This PR migrates the SAML configuration from the Controller
to the Gateway, it intentionally skips setting the CALLBACK_URL
so that the Gateway can fill in the appropriate URL.
Remove Controller specific roles
Removes
- Controller Organization Admin
- Controller Organization Member
- Controller Team Admin
- Controller Team Member
- Controller System Auditor
Going forward the platform role definitions
will be used, e.g. Organization Member
The migration will take care of any assignments
with those controller specific roles and use
the platform roles instead.
Signed-off-by: Seth Foster <fosterbseth@gmail.com>
* compare authenticators and mappers before recreating them
* add unit tests
* fix linter errors
* refactor and improve: better implementation for get_authenticator_by_slug and removal of redundant code
* add submit_authenticator method to handle create vs. update in a generic way
* remove unused import
Remove ALLOW_LOCAL_RESOURCE_MANAGEMENT setting and enable local resource management
This commit removes the ALLOW_LOCAL_RESOURCE_MANAGEMENT setting and all associated
functionality, making the behavior as if the setting is always enabled.
Changes:
- Remove ALLOW_LOCAL_RESOURCE_MANAGEMENT setting from defaults.py
- Remove @immutablesharedfields decorator and all related logic
- Remove decorator applications from Organization, Team, and User API views
- Remove role assignment restrictions in UserRolesList and RoleUsersList
- Remove test file for immutablesharedfields functionality
- Clean up unused imports
Result: Organizations, Teams, and Users can now always be created, modified,
and deleted via the API without platform ingress restrictions.
* wip: management command for authenticator export to GateWay
* wip: implement ldap auth config migration
* refactor: split concerns into gathering config and converting / recreating config
* refactor: dry run by default
* use the authenticator slug for idempotency
* move to correct utils path
* use env vars instead of flags, fix linter errors
* remove unused import
* Fix issue where export module does not honor CONTROLLER_OPTIONAL_API_URLPATTERN_PREFIX
* Add unit test and handle leading/trailing slashes
* Reformat
* Refactor for clarity
* Remove unused import
* Move logic to unified job model instead of view
* Refine logic to only apply to double escaped characters to prevent touching unicord chars
* Refine logic to only apply to stdout so that it does not impact webhook notifications
* Revise naming to reflect correction to escapes, not just escape quotes
* Update code comments to reflect fixing double escapes vs double escaped quotes specifically
* Add regex for 5 most common python escape chars to make fix more robust
* Fix issue where export module does not honor CONTROLLER_OPTIONAL_API_URLPATTERN_PREFIX
* Add unit test and handle leading/trailing slashes
* Reformat
* Refactor for clarity
* Remove unused import
* the workflow has been failing silently without catching a merge
conflict. this removes the fail pretty logic previously implemented.
* just fail if a merge conflict is encountered
* Revise start_fact_cache and finish_fact_cache to use JSON file (#15970)
* Revise start_fact_cache and finish_fact_cache to use JSON file with host list inside it
* Revise artifacts path to be relative to the job private_data_dir
* Update calls to start_fact_cache and finish_fact_cache to agree with new reference to artifacts_dir
* Prevents unnecessary updates to ansible_facts_modified, fixing timestamp-related test failures.
