Create and register page types for the new RBAC endpoints

Co-authored-by: Hao Liu <44379968+TheRealHaoLiu@users.noreply.github.com>

Makefile

@@ -53,6 +53,8 @@ OTEL ?= false
 LOKI ?= false
 # If set to true docker-compose will install editable dependencies
 EDITABLE_DEPENDENCIES ?= false
+# If set to true, use tls for postgres connection
+PG_TLS ?= false
 
 VENV_BASE ?= /var/lib/awx/venv
 
@@ -69,7 +71,7 @@ RECEPTOR_IMAGE ?= quay.io/ansible/receptor:devel
 SRC_ONLY_PKGS ?= cffi,pycparser,psycopg,twilio
 # These should be upgraded in the AWX and Ansible venv before attempting
 # to install the actual requirements
-VENV_BOOTSTRAP ?= pip==21.2.4 setuptools==69.0.2 setuptools_scm[toml]==8.0.4 wheel==0.42.0
+VENV_BOOTSTRAP ?= pip==21.2.4 setuptools==69.0.2 setuptools_scm[toml]==8.0.4 wheel==0.42.0 cython==0.29.37
 
 NAME ?= awx
 
@@ -542,6 +544,7 @@ docker-compose-sources: .git/hooks/pre-commit
 	    -e enable_otel=$(OTEL) \
 	    -e enable_loki=$(LOKI) \
 	    -e install_editable_dependencies=$(EDITABLE_DEPENDENCIES) \
+	    -e pg_tls=$(PG_TLS) \
 	    $(EXTRA_SOURCES_ANSIBLE_OPTS)
 
 docker-compose: awx/projects docker-compose-sources

awx/api/generics.py

@@ -33,6 +33,7 @@ from rest_framework.negotiation import DefaultContentNegotiation
 # django-ansible-base
 from ansible_base.rest_filters.rest_framework.field_lookup_backend import FieldLookupBackend
 from ansible_base.lib.utils.models import get_all_field_names
+from ansible_base.lib.utils.requests import get_remote_host
 from ansible_base.rbac.models import RoleEvaluation, RoleDefinition
 from ansible_base.rbac.permission_registry import permission_registry
 
@@ -93,8 +94,9 @@ class LoggedLoginView(auth_views.LoginView):
 
     def post(self, request, *args, **kwargs):
         ret = super(LoggedLoginView, self).post(request, *args, **kwargs)
+        ip = get_remote_host(request)  # request.META.get('REMOTE_ADDR', None)
         if request.user.is_authenticated:
-            logger.info(smart_str(u"User {} logged in from {}".format(self.request.user.username, request.META.get('REMOTE_ADDR', None))))
+            logger.info(smart_str(u"User {} logged in from {}".format(self.request.user.username, ip)))
             ret.set_cookie(
                 'userLoggedIn', 'true', secure=getattr(settings, 'SESSION_COOKIE_SECURE', False), samesite=getattr(settings, 'USER_COOKIE_SAMESITE', 'Lax')
             )
@@ -103,7 +105,7 @@ class LoggedLoginView(auth_views.LoginView):
             return ret
         else:
             if 'username' in self.request.POST:
-                logger.warning(smart_str(u"Login failed for user {} from {}".format(self.request.POST.get('username'), request.META.get('REMOTE_ADDR', None))))
+                logger.warning(smart_str(u"Login failed for user {} from {}".format(self.request.POST.get('username'), ip)))
             ret.status_code = 401
             return ret
 
@@ -211,11 +213,12 @@ class APIView(views.APIView):
             return response
 
         if response.status_code >= 400:
+            ip = get_remote_host(request)  # request.META.get('REMOTE_ADDR', None)
             msg_data = {
                 'status_code': response.status_code,
                 'user_name': request.user,
                 'url_path': request.path,
-                'remote_addr': request.META.get('REMOTE_ADDR', None),
+                'remote_addr': ip,
             }
 
             if type(response.data) is dict:

awx/api/views/__init__.py

@@ -62,6 +62,7 @@ from wsgiref.util import FileWrapper
 
 # django-ansible-base
 from ansible_base.rbac.models import RoleEvaluation, ObjectRole
+from ansible_base.resource_registry.shared_types import OrganizationType, TeamType, UserType
 
