From 2d648d1225dbfc43b20e76f84791dc26ac542bc4 Mon Sep 17 00:00:00 2001 From: Hao Liu <44379968+TheRealHaoLiu@users.noreply.github.com> Date: Mon, 24 Feb 2025 15:58:57 -0500 Subject: [PATCH] [Feature][release_4.6] Policy as Code MVP part 1 (#6848) --- awx/conf/fields.py | 2 +- awx/main/conf.py | 123 ++++++++++ awx/main/exceptions.py | 7 + awx/main/tasks/jobs.py | 12 +- awx/main/tasks/policy.py | 286 +++++++++++++++++++++++ awx/main/tests/functional/test_policy.py | 182 +++++++++++++++ awx/main/tests/unit/test_tasks.py | 2 +- awx/settings/defaults.py | 20 +- licenses/OPA-python-client.txt | 21 ++ licenses/aiodns.txt | 19 ++ licenses/aiofiles.txt | 201 ++++++++++++++++ licenses/brotli.txt | 19 ++ licenses/pycares.txt | 19 ++ requirements/requirements.in | 1 + requirements/requirements.txt | 20 +- 15 files changed, 922 insertions(+), 12 deletions(-) create mode 100644 awx/main/tasks/policy.py create mode 100644 awx/main/tests/functional/test_policy.py create mode 100644 licenses/OPA-python-client.txt create mode 100644 licenses/aiodns.txt create mode 100644 licenses/aiofiles.txt create mode 100644 licenses/brotli.txt create mode 100644 licenses/pycares.txt diff --git a/awx/conf/fields.py b/awx/conf/fields.py index f25b722ece..7644251ba8 100644 --- a/awx/conf/fields.py +++ b/awx/conf/fields.py @@ -10,7 +10,7 @@ from django.core.validators import URLValidator, _lazy_re_compile from django.utils.translation import gettext_lazy as _ # Django REST Framework -from rest_framework.fields import BooleanField, CharField, ChoiceField, DictField, DateTimeField, EmailField, IntegerField, ListField # noqa +from rest_framework.fields import BooleanField, CharField, ChoiceField, DictField, DateTimeField, EmailField, IntegerField, ListField, FloatField # noqa from rest_framework.serializers import PrimaryKeyRelatedField # noqa # AWX diff --git a/awx/main/conf.py b/awx/main/conf.py index 8753e88bdd..7d6f5b139b 100644 --- a/awx/main/conf.py +++ b/awx/main/conf.py @@ -4,6 +4,7 @@ import logging # Django from django.core.checks import Error from django.utils.translation import gettext_lazy as _ +from django.conf import settings # Django REST Framework from rest_framework import serializers @@ -12,6 +13,7 @@ from rest_framework import serializers from awx.conf import fields, register, register_validate from awx.main.models import ExecutionEnvironment from awx.main.constants import SUBSCRIPTION_USAGE_MODEL_UNIQUE_HOSTS +from awx.main.tasks.policy import OPA_AUTH_TYPES logger = logging.getLogger('awx.main.conf') @@ -993,3 +995,124 @@ def csrf_trusted_origins_validate(serializer, attrs): register_validate('system', csrf_trusted_origins_validate) + + +if settings.FEATURE_POLICY_AS_CODE_ENABLED: # Unable to use flag_enabled due to AppRegistryNotReady error + register( + 'OPA_HOST', + field_class=fields.CharField, + label=_('OPA Server Hostname'), + default='', + help_text=_('Host to connect to OPA service, when set to the default value of "" policy enforcement will be disabled.'), + category=('PolicyAsCode'), + category_slug='policyascode', + allow_blank=True, + ) + + register( + 'OPA_PORT', + field_class=fields.IntegerField, + label=_('OPA Server Port'), + default=8181, + help_text=_('Port to connect to OPA service, defaults to 8181.'), + category=('PolicyAsCode'), + category_slug='policyascode', + ) + + register( + 'OPA_SSL', + field_class=fields.BooleanField, + label=_('Use SSL for OPA Connection'), + default=False, + help_text=_('Use SSL to connect to OPA service, defaults to False.'), + category=('PolicyAsCode'), + category_slug='policyascode', + ) + + register( + 