diff --git a/awx/api/serializers.py b/awx/api/serializers.py index 987e3387a2..a5c960e9b7 100644 --- a/awx/api/serializers.py +++ b/awx/api/serializers.py @@ -7,6 +7,7 @@ import json import logging import re import yaml +import urllib.parse from collections import Counter, OrderedDict from datetime import timedelta from uuid import uuid4 @@ -45,6 +46,9 @@ from ansible_base.lib.utils.models import get_type_for_model from ansible_base.rbac.models import RoleEvaluation, ObjectRole from ansible_base.rbac import permission_registry +# django-flags +from flags.state import flag_enabled + # AWX from awx.main.access import get_user_capabilities from awx.main.constants import ACTIVE_STATES, org_role_to_permission @@ -732,7 +736,25 @@ class EmptySerializer(serializers.Serializer): pass -class UnifiedJobTemplateSerializer(BaseSerializer): +class OpaQueryPathEnabledMixin(serializers.Serializer): + def __init__(self, *args, **kwargs): + super().__init__(*args, **kwargs) + + if not flag_enabled("FEATURE_POLICY_AS_CODE_ENABLED") and 'opa_query_path' in self.fields: + self.fields.pop('opa_query_path') + + def validate_opa_query_path(self, value): + # Decode the URL and re-encode it + decoded_value = urllib.parse.unquote(value) + re_encoded_value = urllib.parse.quote(decoded_value, safe='/') + + if value != re_encoded_value: + raise serializers.ValidationError(_("The URL must be properly encoded.")) + + return value + + +class UnifiedJobTemplateSerializer(BaseSerializer, OpaQueryPathEnabledMixin): # As a base serializer, the capabilities prefetch is not used directly, # instead they are derived from the Workflow Job Template Serializer and the Job Template Serializer, respectively. capabilities_prefetch = [] @@ -1165,12 +1187,12 @@ class UserActivityStreamSerializer(UserSerializer): fields = ('*', '-is_system_auditor') -class OrganizationSerializer(BaseSerializer): +class OrganizationSerializer(BaseSerializer, OpaQueryPathEnabledMixin): show_capabilities = ['edit', 'delete'] class Meta: model = Organization - fields = ('*', 'max_hosts', 'custom_virtualenv', 'default_environment') + fields = ('*', 'max_hosts', 'custom_virtualenv', 'default_environment', 'opa_query_path') read_only_fields = ('*', 'custom_virtualenv') def get_related(self, obj): @@ -1524,7 +1546,7 @@ class LabelsListMixin(object): return res -class InventorySerializer(LabelsListMixin, BaseSerializerWithVariables): +class InventorySerializer(LabelsListMixin, BaseSerializerWithVariables, OpaQueryPathEnabledMixin): show_capabilities = ['edit', 'delete', 'adhoc', 'copy'] capabilities_prefetch = ['admin', 'adhoc', {'copy': 'organization.inventory_admin'}] @@ -1545,6 +1567,7 @@ class InventorySerializer(LabelsListMixin, BaseSerializerWithVariables): 'inventory_sources_with_failures', 'pending_deletion', 'prevent_instance_group_fallback', + 'opa_query_path', ) def get_related(self, obj): @@ -3247,6 +3270,7 @@ class JobTemplateSerializer(JobTemplateMixin, UnifiedJobTemplateSerializer, JobO 'webhook_service', 'webhook_credential', 'prevent_instance_group_fallback', + 'opa_query_path', ) read_only_fields = ('*', 'custom_virtualenv') diff --git a/awx/conf/fields.py b/awx/conf/fields.py index 923caa5a9f..3296c29c04 100644 --- a/awx/conf/fields.py +++ b/awx/conf/fields.py @@ -10,7 +10,7 @@ from django.core.validators import URLValidator, _lazy_re_compile from django.utils.translation import gettext_lazy as _ # Django REST Framework -from rest_framework.fields import BooleanField, CharField, ChoiceField, DictField, DateTimeField, EmailField, IntegerField, ListField # noqa +from rest_framework.fields import BooleanField, CharField, ChoiceField, DictField, DateTimeField, EmailField, IntegerField, ListField, FloatField # noqa from rest_framework.serializers import PrimaryKeyRelatedField # noqa # AWX diff --git a/awx/main/conf.py b/awx/main/conf.py index 39eb34dfdb..354e973a19 100644 --- a/awx/main/conf.py +++ b/awx/main/conf.py @@ -4,6 +4,7 @@ import logging # Django from django.core.checks import Error from django.utils.translation import gettext_lazy as _ +from django.conf import settings # Django REST Framework from rest_framework import serializers @@ -12,6 +13,7 @@ from rest_framework import serializers from awx.conf import fields, register, register_validate from awx.main.models import ExecutionEnvironment from awx.main.constants import SUBSCRIPTION_USAGE_MODEL_UNIQUE_HOSTS +from awx.main.tasks.policy import OPA_AUTH_TYPES logger = logging.getLogger('awx.main.conf') @@ -980,3 +982,125 @@ def csrf_trusted_origins_validate(serializer, attrs): register_validate('system', csrf_trusted_origins_validate) + + +if settings.FEATURE_POLICY_AS_CODE_ENABLED: # Unable to use flag_enabled due to AppRegistryNotReady error + register( + 'OPA_HOST', + field_class=fields.CharField, + label=_('OPA server hostname'), + default='', + help_text=_('The hostname used to connect to the OPA server. If empty, policy enforcement will be disabled.'), + category=('PolicyAsCode'), + category_slug='policyascode', + allow_blank=True, + ) + + register( + 'OPA_PORT', + field_class=fields.IntegerField, + label=_('OPA server port'), + default=8181, + help_text=_('The port used to connect to the OPA server. Defaults to 8181.'), + category=('PolicyAsCode'), + category_slug='policyascode', + ) + + register( + 'OPA_SSL', + field_class=fields.BooleanField, + label=_('Use SSL for OPA connection'), + default=False, + help_text=_('Enable or disable the use of SSL to connect to the OPA server. Defaults to false.'), + category=('PolicyAsCode'), + category_slug='policyascode', + ) + + register( + 'OPA_AUTH_TYPE', + field_class=fields.ChoiceField, + label=_('OPA authentication type'), + choices=[OPA_AUTH_TYPES.NONE, OPA_AUTH_TYPES.TOKEN, OPA_AUTH_TYPES.CERTIFICATE], + default=OPA_AUTH_TYPES.NONE, + help_text=_('The authentication type that will be used to connect to the OPA server: "None", "Token", or "Certificate".'), + category=('PolicyAsCode'), + category_slug='policyascode', + ) + + register( + 'OPA_AUTH_TOKEN', + field_class=fields.CharField, + label=_('OPA authentication token'), + default='', + help_text=_( + 'The token for authentication to the OPA server. Required when OPA_AUTH_TYPE is "Token". If an authorization header is defined in OPA_AUTH_CUSTOM_HEADERS, it will be overridden by