Merge branch 'devel' into make_cloud_providers_dynamic_28722

.gitignore

@@ -31,7 +31,6 @@ tools/docker-compose/_build
 tools/docker-compose/_sources
 tools/docker-compose/overrides/
 tools/docker-compose-minikube/_sources
-tools/docker-compose/keycloak.awx.realm.json
 
 !tools/docker-compose/editable_dependencies
 tools/docker-compose/editable_dependencies/*

Makefile

@@ -31,10 +31,6 @@ COMPOSE_TAG ?= $(GIT_BRANCH)
 MAIN_NODE_TYPE ?= hybrid
 # If set to true docker-compose will also start a pgbouncer instance and use it
 PGBOUNCER ?= false
-# If set to true docker-compose will also start a keycloak instance
-KEYCLOAK ?= false
-# If set to true docker-compose will also start an ldap instance
-LDAP ?= false
 # If set to true docker-compose will also start a splunk instance
 SPLUNK ?= false
 # If set to true docker-compose will also start a prometheus instance
@@ -45,8 +41,6 @@ GRAFANA ?= false
 VAULT ?= false
 # If set to true docker-compose will also start a hashicorp vault instance with TLS enabled
 VAULT_TLS ?= false
-# If set to true docker-compose will also start a tacacs+ instance
-TACACS ?= false
 # If set to true docker-compose will also start an OpenTelemetry Collector instance
 OTEL ?= false
 # If set to true docker-compose will also start a Loki instance
@@ -345,7 +339,7 @@ api-lint:
 awx-link:
  [ -d "/awx_devel/awx.egg-info" ] || $(PYTHON) /awx_devel/tools/scripts/egg_info_dev
 
-TEST_DIRS ?= awx/main/tests/unit awx/main/tests/functional awx/conf/tests awx/sso/tests
+TEST_DIRS ?= awx/main/tests/unit awx/main/tests/functional awx/conf/tests
 PYTEST_ARGS ?= -n auto
 ## Run all API unit tests.
 test:
@@ -446,7 +440,7 @@ test_unit:
  @if [ "$(VENV_BASE)" ]; then \
  . $(VENV_BASE)/awx/bin/activate; \
  fi; \
- py.test awx/main/tests/unit awx/conf/tests/unit awx/sso/tests/unit
+ py.test awx/main/tests/unit awx/conf/tests/unit
 
 ## Output test coverage as HTML (into htmlcov directory).
 coverage_html:
@@ -507,14 +501,11 @@ docker-compose-sources: .git/hooks/pre-commit
  -e execution_node_count=$(EXECUTION_NODE_COUNT) \
  -e minikube_container_group=$(MINIKUBE_CONTAINER_GROUP) \
  -e enable_pgbouncer=$(PGBOUNCER) \
- -e enable_keycloak=$(KEYCLOAK) \
- -e enable_ldap=$(LDAP) \
  -e enable_splunk=$(SPLUNK) \
  -e enable_prometheus=$(PROMETHEUS) \
  -e enable_grafana=$(GRAFANA) \
  -e enable_vault=$(VAULT) \
  -e vault_tls=$(VAULT_TLS) \
- -e enable_tacacs=$(TACACS) \
  -e enable_otel=$(OTEL) \
  -e enable_loki=$(LOKI) \
  -e install_editable_dependencies=$(EDITABLE_DEPENDENCIES) \
@@ -525,8 +516,7 @@ docker-compose: awx/projects docker-compose-sources
  ansible-galaxy install --ignore-certs -r tools/docker-compose/ansible/requirements.yml;
  $(ANSIBLE_PLAYBOOK) -i tools/docker-compose/inventory tools/docker-compose/ansible/initialize_containers.yml \
  -e enable_vault=$(VAULT) \
- -e vault_tls=$(VAULT_TLS) \
- -e enable_ldap=$(LDAP); \
+ -e vault_tls=$(VAULT_TLS); \
  $(MAKE) docker-compose-up
 
 docker-compose-up:
@@ -598,7 +588,7 @@ docker-clean:
  -$(foreach image_id,$(shell docker images --filter=reference='*/*/*awx_devel*' --filter=reference='*/*awx_devel*' --filter=reference='*awx_devel*' -aq),docker rmi --force $(image_id);)
 
 docker-clean-volumes: docker-compose-clean docker-compose-container-group-clean
- docker volume rm -f tools_var_lib_awx tools_awx_db tools_awx_db_15 tools_vault_1 tools_ldap_1 tools_grafana_storage tools_prometheus_storage $(shell docker volume ls --filter name=tools_redis_socket_ -q)
+ docker volume rm -f tools_var_lib_awx tools_awx_db tools_awx_db_15 tools_vault_1 tools_grafana_storage tools_prometheus_storage $(shell docker volume ls --filter name=tools_redis_socket_ -q)
 
