Fix controller_oauthtoken regression and more

* aap_token now functions like controller_oauthtoken * lookup('awx.awx.controller_api', ...) fixed
2026-01-11 01:57:35 -03:30 · 2025-08-14 13:58:17 -04:00 · 2025-08-14 13:58:17 -04:00 · e82de50edb
commit e82de50edb
parent 11f31ef796
4 changed files with 54 additions and 10 deletions
--- a/awx_collection/plugins/doc_fragments/auth.py
+++ b/awx_collection/plugins/doc_fragments/auth.py
@ -40,6 +40,7 @@ options:
    - A dictionary structure as returned by the token module.
    - If value not set, will try environment variable C(CONTROLLER_OAUTH_TOKEN) and then config files
    type: raw
+    aliases: [ controller_oauthtoken ]
    version_added: "3.7.0"
  validate_certs:
    description:
--- a/awx_collection/plugins/doc_fragments/auth_plugin.py
+++ b/awx_collection/plugins/doc_fragments/auth_plugin.py
@ -40,15 +40,18 @@ options:
        version: '4.0.0'
        why: Collection name change
        alternatives: 'TOWER_PASSWORD, AAP_PASSWORD'
-  aap_token:
+  oauth_token:
    description:
    - The OAuth token to use.
    env:
    - name: AAP_TOKEN
+    - name: CONTROLLER_OAUTH_TOKEN
+    - name: TOWER_OAUTH_TOKEN
      deprecated:
        collection_name: 'awx.awx'
        version: '4.0.0'
        why: Collection name change
+        alternatives: 'CONTROLLER_OAUTH_TOKEN'
  verify_ssl:
    description:
    - Specify whether Ansible should verify the SSL certificate of the controller host.
--- a/awx_collection/plugins/module_utils/controller_api.py
+++ b/awx_collection/plugins/module_utils/controller_api.py
@ -73,6 +73,7 @@ class ControllerModule(AnsibleModule):
        aap_token=dict(
            type='raw',
            no_log=True,
+            aliases=['controller_oauthtoken',],
            required=False,
            fallback=(env_fallback, ['CONTROLLER_OAUTH_TOKEN', 'TOWER_OAUTH_TOKEN', 'AAP_TOKEN'])
        ),
@ -129,18 +130,18 @@ class ControllerModule(AnsibleModule):
            if direct_value is not None:
                setattr(self, short_param, direct_value)

-        # Perform magic depending on whether controller_oauthtoken is a string or a dict
-        if self.params.get('controller_oauthtoken'):
-            token_param = self.params.get('controller_oauthtoken')
+        # Perform magic depending on whether aap_token is a string or a dict
+        if self.params.get('aap_token'):
+            token_param = self.params.get('aap_token')
            if isinstance(token_param, dict):
                if 'token' in token_param:
-                    self.oauth_token = self.params.get('controller_oauthtoken')['token']
+                    self.oauth_token = self.params.get('aap_token')['token']
                else:
-                    self.fail_json(msg="The provided dict in controller_oauthtoken did not properly contain the token entry")
+                    self.fail_json(msg="The provided dict in aap_token did not properly contain the token entry")
            elif isinstance(token_param, string_types):
-                self.oauth_token = self.params.get('controller_oauthtoken')
+                self.oauth_token = self.params.get('aap_token')
            else:
-                error_msg = "The provided controller_oauthtoken type was not valid ({0}). Valid options are str or dict.".format(type(token_param).__name__)
+                error_msg = "The provided aap_token type was not valid ({0}). Valid options are str or dict.".format(type(token_param).__name__)
                self.fail_json(msg=error_msg)

        # Perform some basic validation
--- a/awx_collection/tests/integration/targets/token/tasks/main.yml
+++ b/awx_collection/tests/integration/targets/token/tasks/main.yml
@ -18,7 +18,7 @@
 - assert:
    that:
      - results is failed
-      - '"The provided dict in controller_oauthtoken did not properly contain the token entry" == results.msg'
+      - '"The provided dict in aap_token did not properly contain the token entry" == results.msg'

 - name: Try to use a token as a list
  job_list:
@ -30,7 +30,7 @@
 - assert:
    that:
      - results is failed
-      - '"The provided controller_oauthtoken type was not valid (list). Valid options are str or dict." == results.msg'
+      - '"The provided aap_token type was not valid (list). Valid options are str or dict." == results.msg'

 - name: Try to delete a token with no existing_token or existing_token_id
  token:
@ -113,3 +113,42 @@
    - assert:
        that:
          - results is changed or resuslts is skipped
+
+- block:
+    - name: Create a less privileged token (read)
+      token:
+        description: '{{ token_description }}'
+        scope: "read"
+        state: present
+      register: read_only_token
+
+    - debug:
+        msg: "{{read_only_token}}"
+
+    - name: Exercise the aap_token parameter with the new token.
+      job_list:
+        aap_token: "{{ read_only_token.ansible_facts.controller_token.token }}"
+
+    - name: Ensure the new token is being used and not the default token for the tests.
+      token:
+        aap_token: "{{ read_only_token.ansible_facts.controller_token.token }}"
+        scope: "write"
+        state: present
+      ignore_errors: true
+      register: result
+
+    - assert:
+        that:
+          - "'You don\\'t have permission to POST' in result.msg"
+
+  always:
+    - name: Delete the less privileged token
+      token:
+        existing_token_id: "{{ read_only_token['id'] }}"
+        state: absent
+      when: read_only_token is defined
+      register: result
+
+    - assert:
+        that:
+          - result is changed