OPA_AUTH_TOKEN.' + ), + category=('PolicyAsCode'), + category_slug='policyascode', + allow_blank=True, + encrypted=True, + ) + + register( + 'OPA_AUTH_CLIENT_CERT', + field_class=fields.CharField, + label=_('OPA client certificate content'), + default='', + help_text=_('The content of the client certificate file for mTLS authentication to the OPA server. Required when OPA_AUTH_TYPE is "Certificate".'), + category=('PolicyAsCode'), + category_slug='policyascode', + allow_blank=True, + ) + + register( + 'OPA_AUTH_CLIENT_KEY', + field_class=fields.CharField, + label=_('OPA client key content'), + default='', + help_text=_('The content of the client key for mTLS authentication to the OPA server. Required when OPA_AUTH_TYPE is "Certificate".'), + category=('PolicyAsCode'), + category_slug='policyascode', + allow_blank=True, + encrypted=True, + ) + + register( + 'OPA_AUTH_CA_CERT', + field_class=fields.CharField, + label=_('OPA CA certificate content'), + default='', + help_text=_('The content of the CA certificate for mTLS authentication to the OPA server. Required when OPA_AUTH_TYPE is "Certificate".'), + category=('PolicyAsCode'), + category_slug='policyascode', + allow_blank=True, + ) + + register( + 'OPA_AUTH_CUSTOM_HEADERS', + field_class=fields.DictField, + label=_('OPA custom authentication headers'), + default={}, + help_text=_('Optional custom headers included in requests to the OPA server. Defaults to empty dictionary ({}).'), + category=('PolicyAsCode'), + category_slug='policyascode', + ) + + register( + 'OPA_REQUEST_TIMEOUT', + field_class=fields.FloatField, + label=_('OPA request timeout'), + default=1.5, + help_text=_('The number of seconds after which the connection to the OPA server will time out. Defaults to 1.5 seconds.'), + category=('PolicyAsCode'), + category_slug='policyascode', + ) + + register( + 'OPA_REQUEST_RETRIES', + field_class=fields.IntegerField, + label=_('OPA request retry count'), + default=2, + help_text=_('The number of retry attempts for connecting to the OPA server. Default is 2.'), + category=('PolicyAsCode'), + category_slug='policyascode', + ) diff --git a/awx/main/exceptions.py b/awx/main/exceptions.py index 2cd9a44418..14618ddccd 100644 --- a/awx/main/exceptions.py +++ b/awx/main/exceptions.py @@ -38,5 +38,12 @@ class PostRunError(Exception): super(PostRunError, self).__init__(msg) +class PolicyEvaluationError(Exception): + def __init__(self, msg, status='failed', tb=''): + self.status = status + self.tb = tb + super(PolicyEvaluationError, self).__init__(msg) + + class ReceptorNodeNotFound(RuntimeError): pass diff --git a/awx/main/tasks/jobs.py b/awx/main/tasks/jobs.py index cdd6ea0616..b7787d8cc5 100644 --- a/awx/main/tasks/jobs.py +++ b/awx/main/tasks/jobs.py @@ -21,7 +21,6 @@ from django.conf import settings # Shared code for the AWX platform from awx_plugins.interfaces._temporary_private_container_api import CONTAINER_ROOT, get_incontainer_path - # Runner import ansible_runner @@ -29,7 +28,6 @@ import ansible_runner import git from gitdb.exc import BadName as BadGitName - # AWX from awx.main.dispatch.publish import task from awx.main.dispatch import get_task_queuename @@ -65,11 +63,12 @@ from awx.main.tasks.callback import ( RunnerCallbackForProjectUpdate, RunnerCallbackForSystemJob, ) +from awx.main.tasks.policy import evaluate_policy from awx.main.tasks.signals import with_signal_handling, signal_callback from awx.main.tasks.receptor import AWXReceptorJob from awx.main.tasks.facts import start_fact_cache, finish_fact_cache from awx.main.tasks.system import update_smart_memberships_for_inventory, update_inventory_computed_fields, events_processed_hook -from awx.main.exceptions import AwxTaskError, PostRunError, ReceptorNodeNotFound +from awx.main.exceptions import AwxTaskError, PolicyEvaluationError, PostRunError, ReceptorNodeNotFound from awx.main.utils.ansible import read_ansible_config from awx.main.utils.safe_yaml import safe_dump, sanitize_jinja from awx.main.utils.common import ( @@ -488,6 +487,7 @@ class BaseTask(object): self.instance.send_notification_templates("running") private_data_dir = self.build_private_data_dir(self.instance) self.pre_run_hook(self.instance, private_data_dir) + evaluate_policy(self.instance) self.build_project_dir(self.instance, private_data_dir) self.instance.log_lifecycle("preparing_playbook") if self.instance.cancel_flag or signal_callback(): @@ -619,6 +619,8 @@ class BaseTask(object): elif cancel_flag_value is False: self.runner_callback.delay_update(skip_if_already_set=True, job_explanation="The running ansible process received a shutdown signal.") status = 'failed' + except PolicyEvaluationError as exc: + self.runner_callback.delay_update(job_explanation=str(exc), result_traceback=str(exc)) except ReceptorNodeNotFound as exc: self.runner_callback.delay_update(job_explanation=str(exc)) except Exception: diff --git a/awx/main/tasks/policy.py b/awx/main/tasks/policy.py new file mode 100644 index 0000000000..1de7b50419 --- /dev/null +++ b/awx/main/tasks/policy.py @@ -0,0 +1,462 @@ +import json +import tempfile +import contextlib + +from pprint import pformat + +from typing import Optional, Union + +from django.conf import settings +from django.utils.translation import gettext_lazy as _ +from flags.state import flag_enabled +from opa_client import OpaClient +from opa_client.base import BaseClient +from requests import HTTPError +from rest_framework import serializers +from rest_framework import fields + +from awx.main import models +from awx.main.exceptions import PolicyEvaluationError + + +# Monkey patching opa_client.base.BaseClient to fix retries and timeout settings +_original_opa_base_client_init = BaseClient.__init__ + + +def _opa_base_client_init_fix( + self, + host: str = "localhost", + port: int = 8181, + version: str = "v1", + ssl: bool = False, + cert: Optional[Union[str, tuple]] = None, + headers: Optional[dict] = None, + retries: int = 2, + timeout: float = 1.5, +): + _original_opa_base_client_init(self, host, port, version, ssl, cert, headers) + self.retries = retries + self.timeout = timeout + + +BaseClient.