[Feature][release_4.6] Policy as Code MVP part 1 (#6848)

awx/conf/fields.py

@@ -10,7 +10,7 @@ from django.core.validators import URLValidator, _lazy_re_compile
 from django.utils.translation import gettext_lazy as _
 
 # Django REST Framework
-from rest_framework.fields import BooleanField, CharField, ChoiceField, DictField, DateTimeField, EmailField, IntegerField, ListField  # noqa
+from rest_framework.fields import BooleanField, CharField, ChoiceField, DictField, DateTimeField, EmailField, IntegerField, ListField, FloatField  # noqa
 from rest_framework.serializers import PrimaryKeyRelatedField  # noqa
 
 # AWX

awx/main/conf.py

@@ -4,6 +4,7 @@ import logging
 # Django
 from django.core.checks import Error
 from django.utils.translation import gettext_lazy as _
+from django.conf import settings
 
 # Django REST Framework
 from rest_framework import serializers
@@ -12,6 +13,7 @@ from rest_framework import serializers
 from awx.conf import fields, register, register_validate
 from awx.main.models import ExecutionEnvironment
 from awx.main.constants import SUBSCRIPTION_USAGE_MODEL_UNIQUE_HOSTS
+from awx.main.tasks.policy import OPA_AUTH_TYPES
 
 logger = logging.getLogger('awx.main.conf')
 
@@ -993,3 +995,124 @@ def csrf_trusted_origins_validate(serializer, attrs):
 
 
 register_validate('system', csrf_trusted_origins_validate)
+
+
+if settings.FEATURE_POLICY_AS_CODE_ENABLED:  # Unable to use flag_enabled due to AppRegistryNotReady error
+    register(
+        'OPA_HOST',
+        field_class=fields.CharField,
+        label=_('OPA Server Hostname'),
+        default='',
+        help_text=_('Host to connect to OPA service, when set to the default value of "" policy enforcement will be disabled.'),
+        category=('PolicyAsCode'),
+        category_slug='policyascode',
+        allow_blank=True,
+    )
+
+    register(
+        'OPA_PORT',
+        field_class=fields.IntegerField,
+        label=_('OPA Server Port'),
+        default=8181,
+        help_text=_('Port to connect to OPA service, defaults to 8181.'),
+        category=('PolicyAsCode'),
+        category_slug='policyascode',
+    )
+
+    register(
+        'OPA_SSL',
+        field_class=fields.BooleanField,
+        label=_('Use SSL for OPA Connection'),
+        default=False,
+        help_text=_('Use SSL to connect to OPA service, defaults to False.'),
+        category=('PolicyAsCode'),
+        category_slug='policyascode',
+    )
+
+    register(
+        'OPA_AUTH_TYPE',
+        field_class=fields.ChoiceField,
+        label=_('OPA Authentication Type'),
+        choices=[OPA_AUTH_TYPES.NONE, OPA_AUTH_TYPES.TOKEN, OPA_AUTH_TYPES.CERTIFICATE],
+        default=OPA_AUTH_TYPES.NONE,
+        help_text=_('Authentication type for OPA: "None", "Token", or "Certificate".'),
+        category=('PolicyAsCode'),
+        category_slug='policyascode',
+    )
+
+    register(
+        'OPA_AUTH_TOKEN',
+        field_class=fields.CharField,
+        label=_('OPA Authentication Token'),
+        default='',
+        help_text=_('Token for OPA authentication, required when OPA_AUTH_TYPE is "Token".'),
+        category=('PolicyAsCode'),
+        category_slug='policyascode',
+        allow_blank=True,
+        encrypted=True,
+    )
+
+    register(
+        'OPA_AUTH_CLIENT_CERT',
+        field_class=fields.CharField,
+        label=_('OPA Client Certificate Content'),
+        default='',
+        help_text=_('Content of the client certificate file for mTLS authentication, required when OPA_AUTH_TYPE is "Certificate".'),
+        category=('PolicyAsCode'),
+        category_slug='policyascode',
+        allow_blank=True,
+    )
+
+    register(
+        'OPA_AUTH_CLIENT_KEY',
+        field_class=fields.CharField,
+        label=_('OPA Client Key Content'),
+        default='',
+        help_text=_('Content of the client key for mTLS authentication, required when OPA_AUTH_TYPE is "Certificate".'),
+        category=('PolicyAsCode'),
+        category_slug='policyascode',
+        allow_blank=True,
+        encrypted=True,
+    )
+
+    register(
+        'OPA_AUTH_CA_CERT',
+        field_class=fields.CharField,
+        label=_('OPA CA Certificate Content'),
+        default='',
+        help_text=_('Content of the CA certificate for mTLS authentication, required when OPA_AUTH_TYPE is "Certificate".'),
+        category=('PolicyAsCode'),
+        category_slug='policyascode',
+        allow_blank=True,
+    )
+
+    register(
+        'OPA_AUTH_CUSTOM_HEADERS',
+        field_class=fields.DictField,
+        label=_('OPA Custom Authentication Headers'),
+        default={},
+        help_text=_('Custom headers for OPA authentication, defaults to {}, this will be added to the request headers. TODO: currently unimplemented.'),
+        category=('PolicyAsCode'),
+        category_slug='policyascode',
+        encrypted=True,
+    )
+
+    register(
+        'OPA_REQUEST_TIMEOUT',
+        field_class=fields.FloatField,
+        label=_('OPA Request Timeout'),
+        default=1.5,
+        help_text=_('Connection timeout in seconds, defaults to 1.5 seconds.'),
+        category=('PolicyAsCode'),
+        category_slug='policyascode',
+    )
+
+    register(
+        'OPA_REQUEST_RETRIES',
+        field_class=fields.IntegerField,
+        label=_('OPA Request Retry Count'),
+        default=2,
+        help_text=_('Number of retries to connect to OPA service, defaults to 2.'),
+        category=('PolicyAsCode'),
+        category_slug='policyascode',
+    )