'OPA_AUTH_TYPE', + field_class=fields.ChoiceField, + label=_('OPA Authentication Type'), + choices=[OPA_AUTH_TYPES.NONE, OPA_AUTH_TYPES.TOKEN, OPA_AUTH_TYPES.CERTIFICATE], + default=OPA_AUTH_TYPES.NONE, + help_text=_('Authentication type for OPA: "None", "Token", or "Certificate".'), + category=('PolicyAsCode'), + category_slug='policyascode', + ) + + register( + 'OPA_AUTH_TOKEN', + field_class=fields.CharField, + label=_('OPA Authentication Token'), + default='', + help_text=_('Token for OPA authentication, required when OPA_AUTH_TYPE is "Token".'), + category=('PolicyAsCode'), + category_slug='policyascode', + allow_blank=True, + encrypted=True, + ) + + register( + 'OPA_AUTH_CLIENT_CERT', + field_class=fields.CharField, + label=_('OPA Client Certificate Content'), + default='', + help_text=_('Content of the client certificate file for mTLS authentication, required when OPA_AUTH_TYPE is "Certificate".'), + category=('PolicyAsCode'), + category_slug='policyascode', + allow_blank=True, + ) + + register( + 'OPA_AUTH_CLIENT_KEY', + field_class=fields.CharField, + label=_('OPA Client Key Content'), + default='', + help_text=_('Content of the client key for mTLS authentication, required when OPA_AUTH_TYPE is "Certificate".'), + category=('PolicyAsCode'), + category_slug='policyascode', + allow_blank=True, + encrypted=True, + ) + + register( + 'OPA_AUTH_CA_CERT', + field_class=fields.CharField, + label=_('OPA CA Certificate Content'), + default='', + help_text=_('Content of the CA certificate for mTLS authentication, required when OPA_AUTH_TYPE is "Certificate".'), + category=('PolicyAsCode'), + category_slug='policyascode', + allow_blank=True, + ) + + register( + 'OPA_AUTH_CUSTOM_HEADERS', + field_class=fields.DictField, + label=_('OPA Custom Authentication Headers'), + default={}, + help_text=_('Custom headers for OPA authentication, defaults to {}, this will be added to the request headers. TODO: currently unimplemented.'), + category=('PolicyAsCode'), + category_slug='policyascode', + encrypted=True, + ) + + register( + 'OPA_REQUEST_TIMEOUT', + field_class=fields.FloatField, + label=_('OPA Request Timeout'), + default=1.5, + help_text=_('Connection timeout in seconds, defaults to 1.5 seconds.'), + category=('PolicyAsCode'), + category_slug='policyascode', + ) + + register( + 'OPA_REQUEST_RETRIES', + field_class=fields.IntegerField, + label=_('OPA Request Retry Count'), + default=2, + help_text=_('Number of retries to connect to OPA service, defaults to 2.'), + category=('PolicyAsCode'), + category_slug='policyascode', + ) diff --git a/awx/main/exceptions.py b/awx/main/exceptions.py index 2cd9a44418..14618ddccd 100644 --- a/awx/main/exceptions.py +++ b/awx/main/exceptions.py @@ -38,5 +38,12 @@ class PostRunError(Exception): super(PostRunError, self).__init__(msg) +class PolicyEvaluationError(Exception): + def __init__(self, msg, status='failed', tb=''): + self.status = status + self.tb = tb + super(PolicyEvaluationError, self).__init__(msg) + + class ReceptorNodeNotFound(RuntimeError): pass diff --git a/awx/main/tasks/jobs.py b/awx/main/tasks/jobs.py index 9c7f56dd39..d077bed816 100644 --- a/awx/main/tasks/jobs.py +++ b/awx/main/tasks/jobs.py @@ -17,7 +17,8 @@ import urllib.parse as urlparse # Django from django.conf import settings - +from django.utils.translation import gettext_lazy as _ +from rest_framework.exceptions import PermissionDenied # Runner import ansible_runner @@ -26,7 +27,6 @@ import ansible_runner import git from gitdb.exc import BadName as BadGitName - # AWX from awx.main.dispatch.publish import task from awx.main.dispatch import