properly migrate settings.FALLBACK_GALAXY_SERVERS

awx/main/migrations/_galaxy.py

@@ -4,6 +4,7 @@ import logging
 
 from awx.main.utils.encryption import encrypt_field, decrypt_field
 
+from django.conf import settings
 from django.utils.timezone import now
 
 from awx.main.models import CredentialType as ModernCredentialType
@@ -69,6 +70,41 @@ def migrate_galaxy_settings(apps, schema_editor):
                 cred.inputs['token'] = encrypt_field(cred, 'token')
                 cred.save()
             org.galaxy_credentials.add(cred)
+
+        fallback_servers = getattr(settings, 'FALLBACK_GALAXY_SERVERS', [])
+        for fallback in fallback_servers:
+            url = fallback.get('url', None)
+            auth_url = fallback.get('auth_url', None)
+            username = fallback.get('username', None)
+            password = fallback.get('password', None)
+            token = fallback.get('token', None)
+            if username or password:
+                logger.error(
+                    f'Specifying HTTP basic auth for the Ansible Galaxy API '
+                    f'({url}) is no longer supported. '
+                    'Please provide an API token instead after your upgrade '
+                    'has completed',
+                )
+            inputs = {'url': url}
+            if token:
+                inputs['token'] = token
+            if auth_url:
+                inputs['auth_url'] = auth_url
+            cred = Credential(
+                created=now(),
+                modified=now(),
+                name=f'Ansible Galaxy ({url})',
+                organization=org,
+                credential_type=galaxy_type,
+                inputs=inputs
+            )
+            cred.save()
+            if token:
+                # encrypt based on the primary key from the prior save
+                cred.inputs['token'] = encrypt_field(cred, 'token')
+                cred.save()
+            org.galaxy_credentials.add(cred)
+
         if public_galaxy_enabled:
             # If public Galaxy was enabled, make a credential for it
             cred = Credential(

awx/main/tests/functional/test_galaxy_credential_migration.py

@@ -1,5 +1,6 @@
 import importlib
 
+from django.conf import settings
 from django.contrib.contenttypes.models import ContentType
 import pytest
 
@@ -76,3 +77,35 @@ def test_multiple_galaxies():
 
         assert creds[1].name == 'Ansible Galaxy'
         assert creds[1].inputs['url'] == 'https://galaxy.ansible.com/'
+
+
+@pytest.mark.django_db
+def test_fallback_galaxies():
+    org = Organization.objects.create()
+    assert org.galaxy_credentials.count() == 0
+    Setting.objects.create(key='PRIMARY_GALAXY_URL', value='https://example.org/')
+    Setting.objects.create(key='PRIMARY_GALAXY_AUTH_URL', value='https://auth.example.org/')
+    Setting.objects.create(key='PRIMARY_GALAXY_TOKEN', value='secret123')
+    try:
+        settings.FALLBACK_GALAXY_SERVERS = [{
+            'id': 'abc123',
+            'url': 'https://some-other-galaxy.example.org/',
+            'auth_url': 'https://some-other-galaxy.sso.example.org/',
+            'username': 'user',
+            'password': 'pass',
+            'token': 'fallback123',
+        }]
+        galaxy.migrate_galaxy_settings(apps, None)
+    finally:
+        settings.FALLBACK_GALAXY_SERVERS = []
+    assert org.galaxy_credentials.count() == 3
+    creds = org.galaxy_credentials.all()
+    assert creds[0].name == 'Private Galaxy (https://example.org/)'
+    assert creds[0].inputs['url'] == 'https://example.org/'
+    assert creds[1].name == 'Ansible Galaxy (https://some-other-galaxy.example.org/)'
+    assert creds[1].inputs['url'] == 'https://some-other-galaxy.example.org/'
+    assert creds[1].inputs['auth_url'] == 'https://some-other-galaxy.sso.example.org/'
+    assert creds[1].inputs['token'].startswith('$encrypted$')
+    assert creds[1].get_input('token') == 'fallback123'
+    assert creds[2].name == 'Ansible Galaxy'
+    assert creds[2].inputs['url'] == 'https://galaxy.ansible.com/'