From 31650bb0bd99ecf689f08497faa935ffd47ab869 Mon Sep 17 00:00:00 2001
From: Shane McDonald <me@shanemcd.com>
Date: Fri, 22 Nov 2019 11:39:08 -0500
Subject: [PATCH 01/36] Remove usage of idle_timeout when checking status of
 isolated / containerized jobs

---
 awx/main/isolated/manager.py | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/awx/main/isolated/manager.py b/awx/main/isolated/manager.py
index 642ba373a4..ae09176cbc 100644
--- a/awx/main/isolated/manager.py
+++ b/awx/main/isolated/manager.py
@@ -40,7 +40,6 @@ class IsolatedManager(object):
         """
         self.cancelled_callback = cancelled_callback
         self.check_callback = check_callback
-        self.idle_timeout = max(60, 2 * settings.AWX_ISOLATED_CONNECTION_TIMEOUT)
         self.started_at = None
         self.captured_command_artifact = False
         self.instance = None
@@ -108,7 +107,6 @@ class IsolatedManager(object):
             'verbosity': verbosity,
             'cancel_callback': self.cancelled_callback,
             'settings': {
-                'idle_timeout': self.idle_timeout,
                 'job_timeout': settings.AWX_ISOLATED_LAUNCH_TIMEOUT,
                 'pexpect_timeout': getattr(settings, 'PEXPECT_TIMEOUT', 5),
                 'suppress_ansible_output': True,
@@ -118,7 +116,7 @@ class IsolatedManager(object):
     def path_to(self, *args):
         return os.path.join(self.private_data_dir, *args)
 
-    def run_management_playbook(self, playbook, private_data_dir, **kw):
+    def run_management_playbook(self, playbook, private_data_dir, idle_timeout=None, **kw):
         iso_dir = tempfile.mkdtemp(
             prefix=playbook,
             dir=private_data_dir
@@ -126,6 +124,8 @@ class IsolatedManager(object):
         params = self.runner_params.copy()
         params['playbook'] = playbook
         params['private_data_dir'] = iso_dir
+        if idle_timeout:
+            params['settings']['idle_timeout'] = idle_timeout
         params.update(**kw)
         if all([
             getattr(settings, 'AWX_ISOLATED_KEY_GENERATION', False) is True,
@@ -177,6 +177,7 @@ class IsolatedManager(object):
         logger.debug('Starting job {} on isolated host with `run_isolated.yml` playbook.'.format(self.instance.id))
         runner_obj = self.run_management_playbook('run_isolated.yml',
                                                   self.private_data_dir,
+                                                  idle_timeout=max(60, 2 * settings.AWX_ISOLATED_CONNECTION_TIMEOUT),
                                                   extravars=extravars)
 
         if runner_obj.status == 'failed':

From ee8775a08d96081c875d41f62daaa155b54957bf Mon Sep 17 00:00:00 2001
From: mabashian <mabashia@redhat.com>
Date: Thu, 21 Nov 2019 11:05:06 -0500
Subject: [PATCH 02/36] Adds link to docs on container groups add/edit forms to
 match instance groups.  Updates instance groups link.

---
 .../add-edit/add-instance-group.controller.js               | 4 ++--
 .../add-edit/edit-instance-group.controller.js              | 4 ++--
 .../container-groups/add-container-group.controller.js      | 5 +++++
 .../container-groups/add-container-group.view.html          | 6 +++++-
 .../container-groups/edit-container-group.controller.js     | 5 +++++
 .../client/src/instance-groups/instance-groups.strings.js   | 3 ++-
 6 files changed, 21 insertions(+), 6 deletions(-)

diff --git a/awx/ui/client/src/instance-groups/add-edit/add-instance-group.controller.js b/awx/ui/client/src/instance-groups/add-edit/add-instance-group.controller.js
index 537096996b..d556c6dbbe 100644
--- a/awx/ui/client/src/instance-groups/add-edit/add-instance-group.controller.js
+++ b/awx/ui/client/src/instance-groups/add-edit/add-instance-group.controller.js
@@ -7,8 +7,8 @@ function AddController ($state, models, strings) {
     vm.panelTitle = strings.get('state.ADD_BREADCRUMB_LABEL');
 
     vm.docs = {
-        url: 'https://docs.ansible.com/ansible-tower/latest/html/administration/clustering.html',
-        help_text: vm.strings.get('tooltips.DOCS_HELP_TEXT')
+        url: 'https://docs.ansible.com/ansible-tower/latest/html/userguide/instance_groups.html',
+        help_text: vm.strings.get('tooltips.IG_DOCS_HELP_TEXT')
     };
 
     vm.tab = {
diff --git a/awx/ui/client/src/instance-groups/add-edit/edit-instance-group.controller.js b/awx/ui/client/src/instance-groups/add-edit/edit-instance-group.controller.js
index 18401ca08e..55972e36fe 100644
--- a/awx/ui/client/src/instance-groups/add-edit/edit-instance-group.controller.js
+++ b/awx/ui/client/src/instance-groups/add-edit/edit-instance-group.controller.js
@@ -17,8 +17,8 @@ function EditController ($rootScope, $state, models, strings) {
     vm.panelTitle = instanceGroup.get('name');
 
     vm.docs = {
-        url: 'https://docs.ansible.com/ansible-tower/latest/html/administration/clustering.html',
-        help_text: vm.strings.get('tooltips.DOCS_HELP_TEXT')
+        url: 'https://docs.ansible.com/ansible-tower/latest/html/userguide/instance_groups.html',
+        help_text: vm.strings.get('tooltips.IG_DOCS_HELP_TEXT')
     };
 
     vm.tab = {
diff --git a/awx/ui/client/src/instance-groups/container-groups/add-container-group.controller.js b/awx/ui/client/src/instance-groups/container-groups/add-container-group.controller.js
index fc6bfaf846..cdab0e89fc 100644
--- a/awx/ui/client/src/instance-groups/container-groups/add-container-group.controller.js
+++ b/awx/ui/client/src/instance-groups/container-groups/add-container-group.controller.js
@@ -10,6 +10,11 @@ function AddContainerGroupController(ToJSON, $scope, $state, models, strings, i1
   vm.panelTitle = strings.get('state.ADD_CONTAINER_GROUP_BREADCRUMB_LABEL');
   vm.lookUpTitle = strings.get('container.LOOK_UP_TITLE');
 
+  vm.docs = {
+    url: 'https://docs.ansible.com/ansible-tower/latest/html/administration/external_execution_envs.html#ag-container-groups',
+    help_text: vm.strings.get('tooltips.CG_DOCS_HELP_TEXT')
+  };
+
   vm.form = instanceGroup.createFormSchema('post');
   vm.form.name.required = true;
   delete vm.form.name.help_text;
diff --git a/awx/ui/client/src/instance-groups/container-groups/add-container-group.view.html b/awx/ui/client/src/instance-groups/container-groups/add-container-group.view.html
index a7c3dcb446..3e27ee18bf 100644
--- a/awx/ui/client/src/instance-groups/container-groups/add-container-group.view.html
+++ b/awx/ui/client/src/instance-groups/container-groups/add-container-group.view.html
@@ -6,7 +6,11 @@
   </div>
 </a>
 <at-panel>
-  <at-panel-heading title="{{:: vm.panelTitle }}"></at-panel-heading>
+  <at-panel-heading title="{{:: vm.panelTitle }}">
+    <a class="Panel-docsLink" ng-href="{{ vm.docs.url }}" target="_blank" aw-tool-tip="{{:: vm.docs.help_text }}">
+      <i class="fa fa-book"></i>
+    </a>
+  </at-panel-heading>
   <at-tab-group>
       <at-tab state="vm.tab.details">{{:: vm.strings.get('tab.DETAILS') }}</at-tab>
       <at-tab state="vm.tab.jobs">{{:: vm.strings.get('tab.JOBS') }}</at-tab>
diff --git a/awx/ui/client/src/instance-groups/container-groups/edit-container-group.controller.js b/awx/ui/client/src/instance-groups/container-groups/edit-container-group.controller.js
index 62740a559d..45b6f9a3b1 100644
--- a/awx/ui/client/src/instance-groups/container-groups/edit-container-group.controller.js
+++ b/awx/ui/client/src/instance-groups/container-groups/edit-container-group.controller.js
@@ -23,6 +23,11 @@ function EditContainerGroupController($rootScope, $scope, $state, models, string
   vm.panelTitle = EditContainerGroupDataset.data.name;
   vm.lookUpTitle = strings.get('container.LOOK_UP_TITLE');
 
+  vm.docs = {
+    url: 'https://docs.ansible.com/ansible-tower/latest/html/administration/external_execution_envs.html#ag-container-groups',
+    help_text: vm.strings.get('tooltips.CG_DOCS_HELP_TEXT')
+  };
+
   vm.form = instanceGroup.createFormSchema('post');
   vm.switchDisabled = false;
   vm.form.disabled = !instanceGroup.has('options', 'actions.PUT');
diff --git a/awx/ui/client/src/instance-groups/instance-groups.strings.js b/awx/ui/client/src/instance-groups/instance-groups.strings.js
index 6e1e118f08..74fd210350 100644
--- a/awx/ui/client/src/instance-groups/instance-groups.strings.js
+++ b/awx/ui/client/src/instance-groups/instance-groups.strings.js
@@ -32,7 +32,8 @@ function InstanceGroupsStrings(BaseString) {
     ns.tooltips = {
         ADD_INSTANCE_GROUP: t.s('Create a new Instance Group'),
         ASSOCIATE_INSTANCES: t.s('Associate an existing Instance'),
-        DOCS_HELP_TEXT: t.s('Instance Groups Help')
+        IG_DOCS_HELP_TEXT: t.s('Instance Groups Help'),
+        CG_DOCS_HELP_TEXT: t.s('Container Groups Help')
     };
 
     ns.instance = {

From 12363ae1753eddf33e00a7d9526daa2896a6bbeb Mon Sep 17 00:00:00 2001
From: Shane McDonald <me@shanemcd.com>
Date: Mon, 25 Nov 2019 11:32:41 -0500
Subject: [PATCH 03/36] Fix Docker build caching

The flow will need to be:

- Pre-pull image you want to use
- Re-tag as image:$(COMPOSE_TAG)
- COMPOSE_TAG=mytag make docker-compose-build
---
 Makefile | 1 -
 1 file changed, 1 deletion(-)

diff --git a/Makefile b/Makefile
index 98caaba7df..03f6f21941 100644
--- a/Makefile
+++ b/Makefile
@@ -654,7 +654,6 @@ docker-compose-build: awx-devel-build
 # Base development image build
 awx-devel-build:
 	docker build -t ansible/awx_devel -f tools/docker-compose/Dockerfile \
-		--cache-from=$(DEV_DOCKER_TAG_BASE)/awx_devel:devel \
 		--cache-from=$(DEV_DOCKER_TAG_BASE)/awx_devel:$(COMPOSE_TAG) .
 	docker tag ansible/awx_devel $(DEV_DOCKER_TAG_BASE)/awx_devel:$(COMPOSE_TAG)
 	#docker push $(DEV_DOCKER_TAG_BASE)/awx_devel:$(COMPOSE_TAG)

From ce8c0066d048bf4d91a53a51ebbbd6dc9a241b64 Mon Sep 17 00:00:00 2001
From: Shane McDonald <me@shanemcd.com>
Date: Mon, 25 Nov 2019 12:51:49 -0500
Subject: [PATCH 04/36] Fix downstream tests

I backported how we do the VERSION detection in 3.5.something. This should
already be fixed upstream.
---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index 03f6f21941..8f9716e64b 100644
--- a/Makefile
+++ b/Makefile
@@ -364,7 +364,7 @@ check: flake8 pep8 # pyflakes pylint
 
 awx-link:
 	cp -R /tmp/awx.egg-info /awx_devel/ || true
-	sed -i "s/placeholder/$(shell git describe --long | sed 's/\./\\./g')/" /awx_devel/awx.egg-info/PKG-INFO
+	sed -i "s/placeholder/$(shell cat VERSION)/" /awx_devel/awx.egg-info/PKG-INFO
 	cp -f /tmp/awx.egg-link /venv/awx/lib/python$(PYTHON_VERSION)/site-packages/awx.egg-link
 
 TEST_DIRS ?= awx/main/tests/unit awx/main/tests/functional awx/conf/tests awx/sso/tests

From 695eab1fdd5856c74d71a075ef97b78d0fd6984f Mon Sep 17 00:00:00 2001
From: AlanCoding <arominge@redhat.com>
Date: Tue, 26 Nov 2019 09:39:05 -0500
Subject: [PATCH 05/36] fix duplicate exception sanity error