get_task_queuename @@ -62,10 +62,11 @@ from awx.main.tasks.callback import ( RunnerCallbackForProjectUpdate, RunnerCallbackForSystemJob, ) +from awx.main.tasks.policy import evaluate_policy from awx.main.tasks.signals import with_signal_handling, signal_callback from awx.main.tasks.receptor import AWXReceptorJob from awx.main.tasks.facts import start_fact_cache, finish_fact_cache -from awx.main.exceptions import AwxTaskError, PostRunError, ReceptorNodeNotFound +from awx.main.exceptions import AwxTaskError, PolicyEvaluationError, PostRunError, ReceptorNodeNotFound from awx.main.utils.ansible import read_ansible_config from awx.main.utils.execution_environments import CONTAINER_ROOT, to_container_path from awx.main.utils.safe_yaml import safe_dump, sanitize_jinja @@ -81,8 +82,6 @@ from awx.conf.license import get_license from awx.main.utils.handlers import SpecialInventoryHandler from awx.main.tasks.system import update_smart_memberships_for_inventory, update_inventory_computed_fields from awx.main.utils.update_model import update_model -from rest_framework.exceptions import PermissionDenied -from django.utils.translation import gettext_lazy as _ logger = logging.getLogger('awx.main.tasks.jobs') @@ -497,6 +496,7 @@ class BaseTask(object): self.instance.send_notification_templates("running") private_data_dir = self.build_private_data_dir(self.instance) self.pre_run_hook(self.instance, private_data_dir) + evaluate_policy(self.instance) self.build_project_dir(self.instance, private_data_dir) self.instance.log_lifecycle("preparing_playbook") if self.instance.cancel_flag or signal_callback(): @@ -624,6 +624,8 @@ class BaseTask(object): elif cancel_flag_value is False: self.runner_callback.delay_update(skip_if_already_set=True, job_explanation="The running ansible process received a shutdown signal.") status = 'failed' + except PolicyEvaluationError as exc: + self.runner_callback.delay_update(job_explanation=str(exc), result_traceback=str(exc)) except ReceptorNodeNotFound as exc: self.runner_callback.delay_update(job_explanation=str(exc)) except Exception: diff --git a/awx/main/tasks/policy.py b/awx/main/tasks/policy.py new file mode 100644 index 0000000000..6adb089dca --- /dev/null +++ b/awx/main/tasks/policy.py @@ -0,0 +1,286 @@ +import json +import tempfile +import contextlib + +from django.conf import settings +from django.utils.translation import gettext_lazy as _ +from flags.state import flag_enabled +from opa_client import OpaClient +from requests import HTTPError +from rest_framework import serializers +from rest_framework import fields + +from awx.main import models +from awx.main.exceptions import PolicyEvaluationError + + +class _UserSerializer(serializers.ModelSerializer): + class Meta: + model = models.User + fields = ('id', 'username', 'is_superuser') + + +class _ExecutionEnvironmentSerializer(serializers.ModelSerializer): + class Meta: + model = models.ExecutionEnvironment + fields = ( + 'id', + 'name', + 'image', + 'pull', + ) + + +class _InstanceGroupSerializer(serializers.ModelSerializer): + class Meta: + model = models.InstanceGroup + fields = ( + 'id', + 'name', + 'capacity', + 'jobs_running', + 'jobs_total', + 'max_concurrent_jobs', + 'max_forks', + ) + + +class _InventorySourceSerializer(serializers.ModelSerializer): + class Meta: + model = models.InventorySource + fields = ('id', 'name', 'type', 'kind') + + +class _InventorySerializer(serializers.ModelSerializer): + inventory_sources = _InventorySourceSerializer(many=True) + + class Meta: + model = models.Inventory + fields = ( + 'id', + 'name', + 'description', + 'total_hosts', + 