* fix: do not create multiple mappers for lists of emails or usernames
* fix: create multiple matchers, don't rely on matches_or
* fix tests
* truncate mapper names to a max of 128 chars
* better naming scheme for matchers
* Add LDAP support to gateway_mapping and expand test coverage
- Add new process_ldap_user_list function for LDAP group processing
- Add auth_type parameter to org_map_to_gateway_format and team_map_to_gateway_format
- Support both 'sso' and 'ldap' authentication types in mapping functions
- Fix syntax error and logic bug in existing code
- Add comprehensive unit tests for process_ldap_user_list function (13 test cases)
- Add unit tests for auth_type parameter functionality
- Update helper functions to support new auth_type parameter
- All tests pass and maintain backward compatibility
Technical changes:
- process_ldap_user_list handles None, boolean, string, and list inputs
- Proper type hints with mypy compatibility
- LDAP groups use 'has_or' trigger format vs SSO attribute matching
- Boolean True/False create Always/Never Allow triggers for LDAP
- Maintains proper ordering and mapper structure
Co-authored-by: Claude (Anthropic AI Assistant) <claude@anthropic.com>
* Fix empty list bug in process_ldap_user_list and add comprehensive tests
- Fix process_ldap_user_list to return empty list for empty input instead of creating invalid trigger
- Empty list [] now correctly returns no triggers instead of trigger with empty has_or array
- Add test case for empty list behavior in both LDAP and SSO functions
- Update existing test_empty_list to expect correct behavior (0 triggers)
- Maintain backward compatibility for all other input types
- Comprehensive testing confirms no regression in existing functionality
Bug Details:
- Before: process_ldap_user_list([]) returned [{'name': 'Match User Groups', 'trigger': {'groups': {'has_or': []}}}]
- After: process_ldap_user_list([]) returns [] (correct behavior)
- SSO function already handled this correctly
This prevents potential Gateway issues with empty has_or arrays and ensures logical consistency.
Co-authored-by: Claude (Anthropic AI Assistant) <claude@anthropic.com>
* Add comprehensive LDAP migrator tests and fix category handling
- Add comprehensive unit test suite for LDAPMigrator class (26 tests)
- Test LDAP configuration scenarios including multiple instances, mappings, and edge cases
- Add tests for mixed boolean/group mappings, special characters in org names, and empty configs
- Fix LDAP authenticator category to always be 'ldap' (not 'ldap<suffix>')
- Add auth_type='ldap' parameter to org_map_to_gateway_format and team_map_to_gateway_format calls
- Include AAP-51531 reference comments for specific test cases
- All tests passing (26/26)
Co-authored-by: Claude <claude@anthropic.com>
---------
Co-authored-by: Claude (Anthropic AI Assistant) <claude@anthropic.com>
- Added missing Pattern and Any imports from typing
- Fixed users parameter type hint to include Pattern[str]
- Simplified overly complex return type annotation to use Any
- Added proper type narrowing with isinstance() and cast()
- Resolved mypy errors about incompatible list item types
Co-authored-by: Claude (Anthropic AI Assistant) <claude@anthropic.com>
This commit completely refactors how SSO organization and team mappings are processed
and exported for Gateway authentication, moving from a group-based approach to a more
flexible attribute-based system.
Key Changes:
- Introduced new process_sso_user_list() function for centralized user processing
- Enhanced boolean handling to support both native booleans and string representations
- Added email detection and regex pattern support for flexible user matching
- Refactored trigger generation from groups-based to attributes-based system
Gateway Mapping Enhancements (awx/main/utils/gateway_mapping.py):
- Added email regex detection for automatic email vs username classification
- Added pattern_to_slash_format() for regex pattern conversion
- Enhanced process_sso_user_list() with support for:
- Boolean values: True/False and ["true"]/["false"]
- String usernames and email addresses with automatic detection
- Regex patterns with both username and email matching
- Custom email_attr and username_attr parameters
- Refactored team_map_to_gateway_format() to use new processing system
- Refactored org_map_to_gateway_format() to use new processing system
- Changed trigger structure from {"groups": {"has_or": [...]}} to attribute-based triggers
- Improved naming convention to include trigger type in mapping names
Comprehensive Test Coverage (awx/main/tests/unit/utils/test_auth_migration.py):
- Added complete TestProcessSSOUserList class with 8 comprehensive test methods
- Enhanced TestOrgMapToGatewayFormat with string boolean and new functionality tests
- Enhanced TestTeamMapToGatewayFormat with string boolean and new functionality tests
- Added tests for email detection, regex patterns, and custom attributes
- Verified backward compatibility and integration functionality
- All existing tests updated to work with new attribute-based trigger system
Breaking Changes:
- Trigger structure changed from group-based to attribute-based
- Mapping names now include trigger descriptions for better clarity
- Function signatures updated to include email_attr and username_attr parameters
Co-Authored with Claude-4 via Cursor
Co-authored-by: Peter Braun <pbraun@redhat.com>
Syncing from new rbac to old rbac locally calls the
disable_rbac_sync() context manager.
