diff --git a/awx/main/tests/inventory.py b/awx/main/tests/inventory.py index b38ca13d82..b4ba836e00 100644 --- a/awx/main/tests/inventory.py +++ b/awx/main/tests/inventory.py @@ -1665,6 +1665,32 @@ class InventoryUpdatesTest(BaseTransactionTest): inventory_source.save() self.check_inventory_source(inventory_source, initial=False) + + def test_update_from_ec2_sts_iam(self): + source_username = getattr(settings, 'TEST_AWS_ACCESS_KEY_ID', '') + source_password = getattr(settings, 'TEST_AWS_SECRET_ACCESS_KEY', '') + source_regions = getattr(settings, 'TEST_AWS_REGIONS', 'all') + source_token = getattr(settings, 'TEST_AWS_SECURITY_TOKEN', '') + if not all([source_username, source_password, source_token]): + self.skipTest('no test ec2 sts credentials defined!') + self.create_test_license_file() + credential = Credential.objects.create(kind='aws', + user=self.super_django_user, + username=source_username, + password=source_password, + security_token=source_token) + # Set parent group name to one that might be created by the sync. + group = self.group + group.name = 'ec2' + group.save() + self.group = group + cache_path = tempfile.mkdtemp(prefix='awx_ec2_') + self._temp_paths.append(cache_path) + inventory_source = self.update_inventory_source(self.group, + source='ec2', credential=credential, source_regions=source_regions, + source_vars='---\n\nnested_groups: false\ncache_path: %s\n' % cache_path) + self.check_inventory_source(inventory_source) + def test_update_from_ec2_without_credential(self): self.create_test_license_file() group = self.group diff --git a/awx/settings/local_settings.py.docker_compose b/awx/settings/local_settings.py.docker_compose new file mode 100644 index 0000000000..cb17fa3b42 --- /dev/null +++ b/awx/settings/local_settings.py.docker_compose @@ -0,0 +1,508 @@ +# Copyright (c) 2015 Ansible, Inc. (formerly AnsibleWorks, Inc.) +# All Rights Reserved. + +# Local Django settings for AWX project. Rename to "local_settings.py" and +# edit as needed for your development environment. + +# All variables defined in awx/settings/development.py will already be loaded +# into the global namespace before this file is loaded, to allow for reading +# and updating the default settings as needed. + +############################################################################### +# MISC PROJECT SETTINGS +############################################################################### + +ADMINS = ( + # ('Your Name', 'your_email@domain.com'), +) + +MANAGERS = ADMINS + +# Database settings to use PostgreSQL for development. +DATABASES = { + 'default': { + 'ENGINE': 'django.db.backends.postgresql_psycopg2', + 'NAME': 'awx-dev', + 'USER': 'awx-dev', + 'PASSWORD': 'AWXsome1', + 'HOST': 'postgres', + 'PORT': '', + } +} + +# Use SQLite for unit tests instead of PostgreSQL. If the lines below are +# commented out, Django will create the test_awx-dev database in PostgreSQL to +# run unit tests. +if len(sys.argv) >= 2 and sys.argv[1] == 'test': + DATABASES = { + 'default': { + 'ENGINE': 'django.db.backends.sqlite3', + 'NAME': os.path.join(BASE_DIR, 'awx.sqlite3'), + # Test database cannot be :memory: for celery/inventory tests. + 'TEST_NAME': os.path.join(BASE_DIR, 'awx_test.sqlite3'), + } + } + + MONGO_DB = 'system_tracking_test' + +# Celery AMQP configuration. +BROKER_URL = 'redis://redis/' + +# Mongo host configuration +MONGO_HOST = 'mongo' + +# Set True to enable additional logging from the job_event_callback plugin +JOB_CALLBACK_DEBUG = False + +# Absolute filesystem path to the directory to host projects (with playbooks). +# This directory should NOT be web-accessible. +PROJECTS_ROOT = os.path.join(BASE_DIR, 'projects') + +# Absolute filesystem path to the directory for job status stdout +# This directory should not be web-accessible +JOBOUTPUT_ROOT = os.path.join(BASE_DIR, 'job_status') + +# The UUID of the system, for HA. +SYSTEM_UUID = '00000000-0000-0000-0000-000000000000' + +# Local time zone for this installation. Choices can be found here: +# http://en.wikipedia.org/wiki/List_of_tz_zones_by_name +# although not all choices may be available on all operating systems. +# On Unix systems, a value of None will cause Django to use the same +# timezone as the operating system. +# If running in a Windows environment this must be set to the same as your +# system time zone. +TIME_ZONE = 'America/New_York' + +# Language code for this installation. All choices can be found here: +# http://www.i18nguy.com/unicode/language-identifiers.html +LANGUAGE_CODE = 'en-us' + +# SECURITY WARNING: keep the secret key used in production secret! +# Hardcoded values can leak through source control. Consider loading +# the secret key from an environment variable or a file instead. +SECRET_KEY = 'p7z7g1ql4%6+(6nlebb6hdk7sd^&fnjpal308%n%+p^_e6vo1y' + +# HTTP headers and meta keys to search to determine remote host name or IP. Add +# additional items to this list, such as "HTTP_X_FORWARDED_FOR", if behind a +# reverse proxy. +REMOTE_HOST_HEADERS = ['REMOTE_ADDR', 'REMOTE_HOST'] + +# Define additional environment variables to be passed to subprocess started by +# the celery task. +#AWX_TASK_ENV['FOO'] = 'BAR' + +# If set, use -vvv for project updates instead of -v for more output. +# PROJECT_UPDATE_VVV=True + +# Set verbosity for inventory import command when running inventory updates. +# INVENTORY_UPDATE_VERBOSITY=1 + +############################################################################### +# EMAIL SETTINGS +############################################################################### + +# Email address that error messages come from. +SERVER_EMAIL = 'root@localhost' + +# The email backend to use. For possible shortcuts see django.core.mail. +# The default is to use the SMTP backend. +# Third-party backends can be specified by providing a Python path +# to a module that defines an EmailBackend class. +EMAIL_BACKEND = 'django.core.mail.backends.smtp.EmailBackend' + +# Host for sending email. +EMAIL_HOST = 'localhost' + +# Port for sending email. +EMAIL_PORT = 25 + +# Optional SMTP authentication information for EMAIL_HOST. +EMAIL_HOST_USER = '' +EMAIL_HOST_PASSWORD = '' +EMAIL_USE_TLS = False + +# Default email address to use for various automated correspondence from +# the site managers. +DEFAULT_FROM_EMAIL = 'webmaster@localhost' + +# Subject-line prefix for email messages send with django.core.mail.mail_admins +# or ...mail_managers. Make sure to include the trailing space. +EMAIL_SUBJECT_PREFIX = '[AWX] ' + +############################################################################### +# LOGGING SETTINGS +############################################################################### + +# Enable logging to syslog. Setting level to ERROR captures 500 errors, +# WARNING also logs 4xx responses. +LOGGING['handlers']['syslog'] = { + 'level': 'WARNING', + 'filters': [], + 'class': 'logging.handlers.SysLogHandler', + 'address': '/dev/log', + 'facility': 'local0', + 'formatter': 'simple', +} + +# Enable the following lines to also log to a file. +#LOGGING['handlers']['file'] = { +# 'class': 'logging.FileHandler', +# 'filename': os.path.join(BASE_DIR, 'awx.log'), +# 'formatter': 'simple', +#} + +# Enable the following lines to turn on lots of permissions-related logging. +#LOGGING['loggers']['awx.main.access']['propagate'] = True +#LOGGING['loggers']['awx.main.signals']['propagate'] = True +#LOGGING['loggers']['awx.main.permissions']['propagate'] = True + +# Enable the following lines to turn on LDAP auth logging. +#LOGGING['loggers']['django_auth_ldap']['handlers'] = ['console'] +#LOGGING['loggers']['django_auth_ldap']['level'] = 'DEBUG' + +############################################################################### +# LDAP AUTHENTICATION SETTINGS +############################################################################### + +# Refer to django-auth-ldap docs for more details: +# http://pythonhosted.org/django-auth-ldap/authentication.html + +# LDAP server URI, such as "ldap://ldap.example.com:389" (non-SSL) or +# "ldaps://ldap.example.com:636" (SSL). LDAP authentication is disable if this +# parameter