__init__ = _opa_base_client_init_fix + + +class _TeamSerializer(serializers.ModelSerializer): + class Meta: + model = models.Team + fields = ('id', 'name') + + +class _UserSerializer(serializers.ModelSerializer): + teams = serializers.SerializerMethodField() + + class Meta: + model = models.User + fields = ('id', 'username', 'is_superuser', 'teams') + + def get_teams(self, user: models.User): + teams = models.Team.access_qs(user, 'member') + return _TeamSerializer(many=True).to_representation(teams) + + +class _ExecutionEnvironmentSerializer(serializers.ModelSerializer): + class Meta: + model = models.ExecutionEnvironment + fields = ( + 'id', + 'name', + 'image', + 'pull', + ) + + +class _InstanceGroupSerializer(serializers.ModelSerializer): + class Meta: + model = models.InstanceGroup + fields = ( + 'id', + 'name', + 'capacity', + 'jobs_running', + 'jobs_total', + 'max_concurrent_jobs', + 'max_forks', + ) + + +class _InventorySourceSerializer(serializers.ModelSerializer): + class Meta: + model = models.InventorySource + fields = ('id', 'name', 'source', 'status') + + +class _InventorySerializer(serializers.ModelSerializer): + inventory_sources = _InventorySourceSerializer(many=True) + + class Meta: + model = models.Inventory + fields = ( + 'id', + 'name', + 'description', + 'kind', + 'total_hosts', + 'total_groups', + 'has_inventory_sources', + 'total_inventory_sources', + 'has_active_failures', + 'hosts_with_active_failures', + 'inventory_sources', + ) + + +class _JobTemplateSerializer(serializers.ModelSerializer): + class Meta: + model = models.JobTemplate + fields = ( + 'id', + 'name', + 'job_type', + ) + + +class _WorkflowJobTemplateSerializer(serializers.ModelSerializer): + class Meta: + model = models.WorkflowJobTemplate + fields = ( + 'id', + 'name', + 'job_type', + ) + + +class _WorkflowJobSerializer(serializers.ModelSerializer): + class Meta: + model = models.WorkflowJob + fields = ( + 'id', + 'name', + ) + + +class _OrganizationSerializer(serializers.ModelSerializer): + class Meta: + model = models.Organization + fields = ( + 'id', + 'name', + ) + + +class _ProjectSerializer(serializers.ModelSerializer): + class Meta: + model = models.Project + fields = ( + 'id', + 'name', + 'status', + 'scm_type', + 'scm_url', + 'scm_branch', + 'scm_refspec', + 'scm_clean', + 'scm_track_submodules', + 'scm_delete_on_update', + ) + + +class _CredentialSerializer(serializers.ModelSerializer): + organization = _OrganizationSerializer() + + class Meta: + model = models.Credential + fields = ( + 'id', + 'name', + 'description', + 'organization', + 'credential_type', + 'managed', + 'kind', + 'cloud', + 'kubernetes', + ) + + +class _LabelSerializer(serializers.ModelSerializer): + organization = _OrganizationSerializer() + + class Meta: + model = models.Label + fields = ('id', 'name', 'organization') + + +class JobSerializer(serializers.ModelSerializer): + created_by = _UserSerializer() + credentials = _CredentialSerializer(many=True) + execution_environment = _ExecutionEnvironmentSerializer() + instance_group = _InstanceGroupSerializer() + inventory = _InventorySerializer() + job_template = _JobTemplateSerializer() + labels = _LabelSerializer(many=True) + organization = _OrganizationSerializer() + project = _ProjectSerializer() + extra_vars = fields.SerializerMethodField() + hosts_count = fields.SerializerMethodField() + workflow_job = fields.SerializerMethodField() + workflow_job_template = fields.SerializerMethodField() + + class Meta: + model = models.Job + fields = ( + 'id', + 'name', + 'created', + 'created_by', + 'credentials', + 'execution_environment', + 'extra_vars', + 'forks', + 'hosts_count', + 'instance_group', + 'inventory', + 'job_template', + 'job_type', + 'job_type_name', + 'labels', + 'launch_type', + 'limit', + 'launched_by', + 'organization', + 'playbook', + 'project', + 'scm_branch', + 'scm_revision', + 'workflow_job', + 'workflow_job_template', + ) + + def get_extra_vars(self, obj: models.Job): + return json.loads(obj.display_extra_vars()) + + def get_hosts_count(self, obj: models.Job): + return obj.hosts.count() + + def get_workflow_job(self, obj: models.Job): + workflow_job: models.WorkflowJob = obj.get_workflow_job() + if workflow_job is None: + return None + return _WorkflowJobSerializer().to_representation(workflow_job) + + def get_workflow_job_template(self, obj: models.Job): + workflow_job: models.WorkflowJob = obj.get_workflow_job() + if workflow_job is None: + return None + + workflow_job_template: models.WorkflowJobTemplate = workflow_job.workflow_job_template + if workflow_job_template is None: + return None + + return _WorkflowJobTemplateSerializer().to_representation(workflow_job_template) + + +class OPAResultSerializer(serializers.Serializer): + allowed = fields.BooleanField(required=True) + violations = fields.ListField(child=fields.CharField()) + + +class OPA_AUTH_TYPES: + NONE = 'None' + TOKEN = 'Token' + CERTIFICATE = 'Certificate' + + +@contextlib.contextmanager +def opa_cert_file(): + """ + Context manager that creates temporary certificate files for OPA authentication. + + For mTLS (mutual TLS), we need: + - Client certificate and key for client authentication + - CA certificate (optional) for server verification + + Returns: + tuple: (client_cert_path, verify_path) + - client_cert_path: Path to client cert file or None if not using client cert + - verify_path: Path to CA cert file, True to use system CA store, or False for no verification + """ + client_cert_temp = None + ca_temp = None + + try: + # Case 1: Full mTLS with client cert and optional CA cert + if settings.OPA_AUTH_TYPE == OPA_AUTH_TYPES.CERTIFICATE: + # Create client certificate file (required for mTLS) + client_cert_temp = tempfile.NamedTemporaryFile(delete=True, mode='w', suffix=".pem") + client_cert_temp.write(settings.OPA_AUTH_CLIENT_CERT) + client_cert_temp.write("\n") + client_cert_temp.write(settings.OPA_AUTH_CLIENT_KEY) + client_cert_temp.write("\n") + client_cert_temp.flush() + + # If CA cert is provided, use it for server verification + # Otherwise, use system CA store (True) + if settings.OPA_AUTH_CA_CERT: + ca_temp = tempfile.NamedTemporaryFile(delete=True, mode='w', suffix=".pem") + ca_temp.write(settings.OPA_AUTH_CA_CERT) + ca_temp.write("\n") + ca_temp.flush() + verify_path = ca_temp.name + else: + verify_path = True # Use system CA store + + yield (client_cert_temp.name, verify_path) + + # Case 2: TLS with only server verification (no client cert) + elif settings.OPA_SSL: + # If CA cert is provided, use it for server verification + # Otherwise, use system CA store (True) + if settings.OPA_AUTH_CA_CERT: + ca_temp = tempfile.NamedTemporaryFile(delete=True, mode='w', suffix=".pem") + ca_temp.write(settings.OPA_AUTH_CA_CERT) + ca_temp.write("\n") + ca_temp.flush() + verify_path = ca_temp.name + else: + verify_path = True # Use system CA store + + yield (None, verify_path) + + # Case 3: No TLS + else: + yield (None, False) + + finally: + # Clean up temporary files + if client_cert_temp: + client_cert_temp.close() + if ca_temp: + ca_temp.close() + + +@contextlib.contextmanager +def opa_client(headers=None): + with opa_cert_file() as cert_files: + cert, verify = cert_files + + with OpaClient( + host=settings.OPA_HOST, + port=settings.OPA_PORT, + headers=headers, + ssl=settings.OPA_SSL, + cert=cert, + timeout=settings.OPA_REQUEST_TIMEOUT, + retries=settings.OPA_REQUEST_RETRIES, + ) as client: + # Workaround for https://github.com/Turall/OPA-python-client/issues/32 + # by directly setting cert and verify on requests.session + client._session.cert = cert + client._session.verify = verify + + yield client + + +def evaluate_policy(instance): + # Policy evaluation for Policy as Code feature + if not flag_enabled("FEATURE_POLICY_AS_CODE_ENABLED"): + return + + if not settings.OPA_HOST: + return + + if not isinstance(instance, models.Job): + return + + instance.log_lifecycle("evaluate_policy") + + input_data = JobSerializer(instance=instance).data + + headers = settings.OPA_AUTH_CUSTOM_HEADERS + if settings.OPA_AUTH_TYPE == OPA_AUTH_TYPES.TOKEN: + headers.update({'Authorization': 'Bearer {}'.format(settings.OPA_AUTH_TOKEN)}) + + if settings.OPA_AUTH_TYPE == OPA_AUTH_TYPES.CERTIFICATE and not settings.OPA_SSL: + raise PolicyEvaluationError(_('OPA_AUTH_TYPE=Certificate requires OPA_SSL to be enabled.')) + + cert_settings_missing = [] + + if settings.OPA_AUTH_TYPE == OPA_AUTH_TYPES.CERTIFICATE: + if not settings.OPA_AUTH_CLIENT_CERT: + cert_settings_missing += ['OPA_AUTH_CLIENT_CERT'] + if not settings.OPA_AUTH_CLIENT_KEY: + cert_settings_missing += ['OPA_AUTH_CLIENT_KEY'] + if not settings.OPA_AUTH_CA_CERT: + cert_settings_missing += ['OPA_AUTH_CA_CERT'] + + if cert_settings_missing: + raise PolicyEvaluationError(_('Following certificate settings are missing for OPA_AUTH_TYPE=Certificate: {}').format(cert_settings_missing)) + + query_paths = [ + ('Organization', instance.organization.opa_query_path), + ('Inventory', instance.inventory.opa_query_path), + ('Job template', instance.job_template.opa_query_path), + ] + violations = dict() + errors = dict() + + try: + with opa_client(headers=headers) as client: + for path_type, query_path in query_paths: + response = dict() + try: + if not query_path: + continue + + response = client.query_rule(input_data=input_data, package_path=query_path) + + except HTTPError as e: + message = _('Call to OPA failed. Exception: {}').format(e) + try: + error_data = e.response.json() + except ValueError: + errors[path_type] = message + continue + + error_code = error_data.get("code") + error_message = error_data.get("message") + if error_code or error_message: + message = _('Call to OPA failed. Code: {}, Message: {}').format(error_code, error_message) + errors[path_type] = message + continue + + except Exception as e: + errors[path_type] = _('Call to OPA failed. Exception: {}').format(e) + continue + + result = response.get('result') + if result is None: + errors[path_type] = _('Call to OPA did not return a "result" property. The path refers to an undefined document.') + continue + + result_serializer = OPAResultSerializer(data=result) + if not result_serializer.is_valid(): + errors[path_type] = _('OPA policy returned invalid result.') + continue + + result_data = result_serializer.validated_data + if not result_data.get("allowed") and (result_violations := result_data.get("violations")): + violations[path_type] = result_violations + + format_results = dict() + if any(errors[e] for e in errors): + format_results["Errors"] = errors + + if any(violations[v] for v in violations): + format_results["Violations"] = violations + + if violations or errors: + raise PolicyEvaluationError(pformat(format_results, width=80)) + + except Exception as e: + raise PolicyEvaluationError(_('This job cannot be executed due to a policy violation or error. See the following details:\n{}').format(e)) diff --git a/awx/main/tests/functional/test_policy.py b/awx/main/tests/functional/test_policy.py new file mode 100644 index 0000000000..63ff41e0c4 --- /dev/null +++ b/awx/main/tests/functional/test_policy.py @@ -0,0 +1,633 @@ +import json +import os +from unittest import mock + +import pytest +import requests.exceptions +from django.test import override_settings + +from awx.main.models import ( + Job, + Inventory, + Project, + Organization, + JobTemplate, + Credential, + CredentialType, + User, + Team, + Label, + WorkflowJob, + WorkflowJobNode, + InventorySource, +) +from awx.main.exceptions import PolicyEvaluationError +from awx.main.tasks import policy +from awx.main.tasks.policy import JobSerializer, OPA_AUTH_TYPES + + +def _parse_exception_message(exception: PolicyEvaluationError): + pe_plain = str(exception.value) + + assert "This job cannot be executed due to a policy violation or error. See the following details:" in pe_plain + + violation_message = "This job cannot be executed due to a policy violation or error. See the following details:" + return eval(pe_plain.split(violation_message)[1].strip()) + + +@pytest.fixture(autouse=True) +def enable_flag(): + with override_settings( + OPA_HOST='opa.example.com', + FLAGS={"FEATURE_POLICY_AS_CODE_ENABLED": [("boolean", True)]}, + FLAG_SOURCES=('flags.sources.SettingsFlagsSource',), + ): + yield + + +@pytest.fixture +def opa_client(): + cls_mock = mock.MagicMock(name='OpaClient') + instance_mock = cls_mock.return_value + instance_mock.