awx/main/exceptions.py

@@ -38,5 +38,12 @@ class PostRunError(Exception):
         super(PostRunError, self).__init__(msg)
 
 
+class PolicyEvaluationError(Exception):
+    def __init__(self, msg, status='failed', tb=''):
+        self.status = status
+        self.tb = tb
+        super(PolicyEvaluationError, self).__init__(msg)
+
+
 class ReceptorNodeNotFound(RuntimeError):
     pass

awx/main/tasks/jobs.py

@@ -17,7 +17,8 @@ import urllib.parse as urlparse
 
 # Django
 from django.conf import settings
-
+from django.utils.translation import gettext_lazy as _
+from rest_framework.exceptions import PermissionDenied
 
 # Runner
 import ansible_runner
@@ -26,7 +27,6 @@ import ansible_runner
 import git
 from gitdb.exc import BadName as BadGitName
 
-
 # AWX
 from awx.main.dispatch.publish import task
 from awx.main.dispatch import get_task_queuename
@@ -62,10 +62,11 @@ from awx.main.tasks.callback import (
     RunnerCallbackForProjectUpdate,
     RunnerCallbackForSystemJob,
 )
+from awx.main.tasks.policy import evaluate_policy
 from awx.main.tasks.signals import with_signal_handling, signal_callback
 from awx.main.tasks.receptor import AWXReceptorJob
 from awx.main.tasks.facts import start_fact_cache, finish_fact_cache
-from awx.main.exceptions import AwxTaskError, PostRunError, ReceptorNodeNotFound
+from awx.main.exceptions import AwxTaskError, PolicyEvaluationError, PostRunError, ReceptorNodeNotFound
 from awx.main.utils.ansible import read_ansible_config
 from awx.main.utils.execution_environments import CONTAINER_ROOT, to_container_path
 from awx.main.utils.safe_yaml import safe_dump, sanitize_jinja
@@ -81,8 +82,6 @@ from awx.conf.license import get_license
 from awx.main.utils.handlers import SpecialInventoryHandler
 from awx.main.tasks.system import update_smart_memberships_for_inventory, update_inventory_computed_fields
 from awx.main.utils.update_model import update_model
-from rest_framework.exceptions import PermissionDenied
-from django.utils.translation import gettext_lazy as _
 
 logger = logging.getLogger('awx.main.tasks.jobs')
 