 # AWX
 from awx.main.tasks.system import send_notifications, update_inventory_computed_fields
@@ -128,6 +129,7 @@ from awx.api.views.mixin import (
 from awx.api.pagination import UnifiedJobEventPagination
 from awx.main.utils import set_environ
 
+
 logger = logging.getLogger('awx.api.views')
 
 
@@ -710,16 +712,81 @@ class AuthView(APIView):
         return Response(data)
 
 
+def immutablesharedfields(cls):
+    '''
+    Class decorator to prevent modifying shared resources when ALLOW_LOCAL_RESOURCE_MANAGEMENT setting is set to False.
+
+    Works by overriding these view methods:
+    - create
+    - delete
+    - perform_update
+    create and delete are overridden to raise a PermissionDenied exception.
+    perform_update is overridden to check if any shared fields are being modified,
+    and raise a PermissionDenied exception if so.
+    '''
+    # create instead of perform_create because some of our views
+    # override create instead of perform_create
+    if hasattr(cls, 'create'):
+        cls.original_create = cls.create
+
+        @functools.wraps(cls.create)
+        def create_wrapper(*args, **kwargs):
+            if settings.ALLOW_LOCAL_RESOURCE_MANAGEMENT:
+                return cls.original_create(*args, **kwargs)
+            raise PermissionDenied({'detail': _('Creation of this resource is not allowed. Create this resource via the platform ingress.')})
+
+        cls.create = create_wrapper
+
+    if hasattr(cls, 'delete'):
+        cls.original_delete = cls.delete
+
+        @functools.wraps(cls.delete)
+        def delete_wrapper(*args, **kwargs):
+            if settings.ALLOW_LOCAL_RESOURCE_MANAGEMENT:
+                return cls.original_delete(*args, **kwargs)
+            raise PermissionDenied({'detail': _('Deletion of this resource is not allowed. Delete this resource via the platform ingress.')})
+
+        cls.delete = delete_wrapper
+
+    if hasattr(cls, 'perform_update'):
+        cls.original_perform_update = cls.perform_update
+
+        @functools.wraps(cls.perform_update)
+        def update_wrapper(*args, **kwargs):
+            if not settings.ALLOW_LOCAL_RESOURCE_MANAGEMENT:
+                view, serializer = args
+                instance = view.get_object()
+                if instance:
+                    if isinstance(instance, models.Organization):
+                        shared_fields = OrganizationType._declared_fields.keys()
+                    elif isinstance(instance, models.User):
+                        shared_fields = UserType._declared_fields.keys()
+                    elif isinstance(instance, models.Team):
+                        shared_fields = TeamType._declared_fields.keys()
+                    attrs = serializer.validated_data
+                    for field in shared_fields:
+                        if field in attrs and getattr(instance, field) != attrs[field]:
+                            raise PermissionDenied({field: _(f"Cannot change shared field '{field}'. Alter this field via the platform ingress.")})
+            return cls.original_perform_update(*args, **kwargs)
+
+        cls.perform_update = update_wrapper
+
+    return cls
+
+
+@immutablesharedfields
 class TeamList(ListCreateAPIView):
     model = models.Team
     serializer_class = serializers.TeamSerializer
 
 
+@immutablesharedfields
 class TeamDetail(RetrieveUpdateDestroyAPIView):
     model = models.Team
     serializer_class = serializers.TeamSerializer
 
 
+@immutablesharedfields
 class TeamUsersList(BaseUsersList):
     model = models.User
     serializer_class = serializers.UserSerializer
@@ -1101,6 +1168,7 @@ class ProjectCopy(CopyAPIView):
     copy_return_serializer_class = serializers.ProjectSerializer
 
 
+@immutablesharedfields
 class UserList(ListCreateAPIView):
     model = models.User
     serializer_class = serializers.UserSerializer
@@ -1271,7 +1339,16 @@ class UserRolesList(SubListAttachDetachAPIView):
         user = get_object_or_400(models.User, pk=self.kwargs['pk'])
         role = get_object_or_400(models.Role, pk=sub_id)
 
