External users should not be able to change their password (#13491)

* Azure AD users should not be able to change their password * Multiple auth changes Moving get_external_user function into awx.sso.common Altering get_external_user to not look at current config, just user object values Altering how api/conf.py detects external auth config (and making reusable function in awx.sso.common) Altering logic in api.serializers in _update_pasword to use awx.sso.common * Adding unit tests --------- Co-authored-by: John Westcott IV <john.westcott.iv@redhat.com>
2026-03-29 06:45:09 -02:30 · 2023-02-28 13:44:34 -05:00
parent c2df22e0f0
commit 52d46c88e4
6 changed files with 148 additions and 58 deletions
--- a/awx/api/conf.py
+++ b/awx/api/conf.py
@@ -1,5 +1,4 @@
 # Django
-from django.conf import settings
 from django.utils.translation import gettext_lazy as _

 # Django REST Framework
@@ -9,6 +8,7 @@ from rest_framework import serializers
 from awx.conf import fields, register, register_validate
 from awx.api.fields import OAuth2ProviderField
 from oauth2_provider.settings import oauth2_settings
+from awx.sso.common import is_remote_auth_enabled


 register(
@@ -108,19 +108,8 @@ register(


 def authentication_validate(serializer, attrs):
-    remote_auth_settings = [
-        'AUTH_LDAP_SERVER_URI',
-        'SOCIAL_AUTH_GOOGLE_OAUTH2_KEY',
-        'SOCIAL_AUTH_GITHUB_KEY',
-        'SOCIAL_AUTH_GITHUB_ORG_KEY',
-        'SOCIAL_AUTH_GITHUB_TEAM_KEY',
-        'SOCIAL_AUTH_SAML_ENABLED_IDPS',
-        'RADIUS_SERVER',
-        'TACACSPLUS_HOST',
-    ]
-    if attrs.get('DISABLE_LOCAL_AUTH', False):
-        if not any(getattr(settings, s, None) for s in remote_auth_settings):
-            raise serializers.ValidationError(_("There are no remote authentication systems configured."))
+    if attrs.get('DISABLE_LOCAL_AUTH', False) and not is_remote_auth_enabled():
+        raise serializers.ValidationError(_("There are no remote authentication systems configured."))
    return attrs