---
 awx_collection/plugins/modules/tower_credential.py | 2 +-
 awx_collection/plugins/modules/tower_group.py      | 2 +-
 awx_collection/plugins/modules/tower_label.py      | 2 +-
 awx_collection/plugins/modules/tower_team.py       | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/awx_collection/plugins/modules/tower_credential.py b/awx_collection/plugins/modules/tower_credential.py
index a87d76fecb..d2f2d9bd5f 100644
--- a/awx_collection/plugins/modules/tower_credential.py
+++ b/awx_collection/plugins/modules/tower_credential.py
@@ -404,7 +404,7 @@ def main():
                 result = credential.delete(**params)
         except (exc.NotFound) as excinfo:
             module.fail_json(msg='Failed to update credential, organization not found: {0}'.format(excinfo), changed=False)
-        except (exc.ConnectionError, exc.BadRequest, exc.NotFound, exc.AuthError) as excinfo:
+        except (exc.ConnectionError, exc.BadRequest, exc.AuthError) as excinfo:
             module.fail_json(msg='Failed to update credential: {0}'.format(excinfo), changed=False)
 
     json_output['changed'] = result['changed']
diff --git a/awx_collection/plugins/modules/tower_group.py b/awx_collection/plugins/modules/tower_group.py
index bd9feaf91f..0b4269b5f7 100644
--- a/awx_collection/plugins/modules/tower_group.py
+++ b/awx_collection/plugins/modules/tower_group.py
@@ -180,7 +180,7 @@ def main():
                 result = group.delete(**params)
         except (exc.NotFound) as excinfo:
             module.fail_json(msg='Failed to update the group, inventory not found: {0}'.format(excinfo), changed=False)
-        except (exc.ConnectionError, exc.BadRequest, exc.NotFound, exc.AuthError) as excinfo:
+        except (exc.ConnectionError, exc.BadRequest, exc.AuthError) as excinfo:
             module.fail_json(msg='Failed to update the group: {0}'.format(excinfo), changed=False)
 
     json_output['changed'] = result['changed']
diff --git a/awx_collection/plugins/modules/tower_label.py b/awx_collection/plugins/modules/tower_label.py
index 254d9d4986..e5085cfd27 100644
--- a/awx_collection/plugins/modules/tower_label.py
+++ b/awx_collection/plugins/modules/tower_label.py
@@ -94,7 +94,7 @@ def main():
                 result = label.delete(name=name, organization=org['id'])
         except (exc.NotFound) as excinfo:
             module.fail_json(msg='Failed to update label, organization not found: {0}'.format(excinfo), changed=False)
-        except (exc.ConnectionError, exc.BadRequest, exc.NotFound, exc.AuthError) as excinfo:
+        except (exc.ConnectionError, exc.BadRequest, exc.AuthError) as excinfo:
             module.fail_json(msg='Failed to update label: {0}'.format(excinfo), changed=False)
 
     json_output['changed'] = result['changed']
diff --git a/awx_collection/plugins/modules/tower_team.py b/awx_collection/plugins/modules/tower_team.py
index 80aff36f04..dc34f4d706 100644
--- a/awx_collection/plugins/modules/tower_team.py
+++ b/awx_collection/plugins/modules/tower_team.py
@@ -103,7 +103,7 @@ def main():
                 result = team.delete(name=name, organization=org['id'])
         except (exc.NotFound) as excinfo:
             module.fail_json(msg='Failed to update team, organization not found: {0}'.format(excinfo), changed=False)
-        except (exc.ConnectionError, exc.BadRequest, exc.NotFound, exc.AuthError) as excinfo:
+        except (exc.ConnectionError, exc.BadRequest, exc.AuthError) as excinfo:
             module.fail_json(msg='Failed to update team: {0}'.format(excinfo), changed=False)
 
     json_output['changed'] = result['changed']

From 68f17eb370b114f837d627793f7cde2c43e15d09 Mon Sep 17 00:00:00 2001
From: Ryan Petrello <rpetrell@redhat.com>
Date: Tue, 26 Nov 2019 23:29:50 -0500
Subject: [PATCH 06/36] bump asgi-amqp dependency

---
 requirements/requirements.in  | 2 +-
 requirements/requirements.txt | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/requirements/requirements.in b/requirements/requirements.in
index e26d228bd4..eb61733474 100644
--- a/requirements/requirements.in
+++ b/requirements/requirements.in
@@ -1,6 +1,6 @@
 ansible-runner==1.4.4
 appdirs==1.4.2
-asgi-amqp==1.1.3
+asgi-amqp==1.1.4
 azure-keyvault==1.1.0
 boto==2.47.0
 channels==1.1.8
diff --git a/requirements/requirements.txt b/requirements/requirements.txt
index 89d1ef12ac..e446994ee9 100644
--- a/requirements/requirements.txt
+++ b/requirements/requirements.txt
@@ -3,7 +3,7 @@ amqp==2.4.2               # via kombu
 ansible-runner==1.4.4
 appdirs==1.4.2
 argparse==1.4.0           # via uwsgitop
-asgi-amqp==1.1.3
+asgi-amqp==1.1.4
 asgiref==1.1.2            # via asgi-amqp, channels, daphne
 asn1crypto==0.24.0        # via cryptography
 attrs==19.1.0             # via automat, service-identity, twisted

From ffdcb2f8eb7e2dc43aa0d05dd8a5d817d28da759 Mon Sep 17 00:00:00 2001
From: Ryan Petrello <rpetrell@redhat.com>
Date: Tue, 19 Nov 2019 09:21:04 -0500
Subject: [PATCH 07/36] fix busted tests

---
 awx/main/tests/functional/models/test_notifications.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/awx/main/tests/functional/models/test_notifications.py b/awx/main/tests/functional/models/test_notifications.py
index 1b671efdcb..00cc217a82 100644
--- a/awx/main/tests/functional/models/test_notifications.py
+++ b/awx/main/tests/functional/models/test_notifications.py
@@ -88,6 +88,9 @@ class TestJobNotificationMixin(object):
                                  'verbosity': int},
                          'job_friendly_name': str,
                          'job_metadata': str,
+                         'approval_status': str,
+                         'approval_node_name': str,
+                         'workflow_url': str,
                          'url': str}
 
 

From ea5d4293995b4eadc517ee75d3b85eed46c3ed29 Mon Sep 17 00:00:00 2001
From: Ryan Petrello <rpetrell@redhat.com>
Date: Mon, 25 Nov 2019 11:50:09 -0500
Subject: [PATCH 08/36] fix a few bugs with the session and oauth2 cleanup
 scheduled jobs

see: https://github.com/ansible/tower/issues/3940
---
 awx/api/serializers.py                        |  4 +++
 awx/main/models/jobs.py                       | 25 ++++++++++---------
 awx/main/tasks.py                             |  9 ++++---
 .../tests/unit/models/test_system_jobs.py     | 12 ++++++---
 4 files changed, 30 insertions(+), 20 deletions(-)

diff --git a/awx/api/serializers.py b/awx/api/serializers.py
index a3d8d43306..d95a754e71 100644
--- a/awx/api/serializers.py
+++ b/awx/api/serializers.py
@@ -4658,6 +4658,10 @@ class ScheduleSerializer(LaunchConfigurationBaseSerializer, SchedulePreviewSeria
 
     def get_summary_fields(self, obj):
         summary_fields = super(ScheduleSerializer, self).get_summary_fields(obj)
+
+        if isinstance(obj.unified_job_template, SystemJobTemplate):
+            summary_fields['unified_job_template']['job_type'] = obj.unified_job_template.job_type
+
         if 'inventory' in summary_fields:
             return summary_fields
 
diff --git a/awx/main/models/jobs.py b/awx/main/models/jobs.py
index d573d1ed96..ae2f772526 100644
--- a/awx/main/models/jobs.py
+++ b/awx/main/models/jobs.py
@@ -1179,18 +1179,19 @@ class SystemJobTemplate(UnifiedJobTemplate, SystemJobOptions):
             for key in unallowed_vars:
                 rejected[key] = data.pop(key)
 
-        if 'days' in data:
-            try:
-                if type(data['days']) is bool:
-                    raise ValueError
-                if float(data['days']) != int(data['days']):
-                    raise ValueError
-                days = int(data['days'])
-                if days < 0:
-                    raise ValueError
-            except ValueError:
-                errors_list.append(_("days must be a positive integer."))
-                rejected['days'] = data.pop('days')
+        if self.job_type in ('cleanup_jobs', 'cleanup_activitystream'):
+            if 'days' in data:
+                try:
+                    if isinstance(data['days'], (bool, type(None))):
+                        raise ValueError
+                    if float(data['days']) != int(data['days']):
+                        raise ValueError
+                    days = int(data['days'])
+                    if days < 0:
+                        raise ValueError
+                except ValueError:
+                    errors_list.append(_("days must be a positive integer."))
+                    rejected['days'] = data.pop('days')
 
         if errors_list:
             errors['extra_vars'] = errors_list
diff --git a/awx/main/tasks.py b/awx/main/tasks.py
index 7429f8f458..37ef703a29 100644
--- a/awx/main/tasks.py
+++ b/awx/main/tasks.py
@@ -2761,10 +2761,11 @@ class RunSystemJob(BaseTask):
                 json_vars = {}
             else:
                 json_vars = json.loads(system_job.extra_vars)
-            if 'days' in json_vars:
-                args.extend(['--days', str(json_vars.get('days', 60))])
-            if 'dry_run' in json_vars and json_vars['dry_run']:
-                args.extend(['--dry-run'])
+            if system_job.job_type in ('cleanup_jobs', 'cleanup_activitystream'):
+                if 'days' in json_vars:
+                    args.extend(['--days', str(json_vars.get('days', 60))])
+                if 'dry_run' in json_vars and json_vars['dry_run']:
+                    args.extend(['--dry-run'])
             if system_job.job_type == 'cleanup_jobs':
                 args.extend(['--jobs', '--project-updates', '--inventory-updates',
                              '--management-jobs', '--ad-hoc-commands', '--workflow-jobs',
diff --git a/awx/main/tests/unit/models/test_system_jobs.py b/awx/main/tests/unit/models/test_system_jobs.py
index 045928be07..2ed9204adb 100644
--- a/awx/main/tests/unit/models/test_system_jobs.py
+++ b/awx/main/tests/unit/models/test_system_jobs.py
@@ -12,7 +12,9 @@ from awx.main.models import SystemJobTemplate
     {"days": 13435},
 ])
 def test_valid__clean_extra_data_system_jobs(extra_data):
-    accepted, rejected, errors = SystemJobTemplate().accept_or_ignore_variables(extra_data)
+    accepted, rejected, errors = SystemJobTemplate(
+        job_type='cleanup_jobs'
+    ).accept_or_ignore_variables(extra_data)
     assert not rejected
     assert not errors
 
@@ -32,12 +34,14 @@ def test_valid__clean_extra_data_system_jobs(extra_data):
     {"days": "foobar"},
 ])
 def test_invalid__extra_data_system_jobs(extra_data):
-    accepted, rejected, errors = SystemJobTemplate().accept_or_ignore_variables(extra_data)
+    accepted, rejected, errors = SystemJobTemplate(
+        job_type='cleanup_jobs'
+    ).accept_or_ignore_variables(extra_data)
     assert str(errors['extra_vars'][0]) == u'days must be a positive integer.'
 
 
 def test_unallowed_system_job_data():
-    sjt = SystemJobTemplate()
+    sjt = SystemJobTemplate(job_type='cleanup_jobs')
     accepted, ignored, errors = sjt.accept_or_ignore_variables({
         'days': 34,
         'foobar': 'baz'
@@ -54,7 +58,7 @@ def test_reject_other_prommpts():
 
 
 def test_reject_some_accept_some():
-    sjt = SystemJobTemplate()
+    sjt = SystemJobTemplate(job_type='cleanup_jobs')
     accepted, ignored, errors = sjt._accept_or_ignore_job_kwargs(limit="", extra_vars={
         'days': 34,
         'foobar': 'baz'

From ee6e28e0661f1e3a6d55cf02dc6e6ef76543c4e1 Mon Sep 17 00:00:00 2001
From: mabashian <mabashia@redhat.com>
Date: Tue, 26 Nov 2019 15:05:45 -0500
Subject: [PATCH 09/36] Only show the days to keep input on the scheduler for
 system jobs that require it.  Hides this field for cleaning up tokens and
 sessions.

---
 awx/ui/client/src/management-jobs/card/card.controller.js  | 1 -
 .../management-jobs/scheduler/schedulerForm.partial.html   | 2 +-
 .../src/scheduler/factories/schedule-post.factory.js       | 2 +-
 awx/ui/client/src/scheduler/schedulerAdd.controller.js     | 5 ++++-
 awx/ui/client/src/scheduler/schedulerEdit.controller.js    | 7 +++++--
 5 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/awx/ui/client/src/management-jobs/card/card.controller.js b/awx/ui/client/src/management-jobs/card/card.controller.js
index 930f04cd51..d266900ea5 100644
--- a/awx/ui/client/src/management-jobs/card/card.controller.js
+++ b/awx/ui/client/src/management-jobs/card/card.controller.js
@@ -31,7 +31,6 @@ export default
                 };
                 getManagementJobs();
 
-                $scope.cleanupJob = true;
                 // This handles the case where the user refreshes the management job notifications page.
                 if($state.current.name === 'managementJobsList.notifications') {
                     $scope.activeCard = parseInt($state.params.management_id);
diff --git a/awx/ui/client/src/management-jobs/scheduler/schedulerForm.partial.html b/awx/ui/client/src/management-jobs/scheduler/schedulerForm.partial.html
index 065a78d4e3..58dfbff4c9 100644
--- a/awx/ui/client/src/management-jobs/scheduler/schedulerForm.partial.html
+++ b/awx/ui/client/src/management-jobs/scheduler/schedulerForm.partial.html
@@ -164,7 +164,7 @@
                     ng-show="sheduler_frequency_error">
                 </div>
             </div>
-            <div class="form-group SchedulerForm-formGroup" ng-if="cleanupJob">
+            <div class="form-group SchedulerForm-formGroup" ng-if="askDaysToKeep">
                 <label class="Form-inputLabel">
                     <span class="red-text">*</span>
                     <span translate>Days of data to keep</span>
diff --git a/awx/ui/client/src/scheduler/factories/schedule-post.factory.js b/awx/ui/client/src/scheduler/factories/schedule-post.factory.js
index 619d2670a9..b4338ab63f 100644
--- a/awx/ui/client/src/scheduler/factories/schedule-post.factory.js
+++ b/awx/ui/client/src/scheduler/factories/schedule-post.factory.js
@@ -18,7 +18,7 @@ export default
                 scheduleData.rrule = RRuleToAPI(rrule.toString(), scope);
                 scheduleData.description = (/error/.test(rrule.toText())) ? '' : rrule.toText();
 
-                if (scope.cleanupJob) {
+                if (scope.askDaysToKeep) {
                     extra_vars = {
                         "days" : scope.scheduler_form.schedulerPurgeDays.$viewValue
                     };
diff --git a/awx/ui/client/src/scheduler/schedulerAdd.controller.js b/awx/ui/client/src/scheduler/schedulerAdd.controller.js
index b3da96058d..66e367056c 100644
--- a/awx/ui/client/src/scheduler/schedulerAdd.controller.js
+++ b/awx/ui/client/src/scheduler/schedulerAdd.controller.js
@@ -347,7 +347,10 @@ export default ['$filter', '$state', '$stateParams', '$http', 'Wait',
         }
     } else if (base === 'system_job_templates') {
         schedule_url = GetBasePath(base) + $stateParams.id + '/schedules/';
-        $scope.cleanupJob = true;
+        let parentJobType = _.get($scope.parentObject, 'job_type')
+        if (parentJobType !== 'cleanup_tokens' && parentJobType !== 'cleanup_sessions') {
+            $scope.askDaysToKeep = true;
+        }
     }
 