-        credential_content_type = ContentType.objects.get_for_model(models.Credential)
+        content_types = ContentType.objects.get_for_models(models.Organization, models.Team, models.Credential)  # dict of {model: content_type}
+        # Prevent user to be associated with team/org when ALLOW_LOCAL_RESOURCE_MANAGEMENT is False
+        if not settings.ALLOW_LOCAL_RESOURCE_MANAGEMENT:
+            for model in [models.Organization, models.Team]:
+                ct = content_types[model]
+                if role.content_type == ct and role.role_field in ['member_role', 'admin_role']:
+                    data = dict(msg=_(f"Cannot directly modify user membership to {ct.model}. Direct shared resource management disabled"))
+                    return Response(data, status=status.HTTP_403_FORBIDDEN)
+
+        credential_content_type = content_types[models.Credential]
         if role.content_type == credential_content_type:
             if 'disassociate' not in request.data and role.content_object.organization and user not in role.content_object.organization.member_role:
                 data = dict(msg=_("You cannot grant credential access to a user not in the credentials' organization"))
@@ -1343,6 +1420,7 @@ class UserActivityStreamList(SubListAPIView):
         return qs.filter(Q(actor=parent) | Q(user__in=[parent]))
 
 
+@immutablesharedfields
 class UserDetail(RetrieveUpdateDestroyAPIView):
     model = models.User
     serializer_class = serializers.UserSerializer
@@ -4295,7 +4373,15 @@ class RoleUsersList(SubListAttachDetachAPIView):
         user = get_object_or_400(models.User, pk=sub_id)
         role = self.get_parent_object()
 
-        credential_content_type = ContentType.objects.get_for_model(models.Credential)
+        content_types = ContentType.objects.get_for_models(models.Organization, models.Team, models.Credential)  # dict of {model: content_type}
+        if not settings.ALLOW_LOCAL_RESOURCE_MANAGEMENT:
+            for model in [models.Organization, models.Team]:
+                ct = content_types[model]
+                if role.content_type == ct and role.role_field in ['member_role', 'admin_role']:
+                    data = dict(msg=_(f"Cannot directly modify user membership to {ct.model}. Direct shared resource management disabled"))
+                    return Response(data, status=status.HTTP_403_FORBIDDEN)
+
+        credential_content_type = content_types[models.Credential]
         if role.content_type == credential_content_type:
             if 'disassociate' not in request.data and role.content_object.organization and user not in role.content_object.organization.member_role:
                 data = dict(msg=_("You cannot grant credential access to a user not in the credentials' organization"))

awx/api/views/organization.py

@@ -53,15 +53,18 @@ from awx.api.serializers import (
     CredentialSerializer,
 )
 from awx.api.views.mixin import RelatedJobsPreventDeleteMixin, OrganizationCountsMixin
+from awx.api.views import immutablesharedfields
 
 logger = logging.getLogger('awx.api.views.organization')
 
 
+@immutablesharedfields
 class OrganizationList(OrganizationCountsMixin, ListCreateAPIView):
     model = Organization
     serializer_class = OrganizationSerializer
 
 
+@immutablesharedfields
 class OrganizationDetail(RelatedJobsPreventDeleteMixin, RetrieveUpdateDestroyAPIView):
     model = Organization
     serializer_class = OrganizationSerializer
@@ -104,6 +107,7 @@ class OrganizationInventoriesList(SubListAPIView):
     relationship = 'inventories'
 
 
+@immutablesharedfields
 class OrganizationUsersList(BaseUsersList):
     model = User
     serializer_class = UserSerializer
@@ -112,6 +116,7 @@ class OrganizationUsersList(BaseUsersList):
     ordering = ('username',)
 
 
+@immutablesharedfields
 class OrganizationAdminsList(BaseUsersList):
     model = User
     serializer_class = UserSerializer
@@ -150,6 +155,7 @@ class OrganizationWorkflowJobTemplatesList(SubListCreateAPIView):
     parent_key = 'organization'
 