 docker-refresh: docker-clean docker-compose
 

awx/api/conf.py

@@ -8,7 +8,6 @@
 from awx.conf import fields, register, register_validate
 from awx.api.fields import OAuth2ProviderField
 from oauth2_provider.settings import oauth2_settings
-from awx.sso.common import is_remote_auth_enabled
 
 
 register(
@@ -35,10 +34,7 @@
  'DISABLE_LOCAL_AUTH',
  field_class=fields.BooleanField,
  label=_('Disable the built-in authentication system'),
- help_text=_(
- "Controls whether users are prevented from using the built-in authentication system. "
- "You probably want to do this if you are using an LDAP or SAML integration."
- ),
+ help_text=_("Controls whether users are prevented from using the built-in authentication system. "),
  category=_('Authentication'),
  category_slug='authentication',
 )
@@ -71,20 +67,6 @@
  category_slug='authentication',
  unit=_('seconds'),
 )
-register(
- 'ALLOW_OAUTH2_FOR_EXTERNAL_USERS',
- field_class=fields.BooleanField,
- default=False,
- label=_('Allow External Users to Create OAuth2 Tokens'),
- help_text=_(
- 'For security reasons, users from external auth providers (LDAP, SAML, '
- 'SSO, Radius, and others) are not allowed to create OAuth2 tokens. '
- 'To change this behavior, enable this setting. Existing tokens will '
- 'not be deleted when this setting is toggled off.'
- ),
- category=_('Authentication'),
- category_slug='authentication',
-)
 register(
  'LOGIN_REDIRECT_OVERRIDE',
  field_class=fields.CharField,
@@ -109,7 +91,7 @@
 
 
 def authentication_validate(serializer, attrs):
- if attrs.get('DISABLE_LOCAL_AUTH', False) and not is_remote_auth_enabled():
+ if attrs.get('DISABLE_LOCAL_AUTH', False):
  raise serializers.ValidationError(_("There are no remote authentication systems configured."))
  return attrs
 

awx/api/generics.py

@@ -14,7 +14,7 @@
 from django.db import connection, transaction
 from django.db.models.fields.related import OneToOneRel
 from django.http import QueryDict
-from django.shortcuts import get_object_or_404
+from django.shortcuts import get_object_or_404, redirect
 from django.template.loader import render_to_string
 from django.utils.encoding import smart_str
 from django.utils.safestring import mark_safe
@@ -36,7 +36,7 @@
 # django-ansible-base
 from ansible_base.rest_filters.rest_framework.field_lookup_backend import FieldLookupBackend
 from ansible_base.lib.utils.models import get_all_field_names
-from ansible_base.lib.utils.requests import get_remote_host
+from ansible_base.lib.utils.requests import get_remote_host, is_proxied_request
 from ansible_base.rbac.models import RoleEvaluation, RoleDefinition
 from ansible_base.rbac.permission_registry import permission_registry
 from ansible_base.jwt_consumer.common.util import validate_x_trusted_proxy_header
@@ -82,6 +82,12 @@
 
 class LoggedLoginView(auth_views.LoginView):
  def get(self, request, *args, **kwargs):
+ if is_proxied_request():
+ next = request.GET.get('next', "")
+ if next:
+ next = f"?next={next}"
+ return redirect(f"/{next}")
+
  # The django.auth.contrib login form doesn't perform the content
  # negotiation we've come to expect from DRF; add in code to catch
  # situations where Accept != text/html (or */*) and reply with
@@ -97,6 +103,15 @@ def get(self, request, *args, **kwargs):
  return super(LoggedLoginView, self).get(request, *args, **kwargs)
 
  def post(self, request, *args, **kwargs):
+ if is_proxied_request():
+ # Give a message, saying to login via AAP
+ return Response(
+ {
+ 'detail': _('Please log in via Platform Authentication.'),
+ },
+ status=status.HTTP_401_UNAUTHORIZED,
+ )
+
  ret = super(LoggedLoginView, self).post(request, *args, **kwargs)
  ip = get_remote_host(request) # request.META.get('REMOTE_ADDR', None)
  if request.user.is_authenticated:
@@ -115,10 +130,15 @@ def post(self, request, *args, **kwargs):
 
 
 class LoggedLogoutView(auth_views.LogoutView):
-
  success_url_allowed_hosts = set(settings.LOGOUT_ALLOWED_HOSTS.split(",")) if settings.LOGOUT_ALLOWED_HOSTS else set()
 