     Wait('start');
diff --git a/awx/ui/client/src/scheduler/schedulerEdit.controller.js b/awx/ui/client/src/scheduler/schedulerEdit.controller.js
index 57714dc671..e2b28418ac 100644
--- a/awx/ui/client/src/scheduler/schedulerEdit.controller.js
+++ b/awx/ui/client/src/scheduler/schedulerEdit.controller.js
@@ -186,7 +186,10 @@ function($filter, $state, $stateParams, Wait, $scope, moment,
 
         if (_.has(schedule, 'summary_fields.unified_job_template.unified_job_type') &&
             schedule.summary_fields.unified_job_template.unified_job_type === 'system_job'){
-            $scope.cleanupJob = true;
+            let scheduleJobType = _.get(schedule.summary_fields.unified_job_template, 'job_type')
+            if (scheduleJobType !== 'cleanup_tokens' && scheduleJobType !== 'cleanup_sessions') {
+                $scope.askDaysToKeep = true;
+            }
         }
 
         $scope.schedule_obj = scheduleResolve;
@@ -256,7 +259,7 @@ function($filter, $state, $stateParams, Wait, $scope, moment,
         $scope.noVars = true;
         scheduler.scope.timeZones = timezonesResolve;
         scheduler.scope.schedulerTimeZone = scheduleResolve.timezone;
-        if ($scope.cleanupJob){
+        if ($scope.askDaysToKeep){
             $scope.schedulerPurgeDays = Number(schedule.extra_data.days);
         }
 

From 93a9a0354f7b7ddaea4c24efd90c5d63f61be568 Mon Sep 17 00:00:00 2001
From: mabashian <mabashia@redhat.com>
Date: Tue, 26 Nov 2019 15:59:19 -0500
Subject: [PATCH 10/36] Adds missing semicolons to make linter happy

---
 awx/ui/client/src/scheduler/schedulerAdd.controller.js  | 2 +-
 awx/ui/client/src/scheduler/schedulerEdit.controller.js | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/awx/ui/client/src/scheduler/schedulerAdd.controller.js b/awx/ui/client/src/scheduler/schedulerAdd.controller.js
index 66e367056c..803a4c473e 100644
--- a/awx/ui/client/src/scheduler/schedulerAdd.controller.js
+++ b/awx/ui/client/src/scheduler/schedulerAdd.controller.js
@@ -347,7 +347,7 @@ export default ['$filter', '$state', '$stateParams', '$http', 'Wait',
         }
     } else if (base === 'system_job_templates') {
         schedule_url = GetBasePath(base) + $stateParams.id + '/schedules/';
-        let parentJobType = _.get($scope.parentObject, 'job_type')
+        let parentJobType = _.get($scope.parentObject, 'job_type');
         if (parentJobType !== 'cleanup_tokens' && parentJobType !== 'cleanup_sessions') {
             $scope.askDaysToKeep = true;
         }
diff --git a/awx/ui/client/src/scheduler/schedulerEdit.controller.js b/awx/ui/client/src/scheduler/schedulerEdit.controller.js
index e2b28418ac..d0cd7e1090 100644
--- a/awx/ui/client/src/scheduler/schedulerEdit.controller.js
+++ b/awx/ui/client/src/scheduler/schedulerEdit.controller.js
@@ -186,7 +186,7 @@ function($filter, $state, $stateParams, Wait, $scope, moment,
 
         if (_.has(schedule, 'summary_fields.unified_job_template.unified_job_type') &&
             schedule.summary_fields.unified_job_template.unified_job_type === 'system_job'){
-            let scheduleJobType = _.get(schedule.summary_fields.unified_job_template, 'job_type')
+            let scheduleJobType = _.get(schedule.summary_fields.unified_job_template, 'job_type');
             if (scheduleJobType !== 'cleanup_tokens' && scheduleJobType !== 'cleanup_sessions') {
                 $scope.askDaysToKeep = true;
             }

From c3734209824c5a8bb6ba924e7ba4d6095592e346 Mon Sep 17 00:00:00 2001
From: Ryan Petrello <rpetrell@redhat.com>
Date: Tue, 26 Nov 2019 23:13:39 -0500
Subject: [PATCH 11/36] fix incorrect SystemJob.job_type choices

---
 awx/main/migrations/0078_v360_clear_sessions_tokens_jt.py | 4 ++--
 awx/main/models/jobs.py                                   | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/awx/main/migrations/0078_v360_clear_sessions_tokens_jt.py b/awx/main/migrations/0078_v360_clear_sessions_tokens_jt.py
index 83095d2056..c6a00a24c1 100644
--- a/awx/main/migrations/0078_v360_clear_sessions_tokens_jt.py
+++ b/awx/main/migrations/0078_v360_clear_sessions_tokens_jt.py
@@ -19,11 +19,11 @@ class Migration(migrations.Migration):
         migrations.AlterField(
             model_name='systemjob',
             name='job_type',
-            field=models.CharField(blank=True, choices=[('cleanup_jobs', 'Remove jobs older than a certain number of days'), ('cleanup_activitystream', 'Remove activity stream entries older than a certain number of days'), ('clearsessions', 'Removes expired browser sessions from the database'), ('cleartokens', 'Removes expired OAuth 2 access tokens and refresh tokens')], default='', max_length=32),
+            field=models.CharField(blank=True, choices=[('cleanup_jobs', 'Remove jobs older than a certain number of days'), ('cleanup_activitystream', 'Remove activity stream entries older than a certain number of days'), ('cleanup_sessions', 'Removes expired browser sessions from the database'), ('cleanup_tokens', 'Removes expired OAuth 2 access tokens and refresh tokens')], default='', max_length=32),
         ),
         migrations.AlterField(
             model_name='systemjobtemplate',
             name='job_type',
-            field=models.CharField(blank=True, choices=[('cleanup_jobs', 'Remove jobs older than a certain number of days'), ('cleanup_activitystream', 'Remove activity stream entries older than a certain number of days'), ('clearsessions', 'Removes expired browser sessions from the database'), ('cleartokens', 'Removes expired OAuth 2 access tokens and refresh tokens')], default='', max_length=32),
+            field=models.CharField(blank=True, choices=[('cleanup_jobs', 'Remove jobs older than a certain number of days'), ('cleanup_activitystream', 'Remove activity stream entries older than a certain number of days'), ('cleanup_sessions', 'Removes expired browser sessions from the database'), ('cleanup_tokens', 'Removes expired OAuth 2 access tokens and refresh tokens')], default='', max_length=32),
         ),
     ]
diff --git a/awx/main/models/jobs.py b/awx/main/models/jobs.py
index ae2f772526..c5ed46bb3e 100644
--- a/awx/main/models/jobs.py
+++ b/awx/main/models/jobs.py
@@ -1103,8 +1103,8 @@ class SystemJobOptions(BaseModel):
     SYSTEM_JOB_TYPE = [
         ('cleanup_jobs', _('Remove jobs older than a certain number of days')),
         ('cleanup_activitystream', _('Remove activity stream entries older than a certain number of days')),
-        ('clearsessions', _('Removes expired browser sessions from the database')),
-        ('cleartokens', _('Removes expired OAuth 2 access tokens and refresh tokens'))
+        ('cleanup_sessions', _('Removes expired browser sessions from the database')),
+        ('cleanup_tokens', _('Removes expired OAuth 2 access tokens and refresh tokens'))
     ]
 
     class Meta:

From 9cdb281f069cf6eb11684f5ac77cdee9ff81b293 Mon Sep 17 00:00:00 2001
From: Marliana Lara <mlara@redhat.com>
Date: Wed, 27 Nov 2019 11:36:51 -0500
Subject: [PATCH 12/36] Check inventory use permissions to disable workflow
 inventory lookup

---
 .../edit-workflow/workflow-edit.controller.js | 21 ++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)

diff --git a/awx/ui/client/src/templates/workflows/edit-workflow/workflow-edit.controller.js b/awx/ui/client/src/templates/workflows/edit-workflow/workflow-edit.controller.js
index 45b7b95c52..01e0cdd868 100644
--- a/awx/ui/client/src/templates/workflows/edit-workflow/workflow-edit.controller.js
+++ b/awx/ui/client/src/templates/workflows/edit-workflow/workflow-edit.controller.js
@@ -533,9 +533,24 @@ export default [
         }
 
         if(workflowJobTemplateData.inventory) {
-            OrgAdminLookup.checkForRoleLevelAdminAccess(workflowJobTemplateData.inventory, 'workflow_admin_role')
-            .then(function(canEditInventory){
-                $scope.canEditInventory = canEditInventory;
+            let params = {
+              role_level: 'use_role',
+              id: workflowJobTemplateData.inventory
+            };
+            Rest.setUrl(GetBasePath('inventory'));
+            Rest.get({ params: params })
+              .then(({ data }) => {
+                if (data.count && data.count > 0) {
+                  $scope.canEditInventory = true;
+                } else {
+                  $scope.canEditInventory = false;
+                }
+              })
+              .catch(({ data, status }) => {
+                ProcessErrors(null, data, status, null, {
+                  hdr: 'Error!',
+                  msg: 'Failed to get inventory data based on role_level. Return status: ' + status
+              });
             });
         }
         else {

From 208e36f83b92f6b0ddf02839fce1ea38e86c8ec6 Mon Sep 17 00:00:00 2001
From: Ryan Petrello <rpetrell@redhat.com>
Date: Fri, 18 Oct 2019 14:14:19 -0400
Subject: [PATCH 13/36] add an awx-manage command for re-generating SECRET_KEY

---
 .../commands/regenerate_secret_key.py         | 129 +++++++++++++
 .../commands/test_secret_key_regeneration.py  | 173 ++++++++++++++++++
 awx/main/utils/encryption.py                  |  65 ++++++-
 3 files changed, 359 insertions(+), 8 deletions(-)
 create mode 100644 awx/main/management/commands/regenerate_secret_key.py
 create mode 100644 awx/main/tests/functional/commands/test_secret_key_regeneration.py