* Import bulk_update_sorted_by_id
* Removed assert that calls ansible_facts_new which was removed in the backported pr
* Add import of Host back
* Fix some patterns in collection test playbooks
* Revert change to ansible.builtin.user
* Revert change to WFJT for dup label error
* Add error handling and fix references
* Add back lookup organization
* Fix all remainingfailing syntax in workflow_job_template
* Allow creating galaxy credential types without an organization (#16077)
* remove requirement for galaxy credentials to belong to an organization
* remove organization check for galaxy credential type
---------
Co-authored-by: AlanCoding <arominge@redhat.com>
Co-authored-by: Peter Braun <pbraun@redhat.com>
* Update requirements for setuptools
* first pass and need to commit
* update makefile and run updater script
* updated makefile per readme
* ran updater script
* Patch irc backend to avoid namespace collision w/ jaraco
When importing the IRC backend, jaraco resolves to
the version vendored inside setuptools:
1) importing irc backend…
irc_backend ERROR: ModuleNotFoundError("No module named 'jaraco.stream'")
2) sys.modules['jaraco'] after failure:
present: True
type: <class 'module'>
__file__: /var/lib/awx/venv/awx/lib64/python3.11/site-packages/setuptools/_vendor/jaraco/__init__.py
__path__: ['/var/lib/awx/venv/awx/lib64/python3.11/site-packages/setuptools/_vendor/jaraco']
__spec__: ModuleSpec(name='jaraco',
loader=<_frozen_importlib_external.SourceFileLoader object at 0x7f006a0eccd0>,
origin='/var/lib/awx/venv/awx/lib64/python3.11/site-packages/setuptools/_vendor/jaraco/__init__.py',
submodule_search_locations=['/var/lib/awx/venv/awx/lib64/python3.11/site-packages/setuptools/_vendor/jaraco'])
Since setuptools does not vendor jaraco.stream, it blew up. This patch ensures
jaraco.stream gets imported *before* attempting to import the irc modules.
* Revert "[4.6][dependency] CVE 2025 47273 (#7020)" (#7027)
This reverts commit e8b2920aec95de2c51308ce2fb14773ef676d01a.
* reformatted irc backend with black
* ran black to fix linting issues
* Reapply "[4.6][dependency] CVE 2025 47273 (#7020)" (#7027)
This reverts commit 0c6df9b13398a93569fae7558e1a0e72cbe8fb6c.
* add flake8 ignore since jaraco.stream is needed
* jaraco.stream is not directly called in the file but is needed by irc
so ignore the linter failure
---------
Co-authored-by: Shane McDonald <me@shanemcd.com>
* clear LICENSE from cache on change
* Adds tests for license cache clearing
Generated by Cursor (claude-4-sonnet)
* test fixes
Generated with Cursor (claude-4-sonnet)
---------
Signed-off-by: Robin Y Bobbitt <rbobbitt@redhat.com>
Co-authored-by: Jake Jackson <jljacks93@gmail.com>
* fixes UnboundLocalError in POST /attach
* bust cache for credentials before attaching subscription
---------
Signed-off-by: Robin Y Bobbitt <rbobbitt@redhat.com>
* clear LICENSE from cache on change
Signed-off-by: Robin Y Bobbitt <rbobbitt@redhat.com>
* Adds tests for license cache clearing
Generated by Cursor (claude-4-sonnet)
Signed-off-by: Robin Y Bobbitt <rbobbitt@redhat.com>
* test fixes
Generated with Cursor (claude-4-sonnet)
Signed-off-by: Robin Y Bobbitt <rbobbitt@redhat.com>
---------
Signed-off-by: Robin Y Bobbitt <rbobbitt@redhat.com>
Co-authored-by: Jake Jackson <jljacks93@gmail.com>
* fixes UnboundLocalError in POST /attach
Signed-off-by: Robin Y Bobbitt <rbobbitt@redhat.com>
* bust cache for credentials before attaching subscription
Signed-off-by: Robin Y Bobbitt <rbobbitt@redhat.com>
---------
Signed-off-by: Robin Y Bobbitt <rbobbitt@redhat.com>
* Bug fix for AAP-47771 this data migration updates existing CredentialType entries
in the database and changes the kind from github_app to github_app_lookup
* Combine migration 0203 into 0202
* Add test to ensure reconciliation issue has been resolved
* Fix collection task breaking collection ci checks
* Patch ansible.module_utils.basic._ANSIBLE_PROFILE directly
* Conditionalize other santity assertions
* Remove added blank lines and identifier from Fail if absent and no identifier set