If rbac sync is disabled, we do not need to remote
sync, as we can assume the remote syncing already
occurred in the viewset.
Signed-off-by: Seth Foster <fosterbseth@gmail.com>
* fix: tacacs+ -> TACACSPLUS
Gateway doesn't allow `+` to be used in slug.
AAP-50774
* Fixed assertion
---------
Co-authored-by: Andrew Potozniak <potozniak@redhat.com>
* Slightly better error handling for non 200 status codes from Gateway.
* Apply suggestion from @chrismeyersfsu
Co-authored-by: Chris Meyers <chrismeyersfsu@users.noreply.github.com>
---------
Co-authored-by: Chris Meyers <chrismeyersfsu@users.noreply.github.com>
* Added better error handling and messaging when the service token authentication is broken. Allowed for GATEWAY_BASE_URL to override the service token's base url if it is set in the environment variables.
Co-Authored-By: Cursor (claude-4-sonnet)
* Removed GATEWAY_BASE_URL override for service token auth.
* Working branch for testing DAB RBAC changes
* AAP-48392 Handle DAB RBAC either before or after new type model (for merge) (#16045)
* Handle DAB RBAC either before or after new type model
* Translate CT to DAB CT
* Fix for rearrangement of post_migration methods
* Directly include RBAC service URLs
* Add a run before remote permission additions
* Sync old rbac to remote rbac (#7025)
Signed-off-by: Seth Foster <fosterbseth@gmail.com>
* Set DAB requirement back to devel
---------
Signed-off-by: Seth Foster <fosterbseth@gmail.com>
Co-authored-by: Seth Foster <fosterseth@users.noreply.github.com>
* migrate settings using the existing authenticator framework
* add method to get settings value to gateway client
* add transformer functions for settings
* Switched back to PUT for settings updates
* Started wiring in testing changes
* Added settings_* aggregation results. Added skip-github option. Added tests.
Assisted-by: Cursor
* Added --skip-all-authenticators command line argument. Added GoogleOAuth testing. Added tests for skipping all authenticators.
Assisted-by: Cursor
* wip: migrate other missing settings
* update login_redirect_override in google_oauth2
* impement login redirect for azuread
* implement login redirect for github
* implement login redirect for saml
* set LOGIN_REDIRECT_OVERRIDE even if no authenticator matched
* extract logic for login redirect override to base class
* use urlparse to compare valid redirect urls
* Preserve the original query parameters
* Fix flake8 issues
* Preserve the query parameter in sso_login_url
Gateway sets the sso_login_url to
/api/gateway/social/login/aap-saml-keycloak/?idp=IdP
The idp needs to be preserved when creating the redirect
* Update awx/main/utils/gateway_client.py
Co-authored-by: Chris Meyers <chrismeyersfsu@users.noreply.github.com>
* Update awx/main/management/commands/import_auth_config_to_gateway.py
Co-authored-by: Chris Meyers <chrismeyersfsu@users.noreply.github.com>
* list of settings updated
* Update awx/main/utils/gateway_client.py
Co-authored-by: Chris Meyers <chrismeyersfsu@users.noreply.github.com>
* Update awx/sso/utils/base_migrator.py
Co-authored-by: Chris Meyers <chrismeyersfsu@users.noreply.github.com>
* fix tests
---------
Co-authored-by: Andrew Potozniak <potozniak@redhat.com>
Co-authored-by: Madhu Kanoor <mkanoor@redhat.com>
Co-authored-by: Chris Meyers <chrismeyersfsu@users.noreply.github.com>
* migrate team on team users
add setting to prevent team on team cases. remove tests that should fail now
* adjust tests for disallowing team on teams
* use RoleUserAssignment to retrieve users
* assign users with RoleUserAssignment instead
* fix broken test
* move methods out to utils file. add tests
* add missed positional arg
* test old rbac system also consolidates
* fix test
* feat: AAP-48498 Radius authenticator migrator
Issue: AAP-48498
* fix: Namingm Style and tests
* enabled by default
* test: SECRET is now ignored unless --force is set
* add force flag to enforce updates even when authenticator already exists
* remove cleartext field
* update list of encrypted fields
* show updated and unchanged authenticators in report
* collect controller ldap configuration
* translate role mapping and submit ldap authenticator
* implement require and deny group mapping
* remove all references of awx in the naming
* fix linter issues
* address PR feedback
* update ldap authenticator naming
* update github authenticator naming
* assume that server_uri is always a string
* update order of evaluation for require and deny groups
* cleanup and move ldap related functions into the ldap migrator
* add skip option for saml
* update saml authenticator to new slug format
* update azuread authenticator to new slug format
This PR migrates the SAML configuration from the Controller
to the Gateway, it intentionally skips setting the CALLBACK_URL
so that the Gateway can fill in the appropriate URL.