diff --git a/awx/main/management/commands/regenerate_secret_key.py b/awx/main/management/commands/regenerate_secret_key.py
new file mode 100644
index 0000000000..2e3d1a127d
--- /dev/null
+++ b/awx/main/management/commands/regenerate_secret_key.py
@@ -0,0 +1,129 @@
+import base64
+import json
+import os
+
+from django.core.management.base import BaseCommand
+from django.conf import settings
+from django.db import transaction
+from django.db.models.signals import post_save
+
+from awx.conf import settings_registry
+from awx.conf.models import Setting
+from awx.conf.signals import on_post_save_setting
+from awx.main.models import (
+    UnifiedJob, Credential, NotificationTemplate, Job, JobTemplate, WorkflowJob,
+    WorkflowJobTemplate, OAuth2Application
+)
+from awx.main.utils.encryption import (
+    encrypt_field, decrypt_field, encrypt_value, decrypt_value, get_encryption_key
+)
+
+
+class Command(BaseCommand):
+    """
+    Regenerate a new SECRET_KEY value and re-encrypt every secret in the
+    Tower database.
+    """
+
+    @transaction.atomic
+    def handle(self, **options):
+        self.old_key = settings.SECRET_KEY
+        self.new_key = base64.encodebytes(os.urandom(33)).decode().rstrip()
+        self._notification_templates()
+        self._credentials()
+        self._unified_jobs()
+        self._oauth2_app_secrets()
+        self._settings()
+        self._survey_passwords()
+        return self.new_key
+
+    def _notification_templates(self):
+        for nt in NotificationTemplate.objects.iterator():
+            CLASS_FOR_NOTIFICATION_TYPE = dict([(x[0], x[2]) for x in NotificationTemplate.NOTIFICATION_TYPES])
+            notification_class = CLASS_FOR_NOTIFICATION_TYPE[nt.notification_type]
+            for field in filter(lambda x: notification_class.init_parameters[x]['type'] == "password",
+                                notification_class.init_parameters):
+                nt.notification_configuration[field] = decrypt_field(nt, 'notification_configuration', subfield=field, secret_key=self.old_key)
+                nt.notification_configuration[field] = encrypt_field(nt, 'notification_configuration', subfield=field, secret_key=self.new_key)
+            nt.save()
+
+    def _credentials(self):
+        for credential in Credential.objects.iterator():
+            for field_name in credential.credential_type.secret_fields:
+                if field_name in credential.inputs:
+                    credential.inputs[field_name] = decrypt_field(
+                        credential,
+                        field_name,
+                        secret_key=self.old_key
+                    )
+                    credential.inputs[field_name] = encrypt_field(
+                        credential,
+                        field_name,
+                        secret_key=self.new_key
+                    )
+                credential.save()
+
+    def _unified_jobs(self):
+        for uj in UnifiedJob.objects.iterator():
+            if uj.start_args:
+                uj.start_args = decrypt_field(
+                    uj,
+                    'start_args',
+                    secret_key=self.old_key
+                )
+                uj.start_args = encrypt_field(uj, 'start_args', secret_key=self.new_key)
+                uj.save()
+
+    def _oauth2_app_secrets(self):
+        for app in OAuth2Application.objects.iterator():
+            raw = app.client_secret
+            app.client_secret = raw
+            encrypted = encrypt_value(raw, secret_key=self.new_key)
+            OAuth2Application.objects.filter(pk=app.pk).update(client_secret=encrypted)
+
+    def _settings(self):
+        # don't update memcached, the *actual* value isn't changing
+        post_save.disconnect(on_post_save_setting, sender=Setting)
+        for setting in Setting.objects.filter().order_by('pk'):
+            if settings_registry.is_setting_encrypted(setting.key):
+                setting.value = decrypt_field(setting, 'value', secret_key=self.old_key)
+                setting.value = encrypt_field(setting, 'value', secret_key=self.new_key)
+                setting.save()
+
+    def _survey_passwords(self):
+        for _type in (JobTemplate, WorkflowJobTemplate):
+            for jt in _type.objects.exclude(survey_spec={}):
+                changed = False
+                if jt.survey_spec.get('spec', []):
+                    for field in jt.survey_spec['spec']:
+                        if field.get('type') == 'password' and field.get('default', ''):
+                            raw = decrypt_value(
+                                get_encryption_key('value', None, secret_key=self.old_key),
+                                field['default']
+                            )
+                            field['default'] = encrypt_value(
+                                raw,
+                                pk=None,
+                                secret_key=self.new_key
+                            )
+                            changed = True
+                if changed:
+                    jt.save(update_fields=["survey_spec"])
+
+        for _type in (Job, WorkflowJob):
+            for job in _type.objects.exclude(survey_passwords={}).iterator():
+                changed = False
+                for key in job.survey_passwords:
+                    if key in job.extra_vars:
+                        extra_vars = json.loads(job.extra_vars)
+                        if not extra_vars.get(key):
+                            continue
+                        raw = decrypt_value(
+                            get_encryption_key('value', None, secret_key=self.old_key),
+                            extra_vars[key]
+                        )
+                        extra_vars[key] = encrypt_value(raw, pk=None, secret_key=self.new_key)
+                        job.extra_vars = json.dumps(extra_vars)
+                        changed = True
+                if changed:
+                    job.save(update_fields=["extra_vars"])
diff --git a/awx/main/tests/functional/commands/test_secret_key_regeneration.py b/awx/main/tests/functional/commands/test_secret_key_regeneration.py
new file mode 100644
index 0000000000..811363ee47
--- /dev/null
+++ b/awx/main/tests/functional/commands/test_secret_key_regeneration.py
@@ -0,0 +1,173 @@
+import json
+
+from cryptography.fernet import InvalidToken
+from django.test.utils import override_settings
+from django.conf import settings
+import pytest
+
+from awx.main import models
+from awx.conf.models import Setting
+from awx.main.management.commands import regenerate_secret_key
+from awx.main.utils.encryption import encrypt_field, decrypt_field, encrypt_value
+
+
+PREFIX = '$encrypted$UTF8$AESCBC$'
+
+
+@pytest.mark.django_db
+class TestKeyRegeneration:
+
+    def test_encrypted_ssh_password(self, credential):
+        # test basic decryption
+        assert credential.inputs['password'].startswith(PREFIX)
+        assert credential.get_input('password') == 'secret'
+
+        # re-key the credential
+        new_key = regenerate_secret_key.Command().handle()
+        new_cred = models.Credential.objects.get(pk=credential.pk)
+        assert credential.inputs['password'] != new_cred.inputs['password']
+
+        # verify that the old SECRET_KEY doesn't work
+        with pytest.raises(InvalidToken):
+            new_cred.get_input('password')
+
+        # verify that the new SECRET_KEY *does* work
+        with override_settings(SECRET_KEY=new_key):
+            assert new_cred.get_input('password') == 'secret'
+
+    def test_encrypted_setting_values(self):
+        # test basic decryption
+        settings.LOG_AGGREGATOR_PASSWORD = 'sensitive'
+        s = Setting.objects.filter(key='LOG_AGGREGATOR_PASSWORD').first()
+        assert s.value.startswith(PREFIX)
+        assert settings.LOG_AGGREGATOR_PASSWORD == 'sensitive'
+
+        # re-key the setting value
+        new_key = regenerate_secret_key.Command().handle()
+        new_setting = Setting.objects.filter(key='LOG_AGGREGATOR_PASSWORD').first()
+        assert s.value != new_setting.value
+
+        # wipe out the local cache so the value is pulled from the DB again
+        settings.cache.delete('LOG_AGGREGATOR_PASSWORD')
+
+        # verify that the old SECRET_KEY doesn't work
+        with pytest.raises(InvalidToken):
+            settings.LOG_AGGREGATOR_PASSWORD
+
+        # verify that the new SECRET_KEY *does* work
+        with override_settings(SECRET_KEY=new_key):
+            assert settings.LOG_AGGREGATOR_PASSWORD == 'sensitive'
+
+    def test_encrypted_notification_secrets(self, notification_template_with_encrypt):
+        # test basic decryption
+        nt = notification_template_with_encrypt
+        nc = nt.notification_configuration
+        assert nc['token'].startswith(PREFIX)
+
+        Slack = nt.CLASS_FOR_NOTIFICATION_TYPE[nt.notification_type]
+        class TestBackend(Slack):
+
+            def __init__(self, *args, **kw):
+                assert kw['token'] == 'token'
+
+            def send_messages(self, messages):
+                pass
+
+        nt.CLASS_FOR_NOTIFICATION_TYPE['test'] = TestBackend
+        nt.notification_type = 'test'
+        nt.send('Subject', 'Body')
+
+        # re-key the notification config
+        new_key = regenerate_secret_key.Command().handle()
+        new_nt = models.NotificationTemplate.objects.get(pk=nt.pk)
+        assert nt.notification_configuration['token'] != new_nt.notification_configuration['token']
+
+        # verify that the old SECRET_KEY doesn't work
+        with pytest.raises(InvalidToken):
+            new_nt.CLASS_FOR_NOTIFICATION_TYPE['test'] = TestBackend
+            new_nt.notification_type = 'test'
+            new_nt.send('Subject', 'Body')
+
+        # verify that the new SECRET_KEY *does* work
+        with override_settings(SECRET_KEY=new_key):
+            new_nt.send('Subject', 'Body')
+
+    def test_job_start_args(self, job_factory):
+        # test basic decryption
+        job = job_factory()
+        job.start_args = json.dumps({'foo': 'bar'})
+        job.start_args = encrypt_field(job, field_name='start_args')
+        job.save()
+        assert job.start_args.startswith(PREFIX)
+
+        # re-key the start_args
+        new_key = regenerate_secret_key.Command().handle()
+        new_job = models.Job.objects.get(pk=job.pk)
+        assert new_job.start_args != job.start_args
+
+        # verify that the old SECRET_KEY doesn't work
+        with pytest.raises(InvalidToken):
+            decrypt_field(new_job, field_name='start_args')
+
+        # verify that the new SECRET_KEY *does* work
+        with override_settings(SECRET_KEY=new_key):
+            assert json.loads(
+                decrypt_field(new_job, field_name='start_args')
+            ) == {'foo': 'bar'}
+
+    @pytest.mark.parametrize('cls', ('JobTemplate', 'WorkflowJobTemplate'))
+    def test_survey_spec(self, inventory, project, survey_spec_factory, cls):
+        params = {}
+        if cls == 'JobTemplate':
+            params['inventory'] = inventory
+            params['project'] = project
+        # test basic decryption
+        jt = getattr(models, cls).objects.create(
+            name='Example Template',
+            survey_spec=survey_spec_factory([{
+                'variable': 'secret_key',
+                'default': encrypt_value('donttell', pk=None),
+                'type': 'password'
+            }]),
+            survey_enabled=True,
+            **params
+        )
+        job = jt.create_unified_job()
+        assert jt.survey_spec['spec'][0]['default'].startswith(PREFIX)
+        assert job.survey_passwords == {'secret_key': '$encrypted$'}
+        assert json.loads(job.decrypted_extra_vars())['secret_key'] == 'donttell'
+
+        # re-key the extra_vars
+        new_key = regenerate_secret_key.Command().handle()
+        new_job = models.UnifiedJob.objects.get(pk=job.pk)
+        assert new_job.extra_vars != job.extra_vars
+
+        # verify that the old SECRET_KEY doesn't work
+        with pytest.raises(InvalidToken):
+            new_job.decrypted_extra_vars()
+
+        # verify that the new SECRET_KEY *does* work
+        with override_settings(SECRET_KEY=new_key):
+            assert json.loads(
+                new_job.decrypted_extra_vars()
+            )['secret_key'] == 'donttell'
+
+    def test_oauth2_application_client_secret(self, oauth_application):
+        # test basic decryption
+        secret = oauth_application.client_secret
+        assert len(secret) == 128
+
+        # re-key the client_secret
+        new_key = regenerate_secret_key.Command().handle()
+
+        # verify that the old SECRET_KEY doesn't work
+        with pytest.raises(InvalidToken):
+            models.OAuth2Application.objects.get(
+                pk=oauth_application.pk
+            ).client_secret
+
+        # verify that the new SECRET_KEY *does* work
+        with override_settings(SECRET_KEY=new_key):
+            assert models.OAuth2Application.objects.get(
+                pk=oauth_application.pk
+            ).client_secret == secret
diff --git a/awx/main/utils/encryption.py b/awx/main/utils/encryption.py
index 9ad89d7de4..3725243a8e 100644
--- a/awx/main/utils/encryption.py
+++ b/awx/main/utils/encryption.py
@@ -1,3 +1,5 @@
+# -*- coding: utf-8 -*-
+
 import base64
 import hashlib
 import logging
@@ -35,7 +37,7 @@ class Fernet256(Fernet):
         self._backend = backend
 
 
-def get_encryption_key(field_name, pk=None):
+def get_encryption_key(field_name, pk=None, secret_key=None):
     '''
     Generate key for encrypted password based on field name,
     ``settings.SECRET_KEY``, and instance pk (if available).
@@ -46,19 +48,58 @@ def get_encryption_key(field_name, pk=None):
     '''
     from django.conf import settings
     h = hashlib.sha512()
-    h.update(smart_bytes(settings.SECRET_KEY))
+    h.update(smart_bytes(secret_key or settings.SECRET_KEY))
     if pk is not None:
         h.update(smart_bytes(str(pk)))
     h.update(smart_bytes(field_name))
     return base64.urlsafe_b64encode(h.digest())
 
 
-def encrypt_value(value, pk=None):
+def encrypt_value(value, pk=None, secret_key=None):
+    #
+    # ⚠️  D-D-D-DANGER ZONE ⚠️
+    #
+    # !!! BEFORE USING THIS FUNCTION PLEASE READ encrypt_field !!!
+    #
     TransientField = namedtuple('TransientField', ['pk', 'value'])
-    return encrypt_field(TransientField(pk=pk, value=value), 'value')
+    return encrypt_field(TransientField(pk=pk, value=value), 'value', secret_key=secret_key)
 
 
-def encrypt_field(instance, field_name, ask=False, subfield=None):
+def encrypt_field(instance, field_name, ask=False, subfield=None, secret_key=None):
+    #
+    # ⚠️  D-D-D-DANGER ZONE ⚠️
+    #
+    # !!! PLEASE READ BEFORE USING THIS FUNCTION ANYWHERE !!!
+    #
+    # You should know that this function is used in various places throughout
+    # AWX for symmetric encryption - generally it's used to encrypt sensitive
+    # values that we store in the AWX database (such as SSH private keys for
+    # credentials).
+    #
+    # If you're reading this function's code because you're thinking about
+    # using it to encrypt *something new*, please remember that AWX has
+    # official support for *regenerating* the SECRET_KEY (on which the
+    # symmetric key is based):
+    #
+    # $ awx-manage regenerate_secret_key
+    # $ setup.sh -k
+    #
+    # ...so you'll need to *also* add code to support the
+    # migration/re-encryption of these values (the code in question lives in
+    # `awx.main.management.commands.regenerate_secret_key`):
+    #
+    # For example, if you find that you're adding a new database column that is
+    # encrypted, in addition to calling `encrypt_field` in the appropriate
+    # places, you would also need to update the `awx-manage regenerate_secret_key`
+    # so that values are properly migrated when the SECRET_KEY changes.
+    #
+    # This process *generally* involves adding Python code to the
+    # `regenerate_secret_key` command, i.e.,
+    #
+    # 1.  Query the database for existing encrypted values on the appropriate object(s)
+    # 2.  Decrypting them using the *old* SECRET_KEY
+    # 3.  Storing newly encrypted values using the *newly generated* SECRET_KEY
+    #
     '''
     Return content of the given instance and field name encrypted.
     '''
@@ -76,7 +117,11 @@ def encrypt_field(instance, field_name, ask=False, subfield=None):
     value = smart_str(value)
     if not value or value.startswith('$encrypted$') or (ask and value == 'ASK'):
         return value
-    key = get_encryption_key(field_name, getattr(instance, 'pk', None))
+    key = get_encryption_key(
+        field_name,
+        getattr(instance, 'pk', None),
+        secret_key=secret_key
+    )
     f = Fernet256(key)
     encrypted = f.encrypt(smart_bytes(value))
     b64data = smart_str(base64.b64encode(encrypted))
@@ -99,7 +144,7 @@ def decrypt_value(encryption_key, value):
     return smart_str(value)
 
 
-def decrypt_field(instance, field_name, subfield=None):
+def decrypt_field(instance, field_name, subfield=None, secret_key=None):
     '''
     Return content of the given instance and field name decrypted.
     '''
@@ -115,7 +160,11 @@ def decrypt_field(instance, field_name, subfield=None):
     value = smart_str(value)
     if not value or not value.startswith('$encrypted$'):
         return value
-    key = get_encryption_key(field_name, getattr(instance, 'pk', None))
+    key = get_encryption_key(
+        field_name,
+        getattr(instance, 'pk', None),
+        secret_key=secret_key
+    )
 
     try:
         return smart_str(decrypt_value(key, value))

From afadfa939dfde34c73d9279afcd12e54f506411e Mon Sep 17 00:00:00 2001
From: Ryan Petrello <rpetrell@redhat.com>
Date: Wed, 4 Dec 2019 08:38:22 -0500
Subject: [PATCH 14/36] fix an nuanced bug which can cause OAuth2 migrations to
 fail

---
 awx/__init__.py | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/awx/__init__.py b/awx/__init__.py
index b97a5694af..433892edbf 100644
--- a/awx/__init__.py
+++ b/awx/__init__.py
@@ -86,7 +86,14 @@ def oauth2_getattribute(self, attr):
     # Custom method to override
     # oauth2_provider.settings.OAuth2ProviderSettings.__getattribute__
     from django.conf import settings
-    val = settings.OAUTH2_PROVIDER.get(attr)
+    val = None
+    if 'migrate' not in sys.argv:
+        # certain Django OAuth Toolkit migrations actually reference
+        # setting lookups for references to model classes (e.g.,
+        # oauth2_settings.REFRESH_TOKEN_MODEL)
+        # If we're doing an OAuth2 setting lookup *while running* a migration,
+        # don't do our usual "Configure Tower in Tower" database setting lookup
+        val = settings.OAUTH2_PROVIDER.get(attr)
     if val is None:
         val = object.__getattribute__(self, attr)
     return val

From 93b49f314d33017ab1cfd57b691c02e7bac14dc6 Mon Sep 17 00:00:00 2001
From: mabashian <mabashia@redhat.com>
Date: Wed, 4 Dec 2019 11:03:24 -0500
Subject: [PATCH 15/36] Upgrades angular and auxiliary deps to 1.7.9