 
+@immutablesharedfields
 class OrganizationTeamsList(SubListCreateAttachDetachAPIView):
     model = Team
     serializer_class = TeamSerializer

awx/main/constants.py

@@ -14,7 +14,7 @@ __all__ = [
     'STANDARD_INVENTORY_UPDATE_ENV',
 ]
 
-CLOUD_PROVIDERS = ('azure_rm', 'ec2', 'gce', 'vmware', 'openstack', 'rhv', 'satellite6', 'controller', 'insights', 'terraform')
+CLOUD_PROVIDERS = ('azure_rm', 'ec2', 'gce', 'vmware', 'openstack', 'rhv', 'satellite6', 'controller', 'insights', 'terraform', 'openshift_virtualization')
 PRIVILEGE_ESCALATION_METHODS = [
     ('sudo', _('Sudo')),
     ('su', _('Su')),

awx/main/fields.py

@@ -252,7 +252,7 @@ class ImplicitRoleField(models.ForeignKey):
         kwargs.setdefault('related_name', '+')
         kwargs.setdefault('null', 'True')
         kwargs.setdefault('editable', False)
-        kwargs.setdefault('on_delete', models.CASCADE)
+        kwargs.setdefault('on_delete', models.SET_NULL)
         super(ImplicitRoleField, self).__init__(*args, **kwargs)
 
     def deconstruct(self):