__enter__.return_value = instance_mock + + with mock.patch('awx.main.tasks.policy.OpaClient', cls_mock): + yield instance_mock + + +@pytest.fixture +def job(): + project: Project = Project.objects.create(name='proj1', scm_type='git', scm_branch='main', scm_url='https://git.example.com/proj1') + inventory: Inventory = Inventory.objects.create(name='inv1', opa_query_path="inventory/response") + org: Organization = Organization.objects.create(name="org1", opa_query_path="organization/response") + jt: JobTemplate = JobTemplate.objects.create(name="jt1", opa_query_path="job_template/response") + job: Job = Job.objects.create(name='job1', extra_vars="{}", inventory=inventory, project=project, organization=org, job_template=jt) + return job + + +@pytest.mark.django_db +def test_job_serializer(): + user: User = User.objects.create(username='user1') + org: Organization = Organization.objects.create(name='org1') + + team: Team = Team.objects.create(name='team1', organization=org) + team.admin_role.members.add(user) + + project: Project = Project.objects.create(name='proj1', scm_type='git', scm_branch='main', scm_url='https://git.example.com/proj1') + inventory: Inventory = Inventory.objects.create(name='inv1', description='Demo inventory') + inventory_source: InventorySource = InventorySource.objects.create(name='inv-src1', source='file', inventory=inventory) + extra_vars = {"FOO": "value1", "BAR": "value2"} + + CredentialType.setup_tower_managed_defaults() + cred_type_ssh: CredentialType = CredentialType.objects.get(kind='ssh') + cred: Credential = Credential.objects.create(name="cred1", description='Demo credential', credential_type=cred_type_ssh, organization=org) + + label: Label = Label.objects.create(name='label1', organization=org) + + job: Job = Job.objects.create( + name='job1', extra_vars=json.dumps(extra_vars), inventory=inventory, project=project, organization=org, created_by=user, launch_type='workflow' + ) + # job.unified_job_node.workflow_job = workflow_job + job.credentials.add(cred) + job.labels.add(label) + + workflow_job: WorkflowJob = WorkflowJob.objects.create(name='wf-job1') + WorkflowJobNode.objects.create(job=job, workflow_job=workflow_job) + + serializer = JobSerializer(instance=job) + + assert serializer.data == { + 'id': job.id, + 'name': 'job1', + 'created': job.created.strftime("%Y-%m-%dT%H:%M:%S.%fZ"), + 'created_by': { + 'id': user.id, + 'username': 'user1', + 'is_superuser': False, + 'teams': [ + {'id': team.id, 'name': 'team1'}, + ], + }, + 'credentials': [ + { + 'id': cred.id, + 'name': 'cred1', + 'description': 'Demo credential', + 'organization': { + 'id': org.id, + 'name': 'org1', + }, + 'credential_type': cred_type_ssh.id, + 'kind': 'ssh', + 'managed': False, + 'kubernetes': False, + 'cloud': False, + }, + ], + 'execution_environment': None, + 'extra_vars': extra_vars, + 'forks': 0, + 'hosts_count': 0, + 'instance_group': None, + 'inventory': { + 'id': inventory.id, + 'name': 'inv1', + 'description': 'Demo inventory', + 'kind': '', + 'total_hosts': 0, + 'total_groups': 0, + 'has_inventory_sources': False, + 'total_inventory_sources': 0, + 'has_active_failures': False, + 'hosts_with_active_failures': 0, + 'inventory_sources': [ + { + 'id': inventory_source.id, + 'name': 'inv-src1', + 'source': 'file', + 'status': 'never updated', + } + ], + }, + 'job_template': None, + 'job_type': 'run', + 'job_type_name': 'job', + 'labels': [ + { + 'id': label.id, + 'name': 'label1', + 'organization': { + 'id': org.id, + 'name': 'org1', + }, + }, + ], + 'launch_type': 'workflow', + 'limit': '', + 'launched_by': {}, + 'organization': { + 'id': org.id, + 'name': 'org1', + }, + 'playbook': '', + 'project': { + 'id': project.id, + 'name': 'proj1', + 'status': 'pending', + 'scm_type': 'git', + 'scm_url': 'https://git.example.com/proj1', + 'scm_branch': 'main', + 'scm_refspec': '', + 'scm_clean': False, + 'scm_track_submodules': False, + 'scm_delete_on_update': False, + }, + 'scm_branch': '', + 'scm_revision': '', + 'workflow_job': { + 'id': workflow_job.id, + 'name': 'wf-job1', + }, + 'workflow_job_template': None, + } + + +@pytest.mark.django_db +def test_evaluate_policy_missing_opa_query_path_field(opa_client): + project: Project = Project.objects.create(name='proj1', scm_type='git', scm_branch='main', scm_url='https://git.example.com/proj1') + inventory: Inventory = Inventory.objects.create(name='inv1') + org: Organization = Organization.objects.create(name="org1") + jt: JobTemplate = JobTemplate.objects.create(name="jt1") + job: Job = Job.objects.create(name='job1', extra_vars="{}", inventory=inventory, project=project, organization=org, job_template=jt) + + response = { + "result": { + "allowed": True, + "violations": [], + } + } + opa_client.query_rule.return_value = response + try: + policy.evaluate_policy(job) + except PolicyEvaluationError as e: + pytest.fail(f"Must not raise PolicyEvaluationError: {e}") + + assert opa_client.query_rule.call_count == 0 + + +@pytest.mark.django_db +def test_evaluate_policy(opa_client, job): + response = { + "result": { + "allowed": True, + "violations": [], + } + } + opa_client.query_rule.return_value = response + try: + policy.evaluate_policy(job) + except PolicyEvaluationError as e: + pytest.fail(f"Must not raise PolicyEvaluationError: {e}") + + opa_client.query_rule.assert_has_calls( + [ + mock.call(input_data=mock.ANY, package_path='organization/response'), + mock.call(input_data=mock.ANY, package_path='inventory/response'), + mock.call(input_data=mock.ANY, package_path='job_template/response'), + ], + any_order=False, + ) + assert opa_client.query_rule.call_count == 3 + + +@pytest.mark.django_db +def test_evaluate_policy_allowed(opa_client, job): + response = { + "result": { + "allowed": True, + "violations": [], + } + } + opa_client.query_rule.return_value = response + try: + policy.evaluate_policy(job) + except PolicyEvaluationError as e: + pytest.fail(f"Must not raise PolicyEvaluationError: {e}") + + assert opa_client.query_rule.call_count == 3 + + +@pytest.mark.django_db +def test_evaluate_policy_not_allowed(opa_client, job): + response = { + "result": { + "allowed": False, + "violations": ["Access not allowed."], + } + } + opa_client.query_rule.return_value = response + + with pytest.raises(PolicyEvaluationError) as pe: + policy.evaluate_policy(job) + + pe_plain = str(pe.value) + assert "Errors:" not in pe_plain + + exception = _parse_exception_message(pe) + + assert exception["Violations"]["Organization"] == ["Access not allowed."] + assert exception["Violations"]["Inventory"] == ["Access not allowed."] + assert exception["Violations"]["Job template"] == ["Access not allowed."] + + assert opa_client.query_rule.call_count == 3 + + +@pytest.mark.django_db +def test_evaluate_policy_not_found(opa_client, job): + response = {} + opa_client.query_rule.return_value = response + + with pytest.raises(PolicyEvaluationError) as pe: + policy.evaluate_policy(job) + + missing_result_property = 'Call to OPA did not return a "result" property. The path refers to an undefined document.' + + exception = _parse_exception_message(pe) + assert exception["Errors"]["Organization"] == missing_result_property + assert exception["Errors"]["Inventory"] == missing_result_property + assert exception["Errors"]["Job template"] == missing_result_property + + assert opa_client.query_rule.call_count == 3 + + +@pytest.mark.django_db +def test_evaluate_policy_server_error(opa_client, job): + http_error_msg = '500 Server Error: Internal Server Error for url: https://opa.example.com:8181/v1/data/job_template/response/invalid' + error_response = { + 'code': 'internal_error', + 'message': ( + '1 error occurred: 1:1: rego_type_error: undefined ref: data.job_template.response.invalid\n\t' + 'data.job_template.response.invalid\n\t' + ' ^\n\t' + ' have: "invalid"\n\t' + ' want (one of): ["allowed" "violations"]' + ), + } + response = mock.Mock() + response.status_code = requests.codes.internal_server_error + response.json.return_value = error_response + + opa_client.query_rule.side_effect = requests.exceptions.HTTPError(http_error_msg, response=response) + + with pytest.raises(PolicyEvaluationError) as pe: + policy.evaluate_policy(job) + + exception = _parse_exception_message(pe) + assert exception["Errors"]["Organization"] == f'Call to OPA failed. Code: internal_error, Message: {error_response["message"]}' + assert exception["Errors"]["Inventory"] == f'Call to OPA failed. Code: internal_error, Message: {error_response["message"]}' + assert exception["Errors"]["Job template"] == f'Call to OPA failed. Code: internal_error, Message: {error_response["message"]}' + + assert opa_client.query_rule.call_count == 3 + + +@pytest.mark.django_db +def test_evaluate_policy_invalid_result(opa_client, job): + response = { + "result": { + "absolutely": "no!", + } + } + opa_client.query_rule.return_value = response + + with pytest.raises(PolicyEvaluationError) as pe: + policy.evaluate_policy(job) + + invalid_result = 'OPA policy returned invalid result.' + + exception = _parse_exception_message(pe) + assert exception["Errors"]["Organization"] == invalid_result + assert exception["Errors"]["Inventory"] == invalid_result + assert exception["Errors"]["Job template"] == invalid_result + + assert opa_client.query_rule.call_count == 3 + + +@pytest.mark.django_db +def test_evaluate_policy_failed_exception(opa_client, job): + error_response = {} + response = mock.Mock() + response.status_code = requests.codes.internal_server_error + response.json.return_value = error_response + + opa_client.query_rule.side_effect = ValueError("Invalid JSON") + + with pytest.raises(PolicyEvaluationError) as pe: + policy.evaluate_policy(job) + + opa_failed_exception = 'Call to OPA failed. Exception: Invalid JSON' + + exception = _parse_exception_message(pe) + assert exception["Errors"]["Organization"] == opa_failed_exception + assert exception["Errors"]["Inventory"] == opa_failed_exception + assert exception["Errors"]["Job template"] == opa_failed_exception + + assert opa_client.query_rule.call_count == 3 + + +@pytest.mark.django_db +@pytest.mark.parametrize( + "settings_kwargs, expected_client_cert, expected_verify, verify_content", + [ + # Case 1: Certificate-based authentication (mTLS) + ( + { + "OPA_HOST": "opa.example.com", + "OPA_SSL": True, + "OPA_AUTH_TYPE": OPA_AUTH_TYPES.CERTIFICATE, + "OPA_AUTH_CLIENT_CERT": "-----BEGIN CERTIFICATE-----\nMIICert\n-----END CERTIFICATE-----", + "OPA_AUTH_CLIENT_KEY": "-----BEGIN PRIVATE KEY-----\nMIIKey\n-----END PRIVATE KEY-----", + "OPA_AUTH_CA_CERT": "-----BEGIN CERTIFICATE-----\nMIICACert\n-----END CERTIFICATE-----", + }, + True, # Client cert should be created + "file", # Verify path should be a file + "-----BEGIN CERTIFICATE-----", # Expected content in verify file + ), + # Case 2: SSL with server verification only + ( + { + "OPA_HOST": "opa.example.com", + "OPA_SSL": True, + "OPA_AUTH_TYPE": OPA_AUTH_TYPES.NONE, + "OPA_AUTH_CA_CERT": "-----BEGIN CERTIFICATE-----\nMIICACert\n-----END CERTIFICATE-----", + }, + False, # No client cert should be created + "file", # Verify path should be a file + "-----BEGIN CERTIFICATE-----", # Expected content in verify file + ), + # Case 3: SSL with system CA store + ( + { + "OPA_HOST": "opa.example.com", + "OPA_SSL": True, + "OPA_AUTH_TYPE": OPA_AUTH_TYPES.NONE, + "OPA_AUTH_CA_CERT": "", # No custom CA cert + }, + False, # No client cert should be created + True, # Verify path should be True (system CA store) + None, # No file to check content + ), + # Case 4: No SSL + ( + { + "OPA_HOST": "opa.example.com", + "OPA_SSL": False, + "OPA_AUTH_TYPE": OPA_AUTH_TYPES.NONE, + }, + False, # No client cert should be created + False, # Verify path should be False (no verification) + None, # No file to check content + ), + ], + ids=[ + "certificate_auth", + "ssl_server_verification", + "ssl_system_ca_store", + "no_ssl", + ], +) +def test_opa_cert_file(settings_kwargs, expected_client_cert, expected_verify, verify_content): + """Parameterized test for the opa_cert_file context manager. + + Tests different configurations: + - Certificate-based authentication (mTLS) + - SSL with server verification only + - SSL with system CA store + - No SSL + """ + with override_settings(**settings_kwargs): + client_cert_path = None + verify_path = None + + with policy.opa_cert_file() as cert_files: + client_cert_path, verify_path = cert_files + + # Check client cert based on expected_client_cert + if expected_client_cert: + assert client_cert_path is not None + with open(client_cert_path, 'r') as f: + content = f.read() + assert "-----BEGIN CERTIFICATE-----" in content + assert "-----BEGIN PRIVATE KEY-----" in content + else: + assert client_cert_path is None + + # Check verify path based on expected_verify + if expected_verify == "file": + assert verify_path is not None + assert os.path.isfile(verify_path) + with open(verify_path, 'r') as f: + content = f.read() + assert verify_content in content + else: + assert verify_path is expected_verify + + # Verify files are deleted after context manager exits + if expected_client_cert: + assert not