---
 awx/ui/package-lock.json | 51 ++++++++++++++++++++++++++++++----------
 awx/ui/package.json      |  8 +++----
 2 files changed, 43 insertions(+), 16 deletions(-)

diff --git a/awx/ui/package-lock.json b/awx/ui/package-lock.json
index 2fe59f36fa..eba5f35816 100644
--- a/awx/ui/package-lock.json
+++ b/awx/ui/package-lock.json
@@ -149,9 +149,9 @@
       "integrity": "sha1-SlKCrBZHKek2Gbz9OtFR+BfOkfU="
     },
     "angular": {
-      "version": "1.6.10",
-      "resolved": "https://registry.npmjs.org/angular/-/angular-1.6.10.tgz",
-      "integrity": "sha512-PCZ5/hVdvPQiYyH0VwsPjrErPHRcITnaXxhksceOXgtJeesKHLA7KDu4X/yvcAi+1zdGgGF+9pDxkJvghXI9Wg=="
+      "version": "1.7.9",
+      "resolved": "https://registry.npmjs.org/angular/-/angular-1.7.9.tgz",
+      "integrity": "sha512-5se7ZpcOtu0MBFlzGv5dsM1quQDoDeUTwZrWjGtTNA7O88cD8TEk5IEKCTDa3uECV9XnvKREVUr7du1ACiWGFQ=="
     },
     "angular-breadcrumb": {
       "version": "git+https://git@github.com/ansible/angular-breadcrumb.git#6c2b1ad45ad5fbe7adf39af1ef3b294ca8e207a9",
@@ -166,6 +166,11 @@
         "jquery": "^3.2.1"
       },
       "dependencies": {
+        "angular": {
+          "version": "1.6.10",
+          "resolved": "https://registry.npmjs.org/angular/-/angular-1.6.10.tgz",
+          "integrity": "sha512-PCZ5/hVdvPQiYyH0VwsPjrErPHRcITnaXxhksceOXgtJeesKHLA7KDu4X/yvcAi+1zdGgGF+9pDxkJvghXI9Wg=="
+        },
         "jquery": {
           "version": "3.3.1",
           "resolved": "https://registry.npmjs.org/jquery/-/jquery-3.3.1.tgz",
@@ -174,9 +179,9 @@
       }
     },
     "angular-cookies": {
-      "version": "1.6.10",
-      "resolved": "https://registry.npmjs.org/angular-cookies/-/angular-cookies-1.6.10.tgz",
-      "integrity": "sha512-ADfbqXLhwcaecAiWIaxpl8XWFJgWsrDl/ksSEkYm5dSoXHYlj3HKlAhPbjBv/foYS7pdI0apmSGHWrBPqdjF/g=="
+      "version": "1.7.9",
+      "resolved": "https://registry.npmjs.org/angular-cookies/-/angular-cookies-1.7.9.tgz",
+      "integrity": "sha512-3eRq/aPrtCZKDWQnc3nW3sFoMbLiHkCkyDF2O9u7VXnqvVsUPaipk5R1ZqahgcSQHQrN/F5IU4T4nrz52qAZmA=="
     },
     "angular-drag-and-drop-lists": {
       "version": "git+https://git@github.com/ansible/angular-drag-and-drop-lists.git#cceda38b836402ed4ce77fc287c23c8d02e950f6",
@@ -213,9 +218,9 @@
       }
     },
     "angular-mocks": {
-      "version": "1.6.10",
-      "resolved": "https://registry.npmjs.org/angular-mocks/-/angular-mocks-1.6.10.tgz",
-      "integrity": "sha512-1865/NmqHNogibNoglY1MGBjx882iu2hI46BBhYDWyz0C4TDM5ER8H8SnYwQKUUG4RXMDsJizszEQ2BEoYKV9w==",
+      "version": "1.7.9",
+      "resolved": "https://registry.npmjs.org/angular-mocks/-/angular-mocks-1.7.9.tgz",
+      "integrity": "sha512-LQRqqiV3sZ7NTHBnNmLT0bXtE5e81t97+hkJ56oU0k3dqKv1s6F+nBWRlOVzqHWPGFOiPS8ZJVdrS8DFzHyNIA==",
       "dev": true
     },
     "angular-moment": {
@@ -236,9 +241,9 @@
       }
     },
     "angular-sanitize": {
-      "version": "1.6.10",
-      "resolved": "https://registry.npmjs.org/angular-sanitize/-/angular-sanitize-1.6.10.tgz",
-      "integrity": "sha512-01i1Xoq9ykUrsoYQMSB6dWZmPp9Df5hfCqMAGGzJBWZ7L2WY0OtUphdI0YvR8ZF9lAsWtGNtsEFilObjq5nTgQ=="
+      "version": "1.7.9",
+      "resolved": "https://registry.npmjs.org/angular-sanitize/-/angular-sanitize-1.7.9.tgz",
+      "integrity": "sha512-nB/xe7JQWF9nLvhHommAICQ3eWrfRETo0EVGFESi952CDzDa+GAJ/2BFBNw44QqQPxj1Xua/uYKrbLsOGWZdbQ=="
     },
     "angular-scheduler": {
       "version": "git+https://git@github.com/ansible/angular-scheduler.git#7628cb2fc9e6280811baa464f0020a636e65d702",
@@ -253,6 +258,11 @@
         "rrule": "github:jkbrzt/rrule#4ff63b2f8524fd6d5ba6e80db770953b5cd08a0c"
       },
       "dependencies": {
+        "angular": {
+          "version": "1.6.10",
+          "resolved": "https://registry.npmjs.org/angular/-/angular-1.6.10.tgz",
+          "integrity": "sha512-PCZ5/hVdvPQiYyH0VwsPjrErPHRcITnaXxhksceOXgtJeesKHLA7KDu4X/yvcAi+1zdGgGF+9pDxkJvghXI9Wg=="
+        },
         "angular-tz-extensions": {
           "version": "github:ansible/angular-tz-extensions#fc60660f43ee9ff84da94ca71ab27ef0c20fd77d",
           "from": "github:ansible/angular-tz-extensions#fc60660f43ee9ff84da94ca71ab27ef0c20fd77d",
@@ -301,6 +311,11 @@
         "timezone-js": "github:ansible/timezone-js#6937de14ce0c193961538bb5b3b12b7ef62a358f"
       },
       "dependencies": {
+        "angular": {
+          "version": "1.6.10",
+          "resolved": "https://registry.npmjs.org/angular/-/angular-1.6.10.tgz",
+          "integrity": "sha512-PCZ5/hVdvPQiYyH0VwsPjrErPHRcITnaXxhksceOXgtJeesKHLA7KDu4X/yvcAi+1zdGgGF+9pDxkJvghXI9Wg=="
+        },
         "jquery": {
           "version": "3.3.1",
           "resolved": "https://registry.npmjs.org/jquery/-/jquery-3.3.1.tgz",
@@ -9468,6 +9483,18 @@
       "requires": {
         "angular": "~1.6.6",
         "angular-sanitize": "~1.6.6"
+      },
+      "dependencies": {
+        "angular": {
+          "version": "1.6.10",
+          "resolved": "https://registry.npmjs.org/angular/-/angular-1.6.10.tgz",
+          "integrity": "sha512-PCZ5/hVdvPQiYyH0VwsPjrErPHRcITnaXxhksceOXgtJeesKHLA7KDu4X/yvcAi+1zdGgGF+9pDxkJvghXI9Wg=="
+        },
+        "angular-sanitize": {
+          "version": "1.6.10",
+          "resolved": "https://registry.npmjs.org/angular-sanitize/-/angular-sanitize-1.6.10.tgz",
+          "integrity": "sha512-01i1Xoq9ykUrsoYQMSB6dWZmPp9Df5hfCqMAGGzJBWZ7L2WY0OtUphdI0YvR8ZF9lAsWtGNtsEFilObjq5nTgQ=="
+        }
       }
     },
     "ngtemplate-loader": {
diff --git a/awx/ui/package.json b/awx/ui/package.json
index 84e37568fa..35a12f8646 100644
--- a/awx/ui/package.json
+++ b/awx/ui/package.json
@@ -35,7 +35,7 @@
     "pre-check": "npm run lint && npm run jshint && npm run unit && npm run test"
   },
   "devDependencies": {
-    "angular-mocks": "~1.6.6",
+    "angular-mocks": "^1.7.9",
     "archiver": "^2.1.1",
     "axios": "^0.16.2",
     "babel-core": "^6.26.0",
@@ -97,16 +97,16 @@
   },
   "dependencies": {
     "@uirouter/angularjs": "1.0.18",
-    "angular": "~1.6.6",
+    "angular": "^1.7.9",
     "angular-breadcrumb": "git+https://git@github.com/ansible/angular-breadcrumb#0.4.1",
     "angular-codemirror": "git+https://git@github.com/ansible/angular-codemirror#v1.1.2",
-    "angular-cookies": "~1.6.6",
+    "angular-cookies": "^1.7.9",
     "angular-drag-and-drop-lists": "git+https://git@github.com/ansible/angular-drag-and-drop-lists#v1.4.1",
     "angular-duration-format": "^1.0.1",
     "angular-gettext": "^2.3.5",
     "angular-moment": "^1.3.0",
     "angular-mousewheel": "^1.0.5",
-    "angular-sanitize": "~1.6.6",
+    "angular-sanitize": "^1.7.9",
     "angular-scheduler": "git+https://git@github.com/ansible/angular-scheduler#v0.3.3",
     "angular-tz-extensions": "git+https://git@github.com/ansible/angular-tz-extensions#v0.5.2",
     "angular-xeditable": "~0.8.0",

From 2d4df3d50efbc050ac2782be5de366c3fe6fa3c7 Mon Sep 17 00:00:00 2001
From: mabashian <mabashia@redhat.com>
Date: Wed, 4 Dec 2019 13:44:20 -0500
Subject: [PATCH 16/36] Fixes bug where permissions checkboxes had inverse
 effect after upgrading angular to 1.7.x.

---
 .../multi-select-list/select-list-item.directive.js   | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/awx/ui/client/src/shared/multi-select-list/select-list-item.directive.js b/awx/ui/client/src/shared/multi-select-list/select-list-item.directive.js
index 20b9c4e0a0..31d64431f0 100644
--- a/awx/ui/client/src/shared/multi-select-list/select-list-item.directive.js
+++ b/awx/ui/client/src/shared/multi-select-list/select-list-item.directive.js
@@ -31,20 +31,17 @@ export default
                 disabled: '='
             },
             require: '^multiSelectList',
-            template: '<input type="checkbox" data-multi-select-list-item ng-model="item.isSelected" ng-click="userInteractionSelect()" ng-disabled=disabled>',
+            template: '<input type="checkbox" data-multi-select-list-item ng-model="item.isSelected" ng-change="userInteractionSelect(item)" ng-disabled=disabled>',
             link: function(scope, element, attrs, multiSelectList) {
 
                 scope.decoratedItem = multiSelectList.registerItem(scope.item);
 
-                scope.$watch('item.isSelected', function(value) {
-                    if (value === true) {
+                scope.userInteractionSelect = function(item) {
+                    if (item.isSelected === true) {
                         multiSelectList.selectItem(scope.decoratedItem);
-                    } else if (value === false) {
+                    } else if (item.isSelected === false) {
                         multiSelectList.deselectItem(scope.decoratedItem);
                     }
-                });
-
-                scope.userInteractionSelect = function() {
                     scope.$emit("selectedOrDeselected", scope.decoratedItem);
                 };
 

From 6f54044cc6b4fcca2b83df898ea65fc991aac2dc Mon Sep 17 00:00:00 2001
From: beeankha <beeankha@gmail.com>
Date: Wed, 27 Nov 2019 16:20:56 -0500
Subject: [PATCH 17/36] Enable approval-related email notifications to send
 properly

---
 .../notifications/custom_notification_base.py | 26 ++++++++++++-------
 awx/main/notifications/email_backend.py       | 20 +++++++++++---
 2 files changed, 33 insertions(+), 13 deletions(-)

diff --git a/awx/main/notifications/custom_notification_base.py b/awx/main/notifications/custom_notification_base.py
index b7038ec867..d7a6ff898e 100644
--- a/awx/main/notifications/custom_notification_base.py
+++ b/awx/main/notifications/custom_notification_base.py
@@ -6,15 +6,23 @@ class CustomNotificationBase(object):
     DEFAULT_MSG = "{{ job_friendly_name }} #{{ job.id }} '{{ job.name }}' {{ job.status }}: {{ url }}"
     DEFAULT_BODY = "{{ job_friendly_name }} #{{ job.id }} had status {{ job.status }}, view details at {{ url }}\n\n{{ job_metadata }}"
 
+    DEFAULT_APPROVAL_RUNNING_MSG = "The approval node '{{ approval_node_name }}' needs review. This node can be viewed at: {{ workflow_url }}"
+    DEFAULT_APPROVAL_RUNNING_BODY = "'{{ approval_node_name }}' needs review. This approval node can be viewed at: {{ workflow_url }}\n\n{{ job_metadata }}"
+
+    DEFAULT_APPROVAL_APPROVED_MSG = "The approval node '{{ approval_node_name }}' was approved. {{ workflow_url }}"
+    DEFAULT_APPROVAL_APPROVED_BODY = "The approval node '{{ approval_node_name }}' was approved. {{ workflow_url }}\n\n{{ job_metadata }}"
+
+    DEFAULT_APPROVAL_TIMEOUT_MSG = "The approval node '{{ approval_node_name }}' has timed out. {{ workflow_url }}"
+    DEFAULT_APPROVAL_TIMEOUT_BODY = "The approval node '{{ approval_node_name }}' has timed out. {{ workflow_url }}\n\n{{ job_metadata }}"
+
+    DEFAULT_APPROVAL_DENIED_MSG = "The approval node '{{ approval_node_name }}' was denied. {{ workflow_url }}"
+    DEFAULT_APPROVAL_DENIED_BODY = "The approval node '{{ approval_node_name }}' was denied. {{ workflow_url }}\n\n{{ job_metadata }}"
+
+
     default_messages = {"started": {"message": DEFAULT_MSG, "body": None},
                         "success": {"message": DEFAULT_MSG, "body": None},
                         "error": {"message": DEFAULT_MSG, "body": None},
-                        "workflow_approval": {"running": {"message": 'The approval node "{{ approval_node_name }}" needs review. '
-                                                                     'This node can be viewed at: {{ workflow_url }}',
-                                                                     "body": None},
-                                              "approved": {"message": 'The approval node "{{ approval_node_name }}" was approved. {{ workflow_url }}',
-                                                           "body": None},
-                                              "timed_out": {"message": 'The approval node "{{ approval_node_name }}" has timed out. {{ workflow_url }}',
-                                                            "body": None},
-                                              "denied": {"message": 'The approval node "{{ approval_node_name }}" was denied. {{ workflow_url }}',
-                                                         "body": None}}}
+                        "workflow_approval": {"running": {"message": DEFAULT_APPROVAL_RUNNING_MSG, "body": None},
+                                              "approved": {"message": DEFAULT_APPROVAL_APPROVED_MSG, "body": None},
+                                              "timed_out": {"message": DEFAULT_APPROVAL_TIMEOUT_MSG, "body": None},
+                                              "denied": {"message": DEFAULT_APPROVAL_DENIED_MSG, "body": None}}}
diff --git a/awx/main/notifications/email_backend.py b/awx/main/notifications/email_backend.py
index 2b9c7d8d58..657b18d282 100644
--- a/awx/main/notifications/email_backend.py
+++ b/awx/main/notifications/email_backend.py
@@ -8,6 +8,18 @@ from awx.main.notifications.custom_notification_base import CustomNotificationBa
 DEFAULT_MSG = CustomNotificationBase.DEFAULT_MSG
 DEFAULT_BODY = CustomNotificationBase.DEFAULT_BODY
 