'total_groups', + 'inventory_sources', + ) + + +class _JobTemplateSerializer(serializers.ModelSerializer): + class Meta: + model = models.JobTemplate + fields = ( + 'id', + 'name', + 'job_type', + ) + + +class _WorkflowJobTemplateSerializer(serializers.ModelSerializer): + class Meta: + model = models.WorkflowJobTemplate + fields = ( + 'id', + 'name', + 'job_type', + ) + + +class _OrganizationSerializer(serializers.ModelSerializer): + class Meta: + model = models.Organization + fields = ( + 'id', + 'name', + ) + + +class _ProjectSerializer(serializers.ModelSerializer): + class Meta: + model = models.Project + fields = ( + 'id', + 'name', + 'status', + 'scm_type', + 'scm_url', + 'scm_branch', + 'scm_refspec', + 'scm_clean', + 'scm_track_submodules', + 'scm_delete_on_update', + ) + + +class JobSerializer(serializers.ModelSerializer): + created_by = _UserSerializer() + execution_environment = _ExecutionEnvironmentSerializer() + instance_group = _InstanceGroupSerializer() + job_template = _JobTemplateSerializer() + organization = _OrganizationSerializer() + project = _ProjectSerializer() + extra_vars = fields.SerializerMethodField() + hosts_count = fields.SerializerMethodField() + workflow_job_template = fields.SerializerMethodField() + + class Meta: + model = models.Job + fields = ( + 'id', + 'name', + 'created', + 'created_by', + 'execution_environment', + 'extra_vars', + 'forks', + 'hosts_count', + 'instance_group', + 'inventory', + 'job_template', + 'job_type', + 'job_type_name', + 'launch_type', + 'limit', + 'launched_by', + 'organization', + 'playbook', + 'project', + 'scm_branch', + 'scm_revision', + 'workflow_job_id', + 'workflow_node_id', + 'workflow_job_template', + ) + + def get_extra_vars(self, obj: models.Job): + return json.loads(obj.display_extra_vars()) + + def get_hosts_count(self, obj: models.Job): + return obj.hosts.count() + + def get_workflow_job_template(self, obj: models.Job): + workflow_job: models.WorkflowJob = obj.get_workflow_job() + if workflow_job is None: + return None + + workflow_job_template: models.WorkflowJobTemplate = workflow_job.workflow_job_template + if workflow_job_template is None: + return None + + return _WorkflowJobTemplateSerializer().to_representation(workflow_job_template) + + +class OPAResultSerializer(serializers.Serializer): + allowed = fields.BooleanField(required=True) + violations = fields.ListField(child=fields.CharField()) + + +class OPA_AUTH_TYPES: + NONE = 'None' + TOKEN = 'Token' + CERTIFICATE = 'Certificate' + + +@contextlib.contextmanager +def opa_cert_file(): + if settings.OPA_AUTH_TYPE == OPA_AUTH_TYPES.CERTIFICATE: + with tempfile.NamedTemporaryFile(delete=True, mode='w', suffix=".pem") as cert_temp: + cert_temp.write(settings.OPA_AUTH_CA_CERT) + cert_temp.write("\n") + cert_temp.write(settings.OPA_AUTH_CLIENT_CERT) + cert_temp.write("\n") + cert_temp.write(settings.OPA_AUTH_CLIENT_KEY) + cert_temp.write("\n") + cert_temp.flush() + yield cert_temp.name + elif settings.OPA_SSL and settings.OPA_AUTH_CA_CERT: + with tempfile.NamedTemporaryFile(delete=True, mode='w', suffix=".pem") as cert_temp: + cert_temp.write(settings.OPA_AUTH_CA_CERT) + cert_temp.write("\n") + cert_temp.flush() + yield cert_temp.name + else: + yield None + + +@contextlib.contextmanager +def opa_client(headers=None): + with opa_cert_file() as cert_temp_file_name: + with OpaClient( + host=settings.OPA_HOST, + port=settings.OPA_PORT, + headers=headers, + ssl=settings.OPA_SSL, + cert=cert_temp_file_name, + retries=settings.OPA_REQUEST_RETRIES, + timeout=settings.OPA_REQUEST_TIMEOUT, + ) as client: + yield client + + +def