* Update collection args (#16025)
* update collection arguments
* Add integration testing for new param
* fix: sanity check failures
---------
Co-authored-by: Sean Sullivan <ssulliva@redhat.com>
Co-authored-by: Alan Rominger <arominge@redhat.com>
* update formatting for sanity testing
* fixing indentation for sanity suite
* adjust tests to use new token name
* update tests to use aap_token instead of controller_oauthtoken
* add back aliases for backward compat
* we have integration tests that still leverage the old token name
* while we can rename these, this tells me that customers might still
have them in the wild and breaking them in a z stream is no bueno
* revert alias changes
---------
Co-authored-by: Peter Braun <pbraun@redhat.com>
Co-authored-by: Sean Sullivan <ssulliva@redhat.com>
Co-authored-by: Alan Rominger <arominge@redhat.com>
* wfjt migration to catch renaming
* Added rename_wfjt function to template constraint migration
* Add test to add duplicate names and verify that the duplicates are renamed
* move object creation
* add missing rename_wfjt operation
* fix linter issues
* fix tox issues
* test manually and move operation
* added back credential type validation code
* Handle DAB RBAC either before or after new type model
* Translate CT to DAB CT
* Fixes for content type switch
* Use more compatible coding pattern
* Deeper purge of content_type_id
* revert, turns out that did not work
* More content type replacements
* Revert changes to serializer
* Revert another content_type change
* Fix for rearrangement of post_migration methods
* Remove thing I am not going to do
* Revert branch pin that was temporary
* add branch sync between release_4.6 and stable-2.6
* add a new workflow to force push commits in release_4.6 to
stable-2.6
* Update workflow to use matrix keyword
---------
Co-authored-by: Jake Jackson
Remove ALLOW_LOCAL_RESOURCE_MANAGEMENT setting and enable local resource management
This commit removes the ALLOW_LOCAL_RESOURCE_MANAGEMENT setting and all associated
functionality, making the behavior as if the setting is always enabled.
Changes:
- Remove ALLOW_LOCAL_RESOURCE_MANAGEMENT setting from defaults.py
- Remove @immutablesharedfields decorator and all related logic
- Remove decorator applications from Organization, Team, and User API views
- Remove role assignment restrictions in UserRolesList and RoleUsersList
- Remove test file for immutablesharedfields functionality
- Clean up unused imports
Result: Organizations, Teams, and Users can now always be created, modified,
and deleted via the API without platform ingress restrictions.
* Mark the collection role module as deprecated
* Mark deprecated in DOCUMENTATION
* Add deprecation info
* Resolve validate-modules deprecation errors
---------
Co-authored-by: Luis <lvilla@redhat.com>
Sort both bulk updates and add batch size to facts bulk update to resolve deadlock issue
Update tests to expect batch_size to agree with changes
Add utility method to bulk update and sort hosts and applied that to the appropriate locations
Update functional tests to use bulk_update_sorted_by_id since update_hosts has been deleted
Add comment NOSONAR to get rid of Sonarqube warning since this is just a test and it's not actually a security issue
Fix failing test test_finish_job_fact_cache_clear & test_finish_job_fact_cache_with_existing_data
---------
Signed-off-by: Seth Foster <fosterbseth@gmail.com>
Co-authored-by: Alan Rominger <arominge@redhat.com>
Co-authored-by: Seth Foster <fosterbseth@gmail.com>
They are only surfaced under pytest 8.4, with `pytest-cov` and
`pytest-xdist` being both active [[1]]. Or equivalent situations
This is a follow-up for #16015 which attempted ignoring the warning
on the runtime level in pytest. Instead, the patch tells `coveragepy`
not to emit said warnings in the first place.
[1]: pytest-dev/pytest-cov#693
It should ideally match perfectly or at least come close, for best
responsiveness. This setting is currently used to prevent Codecov
from publishing incomplete coverage metrics too early.