+DEFAULT_APPROVAL_RUNNING_MSG = CustomNotificationBase.DEFAULT_APPROVAL_RUNNING_MSG
+DEFAULT_APPROVAL_RUNNING_BODY = CustomNotificationBase.DEFAULT_APPROVAL_RUNNING_BODY
+
+DEFAULT_APPROVAL_APPROVED_MSG = CustomNotificationBase.DEFAULT_APPROVAL_APPROVED_MSG
+DEFAULT_APPROVAL_APPROVED_BODY = CustomNotificationBase.DEFAULT_APPROVAL_APPROVED_BODY
+
+DEFAULT_APPROVAL_TIMEOUT_MSG = CustomNotificationBase.DEFAULT_APPROVAL_TIMEOUT_MSG
+DEFAULT_APPROVAL_TIMEOUT_BODY = CustomNotificationBase.DEFAULT_APPROVAL_TIMEOUT_BODY
+
+DEFAULT_APPROVAL_DENIED_MSG = CustomNotificationBase.DEFAULT_APPROVAL_DENIED_MSG
+DEFAULT_APPROVAL_DENIED_BODY = CustomNotificationBase.DEFAULT_APPROVAL_DENIED_BODY
+
 
 class CustomEmailBackend(EmailBackend, CustomNotificationBase):
 
@@ -26,10 +38,10 @@ class CustomEmailBackend(EmailBackend, CustomNotificationBase):
     default_messages = {"started": {"message": DEFAULT_MSG, "body": DEFAULT_BODY},
                         "success": {"message": DEFAULT_MSG, "body": DEFAULT_BODY},
                         "error": {"message": DEFAULT_MSG, "body": DEFAULT_BODY},
-                        "workflow_approval": {"running": {"message": DEFAULT_MSG, "body": DEFAULT_BODY},
-                                              "approved": {"message": DEFAULT_MSG, "body": DEFAULT_BODY},
-                                              "timed_out": {"message": DEFAULT_MSG, "body": DEFAULT_BODY},
-                                              "denied": {"message": DEFAULT_MSG, "body": DEFAULT_BODY}}}
+                        "workflow_approval": {"running": {"message": DEFAULT_APPROVAL_RUNNING_MSG, "body": DEFAULT_APPROVAL_RUNNING_BODY},
+                                              "approved": {"message": DEFAULT_APPROVAL_APPROVED_MSG, "body": DEFAULT_APPROVAL_APPROVED_BODY},
+                                              "timed_out": {"message": DEFAULT_APPROVAL_TIMEOUT_MSG, "body": DEFAULT_APPROVAL_TIMEOUT_BODY},
+                                              "denied": {"message": DEFAULT_APPROVAL_DENIED_MSG, "body": DEFAULT_APPROVAL_DENIED_BODY}}}
 
     def format_body(self, body):
         # leave body unchanged (expect a string)

From b46a2b43b09f3cc0e5ff8d3e3f784bb76de6e8de Mon Sep 17 00:00:00 2001
From: beeankha <beeankha@gmail.com>
Date: Wed, 4 Dec 2019 12:07:49 -0500
Subject: [PATCH 18/36] Change quotation mark format for sconsistency and also
 to comply with qa tests

---
 .../notifications/custom_notification_base.py | 21 ++++++++++---------
 1 file changed, 11 insertions(+), 10 deletions(-)

diff --git a/awx/main/notifications/custom_notification_base.py b/awx/main/notifications/custom_notification_base.py
index d7a6ff898e..39e711540c 100644
--- a/awx/main/notifications/custom_notification_base.py
+++ b/awx/main/notifications/custom_notification_base.py
@@ -3,20 +3,21 @@
 
 
 class CustomNotificationBase(object):
-    DEFAULT_MSG = "{{ job_friendly_name }} #{{ job.id }} '{{ job.name }}' {{ job.status }}: {{ url }}"
-    DEFAULT_BODY = "{{ job_friendly_name }} #{{ job.id }} had status {{ job.status }}, view details at {{ url }}\n\n{{ job_metadata }}"
+    DEFAULT_MSG = '{{ job_friendly_name }} #{{ job.id }} "{{ job.name }}" {{ job.status }}: {{ url }}'
+    DEFAULT_BODY = '{{ job_friendly_name }} #{{ job.id }} had status {{ job.status }}, view details at {{ url }}\n\n{{ job_metadata }}'
 
-    DEFAULT_APPROVAL_RUNNING_MSG = "The approval node '{{ approval_node_name }}' needs review. This node can be viewed at: {{ workflow_url }}"
-    DEFAULT_APPROVAL_RUNNING_BODY = "'{{ approval_node_name }}' needs review. This approval node can be viewed at: {{ workflow_url }}\n\n{{ job_metadata }}"
+    DEFAULT_APPROVAL_RUNNING_MSG = 'The approval node "{{ approval_node_name }}" needs review. This node can be viewed at: {{ workflow_url }}'
+    DEFAULT_APPROVAL_RUNNING_BODY = ('The approval node "{{ approval_node_name }}" needs review. '
+                                     'This approval node can be viewed at: {{ workflow_url }}\n\n{{ job_metadata }}')
 
-    DEFAULT_APPROVAL_APPROVED_MSG = "The approval node '{{ approval_node_name }}' was approved. {{ workflow_url }}"
-    DEFAULT_APPROVAL_APPROVED_BODY = "The approval node '{{ approval_node_name }}' was approved. {{ workflow_url }}\n\n{{ job_metadata }}"
+    DEFAULT_APPROVAL_APPROVED_MSG = 'The approval node "{{ approval_node_name }}" was approved. {{ workflow_url }}'
+    DEFAULT_APPROVAL_APPROVED_BODY = 'The approval node "{{ approval_node_name }}" was approved. {{ workflow_url }}\n\n{{ job_metadata }}'
 
-    DEFAULT_APPROVAL_TIMEOUT_MSG = "The approval node '{{ approval_node_name }}' has timed out. {{ workflow_url }}"
-    DEFAULT_APPROVAL_TIMEOUT_BODY = "The approval node '{{ approval_node_name }}' has timed out. {{ workflow_url }}\n\n{{ job_metadata }}"
+    DEFAULT_APPROVAL_TIMEOUT_MSG = 'The approval node "{{ approval_node_name }}" has timed out. {{ workflow_url }}'
+    DEFAULT_APPROVAL_TIMEOUT_BODY = 'The approval node "{{ approval_node_name }}" has timed out. {{ workflow_url }}\n\n{{ job_metadata }}'
 
-    DEFAULT_APPROVAL_DENIED_MSG = "The approval node '{{ approval_node_name }}' was denied. {{ workflow_url }}"
-    DEFAULT_APPROVAL_DENIED_BODY = "The approval node '{{ approval_node_name }}' was denied. {{ workflow_url }}\n\n{{ job_metadata }}"
+    DEFAULT_APPROVAL_DENIED_MSG = 'The approval node "{{ approval_node_name }}" was denied. {{ workflow_url }}'
+    DEFAULT_APPROVAL_DENIED_BODY = 'The approval node "{{ approval_node_name }}" was denied. {{ workflow_url }}\n\n{{ job_metadata }}'
 
 
     default_messages = {"started": {"message": DEFAULT_MSG, "body": None},

From d6e5eb356b62aa4f0db53cc3a385c3afaa5b4183 Mon Sep 17 00:00:00 2001
From: beeankha <beeankha@gmail.com>
Date: Wed, 4 Dec 2019 22:05:23 -0500
Subject: [PATCH 19/36] Revert original quotation mark configuration for
 non-approval default msg and body

---
 awx/main/notifications/custom_notification_base.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/awx/main/notifications/custom_notification_base.py b/awx/main/notifications/custom_notification_base.py
index 39e711540c..f8da2dab52 100644
--- a/awx/main/notifications/custom_notification_base.py
+++ b/awx/main/notifications/custom_notification_base.py
@@ -3,8 +3,8 @@
 
 
 class CustomNotificationBase(object):
-    DEFAULT_MSG = '{{ job_friendly_name }} #{{ job.id }} "{{ job.name }}" {{ job.status }}: {{ url }}'
-    DEFAULT_BODY = '{{ job_friendly_name }} #{{ job.id }} had status {{ job.status }}, view details at {{ url }}\n\n{{ job_metadata }}'
+    DEFAULT_MSG = "{{ job_friendly_name }} #{{ job.id }} '{{ job.name }}' {{ job.status }}: {{ url }}"
+    DEFAULT_BODY = "{{ job_friendly_name }} #{{ job.id }} had status {{ job.status }}, view details at {{ url }}\n\n{{ job_metadata }}"
 
     DEFAULT_APPROVAL_RUNNING_MSG = 'The approval node "{{ approval_node_name }}" needs review. This node can be viewed at: {{ workflow_url }}'
     DEFAULT_APPROVAL_RUNNING_BODY = ('The approval node "{{ approval_node_name }}" needs review. '

From b5724adae5cc551cf3c9284a5533e1cac097af41 Mon Sep 17 00:00:00 2001
From: Ryan Petrello <rpetrell@redhat.com>
Date: Thu, 5 Dec 2019 11:30:12 -0500
Subject: [PATCH 20/36] fix situation were error happened before lock was
 released

---
 awx/main/tasks.py | 35 +++++++++++++++++++----------------
 1 file changed, 19 insertions(+), 16 deletions(-)

diff --git a/awx/main/tasks.py b/awx/main/tasks.py
index 37ef703a29..ca8db3480f 100644
--- a/awx/main/tasks.py
+++ b/awx/main/tasks.py
@@ -2246,22 +2246,25 @@ class RunProjectUpdate(BaseTask):
             copy_tree(project_path, destination_folder)
 
     def post_run_hook(self, instance, status):
-        if self.job_private_data_dir:
-            # copy project folder before resetting to default branch
-            # because some git-tree-specific resources (like submodules) might matter
-            self.make_local_copy(
-                instance.get_project_path(check_if_exists=False), os.path.join(self.job_private_data_dir, 'project'),
-                instance.scm_type, self.playbook_new_revision
-            )
-            if self.original_branch:
-                # for git project syncs, non-default branches can be problems
-                # restore to branch the repo was on before this run
-                try:
-                    self.original_branch.checkout()
-                except Exception:
-                    # this could have failed due to dirty tree, but difficult to predict all cases
-                    logger.exception('Failed to restore project repo to prior state after {}'.format(instance.log_format))
-        self.release_lock(instance)
+        # To avoid hangs, very important to release lock even if errors happen here
+        try:
+            if self.job_private_data_dir:
+                # copy project folder before resetting to default branch
+                # because some git-tree-specific resources (like submodules) might matter
+                self.make_local_copy(
+                    instance.get_project_path(check_if_exists=False), os.path.join(self.job_private_data_dir, 'project'),
+                    instance.scm_type, self.playbook_new_revision
+                )
+                if self.original_branch:
+                    # for git project syncs, non-default branches can be problems
+                    # restore to branch the repo was on before this run
+                    try:
+                        self.original_branch.checkout()
+                    except Exception:
+                        # this could have failed due to dirty tree, but difficult to predict all cases
+                        logger.exception('Failed to restore project repo to prior state after {}'.format(instance.log_format))
+        finally:
+            self.release_lock(instance)
         p = instance.project
         if self.playbook_new_revision:
             instance.scm_revision = self.playbook_new_revision

From 5ae7df7757dc218397c6c279acef33ac040be06c Mon Sep 17 00:00:00 2001
From: Ryan Petrello <rpetrell@redhat.com>
Date: Fri, 6 Dec 2019 12:44:50 -0500
Subject: [PATCH 21/36] fix a bug in isolated check timeout handling

---
 awx/main/isolated/manager.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/awx/main/isolated/manager.py b/awx/main/isolated/manager.py
index ae09176cbc..5e807aeb9a 100644
--- a/awx/main/isolated/manager.py
+++ b/awx/main/isolated/manager.py
@@ -126,6 +126,8 @@ class IsolatedManager(object):
         params['private_data_dir'] = iso_dir
         if idle_timeout:
             params['settings']['idle_timeout'] = idle_timeout
+        else:
+            params['settings'].pop('idle_timeout', None)
         params.update(**kw)
         if all([
             getattr(settings, 'AWX_ISOLATED_KEY_GENERATION', False) is True,

