - name: install tox
         run: pip install tox
 

.github/workflows/label_pr.yml

@@ -33,7 +33,10 @@ jobs:
         with:
           show-progress: false
 
-      - uses: actions/setup-python@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: '3.x'
+
       - name: Install python requests
         run: pip install requests
       - name: Check if user is a member of Ansible org

.gitignore

@@ -31,7 +31,6 @@ tools/docker-compose/_build
 tools/docker-compose/_sources
 tools/docker-compose/overrides/
 tools/docker-compose-minikube/_sources
-tools/docker-compose/keycloak.awx.realm.json
 
 !tools/docker-compose/editable_dependencies
 tools/docker-compose/editable_dependencies/*

Makefile

@@ -31,10 +31,6 @@ COMPOSE_TAG ?= $(GIT_BRANCH)
 MAIN_NODE_TYPE ?= hybrid
 # If set to true docker-compose will also start a pgbouncer instance and use it
 PGBOUNCER ?= false
-# If set to true docker-compose will also start a keycloak instance
-KEYCLOAK ?= false
-# If set to true docker-compose will also start an ldap instance
-LDAP ?= false
 # If set to true docker-compose will also start a splunk instance
 SPLUNK ?= false
 # If set to true docker-compose will also start a prometheus instance
@@ -45,8 +41,6 @@ GRAFANA ?= false
 VAULT ?= false
 # If set to true docker-compose will also start a hashicorp vault instance with TLS enabled
 VAULT_TLS ?= false
-# If set to true docker-compose will also start a tacacs+ instance
-TACACS ?= false
 # If set to true docker-compose will also start an OpenTelemetry Collector instance
 OTEL ?= false
 # If set to true docker-compose will also start a Loki instance
@@ -345,7 +339,7 @@ api-lint:
 awx-link:
 	[ -d "/awx_devel/awx.egg-info" ] || $(PYTHON) /awx_devel/tools/scripts/egg_info_dev
 
-TEST_DIRS ?= awx/main/tests/unit awx/main/tests/functional awx/conf/tests awx/sso/tests
+TEST_DIRS ?= awx/main/tests/unit awx/main/tests/functional awx/conf/tests
 PYTEST_ARGS ?= -n auto
 ## Run all API unit tests.
 test:
@@ -446,7 +440,7 @@ test_unit:
 	@if [ "$(VENV_BASE)" ]; then \
 		. $(VENV_BASE)/awx/bin/activate; \
 	fi; \
-	py.test awx/main/tests/unit awx/conf/tests/unit awx/sso/tests/unit
+	py.test awx/main/tests/unit awx/conf/tests/unit
 
 ## Output test coverage as HTML (into htmlcov directory).
 coverage_html:
@@ -507,14 +501,11 @@ docker-compose-sources: .git/hooks/pre-commit
 	    -e execution_node_count=$(EXECUTION_NODE_COUNT) \
 	    -e minikube_container_group=$(MINIKUBE_CONTAINER_GROUP) \
 	    -e enable_pgbouncer=$(PGBOUNCER) \
-	    -e enable_keycloak=$(KEYCLOAK) \
-	    -e enable_ldap=$(LDAP) \
 	    -e enable_splunk=$(SPLUNK) \
 	    -e enable_prometheus=$(PROMETHEUS) \
 	    -e enable_grafana=$(GRAFANA) \
 	    -e enable_vault=$(VAULT) \
 	    -e vault_tls=$(VAULT_TLS) \
-	    -e enable_tacacs=$(TACACS) \
 	    -e enable_otel=$(OTEL) \
 	    -e enable_loki=$(LOKI) \
 	    -e install_editable_dependencies=$(EDITABLE_DEPENDENCIES) \
@@ -525,8 +516,7 @@ docker-compose: awx/projects docker-compose-sources
 	ansible-galaxy install --ignore-certs -r tools/docker-compose/ansible/requirements.yml;
 	$(ANSIBLE_PLAYBOOK) -i tools/docker-compose/inventory tools/docker-compose/ansible/initialize_containers.yml \
 	    -e enable_vault=$(VAULT) \
-	    -e vault_tls=$(VAULT_TLS) \
-	    -e enable_ldap=$(LDAP); \
+	    -e vault_tls=$(VAULT_TLS); \
 	$(MAKE) docker-compose-up
 
 docker-compose-up:
@@ -598,7 +588,7 @@ docker-clean:
 	-$(foreach image_id,$(shell docker images --filter=reference='*/*/*awx_devel*' --filter=reference='*/*awx_devel*' --filter=reference='*awx_devel*' -aq),docker rmi --force $(image_id);)
 
 docker-clean-volumes: docker-compose-clean docker-compose-container-group-clean
-	docker volume rm -f tools_var_lib_awx tools_awx_db tools_awx_db_15 tools_vault_1 tools_ldap_1 tools_grafana_storage tools_prometheus_storage $(shell docker volume ls --filter name=tools_redis_socket_ -q)
+	docker volume rm -f tools_var_lib_awx tools_awx_db tools_awx_db_15 tools_vault_1 tools_grafana_storage tools_prometheus_storage $(shell docker volume ls --filter name=tools_redis_socket_ -q)
 