  def dispatch(self, request, *args, **kwargs):
+ if is_proxied_request():
+ # 1) We intentionally don't obey ?next= here, just always redirect to platform login
+ # 2) Hack to prevent rewrites of Location header
+ qs = "?__gateway_no_rewrite__=1&next=/"
+ return redirect(f"/api/gateway/v1/logout/{qs}")
+
  original_user = getattr(request, 'user', None)
  ret = super(LoggedLogoutView, self).dispatch(request, *args, **kwargs)
  current_user = getattr(request, 'user', None)

awx/api/serializers.py

@@ -135,8 +135,6 @@
 # AWX Utils
 from awx.api.validators import HostnameRegexValidator
 
-from awx.sso.common import get_external_account
-
 logger = logging.getLogger('awx.api.serializers')
 
 # Fields that should be summarized regardless of object type.
@@ -962,8 +960,6 @@ def get_types(self):
 
 class UserSerializer(BaseSerializer):
  password = serializers.CharField(required=False, default='', help_text=_('Field used to change the password.'))
- ldap_dn = serializers.CharField(source='profile.ldap_dn', read_only=True)
- external_account = serializers.SerializerMethodField(help_text=_('Set if the account is managed by an external service'))
  is_system_auditor = serializers.BooleanField(default=False)
  show_capabilities = ['edit', 'delete']
 
@@ -980,22 +976,13 @@ class Meta:
  'is_superuser',
  'is_system_auditor',
  'password',
- 'ldap_dn',
  'last_login',
- 'external_account',
  )
  extra_kwargs = {'last_login': {'read_only': True}}
 
  def to_representation(self, obj):
  ret = super(UserSerializer, self).to_representation(obj)
- if self.get_external_account(obj):
- # If this is an external account it shouldn't have a password field
- ret.pop('password', None)
- else:
- # If its an internal account lets assume there is a password and return $encrypted$ to the user
- ret['password'] = '$encrypted$'
- if obj and type(self) is UserSerializer:
- ret['auth'] = obj.social_auth.values('provider', 'uid')
+ ret['password'] = '$encrypted$'
  return ret
 
  def get_validation_exclusions(self, obj=None):
@@ -1028,10 +1015,7 @@ def validate_password(self, value):
  return value
 
  def _update_password(self, obj, new_password):
- # For now we're not raising an error, just not saving password for
- # users managed by LDAP who already have an unusable password set.
- # Get external password will return something like ldap or enterprise or None if the user isn't external. We only want to allow a password update for a None option
- if new_password and new_password != '$encrypted$' and not self.get_external_account(obj):
+ if new_password and new_password != '$encrypted$':
  obj.set_password(new_password)
  obj.save(update_fields=['password'])
 
@@ -1046,9 +1030,6 @@ def _update_password(self, obj, new_password):
  obj.set_unusable_password()
  obj.save(update_fields=['password'])
 
- def get_external_account(self, obj):
- return get_external_account(obj)
-
  def create(self, validated_data):
  new_password = validated_data.pop('password', None)
  is_system_auditor = validated_data.pop('is_system_auditor', None)
@@ -1086,37 +1067,6 @@ def get_related(self, obj):
  )
  return res
 
- def _validate_ldap_managed_field(self, value, field_name):
- if not getattr(settings, 'AUTH_LDAP_SERVER_URI', None):
- return value
- try:
- is_ldap_user = bool(self.instance and self.instance.profile.ldap_dn)
- except AttributeError:
- is_ldap_user = False
- if is_ldap_user:
- ldap_managed_fields = ['username']
- ldap_managed_fields.extend(getattr(settings, 'AUTH_LDAP_USER_ATTR_MAP', {}).keys())
- ldap_managed_fields.extend(getattr(settings, 'AUTH_LDAP_USER_FLAGS_BY_GROUP', {}).keys())
- if field_name in ldap_managed_fields:
- if value != getattr(self.instance, field_name):
- raise serializers.ValidationError(_('Unable to change %s on user managed by LDAP.') % field_name)
- return value
-
- def validate_username(self, value):
- return self._validate_ldap_managed_field(value, 'username')
-
- def validate_first_name(self, value):
- return self._validate_ldap_managed_field(value, 'first_name')
-
- def validate_last_name(self, value):
- return self._validate_ldap_managed_field(value, 'last_name')
-
- def validate_email(self, value):
- return self._validate_ldap_managed_field(value, 'email')
-
- def validate_is_superuser(self, value):
- return self._validate_ldap_managed_field(value, 'is_superuser')
-
 
 class UserActivityStreamSerializer(UserSerializer):
  """Changes to system auditor status are shown as separate entries,

