From 3b024a057fb6e587caf6fc2d7446a98a57b38dfb Mon Sep 17 00:00:00 2001
From: Seth Foster
Date: Mon, 29 Aug 2022 16:19:53 -0400
Subject: [PATCH] Allow work signing for execution node (#12771)
- work-signing added to the generated receptor config
- During receptor task submission, signwork is True when submitting to an execution node
---
 awx/main/tasks/receptor.py | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/awx/main/tasks/receptor.py b/awx/main/tasks/receptor.py
index a5e2586f4d..b62f53ae42 100644
--- a/awx/main/tasks/receptor.py
+++ b/awx/main/tasks/receptor.py
@@ -158,8 +158,7 @@ def run_until_complete(node, timing_data=None, **kwargs):
 kwargs.setdefault('payload', '')
 transmit_start = time.time()
- sign_work = False if settings.IS_K8S else True
- result = receptor_ctl.submit_work(worktype='ansible-runner', node=node, signwork=sign_work, **kwargs)
+ result = receptor_ctl.submit_work(worktype='ansible-runner', node=node, signwork=True, **kwargs)
 unit_id = result['unitid']
 run_start = time.time()
@@ -305,10 +304,6 @@ class AWXReceptorJob:
 except Exception:
 logger.exception(f"Error releasing work unit {self.unit_id}.")
- @property
- def sign_work(self):
- return False if settings.IS_K8S else True
-
 def _run_internal(self, receptor_ctl):
 # Create a socketpair. Where the left side will be used for writing our payload
 # (private data dir, kwargs). The right side will be passed to Receptor for
@@ -468,6 +463,10 @@ class AWXReceptorJob:
 return receptor_params
+ @property
+ def sign_work(self):
+ return True if self.work_type in ('ansible-runner', 'local') else False
+
 @property
 def work_type(self):
 if self.task.instance.is_container_group_task:
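Review bot: In run_until_complete, `signwork=True` is now a bare literal while AWXReceptorJob derives the same decision from its `sign_work` property, so the signing policy lives in two places with no explanation of why this path always signs. Because the old K8S exemption is removed, this call presumably fails on any control node whose receptor config lacks a `work-signing` entry; it is worth confirming that every deployment reaching this function gets one. I would add a comment above the call such as `# ansible-runner work on execution nodes is always signed; requires work-signing in the local receptor config`. The function body continues outside the hunk.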
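Review bot: The re-added `sign_work` property signs only for the two listed work types, so any other value returned by `work_type` is submitted unsigned, and nothing here says that is deliberate. A one-line docstring stating which work types the receiving node is expected to verify, and why the rest are exempt, would keep a later-added work type from silently falling into the unsigned branch. The expression can also be reduced to `return self.work_type in ('ansible-runner', 'local')`. The body of `work_type` continues outside the hunk.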
@@ -598,10 +597,17 @@ class AWXReceptorJob:
 return config
+# TODO: receptor reload expects ordering within config items to be preserved
+# if python dictionary is not preserving order properly, may need to find a
+# solution. yaml.dump does not seem to work well with OrderedDict. below line may help
+# yaml.add_representer(OrderedDict, lambda dumper, data: dumper.represent_mapping('tag:yaml.org,2002:map', data.items()))
+#
 RECEPTOR_CONFIG_STARTER = (
- {'control-service': {'service': 'control', 'filename': '/var/run/receptor/receptor.sock', 'permissions': '0600'}},
 {'local-only': None},
+ {'log-level': 'debug'},
+ {'control-service': {'service': 'control', 'filename': '/var/run/receptor/receptor.sock', 'permissions': '0660'}},
 {'work-command': {'worktype': 'local', 'command': 'ansible-runner', 'params': 'worker', 'allowruntimeparams': True}},
+ {'work-signing': {'privatekey': '/etc/receptor/signing/work-private-key.pem', 'tokenexpiration': '1m'}},
 {
 'work-kubernetes': {
 'worktype': 'kubernetes-runtime-auth',
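Review bot: The control-service socket mode is relaxed from `0600` to `0660` in the same change that adds a `work-signing` private key, so any account in the socket's group can now ask this receptor to submit signed work; the hunk does not show which group owns `/var/run/receptor/receptor.sock`, so that should be confirmed and recorded. I would add a comment on that entry such as `# 0660: group access needed by <service account>; group members can submit signed work`. The hard-coded `{'log-level': 'debug'}` also looks like a debugging leftover and would be better driven by a setting with a less verbose default. The private key file is presumably provisioned readable only by the receptor user, but that is not visible here and deserves a check. The tuple continues past the end of the hunk.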