@@ -497,6 +496,7 @@ class BaseTask(object):
             self.instance.send_notification_templates("running")
             private_data_dir = self.build_private_data_dir(self.instance)
             self.pre_run_hook(self.instance, private_data_dir)
+            evaluate_policy(self.instance)
             self.build_project_dir(self.instance, private_data_dir)
             self.instance.log_lifecycle("preparing_playbook")
             if self.instance.cancel_flag or signal_callback():
@@ -624,6 +624,8 @@ class BaseTask(object):
                 elif cancel_flag_value is False:
                     self.runner_callback.delay_update(skip_if_already_set=True, job_explanation="The running ansible process received a shutdown signal.")
                     status = 'failed'
+        except PolicyEvaluationError as exc:
+            self.runner_callback.delay_update(job_explanation=str(exc), result_traceback=str(exc))
         except ReceptorNodeNotFound as exc:
             self.runner_callback.delay_update(job_explanation=str(exc))
         except Exception:

awx/main/tasks/policy.py

@@ -0,0 +1,286 @@
+import json
+import tempfile
+import contextlib
+
+from django.conf import settings
+from django.utils.translation import gettext_lazy as _
+from flags.state import flag_enabled
+from opa_client import OpaClient
+from requests import HTTPError
+from rest_framework import serializers
+from rest_framework import fields
+
+from awx.main import models
+from awx.main.exceptions import PolicyEvaluationError
+
+
+class _UserSerializer(serializers.ModelSerializer):
+    class Meta:
+        model = models.User
+        fields = ('id', 'username', 'is_superuser')
+
+
+class _ExecutionEnvironmentSerializer(serializers.ModelSerializer):
+    class Meta:
+        model = models.ExecutionEnvironment
+        fields = (
+            'id',
+            'name',
+            'image',
+            'pull',
+        )
+
+
+class _InstanceGroupSerializer(serializers.ModelSerializer):
+    class Meta:
+        model = models.InstanceGroup
+        fields = (
+            'id',
+            'name',
+            'capacity',
+            'jobs_running',
+            'jobs_total',
+            'max_concurrent_jobs',
+            'max_forks',
+        )
+
+
+class _InventorySourceSerializer(serializers.ModelSerializer):
+    class Meta:
+        model = models.InventorySource
+        fields = ('id', 'name', 'type', 'kind')
+
+
+class _InventorySerializer(serializers.ModelSerializer):
+    inventory_sources = _InventorySourceSerializer(many=True)
+
+    class Meta:
+        model = models.Inventory
+        fields = (
+            'id',
+            'name',
+            'description',
+            'total_hosts',
+            'total_groups',
+            'inventory_sources',
+        )
+
+
+class _JobTemplateSerializer(serializers.ModelSerializer):
+    class Meta:
+        model = models.JobTemplate
+        fields = (
+            'id',
+            'name',
+            'job_type',
+        )
+
+
+class _WorkflowJobTemplateSerializer(serializers.ModelSerializer):
+    class Meta:
+        model = models.WorkflowJobTemplate
+        fields = (
+            'id',
+            'name',
+            'job_type',
+        )
+
+
+class _OrganizationSerializer(serializers.ModelSerializer):
+    class Meta:
+        model = models.Organization
+        fields = (
+            'id',
+            'name',
+        )
+
+
+class _ProjectSerializer(serializers.ModelSerializer):
+    class Meta:
+        model = models.Project
+        fields = (
+            'id',
+            'name',
+            'status',
+            'scm_type',
+            'scm_url',
+            'scm_branch',
+            'scm_refspec',
+            'scm_clean',
+            'scm_track_submodules',
+            'scm_delete_on_update',
+        )
+
+
+class JobSerializer(serializers.ModelSerializer):
+    created_by = _UserSerializer()
+    execution_environment = _ExecutionEnvironmentSerializer()
+    instance_group = _InstanceGroupSerializer()
+    job_template = _JobTemplateSerializer()
+    organization = _OrganizationSerializer()
+    project = _ProjectSerializer()
+    extra_vars = fields.SerializerMethodField()
+    hosts_count = fields.SerializerMethodField()
+    workflow_job_template = fields.SerializerMethodField()
+
+    class Meta:
+        model = models.Job
+        fields = (
+            'id',
+            'name',
+            'created',
+            'created_by',
+            'execution_environment',
+            'extra_vars',
+            'forks',
+            'hosts_count',
+            'instance_group',
+            'inventory',
+            'job_template',
+            'job_type',
+            'job_type_name',
+            'launch_type',
+            'limit',
+            'launched_by',
+            'organization',
+            'playbook',
+            'project',
+            'scm_branch',
+            'scm_revision',
+            'workflow_job_id',
+            'workflow_node_id',
+            'workflow_job_template',
+        )
+
+    def get_extra_vars(self, obj: models.Job):
+        return json.loads(obj.display_extra_vars())
+
+    def get_hosts_count(self, obj: models.Job):