awx/api/urls/urls.py

@@ -15,7 +15,6 @@
  ApiV2AttachView,
 )
 from awx.api.views import (
- AuthView,
  UserMeList,
  DashboardView,
  DashboardJobsGraphView,
@@ -106,7 +105,6 @@
  re_path(r'^config/$', ApiV2ConfigView.as_view(), name='api_v2_config_view'),
  re_path(r'^config/subscriptions/$', ApiV2SubscriptionView.as_view(), name='api_v2_subscription_view'),
  re_path(r'^config/attach/$', ApiV2AttachView.as_view(), name='api_v2_attach_view'),
- re_path(r'^auth/$', AuthView.as_view()),
  re_path(r'^me/$', UserMeList.as_view(), name='user_me_list'),
  re_path(r'^dashboard/$', DashboardView.as_view(), name='dashboard_view'),
  re_path(r'^dashboard/graphs/jobs/$', DashboardJobsGraphView.as_view(), name='dashboard_jobs_graph_view'),

awx/api/views/__init__.py

@@ -36,7 +36,7 @@
 # Django REST Framework
 from rest_framework.exceptions import APIException, PermissionDenied, ParseError, NotFound
 from rest_framework.parsers import FormParser
-from rest_framework.permissions import AllowAny, IsAuthenticated
+from rest_framework.permissions import IsAuthenticated
 from rest_framework.renderers import JSONRenderer, StaticHTMLRenderer
 from rest_framework.response import Response
 from rest_framework.settings import api_settings
@@ -50,9 +50,6 @@
 # ansi2html
 from ansi2html import Ansi2HTMLConverter
 
-# Python Social Auth
-from social_core.backends.utils import load_backends
-
 # Django OAuth Toolkit
 from oauth2_provider.models import get_access_token_model
 
@@ -677,41 +674,6 @@ class ScheduleUnifiedJobsList(SubListAPIView):
  name = _('Schedule Jobs List')
 
 
-class AuthView(APIView):
- '''List enabled single-sign-on endpoints'''
-
- authentication_classes = []
- permission_classes = (AllowAny,)
- swagger_topic = 'System Configuration'
-
- def get(self, request):
- from rest_framework.reverse import reverse
-
- data = OrderedDict()
- err_backend, err_message = request.session.get('social_auth_error', (None, None))
- auth_backends = list(load_backends(settings.AUTHENTICATION_BACKENDS, force_load=True).items())
- # Return auth backends in consistent order: Google, GitHub, SAML.
- auth_backends.sort(key=lambda x: 'g' if x[0] == 'google-oauth2' else x[0])
- for name, backend in auth_backends:
- login_url = reverse('social:begin', args=(name,))
- complete_url = request.build_absolute_uri(reverse('social:complete', args=(name,)))
- backend_data = {'login_url': login_url, 'complete_url': complete_url}
- if name == 'saml':
- backend_data['metadata_url'] = reverse('sso:saml_metadata')
- for idp in sorted(settings.SOCIAL_AUTH_SAML_ENABLED_IDPS.keys()):
- saml_backend_data = dict(backend_data.items())
- saml_backend_data['login_url'] = '%s?idp=%s' % (login_url, idp)
- full_backend_name = '%s:%s' % (name, idp)
- if (err_backend == full_backend_name or err_backend == name) and err_message:
- saml_backend_data['error'] = err_message
- data[full_backend_name] = saml_backend_data
- else:
- if err_backend == name and err_message:
- backend_data['error'] = err_message
- data[name] = backend_data
- return Response(data)
-
-
 def immutablesharedfields(cls):
  '''
  Class decorator to prevent modifying shared resources when ALLOW_LOCAL_RESOURCE_MANAGEMENT setting is set to False.

awx/api/views/root.py

@@ -295,15 +295,6 @@ def get(self, request, format=None):
  become_methods=PRIVILEGE_ESCALATION_METHODS,
  )
 
- # If LDAP is enabled, user_ldap_fields will return a list of field
- # names that are managed by LDAP and should be read-only for users with
- # a non-empty ldap_dn attribute.
- if getattr(settings, 'AUTH_LDAP_SERVER_URI', None):
- user_ldap_fields = ['username', 'password']
- user_ldap_fields.extend(getattr(settings, 'AUTH_LDAP_USER_ATTR_MAP', {}).keys())
- user_ldap_fields.extend(getattr(settings, 'AUTH_LDAP_USER_FLAGS_BY_GROUP', {}).keys())
- data['user_ldap_fields'] = user_ldap_fields
-
  if (
  request.user.is_superuser
  or request.user.is_system_auditor