From c4d358b870976d75d2008feb6a6fcf4b9631b0be Mon Sep 17 00:00:00 2001
From: Ryan Petrello <rpetrell@redhat.com>
Date: Fri, 6 Dec 2019 12:56:18 -0500
Subject: [PATCH 22/36] use a computed inventory field for task impact math

see: https://github.com/ansible/tower/issues/4022
---
 awx/main/models/jobs.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/awx/main/models/jobs.py b/awx/main/models/jobs.py
index c5ed46bb3e..05cd84be8f 100644
--- a/awx/main/models/jobs.py
+++ b/awx/main/models/jobs.py
@@ -634,7 +634,7 @@ class Job(UnifiedJob, JobOptions, SurveyJobMixin, JobNotificationMixin, TaskMana
         else:
             # If for some reason we can't count the hosts then lets assume the impact as forks
             if self.inventory is not None:
-                count_hosts = self.inventory.hosts.count()
+                count_hosts = self.inventory.total_hosts
                 if self.job_slice_count > 1:
                     # Integer division intentional
                     count_hosts = (count_hosts + self.job_slice_count - self.job_slice_number) // self.job_slice_count

From 55a19ffe6a1cb55e0c8a3528c989948322d5080c Mon Sep 17 00:00:00 2001
From: AlanCoding <arominge@redhat.com>
Date: Thu, 5 Dec 2019 14:26:24 -0500
Subject: [PATCH 23/36] Fix project sync errors when project branch is commit

---
 awx/main/tasks.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/awx/main/tasks.py b/awx/main/tasks.py
index ca8db3480f..6be7a0d8ad 100644
--- a/awx/main/tasks.py
+++ b/awx/main/tasks.py
@@ -2214,7 +2214,10 @@ class RunProjectUpdate(BaseTask):
             project_path = instance.project.get_project_path(check_if_exists=False)
             if os.path.exists(project_path):
                 git_repo = git.Repo(project_path)
-                self.original_branch = git_repo.active_branch
+                if git_repo.head.is_detached:
+                    self.original_branch = git_repo.head.commit
+                else:
+                    self.original_branch = git_repo.active_branch
 
     @staticmethod
     def make_local_copy(project_path, destination_folder, scm_type, scm_revision):

From be5a12a3188c7b679b1f9a11babe32504c25e6ab Mon Sep 17 00:00:00 2001
From: AlanCoding <arominge@redhat.com>
Date: Mon, 9 Dec 2019 10:51:25 -0500
Subject: [PATCH 24/36] Compute fields in smart task_impact tests

---
 awx/main/tests/functional/conftest.py            | 16 ++++++++++++++++
 .../tests/functional/models/test_unified_job.py  | 10 +++++++---
 2 files changed, 23 insertions(+), 3 deletions(-)

diff --git a/awx/main/tests/functional/conftest.py b/awx/main/tests/functional/conftest.py
index ee44aad84a..a18cc60890 100644
--- a/awx/main/tests/functional/conftest.py
+++ b/awx/main/tests/functional/conftest.py
@@ -122,6 +122,22 @@ def project_playbooks():
     mocked.start()
 
 
+@pytest.fixture
+def run_computed_fields_right_away(request):
+
+    def run_me(inventory_id, should_update_hosts=True):
+        i = Inventory.objects.get(id=inventory_id)
+        i.update_computed_fields(update_hosts=should_update_hosts)
+
+    mocked = mock.patch(
+        'awx.main.signals.update_inventory_computed_fields.delay',
+        new=run_me
+    )
+    mocked.start()
+
+    request.addfinalizer(mocked.stop)
+
+
 @pytest.fixture
 @mock.patch.object(Project, "update", lambda self, **kwargs: None)
 def project(instance, organization):
diff --git a/awx/main/tests/functional/models/test_unified_job.py b/awx/main/tests/functional/models/test_unified_job.py
index 4d0418c498..c1d0967583 100644
--- a/awx/main/tests/functional/models/test_unified_job.py
+++ b/awx/main/tests/functional/models/test_unified_job.py
@@ -281,15 +281,18 @@ class TestTaskImpact:
             return job
         return r
 
-    def test_limit_task_impact(self, job_host_limit):
+    def test_limit_task_impact(self, job_host_limit, run_computed_fields_right_away):
         job = job_host_limit(5, 2)
+        job.inventory.refresh_from_db()  # FIXME: computed fields operates on reloaded inventory
+        assert job.inventory.total_hosts == 5
         assert job.task_impact == 2 + 1  # forks becomes constraint
 
-    def test_host_task_impact(self, job_host_limit):
+    def test_host_task_impact(self, job_host_limit, run_computed_fields_right_away):
         job = job_host_limit(3, 5)
+        job.inventory.refresh_from_db()  # FIXME: computed fields operates on reloaded inventory
         assert job.task_impact == 3 + 1  # hosts becomes constraint
 
-    def test_shard_task_impact(self, slice_job_factory):
+    def test_shard_task_impact(self, slice_job_factory, run_computed_fields_right_away):
         # factory creates on host per slice
         workflow_job = slice_job_factory(3, jt_kwargs={'forks': 50}, spawn=True)
         # arrange the jobs by their number
@@ -308,4 +311,5 @@ class TestTaskImpact:
             len(jobs[0].inventory.get_script_data(slice_number=i + 1, slice_count=3)['all']['hosts'])
             for i in range(3)
         ] == [2, 1, 1]
+        jobs[0].inventory.refresh_from_db()  # FIXME: computed fields operates on reloaded inventory
         assert [job.task_impact for job in jobs] == [3, 2, 2]

From b58bff4686d834454ede2a967619fb04ac689e0e Mon Sep 17 00:00:00 2001
From: Graham Mainwaring <gmainwar@redhat.com>
Date: Tue, 10 Dec 2019 13:09:46 -0500
Subject: [PATCH 25/36] Add setting for configurable login redirect URL

---
 awx/api/conf.py | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/awx/api/conf.py b/awx/api/conf.py
index 688aad162f..b2cb2a641c 100644
--- a/awx/api/conf.py
+++ b/awx/api/conf.py
@@ -62,3 +62,14 @@ register(
     category=_('Authentication'),
     category_slug='authentication',
 )
+register(
+    'LOGIN_REDIRECT_OVERRIDE',
+    field_class=fields.CharField,
+    allow_blank=True,
+    required=False,
+    label=_('Login redirect override URL'),
+    help_text=_('URL to which unauthorized users will be redirected to log in. '
+                'If blank, users will be sent to the Tower login page.'),
+    category=_('Authentication'),
+    category_slug='authentication',
+)

From 2569ec4f4fa6373be993ae0a17bae15ea2592a05 Mon Sep 17 00:00:00 2001
From: Graham Mainwaring <gmainwar@redhat.com>
Date: Tue, 10 Dec 2019 14:57:03 -0500
Subject: [PATCH 26/36] Add default for LOGIN_REDIRECT_OVERRIDE

---
 awx/settings/defaults.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/awx/settings/defaults.py b/awx/settings/defaults.py
index 617ac2e440..ed3a4dfdcb 100644
--- a/awx/settings/defaults.py
+++ b/awx/settings/defaults.py
@@ -379,6 +379,10 @@ TACACSPLUS_AUTH_PROTOCOL = 'ascii'
 # Note: This setting may be overridden by database settings.
 AUTH_BASIC_ENABLED = True
 
+# If set, specifies a URL that unauthenticated users will be redirected to
+# when trying to access a UI page that requries authentication.
+LOGIN_REDIRECT_OVERRIDE = None
+
 # If set, serve only minified JS for UI.
 USE_MINIFIED_JS = False
 

From f94438cf9b10e734a25fbaa4d86d172249f70b41 Mon Sep 17 00:00:00 2001
From: mabashian <mabashia@redhat.com>
Date: Tue, 10 Dec 2019 15:07:12 -0500
Subject: [PATCH 27/36] Adds login redirect override field to the System (Misc
 System) Settings interface

---
 .../forms/system-form/sub-forms/system-misc.form.js           | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/awx/ui/client/src/configuration/forms/system-form/sub-forms/system-misc.form.js b/awx/ui/client/src/configuration/forms/system-form/sub-forms/system-misc.form.js
index b283107729..22f2b8bdc0 100644
--- a/awx/ui/client/src/configuration/forms/system-form/sub-forms/system-misc.form.js
+++ b/awx/ui/client/src/configuration/forms/system-form/sub-forms/system-misc.form.js
@@ -43,6 +43,10 @@ export default ['i18n', function(i18n) {
             ALLOW_OAUTH2_FOR_EXTERNAL_USERS: {
                 type: 'toggleSwitch',
             },
+            LOGIN_REDIRECT_OVERRIDE: {
+                type: 'text',
+                reset: 'LOGIN_REDIRECT_OVERRIDE'
+            },
             ACCESS_TOKEN_EXPIRE_SECONDS: {
                 type: 'text',
                 reset: 'ACCESS_TOKEN_EXPIRE_SECONDS'

From ab2f212b044560492d2ca343ecdff79bd3d71f87 Mon Sep 17 00:00:00 2001
From: Graham Mainwaring <gmainwar@redhat.com>
Date: Tue, 10 Dec 2019 15:29:21 -0500
Subject: [PATCH 28/36] Add /login convenience URL

---
 awx/main/views.py | 5 ++++-
 awx/urls.py       | 2 ++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/awx/main/views.py b/awx/main/views.py
index 1947bd001c..bc791976db 100644
--- a/awx/main/views.py
+++ b/awx/main/views.py
@@ -4,7 +4,7 @@
 import json
 
 # Django
-from django.http import HttpResponse
+from django.http import HttpResponse, HttpResponseRedirect
 from django.shortcuts import render
 from django.utils.html import format_html
 from django.utils.translation import ugettext_lazy as _
@@ -97,3 +97,6 @@ def handle_csp_violation(request):
     logger = logging.getLogger('awx')
     logger.error(json.loads(request.body))
     return HttpResponse(content=None)
+
+def handle_login_redirect(request):
+    return HttpResponseRedirect("/#/login")
diff --git a/awx/urls.py b/awx/urls.py
index 970047151d..ba0f0ee421 100644
--- a/awx/urls.py
+++ b/awx/urls.py
@@ -9,6 +9,7 @@ from awx.main.views import (
     handle_404,
     handle_500,
     handle_csp_violation,
+    handle_login_redirect,
 )
 
 
@@ -22,6 +23,7 @@ urlpatterns = [
     url(r'^(?:api/)?404.html$', handle_404),
     url(r'^(?:api/)?500.html$', handle_500),
     url(r'^csp-violation/', handle_csp_violation),
+    url(r'^login/', handle_login_redirect),
 ]
 
 if settings.SETTINGS_MODULE == 'awx.settings.development':

From 732da522393c53929cd137e37fb034d8b25e7933 Mon Sep 17 00:00:00 2001
From: Graham Mainwaring <gmainwar@redhat.com>
Date: Tue, 10 Dec 2019 15:46:56 -0500
Subject: [PATCH 29/36] Expose login redirect URL in unauthenticated /api view

---
 awx/api/views/root.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/awx/api/views/root.py b/awx/api/views/root.py
index 91f6b62149..e4e0657652 100644
--- a/awx/api/views/root.py
+++ b/awx/api/views/root.py
@@ -60,6 +60,7 @@ class ApiRootView(APIView):
         data['oauth2'] = drf_reverse('api:oauth_authorization_root_view')
         data['custom_logo'] = settings.CUSTOM_LOGO
         data['custom_login_info'] = settings.CUSTOM_LOGIN_INFO
+        data['login_redirect_override'] = settings.LOGIN_REDIRECT_OVERRIDE
         return Response(data)
 
 

From d899e75ad7c223d6ec9302f3a9069cf3f5874af4 Mon Sep 17 00:00:00 2001
From: mabashian <mabashia@redhat.com>
Date: Wed, 11 Dec 2019 09:19:38 -0500
Subject: [PATCH 30/36] Adds logic to redirect unauthenticated user if
 LOGIN_REDIRECT_OVERRIDE is set as long as the user is not navigating to
 /login or /#/login.  Also redirects on logout if LOGIN_REDIRECT_OVERRIDE is
 set.

---
 awx/ui/client/src/app.js                           | 14 ++++++++++++--
 awx/ui/client/src/login/logout.route.js            |  6 +++++-
 .../src/shared/load-config/load-config.factory.js  | 10 ++++++----
 3 files changed, 23 insertions(+), 7 deletions(-)

diff --git a/awx/ui/client/src/app.js b/awx/ui/client/src/app.js
index 54e05c4a1e..e6902339e2 100644
--- a/awx/ui/client/src/app.js
+++ b/awx/ui/client/src/app.js
@@ -375,7 +375,13 @@ angular
                     if (!/^\/(login|logout)/.test($location.path())) {
                         $rootScope.preAuthUrl = $location.path();
                     }
-                    $location.path('/login');
+                    if ($location.path() !== '/login') {
+                        if (global.$AnsibleConfig.login_redirect_override) {
+                            window.location.replace(global.$AnsibleConfig.login_redirect_override);
+                        } else {
+                            $location.path('/login');
+                        }
+                    }
                 } else {
                     var lastUser = $cookies.getObject('current_user'),
                         timestammp = Store('sessionTime');
@@ -383,7 +389,11 @@ angular
                         var stime = timestammp[lastUser.id].time,
                             now = new Date().getTime();
                         if ((stime - now) <= 0) {
-                            $location.path('/login');
+                            if (global.$AnsibleConfig.login_redirect_override) {
+                                window.location.replace(global.$AnsibleConfig.login_redirect_override);
+                            } else {
+                                $location.path('/login');
+                            }
                         }
                     }
                     // If browser refresh, set the user_is_superuser value
diff --git a/awx/ui/client/src/login/logout.route.js b/awx/ui/client/src/login/logout.route.js
index 47da767ec5..cf5c228a30 100644
--- a/awx/ui/client/src/login/logout.route.js
+++ b/awx/ui/client/src/login/logout.route.js
@@ -11,7 +11,11 @@ export default {
     route: '/logout',
     controller: ['Authorization', '$state', function(Authorization, $state) {
         Authorization.logout().then( () =>{
-            $state.go('signIn');
+            if (global.$AnsibleConfig.login_redirect_override) {
+                window.location.replace(global.$AnsibleConfig.login_redirect_override);
+            } else {
+                $state.go('signIn');
+            }
         });
 
     }],
diff --git a/awx/ui/client/src/shared/load-config/load-config.factory.js b/awx/ui/client/src/shared/load-config/load-config.factory.js
index ca12f1739b..38a2d8b3b7 100644
--- a/awx/ui/client/src/shared/load-config/load-config.factory.js
+++ b/awx/ui/client/src/shared/load-config/load-config.factory.js
@@ -2,7 +2,6 @@ export default
     function LoadConfig($log, $rootScope, $http, Store) {
         return function() {
 
-
             var configSettings = {};
 
             var configInit = function() {
@@ -10,12 +9,11 @@ export default
                 if ($rootScope.loginConfig) {
                     $rootScope.loginConfig.resolve('config loaded');
                 }
+                global.$AnsibleConfig = configSettings;
+                Store('AnsibleConfig', global.$AnsibleConfig);
                 $rootScope.$emit('ConfigReady');
 
                 // Load new hardcoded settings from above
-
-                global.$AnsibleConfig = configSettings;
-                Store('AnsibleConfig', global.$AnsibleConfig);
                 $rootScope.$emit('LoadConfig');
             };
 
@@ -39,6 +37,10 @@ export default
                         configSettings.custom_login_info = false;
                     }
 
+                    if (data.login_redirect_override) {
+                        configSettings.login_redirect_override = data.login_redirect_override;
+                    }
+
                     configInit();
 
                 }).catch(({error}) => {

From 25cc34188870af55e0e31f6ba42d4240df3cf253 Mon Sep 17 00:00:00 2001
From: mabashian <mabashia@redhat.com>
Date: Wed, 11 Dec 2019 10:56:46 -0500
Subject: [PATCH 31/36] Reverts changes to logout logic.  We don't want to
 redirect to an override url if the user explicitly logs out.