+        return obj.hosts.count()
+
+    def get_workflow_job_template(self, obj: models.Job):
+        workflow_job: models.WorkflowJob = obj.get_workflow_job()
+        if workflow_job is None:
+            return None
+
+        workflow_job_template: models.WorkflowJobTemplate = workflow_job.workflow_job_template
+        if workflow_job_template is None:
+            return None
+
+        return _WorkflowJobTemplateSerializer().to_representation(workflow_job_template)
+
+
+class OPAResultSerializer(serializers.Serializer):
+    allowed = fields.BooleanField(required=True)
+    violations = fields.ListField(child=fields.CharField())
+
+
+class OPA_AUTH_TYPES:
+    NONE = 'None'
+    TOKEN = 'Token'
+    CERTIFICATE = 'Certificate'
+
+
+@contextlib.contextmanager
+def opa_cert_file():
+    if settings.OPA_AUTH_TYPE == OPA_AUTH_TYPES.CERTIFICATE:
+        with tempfile.NamedTemporaryFile(delete=True, mode='w', suffix=".pem") as cert_temp:
+            cert_temp.write(settings.OPA_AUTH_CA_CERT)
+            cert_temp.write("\n")
+            cert_temp.write(settings.OPA_AUTH_CLIENT_CERT)
+            cert_temp.write("\n")
+            cert_temp.write(settings.OPA_AUTH_CLIENT_KEY)
+            cert_temp.write("\n")
+            cert_temp.flush()
+            yield cert_temp.name
+    elif settings.OPA_SSL and settings.OPA_AUTH_CA_CERT:
+        with tempfile.NamedTemporaryFile(delete=True, mode='w', suffix=".pem") as cert_temp:
+            cert_temp.write(settings.OPA_AUTH_CA_CERT)
+            cert_temp.write("\n")
+            cert_temp.flush()
+            yield cert_temp.name
+    else:
+        yield None
+
+
+@contextlib.contextmanager
+def opa_client(headers=None):
+    with opa_cert_file() as cert_temp_file_name:
+        with OpaClient(
+            host=settings.OPA_HOST,
+            port=settings.OPA_PORT,
+            headers=headers,
+            ssl=settings.OPA_SSL,
+            cert=cert_temp_file_name,
+            retries=settings.OPA_REQUEST_RETRIES,
+            timeout=settings.OPA_REQUEST_TIMEOUT,
+        ) as client:
+            yield client
+
+
+def evaluate_policy(instance):
+    # Policy evaluation for Policy as Code feature
+    if not flag_enabled("FEATURE_POLICY_AS_CODE_ENABLED"):
+        return
+
+    if not settings.OPA_HOST:
+        return
+
+    if not isinstance(instance, models.Job):
+        return
+
+    input_data = JobSerializer(instance=instance).data
+
+    headers = None
+    if settings.OPA_AUTH_TYPE == OPA_AUTH_TYPES.TOKEN:
+        headers = {'Authorization': 'Bearer {}'.format(settings.OPA_AUTH_TOKEN)}
+
+    if settings.OPA_AUTH_TYPE == OPA_AUTH_TYPES.CERTIFICATE and not settings.OPA_SSL:
+        raise PolicyEvaluationError(_('OPA_AUTH_TYPE=Certificate requires OPA_SSL to be enabled.'))
+
+    cert_settings_missing = []
+
+    if settings.OPA_AUTH_TYPE == OPA_AUTH_TYPES.CERTIFICATE:
+        if not settings.OPA_AUTH_CLIENT_CERT:
+            cert_settings_missing += ['OPA_AUTH_CLIENT_CERT']
+        if not settings.OPA_AUTH_CLIENT_KEY:
+            cert_settings_missing += ['OPA_AUTH_CLIENT_KEY']
+        if not settings.OPA_AUTH_CA_CERT:
+            cert_settings_missing += ['OPA_AUTH_CA_CERT']
+
+        if cert_settings_missing:
+            raise PolicyEvaluationError(_('Following certificate settings are missing for OPA_AUTH_TYPE=Certificate: {}').format(cert_settings_missing))
+
+    try:
+        with opa_client(headers=headers) as client:
+            try:
+                response = client.query_rule(input_data=input_data, package_path='job_template', rule_name='response')
+            except HTTPError as e:
+                message = _('Call to OPA failed. Exception: {}').format(e)
+                try:
+                    error_data = e.response.json()
+                except ValueError:
+                    raise PolicyEvaluationError(message)
+
+                error_code = error_data.get("code")
+                error_message = error_data.get("message")
+                if error_code or error_message:
+                    message = _('Call to OPA failed. Code: {}, Message: {}').format(error_code, error_message)
+                raise PolicyEvaluationError(message)
+            except Exception as e:
+                raise PolicyEvaluationError(_('Call to OPA failed. Exception: {}').format(e))
+
+            result = response.get('result')
+            if result is None:
+                raise PolicyEvaluationError(_('Call to OPA did not return a "result" property. The path refers to an undefined document.'))
+
+            result_serializer = OPAResultSerializer(data=result)
+            if not result_serializer.is_valid():
+                raise PolicyEvaluationError(_('OPA policy returned invalid result.'))
+
+            result_data = result_serializer.validated_data
+            if not result_data["allowed"]:
+                violations = result_data.get("violations", [])
+                raise PolicyEvaluationError(_('OPA policy denied the request, Violations: {}').format(violations))
+    except Exception as e:
+        raise PolicyEvaluationError(_('Policy evaluation failed, Exception: {}').format(e))

