Merge pull request #13213 from AlanCoding/execution_signing

Fix fallout from turning off work signing in docker-compose
2026-01-17 04:31:21 -03:30 · 2022-11-18 15:22:18 -05:00 · 2022-11-18 15:22:18 -05:00 · 239959a4c9
commit 239959a4c9
parent 9d7b249b20 84f2b91105
2 changed files with 29 additions and 15 deletions
--- a/awx/main/tasks/receptor.py
+++ b/awx/main/tasks/receptor.py
@ -61,10 +61,15 @@ def read_receptor_config():
            return yaml.safe_load(f)


-def get_receptor_sockfile():
-    data = read_receptor_config()
+def work_signing_enabled(config_data):
+    for section in config_data:
+        if 'work-verification' in section:
+            return True
+    return False

-    for section in data:
+
+def get_receptor_sockfile(config_data):
+    for section in config_data:
        for entry_name, entry_data in section.items():
            if entry_name == 'control-service':
                if 'filename' in entry_data:
@ -75,12 +80,11 @@ def get_receptor_sockfile():
        raise RuntimeError(f'Receptor conf {__RECEPTOR_CONF} does not have control-service entry needed to get sockfile')


-def get_tls_client(use_stream_tls=None):
+def get_tls_client(config_data, use_stream_tls=None):
    if not use_stream_tls:
        return None

-    data = read_receptor_config()
-    for section in data:
+    for section in config_data:
        for entry_name, entry_data in section.items():
            if entry_name == 'tls-client':
                if 'name' in entry_data:
@ -88,10 +92,12 @@ def get_tls_client(use_stream_tls=None):
    return None


-def get_receptor_ctl():
-    receptor_sockfile = get_receptor_sockfile()
+def get_receptor_ctl(config_data=None):
+    if config_data is None:
+        config_data = read_receptor_config()
+    receptor_sockfile = get_receptor_sockfile(config_data)
    try:
-        return ReceptorControl(receptor_sockfile, config=__RECEPTOR_CONF, tlsclient=get_tls_client(True))
+        return ReceptorControl(receptor_sockfile, config=__RECEPTOR_CONF, tlsclient=get_tls_client(config_data, True))
    except RuntimeError:
        return ReceptorControl(receptor_sockfile)

@ -159,15 +165,18 @@ def run_until_complete(node, timing_data=None, **kwargs):
    """
    Runs an ansible-runner work_type on remote node, waits until it completes, then returns stdout.
    """
-    receptor_ctl = get_receptor_ctl()
+    config_data = read_receptor_config()
+    receptor_ctl = get_receptor_ctl(config_data)

    use_stream_tls = getattr(get_conn_type(node, receptor_ctl), 'name', None) == "STREAMTLS"
-    kwargs.setdefault('tlsclient', get_tls_client(use_stream_tls))
+    kwargs.setdefault('tlsclient', get_tls_client(config_data, use_stream_tls))
    kwargs.setdefault('ttl', '20s')
    kwargs.setdefault('payload', '')
+    if work_signing_enabled(config_data):
+        kwargs['signwork'] = True

    transmit_start = time.time()
-    result = receptor_ctl.submit_work(worktype='ansible-runner', node=node, signwork=True, **kwargs)
+    result = receptor_ctl.submit_work(worktype='ansible-runner', node=node, **kwargs)

    unit_id = result['unitid']
    run_start = time.time()
@ -302,7 +311,8 @@ class AWXReceptorJob:

    def run(self):
        # We establish a connection to the Receptor socket
-        receptor_ctl = get_receptor_ctl()
+        self.config_data = read_receptor_config()
+        receptor_ctl = get_receptor_ctl(self.config_data)

        res = None
        try:
@ -327,7 +337,7 @@ class AWXReceptorJob:
        if self.work_type == 'ansible-runner':
            work_submit_kw['node'] = self.task.instance.execution_node
            use_stream_tls = get_conn_type(work_submit_kw['node'], receptor_ctl).name == "STREAMTLS"
-            work_submit_kw['tlsclient'] = get_tls_client(use_stream_tls)
+            work_submit_kw['tlsclient'] = get_tls_client(self.config_data, use_stream_tls)

        with concurrent.futures.ThreadPoolExecutor(max_workers=1) as executor:
            transmitter_future = executor.submit(self.transmit, sockin)
@ -477,7 +487,9 @@ class AWXReceptorJob:

    @property
    def sign_work(self):
-        return True if self.work_type in ('ansible-runner', 'local') else False
+        if self.work_type in ('ansible-runner', 'local'):
+            return work_signing_enabled(self.config_data)
+        return False

    @property
    def work_type(self):
--- a/tools/docker-compose/ansible/roles/sources/templates/receptor-worker.conf.j2
+++ b/tools/docker-compose/ansible/roles/sources/templates/receptor-worker.conf.j2
@ -8,8 +8,10 @@
    address: tools_receptor_hop:5555
    redial: true

+{% if sign_work|bool %}
 - work-verification:
    publickey: /etc/receptor/work_public_key.pem
+{% endif %}

 - work-command:
    worktype: ansible-runner