---
 awx/ui/client/src/login/logout.route.js | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/awx/ui/client/src/login/logout.route.js b/awx/ui/client/src/login/logout.route.js
index cf5c228a30..47da767ec5 100644
--- a/awx/ui/client/src/login/logout.route.js
+++ b/awx/ui/client/src/login/logout.route.js
@@ -11,11 +11,7 @@ export default {
     route: '/logout',
     controller: ['Authorization', '$state', function(Authorization, $state) {
         Authorization.logout().then( () =>{
-            if (global.$AnsibleConfig.login_redirect_override) {
-                window.location.replace(global.$AnsibleConfig.login_redirect_override);
-            } else {
-                $state.go('signIn');
-            }
+            $state.go('signIn');
         });
 
     }],

From bf6c16197ca3fec33d8363ebb5866a586eda6e01 Mon Sep 17 00:00:00 2001
From: mabashian <mabashia@redhat.com>
Date: Wed, 11 Dec 2019 11:19:55 -0500
Subject: [PATCH 32/36] Moves config request out to block of code that gets
 executed before the app is bootstrapped.  This should allow us to redirect to
 the override url before the app begins to render, improving the UX.

---
 awx/ui/client/src/app.js                      |  8 +--
 awx/ui/client/src/app.start.js                | 23 ++++++-
 .../shared/load-config/load-config.factory.js | 69 +++++++------------
 3 files changed, 49 insertions(+), 51 deletions(-)

diff --git a/awx/ui/client/src/app.js b/awx/ui/client/src/app.js
index e6902339e2..071db41067 100644
--- a/awx/ui/client/src/app.js
+++ b/awx/ui/client/src/app.js
@@ -375,13 +375,7 @@ angular
                     if (!/^\/(login|logout)/.test($location.path())) {
                         $rootScope.preAuthUrl = $location.path();
                     }
-                    if ($location.path() !== '/login') {
-                        if (global.$AnsibleConfig.login_redirect_override) {
-                            window.location.replace(global.$AnsibleConfig.login_redirect_override);
-                        } else {
-                            $location.path('/login');
-                        }
-                    }
+                    $location.path('/login');
                 } else {
                     var lastUser = $cookies.getObject('current_user'),
                         timestammp = Store('sessionTime');
diff --git a/awx/ui/client/src/app.start.js b/awx/ui/client/src/app.start.js
index 44f8113567..61c8ac5bb4 100644
--- a/awx/ui/client/src/app.start.js
+++ b/awx/ui/client/src/app.start.js
@@ -15,7 +15,9 @@ function bootstrap (callback) {
             angular.module('I18N').constant('LOCALE', locale);
         }
 
-        angular.element(document).ready(() => callback());
+        fetchConfig((config) => {
+            angular.element(document).ready(() => callback());
+        });
     });
 }
 
@@ -49,6 +51,25 @@ function fetchLocaleStrings (callback) {
     request.fail(() => callback({ code: DEFAULT_LOCALE }));
 }
 
+function fetchConfig (callback) {
+    const request = $.ajax(`/api`);
+
+    request.done(res => {
+        angular.module('awApp').constant('ConfigSettings', res);
+        if (res.login_redirect_override) {
+            if (!document.cookie.split(';').filter((item) => item.includes('userLoggedIn=true')).length && !window.location.href.includes('/#/login')) {
+                window.location.replace(res.login_redirect_override);
+            } else {
+                callback();
+            }
+        } else {
+            callback();
+        }
+    });
+
+    request.fail(() => callback());
+}
+
 /**
  * Grabs the language off of navigator for browser compatibility.
  * If the language isn't set, then it falls back to the DEFAULT_LOCALE. The
diff --git a/awx/ui/client/src/shared/load-config/load-config.factory.js b/awx/ui/client/src/shared/load-config/load-config.factory.js
index 38a2d8b3b7..c1adfeee8f 100644
--- a/awx/ui/client/src/shared/load-config/load-config.factory.js
+++ b/awx/ui/client/src/shared/load-config/load-config.factory.js
@@ -1,57 +1,40 @@
 export default
-    function LoadConfig($log, $rootScope, $http, Store) {
+    function LoadConfig($rootScope, Store, ConfigSettings) {
         return function() {
 
             var configSettings = {};
 
-            var configInit = function() {
-                // Auto-resolving what used to be found when attempting to load local_setting.json
-                if ($rootScope.loginConfig) {
-                    $rootScope.loginConfig.resolve('config loaded');
-                }
-                global.$AnsibleConfig = configSettings;
-                Store('AnsibleConfig', global.$AnsibleConfig);
-                $rootScope.$emit('ConfigReady');
+            if(ConfigSettings.custom_logo) {
+                configSettings.custom_logo = true;
+                $rootScope.custom_logo = ConfigSettings.custom_logo;
+            } else {
+                configSettings.custom_logo = false;
+            }
 
-                // Load new hardcoded settings from above
-                $rootScope.$emit('LoadConfig');
-            };
+            if(ConfigSettings.custom_login_info) {
+                configSettings.custom_login_info = ConfigSettings.custom_login_info;
+                $rootScope.custom_login_info = ConfigSettings.custom_login_info;
+            } else {
+                configSettings.custom_login_info = false;
+            }
 
-            // Retrieve the custom logo information - update configSettings from above
-            $http({
-                method: 'GET',
-                url: '/api/',
-            })
-                .then(function({data}) {
-                    if(data.custom_logo) {
-                        configSettings.custom_logo = true;
-                        $rootScope.custom_logo = data.custom_logo;
-                    } else {
-                        configSettings.custom_logo = false;
-                    }
+            if (ConfigSettings.login_redirect_override) {
+                configSettings.login_redirect_override = ConfigSettings.login_redirect_override;
+            }
 
-                    if(data.custom_login_info) {
-                        configSettings.custom_login_info = data.custom_login_info;
-                        $rootScope.custom_login_info = data.custom_login_info;
-                    } else {
-                        configSettings.custom_login_info = false;
-                    }
+            // Auto-resolving what used to be found when attempting to load local_setting.json
+            if ($rootScope.loginConfig) {
+                $rootScope.loginConfig.resolve('config loaded');
+            }
+            global.$AnsibleConfig = configSettings;
+            Store('AnsibleConfig', global.$AnsibleConfig);
+            $rootScope.$emit('ConfigReady');
 
-                    if (data.login_redirect_override) {
-                        configSettings.login_redirect_override = data.login_redirect_override;
-                    }
-
-                    configInit();
-
-                }).catch(({error}) => {
-                    $log.debug(error);
-                    configInit();
-                });
+            // Load new hardcoded settings from above
+            $rootScope.$emit('LoadConfig');
 
         };
     }
 
 LoadConfig.$inject =
-    [   '$log', '$rootScope', '$http',
-        'Store'
-    ];
+    [ '$rootScope', 'Store', 'ConfigSettings' ];

From 425d1168b9e37a834839b9173e75399e1ada9568 Mon Sep 17 00:00:00 2001
From: mabashian <mabashia@redhat.com>
Date: Wed, 11 Dec 2019 13:33:54 -0500
Subject: [PATCH 33/36] Adds trailing slash to /api request

---
 awx/ui/client/src/app.start.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/awx/ui/client/src/app.start.js b/awx/ui/client/src/app.start.js
index 61c8ac5bb4..310fae9de3 100644
--- a/awx/ui/client/src/app.start.js
+++ b/awx/ui/client/src/app.start.js
@@ -52,7 +52,7 @@ function fetchLocaleStrings (callback) {
 }
 
 function fetchConfig (callback) {
-    const request = $.ajax(`/api`);
+    const request = $.ajax('/api/');
 
     request.done(res => {
         angular.module('awApp').constant('ConfigSettings', res);

From c16ad89ff9e74ac281c113eb66a184ef6b21274e Mon Sep 17 00:00:00 2001
From: mabashian <mabashia@redhat.com>
Date: Wed, 11 Dec 2019 13:37:39 -0500
Subject: [PATCH 34/36] Fix linting error (unused var)

---
 awx/ui/client/src/app.start.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/awx/ui/client/src/app.start.js b/awx/ui/client/src/app.start.js
index 310fae9de3..026ee0162c 100644
--- a/awx/ui/client/src/app.start.js
+++ b/awx/ui/client/src/app.start.js
@@ -15,7 +15,7 @@ function bootstrap (callback) {
             angular.module('I18N').constant('LOCALE', locale);
         }
 
-        fetchConfig((config) => {
+        fetchConfig(() => {
             angular.element(document).ready(() => callback());
         });
     });

From 475e2605d4daed13c1ee673e992ebe86f62e1d6a Mon Sep 17 00:00:00 2001
From: mabashian <mabashia@redhat.com>
Date: Wed, 11 Dec 2019 16:31:39 -0500
Subject: [PATCH 35/36] Changes redirect logic slightly to lean on a global var
 to store the config response rather than a constant on the awApp module. 
 This should allow us to avoid test changes.

---
 awx/ui/client/src/app.js                       |  2 ++
 awx/ui/client/src/app.start.js                 |  2 +-
 .../shared/load-config/load-config.factory.js  | 18 +++++++++---------
 3 files changed, 12 insertions(+), 10 deletions(-)

diff --git a/awx/ui/client/src/app.js b/awx/ui/client/src/app.js
index 071db41067..5ba84826d4 100644
--- a/awx/ui/client/src/app.js
+++ b/awx/ui/client/src/app.js
@@ -3,6 +3,8 @@ global.$AnsibleConfig = null;
 // Provided via Webpack DefinePlugin in webpack.config.js
 global.$ENV = {};
 
+global.$ConfigResponse = {};
+
 var urlPrefix;
 
 if ($basePath) {
diff --git a/awx/ui/client/src/app.start.js b/awx/ui/client/src/app.start.js
index 026ee0162c..ef0c4a8fd5 100644
--- a/awx/ui/client/src/app.start.js
+++ b/awx/ui/client/src/app.start.js
@@ -55,7 +55,7 @@ function fetchConfig (callback) {
     const request = $.ajax('/api/');
 
     request.done(res => {
-        angular.module('awApp').constant('ConfigSettings', res);
+        global.$ConfigResponse = res;
         if (res.login_redirect_override) {
             if (!document.cookie.split(';').filter((item) => item.includes('userLoggedIn=true')).length && !window.location.href.includes('/#/login')) {
                 window.location.replace(res.login_redirect_override);
diff --git a/awx/ui/client/src/shared/load-config/load-config.factory.js b/awx/ui/client/src/shared/load-config/load-config.factory.js
index c1adfeee8f..56916cd7a4 100644
--- a/awx/ui/client/src/shared/load-config/load-config.factory.js
+++ b/awx/ui/client/src/shared/load-config/load-config.factory.js
@@ -1,25 +1,25 @@
 export default
-    function LoadConfig($rootScope, Store, ConfigSettings) {
+    function LoadConfig($rootScope, Store) {
         return function() {
 
             var configSettings = {};
 
-            if(ConfigSettings.custom_logo) {
+            if(global.$ConfigResponse.custom_logo) {
                 configSettings.custom_logo = true;
-                $rootScope.custom_logo = ConfigSettings.custom_logo;
+                $rootScope.custom_logo = global.$ConfigResponse.custom_logo;
             } else {
                 configSettings.custom_logo = false;
             }
 
-            if(ConfigSettings.custom_login_info) {
-                configSettings.custom_login_info = ConfigSettings.custom_login_info;
-                $rootScope.custom_login_info = ConfigSettings.custom_login_info;
+            if(global.$ConfigResponse.custom_login_info) {
+                configSettings.custom_login_info = global.$ConfigResponse.custom_login_info;
+                $rootScope.custom_login_info = global.$ConfigResponse.custom_login_info;
             } else {
                 configSettings.custom_login_info = false;
             }
 
-            if (ConfigSettings.login_redirect_override) {
-                configSettings.login_redirect_override = ConfigSettings.login_redirect_override;
+            if (global.$ConfigResponse.login_redirect_override) {
+                configSettings.login_redirect_override = global.$ConfigResponse.login_redirect_override;
             }
 
             // Auto-resolving what used to be found when attempting to load local_setting.json
@@ -37,4 +37,4 @@ export default
     }
 
 LoadConfig.$inject =
-    [ '$rootScope', 'Store', 'ConfigSettings' ];
+    [ '$rootScope', 'Store' ];

From e4145b580c23f5419beeb1975dbf1f25958d0f1d Mon Sep 17 00:00:00 2001
From: Ryan Petrello <rpetrell@redhat.com>
Date: Thu, 12 Dec 2019 15:43:23 -0500
Subject: [PATCH 36/36] fix a flake8 nit

---
 awx/main/views.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/awx/main/views.py b/awx/main/views.py
index bc791976db..887d44318c 100644
--- a/awx/main/views.py
+++ b/awx/main/views.py
@@ -98,5 +98,6 @@ def handle_csp_violation(request):
     logger.error(json.loads(request.body))
     return HttpResponse(content=None)
 
+
 def handle_login_redirect(request):
     return HttpResponseRedirect("/#/login")