awx/main/tests/functional/test_policy.py

@@ -0,0 +1,182 @@
+import json
+import re
+from unittest import mock
+
+import pytest
+import requests.exceptions
+from django.test import override_settings
+
+from awx.main.models import Job, Inventory, Project, Organization
+from awx.main.exceptions import PolicyEvaluationError
+from awx.main.tasks import policy
+from awx.main.tasks.policy import JobSerializer
+
+
+@pytest.fixture(autouse=True)
+def enable_flag():
+    with override_settings(
+        OPA_HOST='opa.example.com',
+        FLAGS={"FEATURE_POLICY_AS_CODE_ENABLED": [("boolean", True)]},
+        FLAG_SOURCES=('flags.sources.SettingsFlagsSource',),
+    ):
+        yield
+
+
+@pytest.fixture
+def opa_client():
+    cls_mock = mock.MagicMock(name='OpaClient')
+    instance_mock = cls_mock.return_value
+    instance_mock.__enter__.return_value = instance_mock
+
+    with mock.patch('awx.main.tasks.policy.OpaClient', cls_mock):
+        yield instance_mock
+
+
+@pytest.fixture
+def job():
+    project: Project = Project.objects.create(name='proj1', scm_type='git', scm_branch='main', scm_url='https://git.example.com/proj1')
+    inventory: Inventory = Inventory.objects.create(name='inv1')
+    job: Job = Job.objects.create(name='job1', extra_vars="{}", inventory=inventory, project=project)
+    return job
+
+
+@pytest.mark.django_db
+def test_job_serializer():
+    org: Organization = Organization.objects.create(name='org1')
+    project: Project = Project.objects.create(name='proj1', scm_type='git', scm_branch='main', scm_url='https://git.example.com/proj1')
+    inventory: Inventory = Inventory.objects.create(name='inv1')
+    extra_vars = {"FOO": "value1", "BAR": "value2"}
+    job: Job = Job.objects.create(name='job1', extra_vars=json.dumps(extra_vars), inventory=inventory, project=project, organization=org)
+
+    serializer = JobSerializer(instance=job)
+
+    assert serializer.data == {
+        'id': job.id,
+        'name': 'job1',
+        'created': job.created.strftime("%Y-%m-%dT%H:%M:%S.%fZ"),
+        'created_by': None,
+        'execution_environment': None,
+        'extra_vars': extra_vars,
+        'forks': 0,
+        'hosts_count': 0,
+        'instance_group': None,
+        'inventory': inventory.id,
+        'job_template': None,
+        'job_type': 'run',
+        'job_type_name': 'job',
+        'launch_type': 'manual',
+        'limit': '',
+        'launched_by': {},
+        'organization': {
+            'id': org.id,
+            'name': 'org1',
+        },
+        'playbook': '',
+        'project': {
+            'id': project.id,
+            'name': 'proj1',
+            'status': 'pending',
+            'scm_type': 'git',
+            'scm_url': 'https://git.example.com/proj1',
+            'scm_branch': 'main',
+            'scm_refspec': '',
+            'scm_clean': False,
+            'scm_track_submodules': False,
+            'scm_delete_on_update': False,
+        },
+        'scm_branch': '',
+        'scm_revision': '',
+        'workflow_job_id': None,
+        'workflow_node_id': None,
+        'workflow_job_template': None,
+    }
+
+
+@pytest.mark.django_db
+def test_evaluate_policy(opa_client):