awx/main/migrations/0021_v330_declare_new_rbac_roles.py

@@ -17,49 +17,49 @@ class Migration(migrations.Migration):
             model_name='organization',
             name='execute_role',
             field=awx.main.fields.ImplicitRoleField(
-                null='True', on_delete=django.db.models.deletion.CASCADE, parent_role='admin_role', related_name='+', to='main.Role'
+                null='True', on_delete=django.db.models.deletion.SET_NULL, parent_role='admin_role', related_name='+', to='main.Role'
             ),
         ),
         migrations.AddField(
             model_name='organization',
             name='job_template_admin_role',
             field=awx.main.fields.ImplicitRoleField(
-                editable=False, null='True', on_delete=django.db.models.deletion.CASCADE, parent_role='admin_role', related_name='+', to='main.Role'
+                editable=False, null='True', on_delete=django.db.models.deletion.SET_NULL, parent_role='admin_role', related_name='+', to='main.Role'
             ),
         ),
         migrations.AddField(
             model_name='organization',
             name='credential_admin_role',
             field=awx.main.fields.ImplicitRoleField(
-                null='True', on_delete=django.db.models.deletion.CASCADE, parent_role='admin_role', related_name='+', to='main.Role'
+                null='True', on_delete=django.db.models.deletion.SET_NULL, parent_role='admin_role', related_name='+', to='main.Role'
             ),
         ),
         migrations.AddField(
             model_name='organization',
             name='inventory_admin_role',
             field=awx.main.fields.ImplicitRoleField(
-                null='True', on_delete=django.db.models.deletion.CASCADE, parent_role='admin_role', related_name='+', to='main.Role'
+                null='True', on_delete=django.db.models.deletion.SET_NULL, parent_role='admin_role', related_name='+', to='main.Role'
             ),
         ),
         migrations.AddField(
             model_name='organization',
             name='project_admin_role',
             field=awx.main.fields.ImplicitRoleField(
-                null='True', on_delete=django.db.models.deletion.CASCADE, parent_role='admin_role', related_name='+', to='main.Role'
+                null='True', on_delete=django.db.models.deletion.SET_NULL, parent_role='admin_role', related_name='+', to='main.Role'
             ),
         ),
         migrations.AddField(
             model_name='organization',
             name='workflow_admin_role',
             field=awx.main.fields.ImplicitRoleField(
-                null='True', on_delete=django.db.models.deletion.CASCADE, parent_role='admin_role', related_name='+', to='main.Role'
+                null='True', on_delete=django.db.models.deletion.SET_NULL, parent_role='admin_role', related_name='+', to='main.Role'
             ),
         ),
         migrations.AddField(
             model_name='organization',
             name='notification_admin_role',
             field=awx.main.fields.ImplicitRoleField(
-                null='True', on_delete=django.db.models.deletion.CASCADE, parent_role='admin_role', related_name='+', to='main.Role'
+                null='True', on_delete=django.db.models.deletion.SET_NULL, parent_role='admin_role', related_name='+', to='main.Role'
             ),
         ),
         migrations.AlterField(
@@ -67,7 +67,7 @@ class Migration(migrations.Migration):
             name='admin_role',
             field=awx.main.fields.ImplicitRoleField(
                 null='True',
-                on_delete=django.db.models.deletion.CASCADE,
+                on_delete=django.db.models.deletion.SET_NULL,
                 parent_role=['singleton:system_administrator', 'organization.credential_admin_role'],
                 related_name='+',
                 to='main.Role',
@@ -77,7 +77,7 @@ class Migration(migrations.Migration):
             model_name='inventory',
             name='admin_role',
             field=awx.main.fields.ImplicitRoleField(
-                null='True', on_delete=django.db.models.deletion.CASCADE, parent_role='organization.inventory_admin_role', related_name='+', to='main.Role'
+                null='True', on_delete=django.db.models.deletion.SET_NULL, parent_role='organization.inventory_admin_role', related_name='+', to='main.Role'
             ),
         ),
         migrations.AlterField(
@@ -85,7 +85,7 @@ class Migration(migrations.Migration):
             name='admin_role',
             field=awx.main.fields.ImplicitRoleField(
                 null='True',
-                on_delete=django.db.models.deletion.CASCADE,
+                on_delete=django.db.models.deletion.SET_NULL,
                 parent_role=['organization.project_admin_role', 'singleton:system_administrator'],
                 related_name='+',
                 to='main.Role',
@@ -96,7 +96,7 @@ class Migration(migrations.Migration):
             name='admin_role',
             field=awx.main.fields.ImplicitRoleField(
                 null='True',
-                on_delete=django.db.models.deletion.CASCADE,
+                on_delete=django.db.models.deletion.SET_NULL,
                 parent_role=['singleton:system_administrator', 'organization.workflow_admin_role'],
                 related_name='+',
                 to='main.Role',
@@ -107,7 +107,7 @@ class Migration(migrations.Migration):
             name='execute_role',
             field=awx.main.fields.ImplicitRoleField(
                 null='True',
-                on_delete=django.db.models.deletion.CASCADE,
+                on_delete=django.db.models.deletion.SET_NULL,
                 parent_role=['admin_role', 'organization.execute_role'],
                 related_name='+',
                 to='main.Role',
@@ -119,7 +119,7 @@ class Migration(migrations.Migration):
             field=awx.main.fields.ImplicitRoleField(
                 editable=False,
                 null='True',
-                on_delete=django.db.models.deletion.CASCADE,
+                on_delete=django.db.models.deletion.SET_NULL,
                 parent_role=['project.organization.job_template_admin_role', 'inventory.organization.job_template_admin_role'],
                 related_name='+',
                 to='main.Role',
@@ -130,7 +130,7 @@ class Migration(migrations.Migration):
             name='execute_role',
             field=awx.main.fields.ImplicitRoleField(
                 null='True',
-                on_delete=django.db.models.deletion.CASCADE,
+                on_delete=django.db.models.deletion.SET_NULL,
                 parent_role=['admin_role', 'project.organization.execute_role', 'inventory.organization.execute_role'],
                 related_name='+',
                 to='main.Role',
@@ -142,7 +142,7 @@ class Migration(migrations.Migration):
             field=awx.main.fields.ImplicitRoleField(
                 editable=False,
                 null='True',
-                on_delete=django.db.models.deletion.CASCADE,
+                on_delete=django.db.models.deletion.SET_NULL,
                 parent_role=[
                     'admin_role',
                     'execute_role',

