From c013d656c8967c4b8444bdb5df0b3114f62c74df Mon Sep 17 00:00:00 2001 From: Graham Mainwaring Date: Mon, 21 Oct 2019 16:10:25 -0400 Subject: [PATCH] Add UI toggle to disable public Galaxy (#3867) --- awx/main/conf.py | 10 +++++++++ awx/main/redact.py | 8 ++++--- awx/main/tasks.py | 12 +++++++--- awx/settings/defaults.py | 22 ++++++++++--------- .../jobs-form/configuration-jobs.form.js | 3 +++ 5 files changed, 39 insertions(+), 16 deletions(-) diff --git a/awx/main/conf.py b/awx/main/conf.py index cce5e0a5de..f63fee564f 100644 --- a/awx/main/conf.py +++ b/awx/main/conf.py @@ -513,6 +513,16 @@ register( category_slug='jobs' ) +register( + 'PUBLIC_GALAXY_ENABLED', + field_class=fields.BooleanField, + default=True, + label=_('Allow Access to Public Galaxy'), + help_text=_('Allow or deny access to the public Ansible Galaxy during project updates.'), + category=_('Jobs'), + category_slug='jobs' +) + register( 'STDOUT_MAX_BYTES_DISPLAY', field_class=fields.IntegerField, diff --git a/awx/main/redact.py b/awx/main/redact.py index ae60684377..77fc062135 100644 --- a/awx/main/redact.py +++ b/awx/main/redact.py @@ -12,10 +12,12 @@ class UriCleaner(object): @staticmethod def remove_sensitive(cleartext): + # exclude_list contains the items that will _not_ be redacted + exclude_list = [settings.PUBLIC_GALAXY_SERVER['url']] if settings.PRIMARY_GALAXY_URL: - exclude_list = [settings.PRIMARY_GALAXY_URL] + [server['url'] for server in settings.FALLBACK_GALAXY_SERVERS] - else: - exclude_list = [server['url'] for server in settings.FALLBACK_GALAXY_SERVERS] + exclude_list += [settings.PRIMARY_GALAXY_URL] + if settings.FALLBACK_GALAXY_SERVERS: + exclude_list += [server['url'] for server in settings.FALLBACK_GALAXY_SERVERS] redactedtext = cleartext text_index = 0 while True: diff --git a/awx/main/tasks.py b/awx/main/tasks.py index ff53cd00ac..a91a4cf4b2 100644 --- a/awx/main/tasks.py +++ b/awx/main/tasks.py 
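Review bot: The label and help_text of the new `PUBLIC_GALAXY_ENABLED` registration in awx/main/conf.py promise to "allow or deny access", which is stronger than what the flag does. In the tasks.py hunk of this same commit it only decides whether `PUBLIC_GALAXY_SERVER` goes into the server list built for a project update. An administrator treating the toggle as an egress control could be misled, since requirements that name their own source are presumably unaffected (not visible in this patch). I would describe the actual effect, e.g. `help_text=_('Include the public Ansible Galaxy in the Galaxy servers used during project updates.')`.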
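Review bot: In `remove_sensitive` (awx/main/redact.py), `PRIMARY_GALAXY_URL` and every fallback `server['url']` go onto the do-not-redact list exactly as the operator typed them, so a URL configured with embedded credentials would presumably reach job output in clear. The loop that consumes `exclude_list` continues outside this hunk, so confirm it there. Exempt only URLs without a userinfo part, e.g. `exclude_list = [u for u in exclude_list if '@' not in urlparse(u).netloc]` once the list is built (this needs `urlparse` from `urllib.parse` in scope). Separately, `settings.PUBLIC_GALAXY_SERVER['url']` is read unconditionally and raises if a site overrides that setting without a `url` key; `.get('url')` with a skip on an empty value would keep redaction working.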
@@ -1959,9 +1959,15 @@ class RunProjectUpdate(BaseTask): env['PROJECT_UPDATE_ID'] = str(project_update.pk) env['ANSIBLE_CALLBACK_PLUGINS'] = self.get_path_to('..', 'plugins', 'callback') env['ANSIBLE_GALAXY_IGNORE'] = True - # Set up the fallback server, which is the normal Ansible Galaxy by default - galaxy_servers = list(settings.FALLBACK_GALAXY_SERVERS) - # If private galaxy URL is non-blank, that means this feature is enabled + # Set up the public Galaxy server, if enabled + if settings.PUBLIC_GALAXY_ENABLED: + galaxy_servers = [settings.PUBLIC_GALAXY_SERVER] + else: + galaxy_servers = [] + # Set up fallback Galaxy servers, if configured + if settings.FALLBACK_GALAXY_SERVERS: + galaxy_servers = settings.FALLBACK_GALAXY_SERVERS + galaxy_servers + # Set up the primary Galaxy server, if configured if settings.PRIMARY_GALAXY_URL: galaxy_servers = [{'id': 'primary_galaxy'}] + galaxy_servers for key in GALAXY_SERVER_FIELDS: diff --git a/awx/settings/defaults.py b/awx/settings/defaults.py index 658d41d6b3..ab8a5492e8 100644 --- a/awx/settings/defaults.py +++ b/awx/settings/defaults.py 
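Review bot: With `PUBLIC_GALAXY_ENABLED` off and neither fallback nor primary servers configured, `galaxy_servers` ends this block as an empty list, and nothing in the hunk handles that case. ansible-galaxy uses the public Galaxy as its built-in default when it is given no server list, so if the code after this hunk simply skips exporting the list, the toggle would fail open; the consuming loop and env setup are outside the hunk, so this needs confirming there. I would make the empty case explicit, e.g. `galaxy_configured = bool(galaxy_servers)` with the requirements install skipped when it is false, and add a comment `# no Galaxy server configured: skip role/collection installs rather than fall back to ansible-galaxy's default`.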
@@ -635,16 +635,18 @@ PRIMARY_GALAXY_USERNAME = '' PRIMARY_GALAXY_TOKEN = '' PRIMARY_GALAXY_PASSWORD = '' PRIMARY_GALAXY_AUTH_URL = '' -# Settings for the fallback galaxy server(s), normally this is the -# actual Ansible Galaxy site. -# server options: 'id', 'url', 'username', 'password', 'token', 'auth_url' -# To not use any fallback servers set this to [] -FALLBACK_GALAXY_SERVERS = [ - { - 'id': 'galaxy', - 'url': 'https://galaxy.ansible.com' - } -] + +# Settings for the public galaxy server(s). +PUBLIC_GALAXY_ENABLED = True +PUBLIC_GALAXY_SERVER = { + 'id': 'galaxy', + 'url': 'https://galaxy.ansible.com' +} + +# List of dicts of fallback (additional) Galaxy servers. If configured, these +# will be higher precedence than public Galaxy, but lower than primary Galaxy. +# Available options: 'id', 'url', 'username', 'password', 'token', 'auth_url' +FALLBACK_GALAXY_SERVERS = [] # Enable bubblewrap support for running jobs (playbook runs only). # Note: This setting may be overridden by database settings. diff --git a/awx/ui/client/src/configuration/forms/jobs-form/configuration-jobs.form.js b/awx/ui/client/src/configuration/forms/jobs-form/configuration-jobs.form.js index 445b0864a2..ab3aa7404c 100644 --- a/awx/ui/client/src/configuration/forms/jobs-form/configuration-jobs.form.js +++ b/awx/ui/client/src/configuration/forms/jobs-form/configuration-jobs.form.js @@ -89,6 +89,9 @@ export default ['i18n', function(i18n) { type: 'text', reset: 'PRIMARY_GALAXY_AUTH_URL', }, + PUBLIC_GALAXY_ENABLED: { + type: 'toggleSwitch', + }, AWX_TASK_ENV: { type: 'textarea', reset: 'AWX_TASK_ENV',
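Review bot: The removed comment in awx/settings/defaults.py told operators "To not use any fallback servers set this to []", and with `PUBLIC_GALAXY_ENABLED = True` as the new default, a site that followed that advice to keep public Galaxy out gets it back on upgrade without changing anything. A site that kept the old default entry in its own `FALLBACK_GALAXY_SERVERS` override would also end up with the `galaxy` id listed twice, given how tasks.py now concatenates the lists. This should be called out in the new comment block and in the upgrade notes, e.g. `# NOTE: FALLBACK_GALAXY_SERVERS = [] no longer disables public Galaxy; set PUBLIC_GALAXY_ENABLED = False instead.` A data migration that sets the flag to False where the stored fallback list is empty would preserve the operator's original intent.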