evaluate_policy(instance): + # Policy evaluation for Policy as Code feature + if not flag_enabled("FEATURE_POLICY_AS_CODE_ENABLED"): + return + + if not settings.OPA_HOST: + return + + if not isinstance(instance, models.Job): + return + + input_data = JobSerializer(instance=instance).data + + headers = None + if settings.OPA_AUTH_TYPE == OPA_AUTH_TYPES.TOKEN: + headers = {'Authorization': 'Bearer {}'.format(settings.OPA_AUTH_TOKEN)} + + if settings.OPA_AUTH_TYPE == OPA_AUTH_TYPES.CERTIFICATE and not settings.OPA_SSL: + raise PolicyEvaluationError(_('OPA_AUTH_TYPE=Certificate requires OPA_SSL to be enabled.')) + + cert_settings_missing = [] + + if settings.OPA_AUTH_TYPE == OPA_AUTH_TYPES.CERTIFICATE: + if not settings.OPA_AUTH_CLIENT_CERT: + cert_settings_missing += ['OPA_AUTH_CLIENT_CERT'] + if not settings.OPA_AUTH_CLIENT_KEY: + cert_settings_missing += ['OPA_AUTH_CLIENT_KEY'] + if not settings.OPA_AUTH_CA_CERT: + cert_settings_missing += ['OPA_AUTH_CA_CERT'] + + if cert_settings_missing: + raise PolicyEvaluationError(_('Following certificate settings are missing for OPA_AUTH_TYPE=Certificate: {}').format(cert_settings_missing)) + + try: + with opa_client(headers=headers) as client: + try: + response = client.query_rule(input_data=input_data, package_path='job_template', rule_name='response') + except HTTPError as e: + message = _('Call to OPA failed. Exception: {}').format(e) + try: + error_data = e.response.json() + except ValueError: + raise PolicyEvaluationError(message) + + error_code = error_data.get("code") + error_message = error_data.get("message") + if error_code or error_message: + message = _('Call to OPA failed. Code: {}, Message: {}').format(error_code, error_message) + raise PolicyEvaluationError(message) + except Exception as e: + raise PolicyEvaluationError(_('Call to OPA failed. Exception: {}').format(e)) + + result = response.get('result') + if result is None: + raise PolicyEvaluationError(_('Call to OPA did not return a "result" property. The path refers to an undefined document.')) + + result_serializer = OPAResultSerializer(data=result) + if not result_serializer.is_valid(): + raise PolicyEvaluationError(_('OPA policy returned invalid result.')) + + result_data = result_serializer.validated_data + if not result_data["allowed"]: + violations = result_data.get("violations", []) + raise PolicyEvaluationError(_('OPA policy denied the request, Violations: {}').format(violations)) + except Exception as e: + raise PolicyEvaluationError(_('Policy evaluation failed, Exception: {}').format(e)) diff --git a/awx/main/tests/functional/test_policy.py b/awx/main/tests/functional/test_policy.py new file mode 100644 index 0000000000..5c4e14081d --- /dev/null +++ b/awx/main/tests/functional/test_policy.py @@ -0,0 +1,182 @@ +import json +import re +from unittest import mock + +import pytest +import requests.exceptions +from django.test import override_settings + +from awx.main.models import Job, Inventory, Project, Organization +from awx.main.exceptions import PolicyEvaluationError +from awx.main.tasks import policy +from awx.main.tasks.policy import JobSerializer + + +@pytest.fixture(autouse=True) +def enable_flag(): + with override_settings( + OPA_HOST='opa.example.com', + FLAGS={"FEATURE_POLICY_AS_CODE_ENABLED": [("boolean", True)]}, + FLAG_SOURCES=('flags.sources.SettingsFlagsSource',), + ): + yield + + +@pytest.fixture +def opa_client(): + cls_mock = mock.MagicMock(name='OpaClient') + instance_mock = cls_mock.return_value + instance_mock.