+    project: Project = Project.objects.create(name='proj1', scm_type='git', scm_branch='main', scm_url='https://git.example.com/proj1')
+    inventory: Inventory = Inventory.objects.create(name='inv1')
+    job: Job = Job.objects.create(name='job1', extra_vars="{}", inventory=inventory, project=project)
+
+    response = {
+        "result": {
+            "allowed": True,
+            "violations": [],
+        }
+    }
+    opa_client.query_rule.return_value = response
+    try:
+        policy.evaluate_policy(job)
+    except PolicyEvaluationError as e:
+        pytest.fail(f"Must not raise PolicyEvaluationError: {e}")
+
+    opa_client.query_rule.assert_called_once_with(input_data=mock.ANY, package_path='job_template', rule_name='response')
+
+
+@pytest.mark.django_db
+def test_evaluate_policy_allowed(opa_client, job):
+    response = {
+        "result": {
+            "allowed": True,
+            "violations": [],
+        }
+    }
+    opa_client.query_rule.return_value = response
+    try:
+        policy.evaluate_policy(job)
+    except PolicyEvaluationError as e:
+        pytest.fail(f"Must not raise PolicyEvaluationError: {e}")
+
+    opa_client.query_rule.assert_called_once()
+
+
+@pytest.mark.django_db
+def test_evaluate_policy_not_allowed(opa_client, job):
+    response = {
+        "result": {
+            "allowed": False,
+            "violations": ["Access not allowed."],
+        }
+    }
+    opa_client.query_rule.return_value = response
+
+    with pytest.raises(PolicyEvaluationError, match=re.escape("OPA policy denied the request, Violations: ['Access not allowed.']")):
+        policy.evaluate_policy(job)
+
+    opa_client.query_rule.assert_called_once()
+
+
+@pytest.mark.django_db
+def test_evaluate_policy_not_found(opa_client, job):
+    response = {}
+    opa_client.query_rule.return_value = response
+
+    with pytest.raises(PolicyEvaluationError, match=re.escape('Call to OPA did not return a "result" property. The path refers to an undefined document.')):
+        policy.evaluate_policy(job)
+
+    opa_client.query_rule.assert_called_once()
+
+
+@pytest.mark.django_db
+def test_evaluate_policy_server_error(opa_client, job):
+    http_error_msg = '500 Server Error: Internal Server Error for url: https://opa.example.com:8181/v1/data/job_template/response/invalid'
+    error_response = {
+        'code': 'internal_error',
+        'message': (
+            '1 error occurred: 1:1: rego_type_error: undefined ref: data.job_template.response.invalid\n\t'
+            'data.job_template.response.invalid\n\t'
+            '                           ^\n\t'
+            '                           have: "invalid"\n\t'
+            '                           want (one of): ["allowed" "violations"]'
+        ),
+    }
+    response = mock.Mock()
+    response.status_code = requests.codes.internal_server_error
+    response.json.return_value = error_response
+
+    opa_client.query_rule.side_effect = requests.exceptions.HTTPError(http_error_msg, response=response)
+
+    with pytest.raises(PolicyEvaluationError, match=re.escape(f'Call to OPA failed. Code: internal_error, Message: {error_response["message"]}')):
+        policy.evaluate_policy(job)
+
+    opa_client.query_rule.assert_called_once()