 docker-refresh: docker-clean docker-compose
 

awx/api/conf.py

@@ -8,7 +8,6 @@
 from awx.conf import fields, register, register_validate
 from awx.api.fields import OAuth2ProviderField
 from oauth2_provider.settings import oauth2_settings
-from awx.sso.common import is_remote_auth_enabled
 
 
 register(
@@ -35,10 +34,7 @@
     'DISABLE_LOCAL_AUTH',
     field_class=fields.BooleanField,
     label=_('Disable the built-in authentication system'),
-    help_text=_(
-        "Controls whether users are prevented from using the built-in authentication system. "
-        "You probably want to do this if you are using an LDAP or SAML integration."
-    ),
+    help_text=_("Controls whether users are prevented from using the built-in authentication system. "),
     category=_('Authentication'),
     category_slug='authentication',
 )
@@ -71,20 +67,6 @@
     category_slug='authentication',
     unit=_('seconds'),
 )
-register(
-    'ALLOW_OAUTH2_FOR_EXTERNAL_USERS',
-    field_class=fields.BooleanField,
-    default=False,
-    label=_('Allow External Users to Create OAuth2 Tokens'),
-    help_text=_(
-        'For security reasons, users from external auth providers (LDAP, SAML, '
-        'SSO, Radius, and others) are not allowed to create OAuth2 tokens. '
-        'To change this behavior, enable this setting. Existing tokens will '
-        'not be deleted when this setting is toggled off.'
-    ),
-    category=_('Authentication'),
-    category_slug='authentication',
-)
 register(
     'LOGIN_REDIRECT_OVERRIDE',
     field_class=fields.CharField,
@@ -109,7 +91,7 @@
 
 
 def authentication_validate(serializer, attrs):
-    if attrs.get('DISABLE_LOCAL_AUTH', False) and not is_remote_auth_enabled():
+    if attrs.get('DISABLE_LOCAL_AUTH', False):
         raise serializers.ValidationError(_("There are no remote authentication systems configured."))
     return attrs
 

awx/api/generics.py

@@ -14,7 +14,7 @@
 from django.db import connection, transaction
 from django.db.models.fields.related import OneToOneRel
 from django.http import QueryDict
-from django.shortcuts import get_object_or_404
+from django.shortcuts import get_object_or_404, redirect
 from django.template.loader import render_to_string
 from django.utils.encoding import smart_str
 from django.utils.safestring import mark_safe
@@ -36,7 +36,7 @@
 # django-ansible-base
 from ansible_base.rest_filters.rest_framework.field_lookup_backend import FieldLookupBackend
 from ansible_base.lib.utils.models import get_all_field_names
-from ansible_base.lib.utils.requests import get_remote_host
+from ansible_base.lib.utils.requests import get_remote_host, is_proxied_request
 from ansible_base.rbac.models import RoleEvaluation, RoleDefinition
 from ansible_base.rbac.permission_registry import permission_registry
 from ansible_base.jwt_consumer.common.util import validate_x_trusted_proxy_header
@@ -82,6 +82,12 @@
 
 class LoggedLoginView(auth_views.LoginView):
     def get(self, request, *args, **kwargs):
+        if is_proxied_request():
+            next = request.GET.get('next', "")
+            if next:
+                next = f"?next={next}"
+            return redirect(f"/{next}")
+
         # The django.auth.contrib login form doesn't perform the content
         # negotiation we've come to expect from DRF; add in code to catch
         # situations where Accept != text/html (or */*) and reply with
@@ -97,6 +103,15 @@ def get(self, request, *args, **kwargs):
         return super(LoggedLoginView, self).get(request, *args, **kwargs)
 
     def post(self, request, *args, **kwargs):
+        if is_proxied_request():
+            # Give a message, saying to login via AAP
+            return Response(
+                {
+                    'detail': _('Please log in via Platform Authentication.'),
+                },
+                status=status.HTTP_401_UNAUTHORIZED,
+            )
+
         ret = super(LoggedLoginView, self).post(request, *args, **kwargs)
         ip = get_remote_host(request)  # request.META.get('REMOTE_ADDR', None)
         if request.user.is_authenticated:
@@ -115,10 +130,15 @@ def post(self, request, *args, **kwargs):
 
 
 class LoggedLogoutView(auth_views.LogoutView):
-
     success_url_allowed_hosts = set(settings.LOGOUT_ALLOWED_HOSTS.split(",")) if settings.LOGOUT_ALLOWED_HOSTS else set()
 
     def dispatch(self, request, *args, **kwargs):
+        if is_proxied_request():
+            # 1) We intentionally don't obey ?next= here, just always redirect to platform login
+            # 2) Hack to prevent rewrites of Location header
+            qs = "?__gateway_no_rewrite__=1&next=/"
+            return redirect(f"/api/gateway/v1/logout/{qs}")
+
         original_user = getattr(request, 'user', None)
         ret = super(LoggedLogoutView, self).dispatch(request, *args, **kwargs)
         current_user = getattr(request, 'user', None)