Remove Controller specific roles
Removes
- Controller Organization Admin
- Controller Organization Member
- Controller Team Admin
- Controller Team Member
- Controller System Auditor
Going forward the platform role definitions
will be used, e.g. Organization Member
The migration will take care of any assignments
with those controller specific roles and use
the platform roles instead.
Signed-off-by: Seth Foster <fosterbseth@gmail.com>
* compare authenticators and mappers before recreating them
* add unit tests
* fix linter errors
* refactor and improve: better implementation for get_authenticator_by_slug and removal of redundant code
* add submit_authenticator method to handle create vs. update in a generic way
* remove unused import
Remove ALLOW_LOCAL_RESOURCE_MANAGEMENT setting and enable local resource management
This commit removes the ALLOW_LOCAL_RESOURCE_MANAGEMENT setting and all associated
functionality, making the behavior as if the setting is always enabled.
Changes:
- Remove ALLOW_LOCAL_RESOURCE_MANAGEMENT setting from defaults.py
- Remove @immutablesharedfields decorator and all related logic
- Remove decorator applications from Organization, Team, and User API views
- Remove role assignment restrictions in UserRolesList and RoleUsersList
- Remove test file for immutablesharedfields functionality
- Clean up unused imports
Result: Organizations, Teams, and Users can now always be created, modified,
and deleted via the API without platform ingress restrictions.
* wip: management command for authenticator export to GateWay
* wip: implement ldap auth config migration
* refactor: split concerns into gathering config and converting / recreating config
* refactor: dry run by default
* use the authenticator slug for idempotency
* move to correct utils path
* use env vars instead of flags, fix linter errors
* remove unused import
* Fix issue where export module does not honor CONTROLLER_OPTIONAL_API_URLPATTERN_PREFIX
* Add unit test and handle leading/trailing slashes
* Reformat
* Refactor for clarity
* Remove unused import
* Move logic to unified job model instead of view
* Refine logic to only apply to double escaped characters to prevent touching unicord chars
* Refine logic to only apply to stdout so that it does not impact webhook notifications
* Revise naming to reflect correction to escapes, not just escape quotes
* Update code comments to reflect fixing double escapes vs double escaped quotes specifically
* Add regex for 5 most common python escape chars to make fix more robust
* the workflow has been failing silently without catching a merge
conflict. this removes the fail pretty logic previously implemented.
* just fail if a merge conflict is encountered
* Revise start_fact_cache and finish_fact_cache to use JSON file (#15970)
* Revise start_fact_cache and finish_fact_cache to use JSON file with host list inside it
* Revise artifacts path to be relative to the job private_data_dir
* Update calls to start_fact_cache and finish_fact_cache to agree with new reference to artifacts_dir
* Prevents unnecessary updates to ansible_facts_modified, fixing timestamp-related test failures.
* Import bulk_update_sorted_by_id
* Removed assert that calls ansible_facts_new which was removed in the backported pr
* Add import of Host back
* Update requirements for setuptools
* first pass and need to commit
* update makefile and run updater script
* updated makefile per readme
* ran updater script
* Patch irc backend to avoid namespace collision w/ jaraco
When importing the IRC backend, jaraco resolves to
the version vendored inside setuptools:
1) importing irc backend…
irc_backend ERROR: ModuleNotFoundError("No module named 'jaraco.stream'")
2) sys.modules['jaraco'] after failure:
present: True
type: <class 'module'>
__file__: /var/lib/awx/venv/awx/lib64/python3.11/site-packages/setuptools/_vendor/jaraco/__init__.py
__path__: ['/var/lib/awx/venv/awx/lib64/python3.11/site-packages/setuptools/_vendor/jaraco']
__spec__: ModuleSpec(name='jaraco',
loader=<_frozen_importlib_external.SourceFileLoader object at 0x7f006a0eccd0>,
origin='/var/lib/awx/venv/awx/lib64/python3.11/site-packages/setuptools/_vendor/jaraco/__init__.py',
submodule_search_locations=['/var/lib/awx/venv/awx/lib64/python3.11/site-packages/setuptools/_vendor/jaraco'])
Since setuptools does not vendor jaraco.stream, it blew up. This patch ensures
jaraco.stream gets imported *before* attempting to import the irc modules.
* Revert "[4.6][dependency] CVE 2025 47273 (#7020)" (#7027)
This reverts commit e8b2920aec95de2c51308ce2fb14773ef676d01a.
* reformatted irc backend with black
* ran black to fix linting issues
* Reapply "[4.6][dependency] CVE 2025 47273 (#7020)" (#7027)
This reverts commit 0c6df9b13398a93569fae7558e1a0e72cbe8fb6c.
* add flake8 ignore since jaraco.stream is needed
* jaraco.stream is not directly called in the file but is needed by irc
so ignore the linter failure
---------
Co-authored-by: Shane McDonald <me@shanemcd.com>