__enter__.return_value = instance_mock + + with mock.patch('awx.main.tasks.policy.OpaClient', cls_mock): + yield instance_mock + + +@pytest.fixture +def job(): + project: Project = Project.objects.create(name='proj1', scm_type='git', scm_branch='main', scm_url='https://git.example.com/proj1') + inventory: Inventory = Inventory.objects.create(name='inv1') + job: Job = Job.objects.create(name='job1', extra_vars="{}", inventory=inventory, project=project) + return job + + +@pytest.mark.django_db +def test_job_serializer(): + org: Organization = Organization.objects.create(name='org1') + project: Project = Project.objects.create(name='proj1', scm_type='git', scm_branch='main', scm_url='https://git.example.com/proj1') + inventory: Inventory = Inventory.objects.create(name='inv1') + extra_vars = {"FOO": "value1", "BAR": "value2"} + job: Job = Job.objects.create(name='job1', extra_vars=json.dumps(extra_vars), inventory=inventory, project=project, organization=org) + + serializer = JobSerializer(instance=job) + + assert serializer.data == { + 'id': job.id, + 'name': 'job1', + 'created': job.created.strftime("%Y-%m-%dT%H:%M:%S.%fZ"), + 'created_by': None, + 'execution_environment': None, + 'extra_vars': extra_vars, + 'forks': 0, + 'hosts_count': 0, + 'instance_group': None, + 'inventory': inventory.id, + 'job_template': None, + 'job_type': 'run', + 'job_type_name': 'job', + 'launch_type': 'manual', + 'limit': '', + 'launched_by': {}, + 'organization': { + 'id': org.id, + 'name': 'org1', + }, + 'playbook': '', + 'project': { + 'id': project.id, + 'name': 'proj1', + 'status': 'pending', + 'scm_type': 'git', + 'scm_url': 'https://git.example.com/proj1', + 'scm_branch': 'main', + 'scm_refspec': '', + 'scm_clean': False, + 'scm_track_submodules': False, + 'scm_delete_on_update': False, + }, + 'scm_branch': '', + 'scm_revision': '', + 'workflow_job_id': None, + 'workflow_node_id': None, + 'workflow_job_template': None, + } + + +@pytest.mark.django_db +def test_evaluate_policy(opa_client): + project: Project = Project.objects.create(name='proj1', scm_type='git', scm_branch='main', scm_url='https://git.example.com/proj1') + inventory: Inventory = Inventory.objects.create(name='inv1') + job: Job = Job.objects.create(name='job1', extra_vars="{}", inventory=inventory, project=project) + + response = { + "result": { + "allowed": True, + "violations": [], + } + } + opa_client.query_rule.return_value = response + try: + policy.evaluate_policy(job) + except PolicyEvaluationError as e: + pytest.fail(f"Must not raise PolicyEvaluationError: {e}") + + opa_client.query_rule.assert_called_once_with(input_data=mock.ANY, package_path='job_template', rule_name='response') + + +@pytest.mark.django_db +def test_evaluate_policy_allowed(opa_client, job): + response = { + "result": { + "allowed": True, + "violations": [], + } + } + opa_client.query_rule.return_value = response + try: + policy.evaluate_policy(job) + except PolicyEvaluationError as e: + pytest.fail(f"Must not raise PolicyEvaluationError: {e}") + + opa_client.query_rule.assert_called_once() + + +@pytest.mark.django_db +def test_evaluate_policy_not_allowed(opa_client, job): + response = { + "result": { + "allowed": False, + "violations": ["Access not allowed."], + } + } + opa_client.query_rule.return_value = response + + with pytest.raises(PolicyEvaluationError, match=re.escape("OPA policy denied the request, Violations: ['Access not allowed.']")): + policy.evaluate_policy(job) + + opa_client.query_rule.assert_called_once() + + +@pytest.mark.django_db +def test_evaluate_policy_not_found(opa_client, job): + response = {} + opa_client.query_rule.return_value = response + + with pytest.raises(PolicyEvaluationError, match=re.escape('Call