awx/main/migrations/0042_v330_org_member_role_deparent.py

@@ -18,7 +18,7 @@ class Migration(migrations.Migration):
             model_name='organization',
             name='member_role',
             field=awx.main.fields.ImplicitRoleField(
-                editable=False, null='True', on_delete=django.db.models.deletion.CASCADE, parent_role=['admin_role'], related_name='+', to='main.Role'
+                editable=False, null='True', on_delete=django.db.models.deletion.SET_NULL, parent_role=['admin_role'], related_name='+', to='main.Role'
             ),
         ),
         migrations.AlterField(
@@ -27,7 +27,7 @@ class Migration(migrations.Migration):
             field=awx.main.fields.ImplicitRoleField(
                 editable=False,
                 null='True',
-                on_delete=django.db.models.deletion.CASCADE,
+                on_delete=django.db.models.deletion.SET_NULL,
                 parent_role=[
                     'member_role',
                     'auditor_role',

awx/main/migrations/0086_v360_workflow_approval.py

@@ -36,7 +36,7 @@ class Migration(migrations.Migration):
             model_name='organization',
             name='approval_role',
             field=awx.main.fields.ImplicitRoleField(
-                editable=False, null='True', on_delete=django.db.models.deletion.CASCADE, parent_role='admin_role', related_name='+', to='main.Role'
+                editable=False, null='True', on_delete=django.db.models.deletion.SET_NULL, parent_role='admin_role', related_name='+', to='main.Role'
             ),
             preserve_default='True',
         ),
@@ -46,7 +46,7 @@ class Migration(migrations.Migration):
             field=awx.main.fields.ImplicitRoleField(
                 editable=False,
                 null='True',
-                on_delete=django.db.models.deletion.CASCADE,
+                on_delete=django.db.models.deletion.SET_NULL,
                 parent_role=['organization.approval_role', 'admin_role'],
                 related_name='+',
                 to='main.Role',
@@ -116,7 +116,7 @@ class Migration(migrations.Migration):
             field=awx.main.fields.ImplicitRoleField(
                 editable=False,
                 null='True',
-                on_delete=django.db.models.deletion.CASCADE,
+                on_delete=django.db.models.deletion.SET_NULL,
                 parent_role=[
                     'member_role',
                     'auditor_role',
@@ -139,7 +139,7 @@ class Migration(migrations.Migration):
             field=awx.main.fields.ImplicitRoleField(
                 editable=False,
                 null='True',
-                on_delete=django.db.models.deletion.CASCADE,
+                on_delete=django.db.models.deletion.SET_NULL,
                 parent_role=['singleton:system_auditor', 'organization.auditor_role', 'execute_role', 'admin_role', 'approval_role'],
                 related_name='+',
                 to='main.Role',

awx/main/migrations/0109_v370_job_template_organization_field.py

@@ -80,7 +80,7 @@ class Migration(migrations.Migration):
             field=awx.main.fields.ImplicitRoleField(
                 editable=False,
                 null='True',
-                on_delete=django.db.models.deletion.CASCADE,
+                on_delete=django.db.models.deletion.SET_NULL,
                 parent_role=['organization.job_template_admin_role'],
                 related_name='+',
                 to='main.Role',
@@ -92,7 +92,7 @@ class Migration(migrations.Migration):
             field=awx.main.fields.ImplicitRoleField(
                 editable=False,
                 null='True',
-                on_delete=django.db.models.deletion.CASCADE,
+                on_delete=django.db.models.deletion.SET_NULL,
                 parent_role=['admin_role', 'organization.execute_role'],
                 related_name='+',
                 to='main.Role',
@@ -104,7 +104,7 @@ class Migration(migrations.Migration):
             field=awx.main.fields.ImplicitRoleField(
                 editable=False,
                 null='True',
-                on_delete=django.db.models.deletion.CASCADE,
+                on_delete=django.db.models.deletion.SET_NULL,
                 parent_role=['organization.auditor_role', 'inventory.organization.auditor_role', 'execute_role', 'admin_role'],
                 related_name='+',
                 to='main.Role',

awx/main/migrations/0125_more_ee_modeling_changes.py

@@ -26,7 +26,7 @@ class Migration(migrations.Migration):
             model_name='organization',
             name='execution_environment_admin_role',
             field=awx.main.fields.ImplicitRoleField(
-                editable=False, null='True', on_delete=django.db.models.deletion.CASCADE, parent_role='admin_role', related_name='+', to='main.Role'
+                editable=False, null='True', on_delete=django.db.models.deletion.SET_NULL, parent_role='admin_role', related_name='+', to='main.Role'
             ),
             preserve_default='True',
         ),