awx/main/tests/unit/test_tasks.py

@@ -473,7 +473,7 @@ class TestGenericRun:
         task.model.objects.get = mock.Mock(return_value=job)
         task.build_private_data_files = mock.Mock(side_effect=OSError())
 
-        with mock.patch('awx.main.tasks.jobs.shutil.copytree'):
+        with mock.patch('awx.main.tasks.jobs.shutil.copytree'), mock.patch('awx.main.tasks.jobs.evaluate_policy'):
             with pytest.raises(Exception):
                 task.run(1)
 

awx/settings/defaults.py

@@ -1213,7 +1213,23 @@ ANSIBLE_BASE_ALLOW_SINGLETON_ROLES_API = False  # Do not allow creating user-def
 # system username for django-ansible-base
 SYSTEM_USERNAME = None
 
-# feature flags
+# setting for Policy as Code feature
-FLAGS = {}
+FEATURE_POLICY_AS_CODE_ENABLED = False
 
+OPA_POLICY_EVALUATION_DEFAULT_RESULT = {'allowed': True}  # Default policy enforcement decision if policy evaluation fail for any reason.
+OPA_HOST = ''  # Host to connect to OPA service, defaults to ''. When this value is set to '', policy enforcement will be disabled.
+OPA_PORT = 8181  # Port to connect to OPA service, defaults to 8181.
+OPA_SSL = False  # Use SSL to connect to OPA service, defaults to False.
+
+OPA_AUTH_TYPE = 'None'  # 'None', 'Token', 'Certificate'
+OPA_AUTH_TOKEN = ''  # Token for OPA authentication, defaults to '', required when OPA_AUTH_TYPE = 'Token'.
+OPA_AUTH_CLIENT_CERT = ''  # Content of the client certificate file for mTLS authentication, required when OPA_AUTH_TYPE is "Certificate".
+OPA_AUTH_CLIENT_KEY = ''  # Content of the client key file for mTLS authentication, required when OPA_AUTH_TYPE is "Certificate".
+OPA_AUTH_CA_CERT = ''  # Content of the CA certificate file for mTLS authentication, required when OPA_AUTH_TYPE is "Certificate".
+OPA_AUTH_CUSTOM_HEADERS = {}  # Custom header for OPA authentication, defaults to {}, this will be added to the request headers. TODO: currently unimplemented.
+OPA_REQUEST_TIMEOUT = 1.5  # Connection timeout in seconds, defaults to 1.5 seconds.
+OPA_REQUEST_RETRIES = 2  # Number of retries to connect to OPA service, defaults to 2.
+
+# feature flags
 FLAG_SOURCES = ('flags.sources.SettingsFlagsSource',)
+FLAGS = {'FEATURE_POLICY_AS_CODE_ENABLED': [{'condition': 'boolean', 'value': False}]}