os.path.exists(client_cert_path), "Client cert file was not deleted" + + if expected_verify == "file": + assert not os.path.exists(verify_path), "CA cert file was not deleted" + + +@pytest.mark.django_db +@override_settings( + OPA_HOST='opa.example.com', + OPA_SSL=False, # SSL disabled + OPA_AUTH_TYPE=OPA_AUTH_TYPES.CERTIFICATE, # But cert auth enabled + OPA_AUTH_CLIENT_CERT="-----BEGIN CERTIFICATE-----\nMIICert\n-----END CERTIFICATE-----", + OPA_AUTH_CLIENT_KEY="-----BEGIN PRIVATE KEY-----\nMIIKey\n-----END PRIVATE KEY-----", +) +def test_evaluate_policy_cert_auth_requires_ssl(): + """Test that policy evaluation raises an error when certificate auth is used without SSL.""" + project = Project.objects.create(name='proj1') + inventory = Inventory.objects.create(name='inv1', opa_query_path="inventory/response") + org = Organization.objects.create(name="org1", opa_query_path="organization/response") + jt = JobTemplate.objects.create(name="jt1", opa_query_path="job_template/response") + job = Job.objects.create(name='job1', extra_vars="{}", inventory=inventory, project=project, organization=org, job_template=jt) + + with pytest.raises(PolicyEvaluationError) as pe: + policy.evaluate_policy(job) + + assert "OPA_AUTH_TYPE=Certificate requires OPA_SSL to be enabled" in str(pe.value) + + +@pytest.mark.django_db +@override_settings( + OPA_HOST='opa.example.com', + OPA_SSL=True, + OPA_AUTH_TYPE=OPA_AUTH_TYPES.CERTIFICATE, + OPA_AUTH_CLIENT_CERT="", # Missing client cert + OPA_AUTH_CLIENT_KEY="", # Missing client key + OPA_AUTH_CA_CERT="", # Missing CA cert +) +def test_evaluate_policy_missing_cert_settings(): + """Test that policy evaluation raises an error when certificate settings are missing.""" + project = Project.objects.create(name='proj1') + inventory = Inventory.objects.create(name='inv1', opa_query_path="inventory/response") + org = Organization.objects.create(name="org1", opa_query_path="organization/response") + jt = JobTemplate.objects.create(name="jt1", opa_query_path="job_template/response") + job = Job.objects.create(name='job1', extra_vars="{}", inventory=inventory, project=project, organization=org, job_template=jt) + + with pytest.raises(PolicyEvaluationError) as pe: + policy.evaluate_policy(job) + + error_msg = str(pe.value) + assert "Following certificate settings are missing for OPA_AUTH_TYPE=Certificate:" in error_msg + assert "OPA_AUTH_CLIENT_CERT" in error_msg + assert "OPA_AUTH_CLIENT_KEY" in error_msg + assert "OPA_AUTH_CA_CERT" in error_msg + + +@pytest.mark.django_db +@override_settings( + OPA_HOST='opa.example.com', + OPA_PORT=8181, + OPA_SSL=True, + OPA_AUTH_TYPE=OPA_AUTH_TYPES.CERTIFICATE, + OPA_AUTH_CLIENT_CERT="-----BEGIN CERTIFICATE-----\nMIICert\n-----END CERTIFICATE-----", + OPA_AUTH_CLIENT_KEY="-----BEGIN PRIVATE KEY-----\nMIIKey\n-----END PRIVATE KEY-----", + OPA_AUTH_CA_CERT="-----BEGIN CERTIFICATE-----\nMIICACert\n-----END CERTIFICATE-----", + OPA_REQUEST_TIMEOUT=2.5, + OPA_REQUEST_RETRIES=3, +) +def test_opa_client_context_manager_mtls(): + """Test that opa_client context manager correctly initializes the OPA client.""" + # Mock the OpaClient class + with mock.patch('awx.main.tasks.policy.OpaClient') as mock_opa_client: + # Setup the mock + mock_instance = mock_opa_client.return_value + mock_instance.__enter__.return_value = mock_instance + mock_instance._session = mock.MagicMock() + + # Use the context manager + with policy.opa_client(headers={'Custom-Header': 'Value'}) as client: + # Verify the client was initialized with the correct parameters + mock_opa_client.assert_called_once_with( + host='opa.example.com', + port=8181, + headers={'Custom-Header': 'Value'}, + ssl=True, + cert=mock.ANY, # We can't check the exact value as it's a temporary file + timeout=2.5, + retries=3, + ) + + # Verify the session properties were set correctly + assert client._session.cert is not None + assert client._session.verify is not None + + # Check the content of the cert file + cert_file_path = client._session.cert + assert os.path.isfile(cert_file_path) + with open(cert_file_path, 'r') as f: + cert_content = f.read() + assert "-----BEGIN CERTIFICATE-----" in cert_content + assert "MIICert" in cert_content + assert "-----BEGIN PRIVATE KEY-----" in cert_content + assert "MIIKey" in cert_content + + # Check the content of the verify file + verify_file_path = client._session.verify + assert os.path.isfile(verify_file_path) + with open(verify_file_path, 'r') as f: + verify_content = f.read() + assert "-----BEGIN CERTIFICATE-----" in verify_content + assert "MIICACert" in verify_content + + # Verify the client is the mocked instance + assert client is mock_instance + + # Store file paths for checking after context exit + cert_path = client._session.cert + verify_path = client._session.verify + + # Verify files are deleted after context manager exits + assert not os.path.exists(cert_path), "Client cert file was not deleted" + assert not os.path.exists(verify_path), "CA cert file was not deleted" + + +@pytest.mark.django_db +@override_settings( + OPA_HOST='opa.example.com', + OPA_SSL=True, + OPA_AUTH_TYPE=OPA_AUTH_TYPES.TOKEN, + OPA_AUTH_TOKEN='secret-token', + OPA_AUTH_CUSTOM_HEADERS={'X-Custom': 'Header'}, +) +def test_opa_client_token_auth(): + """Test that token authentication correctly adds the Authorization header.""" + # Create a job for testing + project = Project.objects.create(name='proj1') + inventory = Inventory.objects.create(name='inv1', opa_query_path="inventory/response") + org = Organization.objects.create(name="org1", opa_query_path="organization/response") + jt = JobTemplate.objects.create(name="jt1", opa_query_path="job_template/response") + job = Job.objects.create(name='job1', extra_vars="{}", inventory=inventory, project=project, organization=org, job_template=jt) + + # Mock the OpaClient class + with mock.patch('awx.main.tasks.policy.opa_client') as mock_opa_client_cm: + # Setup the mock + mock_client = mock.MagicMock() + mock_opa_client_cm.return_value.