is empty. +AUTH_LDAP_SERVER_URI = '' + +# DN of user to bind for all search queries. Normally in the format +# "CN=Some User,OU=Users,DC=example,DC=com" but may also be specified as +# "DOMAIN\username" for Active Directory. +AUTH_LDAP_BIND_DN = '' + +# Password using to bind above user account. +AUTH_LDAP_BIND_PASSWORD = '' + +# Enable TLS when the connection is not using SSL. +AUTH_LDAP_START_TLS = False + +# Imports needed for remaining LDAP configuration. +import ldap +from django_auth_ldap.config import LDAPSearch, LDAPSearchUnion +from django_auth_ldap.config import ActiveDirectoryGroupType + +# LDAP search query to find users. +AUTH_LDAP_USER_SEARCH = LDAPSearch( + 'OU=Users,DC=example,DC=com', # Base DN + ldap.SCOPE_SUBTREE, # SCOPE_BASE, SCOPE_ONELEVEL, SCOPE_SUBTREE + '(sAMAccountName=%(user)s)', # Query +) + +# Alternative to user search, if user DNs are all of the same format. +#AUTH_LDAP_USER_DN_TEMPLATE = 'uid=%(user)s,OU=Users,DC=example,DC=com' + +# Mapping of LDAP to user atrributes (key is user attribute name, value is LDAP +# attribute name). +AUTH_LDAP_USER_ATTR_MAP = { + 'first_name': 'givenName', + 'last_name': 'sn', + 'email': 'mail', +} + +# LDAP search query to find groups. Does not support LDAPSearchUnion. +AUTH_LDAP_GROUP_SEARCH = LDAPSearch( + 'DC=example,DC=com', # Base DN + ldap.SCOPE_SUBTREE, # SCOPE_BASE, SCOPE_ONELEVEL, SCOPE_SUBTREE + '(objectClass=group)', # Query +) +# Type of group returned by the search above. Should be one of the types +# listed at: http://pythonhosted.org/django-auth-ldap/groups.html#types-of-groups +AUTH_LDAP_GROUP_TYPE = ActiveDirectoryGroupType() + +# Group DN required to login. If specified, user must be a member of this +# group to login via LDAP. +#AUTH_LDAP_REQUIRE_GROUP = '' + +# Group DN denied from login. If specified, user will not be allowed to login +# if a member of this group. +#AUTH_LDAP_DENY_GROUP = '' + +# User profile flags updated from group membership (key is user attribute name, +# value is group DN). +AUTH_LDAP_USER_FLAGS_BY_GROUP = { + #'is_superuser': 'CN=Domain Admins,CN=Users,DC=example,DC=com', +} + +# Mapping between organization admins/users and LDAP groups. Keys are +# organization names (will be created if not present). Values are dictionaries +# of options for each organization's membership, where each can contain the +# following parameters: +# - remove: True/False. Defaults to False. Specifies the default for +# remove_admins or remove_users if those parameters aren't explicitly set. +# - admins: None, True/False, string or list/tuple of strings. +# If None, organization admins will not be updated. +# If True/False, all LDAP users will be added/removed as admins. +# If a string or list of strings, specifies the group DN(s). User will be +# added as an org admin if the user is a member of ANY of these groups. +# - remove_admins: True/False. Defaults to False. If True, a user who is not a +# member of the given groups will be removed from the organization's admins. +# - users: None, True/False, string or list/tuple of strings. Same rules apply +# as for admins. +# - remove_users: True/False. Defaults to False. If True, a user who is not a +# member of the given groups will be removed from the organization's users. +AUTH_LDAP_ORGANIZATION_MAP = { + #'Test Org': { + # 'admins': 'CN=Domain Admins,CN=Users,DC=example,DC=com', + # 'users': ['CN=Domain Users,CN=Users,DC=example,DC=com'], + #}, + #'Test Org 2': { + # 'admins': ['CN=Administrators,CN=Builtin,DC=example,DC=com'], + # 'users': True, + #}, +} + +# Mapping between team members (users) and LDAP groups. Keys are team names +# (will be created if not present). Values are dictionaries of options for +# each team's membership, where each can contain the following parameters: +# - organization: string. The name of the organization to which the team +# belongs. The team will be created if the combination of organization and +# team name does not exist. The organization will first be created if it +# does not exist. +# - users: None, True/False, string or