licenses/OPA-python-client.txt

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2019 Tural Muradov Mohubbet
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

licenses/aiodns.txt

@@ -0,0 +1,19 @@
+Copyright (C) 2014 by Saúl Ibarra Corretgé
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

licenses/aiofiles.txt

@@ -0,0 +1,201 @@
+Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "{}"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright {yyyy} {name of copyright owner}
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

licenses/brotli.txt

@@ -0,0 +1,19 @@
+Copyright (c) 2009, 2010, 2013-2016 by the Brotli Authors.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

licenses/pycares.txt

@@ -0,0 +1,19 @@
+Copyright (C) 2012 by Saúl Ibarra Corretgé
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

requirements/requirements.in

@@ -38,6 +38,7 @@ Markdown  # used for formatting API help
 maturin  # pydantic-core build dep
 msgpack<1.0.6  # 1.0.6+ requires cython>=3
 msrestazure
+OPA-python-client
 openshift
 opentelemetry-api~=1.24     # new y streams can be drastically different, in a good way
 opentelemetry-sdk~=1.24

requirements/requirements.txt

@@ -1,11 +1,16 @@
 adal==1.2.7
     # via msrestazure
+aiodns==3.2.0
+    # via aiohttp
+aiofiles==24.1.0
+    # via opa-python-client
 aiohappyeyeballs==2.4.3
     # via aiohttp
-aiohttp==3.11.6
+aiohttp[speedups]==3.11.6
     # via
     #   -r /awx_devel/requirements/requirements.in
     #   aiohttp-retry
+    #   opa-python-client
     #   twilio
 aiohttp-retry==2.8.3
     # via twilio
@@ -75,6 +80,8 @@ botocore==1.34.47
     #   -r /awx_devel/requirements/requirements.in
     #   boto3
     #   s3transfer
+brotli==1.1.0
+    # via aiohttp
 cachetools==5.3.2
     # via google-auth
     # via
@@ -83,7 +90,9 @@ cachetools==5.3.2
     #   msrest
     #   requests
 cffi==1.16.0
-    # via cryptography
+    # via
+    #   cryptography
+    #   pycares
 channels==3.0.5
     # via
     #   -r /awx_devel/requirements/requirements.in
@@ -310,6 +319,8 @@ oauthlib==3.2.2
     #   kubernetes
     #   requests-oauthlib
     #   social-auth-core
+opa-python-client==2.0.2
+    # via -r /awx_devel/requirements/requirements.in
 openshift==0.13.2
     # via -r /awx_devel/requirements/requirements.in
 opentelemetry-api==1.24.0
@@ -388,6 +399,8 @@ pyasn1-modules==0.3.0
     #   google-auth
     #   python-ldap
     #   service-identity
+pycares==4.5.0
+    # via aiodns
 pycparser==2.21
     # via cffi
 pydantic==2.5.0
@@ -456,7 +469,7 @@ referencing==0.33.0
     # via
     #   jsonschema
     #   jsonschema-specifications
-requests==2.31.0
+requests==2.32.3
     # via
     #   -r /awx_devel/requirements/requirements.in
     #   adal
@@ -465,6 +478,7 @@ requests==2.31.0
     #   kubernetes
     #   msal
     #   msrest
+    #   opa-python-client
     #   opentelemetry-exporter-otlp-proto-http
     #   python-dsv-sdk
     #   python-tss-sdk