__enter__.return_value = mock_client + mock_client.query_rule.return_value = { + "result": { + "allowed": True, + "violations": [], + } + } + + # Call evaluate_policy + policy.evaluate_policy(job) + + # Verify opa_client was called with the correct headers + expected_headers = {'X-Custom': 'Header', 'Authorization': 'Bearer secret-token'} + mock_opa_client_cm.assert_called_once_with(headers=expected_headers) diff --git a/awx/main/tests/unit/test_tasks.py b/awx/main/tests/unit/test_tasks.py index 9ac278b568..f62e547c28 100644 --- a/awx/main/tests/unit/test_tasks.py +++ b/awx/main/tests/unit/test_tasks.py @@ -472,7 +472,7 @@ class TestGenericRun: task.model.objects.get = mock.Mock(return_value=job) task.build_private_data_files = mock.Mock(side_effect=OSError()) - with mock.patch('awx.main.tasks.jobs.shutil.copytree'): + with mock.patch('awx.main.tasks.jobs.shutil.copytree'), mock.patch('awx.main.tasks.jobs.evaluate_policy'): with pytest.raises(Exception): task.run(1) diff --git a/awx/settings/defaults.py b/awx/settings/defaults.py index 533f49c935..f20df26c6b 100644 --- a/awx/settings/defaults.py +++ b/awx/settings/defaults.py @@ -1078,7 +1078,25 @@ INDIRECT_HOST_QUERY_FALLBACK_GIVEUP_DAYS = 3 INDIRECT_HOST_AUDIT_RECORD_MAX_AGE_DAYS = 7 -# feature flags -FLAGS = {'FEATURE_INDIRECT_NODE_COUNTING_ENABLED': [{'condition': 'boolean', 'value': False}]} +# setting for Policy as Code feature +FEATURE_POLICY_AS_CODE_ENABLED = False +OPA_HOST = '' # The hostname used to connect to the OPA server. If empty, policy enforcement will be disabled. +OPA_PORT = 8181 # The port used to connect to the OPA server. Defaults to 8181. +OPA_SSL = False # Enable or disable the use of SSL to connect to the OPA server. Defaults to false. + +OPA_AUTH_TYPE = 'None' # The authentication type that will be used to connect to the OPA server: "None", "Token", or "Certificate". +OPA_AUTH_TOKEN = '' # The token for authentication to the OPA server. Required when OPA_AUTH_TYPE is "Token". If an authorization header is defined in OPA_AUTH_CUSTOM_HEADERS, it will be overridden by OPA_AUTH_TOKEN. +OPA_AUTH_CLIENT_CERT = '' # The content of the client certificate file for mTLS authentication to the OPA server. Required when OPA_AUTH_TYPE is "Certificate". +OPA_AUTH_CLIENT_KEY = '' # The content of the client key for mTLS authentication to the OPA server. Required when OPA_AUTH_TYPE is "Certificate". +OPA_AUTH_CA_CERT = '' # The content of the CA certificate for mTLS authentication to the OPA server. Required when OPA_AUTH_TYPE is "Certificate". +OPA_AUTH_CUSTOM_HEADERS = {} # Optional custom headers included in requests to the OPA server. Defaults to empty dictionary ({}). +OPA_REQUEST_TIMEOUT = 1.5 # The number of seconds after which the connection to the OPA server will time out. Defaults to 1.5 seconds. +OPA_REQUEST_RETRIES = 2 # The number of retry attempts for connecting to the OPA server. Default is 2. + +# feature flags FLAG_SOURCES = ('flags.sources.SettingsFlagsSource',) +FLAGS = { + 'FEATURE_INDIRECT_NODE_COUNTING_ENABLED': [{'condition': 'boolean', 'value': False}], + 'FEATURE_POLICY_AS_CODE_ENABLED': [{'condition': 'boolean', 'value': False}], +} diff --git a/licenses/OPA-python-client.txt b/licenses/OPA-python-client.txt new file mode 100644 index 0000000000..442153459d --- /dev/null +++ b/licenses/OPA-python-client.txt @@ -0,0 +1,21 @@ +MIT License + +Copyright (c) 2019 Tural Muradov Mohubbet + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/licenses/aiodns.txt b/licenses/aiodns.txt new file mode 100644 index 0000000000..7497f5f911 --- /dev/null +++ b/licenses/aiodns.txt @@ -0,0 +1,19 @@ +Copyright (C) 2014 by Saúl Ibarra Corretgé + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. diff --git a/licenses/aiofiles.txt b/licenses/aiofiles.txt new file mode 100644 index 0000000000..5c304d1a4a --- /dev/null +++ b/licenses/aiofiles.txt @@ -0,0 +1,201 @@ +Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "{}" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright {yyyy} {name of copyright owner} + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/licenses/brotli.txt b/licenses/brotli.txt new file mode 100644 index 0000000000..33b7cdd2db --- /dev/null +++ b/licenses/brotli.txt @@ -0,0 +1,19 @@ +Copyright (c) 2009, 2010, 2013-2016 by the Brotli Authors. + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. diff --git a/licenses/pycares.txt b/licenses/pycares.txt new file mode 100644 index 0000000000..3424329be1 --- /dev/null +++ b/licenses/pycares.txt @@ -0,0 +1,19 @@ +Copyright (C) 2012 by Saúl Ibarra Corretgé + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. diff --git a/requirements/requirements.in b/requirements/requirements.in index 4e2e9eb6d2..3b9cb59b95 100644 --- a/requirements/requirements.in +++ b/requirements/requirements.in @@ -36,6 +36,7 @@ Markdown # used for formatting API help maturin # pydantic-core build dep msgpack msrestazure +OPA-python-client==2.0.2 # Code contain monkey patch targeted to 2.0.2 to fix https://github.com/Turall/OPA-python-client/issues/29 openshift opentelemetry-api~=1.24 # new y streams can be drastically different, in a good way opentelemetry-sdk~=1.24 diff --git a/requirements/requirements.txt b/requirements/requirements.txt index 2a405932f4..69b019b304 100644 --- a/requirements/requirements.txt +++ b/requirements/requirements.txt @@ -1,11 +1,16 @@ adal==1.2.7 # via msrestazure +aiodns==3.2.0 + # via aiohttp +aiofiles==24.1.0 + # via opa-python-client aiohappyeyeballs==2.4.4 # via aiohttp -aiohttp==3.11.11 +aiohttp[speedups]==3.11.11 # via # -r /awx_devel/requirements/requirements.in # aiohttp-retry + # opa-python-client # twilio aiohttp-retry==2.8.3 # via twilio @@ -72,6 +77,8 @@ botocore==1.35.96 # -r /awx_devel/requirements/requirements.in # boto3 # s3transfer +brotli==1.1.0 + # via aiohttp cachetools==5.5.0 # via google-auth # git+https://github.com/ansible/system-certifi.git@devel # git requirements installed separately @@ -83,6 +90,7 @@ cachetools==5.5.0 cffi==1.17.1 # via # cryptography + # pycares # pynacl channels==4.2.0 # via @@ -292,6 +300,8 @@ oauthlib==3.2.2 # django-oauth-toolkit # kubernetes # requests-oauthlib +opa-python-client==2.0.2 + # via -r /awx_devel/requirements/requirements.in openshift==0.13.2 # via -r /awx_devel/requirements/requirements.in opentelemetry-api==1.29.0 @@ -369,6 +379,8 @@ pyasn1-modules==0.4.1 # via # google-auth # service-identity +pycares==4.5.0 + # via aiodns pycparser==2.22 # via cffi pygerduty==0.38.3 @@ -438,6 +450,7 @@ requests==2.32.3 # kubernetes # msal # msrest + # opa-python-client # opentelemetry-exporter-otlp-proto-http # pygithub # python-dsv-sdk