to OPA did not return a "result" property. The path refers to an undefined document.')): + policy.evaluate_policy(job) + + opa_client.query_rule.assert_called_once() + + +@pytest.mark.django_db +def test_evaluate_policy_server_error(opa_client, job): + http_error_msg = '500 Server Error: Internal Server Error for url: https://opa.example.com:8181/v1/data/job_template/response/invalid' + error_response = { + 'code': 'internal_error', + 'message': ( + '1 error occurred: 1:1: rego_type_error: undefined ref: data.job_template.response.invalid\n\t' + 'data.job_template.response.invalid\n\t' + ' ^\n\t' + ' have: "invalid"\n\t' + ' want (one of): ["allowed" "violations"]' + ), + } + response = mock.Mock() + response.status_code = requests.codes.internal_server_error + response.json.return_value = error_response + + opa_client.query_rule.side_effect = requests.exceptions.HTTPError(http_error_msg, response=response) + + with pytest.raises(PolicyEvaluationError, match=re.escape(f'Call to OPA failed. Code: internal_error, Message: {error_response["message"]}')): + policy.evaluate_policy(job) + + opa_client.query_rule.assert_called_once() diff --git a/awx/main/tests/unit/test_tasks.py b/awx/main/tests/unit/test_tasks.py index 10ed00b186..c0ba988e62 100644 --- a/awx/main/tests/unit/test_tasks.py +++ b/awx/main/tests/unit/test_tasks.py @@ -473,7 +473,7 @@ class TestGenericRun: task.model.objects.get = mock.Mock(return_value=job) task.build_private_data_files = mock.Mock(side_effect=OSError()) - with mock.patch('awx.main.tasks.jobs.shutil.copytree'): + with mock.patch('awx.main.tasks.jobs.shutil.copytree'), mock.patch('awx.main.tasks.jobs.evaluate_policy'): with pytest.raises(Exception): task.run(1) diff --git a/awx/settings/defaults.py b/awx/settings/defaults.py index a71367d4ac..661aed5adc 100644 --- a/awx/settings/defaults.py +++ b/awx/settings/defaults.py @@ -1213,7 +1213,23 @@ ANSIBLE_BASE_ALLOW_SINGLETON_ROLES_API = False # Do not allow creating user-def # system username for django-ansible-base SYSTEM_USERNAME = None -# feature flags -FLAGS = {} +# setting for Policy as Code feature +FEATURE_POLICY_AS_CODE_ENABLED = False +OPA_POLICY_EVALUATION_DEFAULT_RESULT = {'allowed': True} # Default policy enforcement decision if policy evaluation fail for any reason. +OPA_HOST = '' # Host to connect to OPA service, defaults to ''. When this value is set to '', policy enforcement will be disabled. +OPA_PORT = 8181 # Port to connect to OPA service, defaults to 8181. +OPA_SSL = False # Use SSL to connect to OPA service, defaults to False. + +OPA_AUTH_TYPE = 'None' # 'None', 'Token', 'Certificate' +OPA_AUTH_TOKEN = '' # Token for OPA authentication, defaults to '', required when OPA_AUTH_TYPE = 'Token'. +OPA_AUTH_CLIENT_CERT = '' # Content of the client certificate file for mTLS authentication, required when OPA_AUTH_TYPE is "Certificate". +OPA_AUTH_CLIENT_KEY = '' # Content of the client key file for mTLS authentication, required when OPA_AUTH_TYPE is "Certificate". +OPA_AUTH_CA_CERT = '' # Content of the CA certificate file for mTLS authentication, required when OPA_AUTH_TYPE is "Certificate". +OPA_AUTH_CUSTOM_HEADERS = {} # Custom header for OPA authentication, defaults to {}, this will be added to the request headers. TODO: currently unimplemented. +OPA_REQUEST_TIMEOUT = 1.5 # Connection timeout in seconds, defaults to 1.5 seconds. +OPA_REQUEST_RETRIES = 2 # Number of retries to connect to OPA service, defaults to 2. + +# feature flags FLAG_SOURCES = ('flags.sources.SettingsFlagsSource',) +FLAGS = {'FEATURE_POLICY_AS_CODE_ENABLED': [{'condition': 