list/tuple of strings. +# If None, team members will not be updated. +# If True/False, all LDAP users will be added/removed as team members. +# If a string or list of strings, specifies the group DN(s). User will be +# added as a team member if the user is a member of ANY of these groups. +# - remove: True/False. Defaults to False. If True, a user who is not a member +# of the given groups will be removed from the team. +AUTH_LDAP_TEAM_MAP = { + 'My Team': { + 'organization': 'Test Org', + 'users': ['CN=Domain Users,CN=Users,DC=example,DC=com'], + 'remove': True, + }, + 'Other Team': { + 'organization': 'Test Org 2', + 'users': 'CN=Other Users,CN=Users,DC=example,DC=com', + 'remove': False, + }, +} + +############################################################################### +# SCM TEST SETTINGS +############################################################################### + +# Define these variables to enable more complete testing of project support for +# SCM updates. The test repositories listed do not have to contain any valid +# playbooks. + +try: + path = os.path.expanduser(os.path.expandvars('~/.ssh/id_rsa')) + TEST_SSH_KEY_DATA = file(path, 'rb').read() +except IOError: + TEST_SSH_KEY_DATA = '' + +TEST_GIT_USERNAME = '' +TEST_GIT_PASSWORD = '' +TEST_GIT_KEY_DATA = TEST_SSH_KEY_DATA +TEST_GIT_PUBLIC_HTTPS = 'https://github.com/ansible/ansible.github.com.git' +TEST_GIT_PRIVATE_HTTPS = 'https://github.com/ansible/product-docs.git' +TEST_GIT_PRIVATE_SSH = 'git@github.com:ansible/product-docs.git' + +TEST_HG_USERNAME = '' +TEST_HG_PASSWORD = '' +TEST_HG_KEY_DATA = TEST_SSH_KEY_DATA +TEST_HG_PUBLIC_HTTPS = 'https://bitbucket.org/cchurch/django-hotrunner' +TEST_HG_PRIVATE_HTTPS = '' +TEST_HG_PRIVATE_SSH = '' + +TEST_SVN_USERNAME = '' +TEST_SVN_PASSWORD = '' +TEST_SVN_PUBLIC_HTTPS = 'https://github.com/ansible/ansible.github.com' +TEST_SVN_PRIVATE_HTTPS = 'https://github.com/ansible/product-docs' + +# To test repo access via SSH login to localhost. +import getpass +TEST_SSH_LOOPBACK_USERNAME = getpass.getuser() +TEST_SSH_LOOPBACK_PASSWORD = '' + +############################################################################### +# LDAP TEST SETTINGS +############################################################################### + +# LDAP connection and authentication settings for unit tests only. LDAP tests +# will be skipped if TEST_AUTH_LDAP_SERVER_URI is not configured. + +TEST_AUTH_LDAP_SERVER_URI = '' +TEST_AUTH_LDAP_BIND_DN = '' +TEST_AUTH_LDAP_BIND_PASSWORD = '' +TEST_AUTH_LDAP_START_TLS = False + +# LDAP username/password for testing authentication. +TEST_AUTH_LDAP_USERNAME = '' +TEST_AUTH_LDAP_PASSWORD = '' + +# LDAP search query to find users. +TEST_AUTH_LDAP_USER_SEARCH = LDAPSearch( + 'CN=Users,DC=example,DC=com', + ldap.SCOPE_SUBTREE, + '(sAMAccountName=%(user)s)', +) + +# Alternative to user search. +#TEST_AUTH_LDAP_USER_DN_TEMPLATE = 'sAMAccountName=%(user)s,OU=Users,DC=example,DC=com' + +# Mapping of LDAP attributes to user attributes. +TEST_AUTH_LDAP_USER_ATTR_MAP = { + 'first_name': 'givenName', + 'last_name': 'sn', + 'email': 'mail', +} + +# LDAP search query for finding groups. +TEST_AUTH_LDAP_GROUP_SEARCH = LDAPSearch( + 'DC=example,DC=com', + ldap.SCOPE_SUBTREE, + '(objectClass=group)', +) +# Type of group returned by the search above. +TEST_AUTH_LDAP_GROUP_TYPE = ActiveDirectoryGroupType() + +# Test DNs for a group required to login. User should be a member of the first +# group, but not a member of the second. +TEST_AUTH_LDAP_REQUIRE_GROUP = 'CN=Domain Admins,CN=Users,DC=example,DC=com' +TEST_AUTH_LDAP_REQUIRE_GROUP_FAIL = 'CN=Guest,CN=Users,DC=example,DC=com' + +# Test DNs for a group denied from login. User should not be a member of the +# first group, but should be a member of the second. +TEST_AUTH_LDAP_DENY_GROUP = 'CN=Guest,CN=Users,DC=example,DC=com' +TEST_AUTH_LDAP_DENY_GROUP_FAIL = 'CN=Domain Admins,CN=Users,DC=example,DC=com' + +# User profile flags updated from group membership. Test user should be a +# member of the group. +TEST_AUTH_LDAP_USER_FLAGS_BY_GROUP = { + 'is_superuser': 'CN=Domain Admins,CN=Users,DC=example,DC=com', +} + +# Test mapping between organization admins/users and LDAP groups. +TEST_AUTH_LDAP_ORGANIZATION_MAP = { + 'Test Org': { + 'admins': 'CN=Domain Admins,CN=Users,DC=example,DC=com', + 'users': ['CN=Domain Users,CN=Users,DC=example,DC=com'], + }, + 'Test Org 2': { + 'admins': ['CN=Administrators,CN=Builtin,DC=example,DC=com'], + 'users': True, + }, +} +# Expected results from organization mapping. After login, should user be an +# admin/user in the given organization? +TEST_AUTH_LDAP_ORGANIZATION_MAP_RESULT = { + 'Test Org': {'admins': True, 'users': False}, + 'Test Org 2': {'admins': False, 'users': True}, +} + +# Second test mapping to test remove parameters. +TEST_AUTH_LDAP_ORGANIZATION_MAP_2 = { + 'Test Org': { + 'admins': 'CN=Domain Users,CN=Users,DC=example,DC=com', + 'users': True, + 'remove_admins': True, + 'remove_users': False, + }, + 'Test Org 2': { + 'admins': ['CN=Domain Admins,CN=Users,DC=example,DC=com', + 'CN=Administrators,CN=Builtin,DC=example,DC=com'], + 'users': False, + 'remove': True, + }, +} + +# Expected results from second organization mapping. +TEST_AUTH_LDAP_ORGANIZATION_MAP_2_RESULT = { + 'Test Org': {'admins': False, 'users': True}, + 'Test Org 2': {'admins': True, 'users': False}, +} + +# Test mapping between team users and LDAP groups. +TEST_AUTH_LDAP_TEAM_MAP = { + 'Domain Users Team': { + 'organization': 'Test Org', + 'users': ['CN=Domain Users,CN=Users,DC=example,DC=com'], + 'remove': False, + }, + 'Admins Team': { + 'organization': 'Admins Org', + 'users': 'CN=Domain Admins,CN=Users,DC=example,DC=com', + 'remove': True, + }, + 'Everyone Team': { + 'organization': 'Test Org 2', + 'users': True, + }, +} +# Expected results from team mapping. After login, should user be a member of +# the given team? +TEST_AUTH_LDAP_TEAM_MAP_RESULT = { + 'Domain Users Team': {'users': False}, + 'Admins Team': {'users': True}, + 'Everyone Team': {'users': True}, +} + +# Second test mapping for teams to remove user. +TEST_AUTH_LDAP_TEAM_MAP_2 = { + 'Domain Users Team': { + 'organization': 'Test Org', + 'users': ['CN=Domain Users,CN=Users,DC=example,DC=com'], + 'remove': False, + }, + 'Admins Team': { + 'organization': 'Admins Org', + 'users': 'CN=Administrators,CN=Builtin,DC=example,DC=com', + 'remove': True, + }, + 'Everyone Team': { + 'organization': 'Test Org 2', + 'users': False, + 'remove': False, + }, +} +# Expected results from second team mapping. After login, should user be a +# member of the given team? +TEST_AUTH_LDAP_TEAM_MAP_2_RESULT = { + 'Domain Users Team': {'users': False}, + 'Admins Team': {'users': False}, + 'Everyone Team': {'users': True}, +} + +############################################################################### +# INVENTORY IMPORT TEST SETTINGS +############################################################################### + +# Define these variables to enable more complete testing of inventory import +# from cloud providers. + +# EC2 credentials +TEST_AWS_ACCESS_KEY_ID = '' +TEST_AWS_SECRET_ACCESS_KEY = '' +TEST_AWS_REGIONS = 'all' +# Check IAM STS credentials +TEST_AWS_SECURITY_TOKEN = '' + +# Rackspace credentials +TEST_RACKSPACE_USERNAME = '' +TEST_RACKSPACE_API_KEY = '' +TEST_RACKSPACE_REGIONS = 'all' + +# VMware credentials +TEST_VMWARE_HOST = '' +TEST_VMWARE_USER = '' +TEST_VMWARE_PASSWORD = '' + +# OpenStack credentials +TEST_OPENSTACK_HOST = '' +TEST_OPENSTACK_USER = '' +TEST_OPENSTACK_PASSWORD = '' +TEST_OPENSTACK_PROJECT = '' + +# Azure credentials. +TEST_AZURE_USERNAME = '' +TEST_AZURE_KEY_DATA = '' diff --git a/awx/settings/local_settings.py.example b/awx/settings/local_settings.py.example index 042614c32d..34d65e163f 100644 --- a/awx/settings/local_settings.py.example +++ b/awx/settings/local_settings.py.example @@ -481,6 +481,9 @@ TEST_AUTH_LDAP_TEAM_MAP_2_RESULT = { TEST_AWS_ACCESS_KEY_ID = '' TEST_AWS_SECRET_ACCESS_KEY = '' TEST_AWS_REGIONS = 'all' +# Check IAM STS credentials +TEST_AWS_SECURITY_TOKEN = '' + # Rackspace credentials TEST_RACKSPACE_USERNAME = ''