'boolean', 'value': False}]} diff --git a/licenses/OPA-python-client.txt b/licenses/OPA-python-client.txt new file mode 100644 index 0000000000..442153459d --- /dev/null +++ b/licenses/OPA-python-client.txt @@ -0,0 +1,21 @@ +MIT License + +Copyright (c) 2019 Tural Muradov Mohubbet + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/licenses/aiodns.txt b/licenses/aiodns.txt new file mode 100644 index 0000000000..7497f5f911 --- /dev/null +++ b/licenses/aiodns.txt @@ -0,0 +1,19 @@ +Copyright (C) 2014 by Saúl Ibarra Corretgé + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. diff --git a/licenses/aiofiles.txt b/licenses/aiofiles.txt new file mode 100644 index 0000000000..5c304d1a4a --- /dev/null +++ b/licenses/aiofiles.txt @@ -0,0 +1,201 @@ +Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "{}" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright {yyyy} {name of copyright owner} + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/licenses/brotli.txt b/licenses/brotli.txt new file mode 100644 index 0000000000..33b7cdd2db --- /dev/null +++ b/licenses/brotli.txt @@ -0,0 +1,19 @@ +Copyright (c) 2009, 2010, 2013-2016 by the Brotli Authors. + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. diff --git a/licenses/pycares.txt b/licenses/pycares.txt new file mode 100644 index 0000000000..3424329be1 --- /dev/null +++ b/licenses/pycares.txt @@ -0,0 +1,19 @@ +Copyright (C) 2012 by Saúl Ibarra Corretgé + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. diff --git a/requirements/requirements.in b/requirements/requirements.in index 329c856200..c8205ab3cd 100644 --- a/requirements/requirements.in +++ b/requirements/requirements.in @@ -38,6 +38,7 @@ Markdown # used for formatting API help maturin # pydantic-core build dep msgpack<1.0.6 # 1.0.6+ requires cython>=3 msrestazure +OPA-python-client openshift opentelemetry-api~=1.24 # new y streams can be drastically different, in a good way opentelemetry-sdk~=1.24 diff --git a/requirements/requirements.txt b/requirements/requirements.txt index e0c9e77e30..233e2e1e59 100644 --- a/requirements/requirements.txt +++ b/requirements/requirements.txt @@ -1,11 +1,16 @@ adal==1.2.7 # via msrestazure +aiodns==3.2.0 + # via aiohttp +aiofiles==24.1.0 + # via opa-python-client aiohappyeyeballs==2.4.3 # via aiohttp -aiohttp==3.11.6 +aiohttp[speedups]==3.11.6 # via # -r /awx_devel/requirements/requirements.in # aiohttp-retry + # opa-python-client # twilio aiohttp-retry==2.8.3 # via twilio @@ -75,6 +80,8 @@ botocore==1.34.47 # -r /awx_devel/requirements/requirements.in # boto3 # s3transfer +brotli==1.1.0 + # via aiohttp cachetools==5.3.2 # via google-auth # via @@ -83,7 +90,9 @@ cachetools==5.3.2 # msrest # requests cffi==1.16.0 - # via cryptography + # via + # cryptography + # pycares channels==3.0.5 # via # -r /awx_devel/requirements/requirements.in @@ -310,6 +319,8 @@ oauthlib==3.2.2 # kubernetes # requests-oauthlib # social-auth-core +opa-python-client==2.0.2 + # via -r /awx_devel/requirements/requirements.in openshift==0.13.2 # via -r /awx_devel/requirements/requirements.in opentelemetry-api==1.24.0 @@ -388,6 +399,8 @@ pyasn1-modules==0.3.0 # google-auth # python-ldap # service-identity +pycares==4.5.0 + # via aiodns pycparser==2.21 # via cffi pydantic==2.5.0 @@ -456,7 +469,7 @@ referencing==0.33.0 # via # jsonschema # jsonschema-specifications -requests==2.31.0 +requests==2.32.3 # via # -r /awx_devel/requirements/requirements.in # adal @@ -465,6 +478,7 @@ requests==2.31.0 # kubernetes # msal # msrest + # opa-python-client # opentelemetry-exporter-otlp-proto-http # python-dsv-sdk # python-tss-sdk