awx/main/migrations/0128_organiaztion_read_roles_ee_admin.py

@@ -17,7 +17,7 @@ class Migration(migrations.Migration):
             field=awx.main.fields.ImplicitRoleField(
                 editable=False,
                 null='True',
-                on_delete=django.db.models.deletion.CASCADE,
+                on_delete=django.db.models.deletion.SET_NULL,
                 parent_role=[
                     'member_role',
                     'auditor_role',

awx/main/migrations/0177_instance_group_role_addition.py

@@ -17,7 +17,7 @@ class Migration(migrations.Migration):
             field=awx.main.fields.ImplicitRoleField(
                 editable=False,
                 null='True',
-                on_delete=django.db.models.deletion.CASCADE,
+                on_delete=django.db.models.deletion.SET_NULL,
                 parent_role=['singleton:system_administrator'],
                 related_name='+',
                 to='main.role',
@@ -30,7 +30,7 @@ class Migration(migrations.Migration):
             field=awx.main.fields.ImplicitRoleField(
                 editable=False,
                 null='True',
-                on_delete=django.db.models.deletion.CASCADE,
+                on_delete=django.db.models.deletion.SET_NULL,
                 parent_role=['singleton:system_auditor', 'use_role', 'admin_role'],
                 related_name='+',
                 to='main.role',
@@ -41,7 +41,7 @@ class Migration(migrations.Migration):
             model_name='instancegroup',
             name='use_role',
             field=awx.main.fields.ImplicitRoleField(
-                editable=False, null='True', on_delete=django.db.models.deletion.CASCADE, parent_role=['admin_role'], related_name='+', to='main.role'
+                editable=False, null='True', on_delete=django.db.models.deletion.SET_NULL, parent_role=['admin_role'], related_name='+', to='main.role'
             ),
             preserve_default='True',
         ),

awx/main/migrations/0194_alter_inventorysource_source_and_more.py

@@ -0,0 +1,61 @@
+# Generated by Django 4.2.10 on 2024-06-12 19:59
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('main', '0193_alter_notification_notification_type_and_more'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='inventorysource',
+            name='source',
+            field=models.CharField(
+                choices=[
+                    ('file', 'File, Directory or Script'),
+                    ('constructed', 'Template additional groups and hostvars at runtime'),
+                    ('scm', 'Sourced from a Project'),
+                    ('ec2', 'Amazon EC2'),
+                    ('gce', 'Google Compute Engine'),
+                    ('azure_rm', 'Microsoft Azure Resource Manager'),
+                    ('vmware', 'VMware vCenter'),
+                    ('satellite6', 'Red Hat Satellite 6'),
+                    ('openstack', 'OpenStack'),
+                    ('rhv', 'Red Hat Virtualization'),
+                    ('controller', 'Red Hat Ansible Automation Platform'),
+                    ('insights', 'Red Hat Insights'),
+                    ('terraform', 'Terraform State'),
+                    ('openshift_virtualization', 'OpenShift Virtualization'),
+                ],
+                default=None,
+                max_length=32,
+            ),
+        ),
+        migrations.AlterField(
+            model_name='inventoryupdate',
+            name='source',
+            field=models.CharField(
+                choices=[
+                    ('file', 'File, Directory or Script'),
+                    ('constructed', 'Template additional groups and hostvars at runtime'),
+                    ('scm', 'Sourced from a Project'),
+                    ('ec2', 'Amazon EC2'),
+                    ('gce', 'Google Compute Engine'),
+                    ('azure_rm', 'Microsoft Azure Resource Manager'),
+                    ('vmware', 'VMware vCenter'),
+                    ('satellite6', 'Red Hat Satellite 6'),
+                    ('openstack', 'OpenStack'),
+                    ('rhv', 'Red Hat Virtualization'),
+                    ('controller', 'Red Hat Ansible Automation Platform'),
+                    ('insights', 'Red Hat Insights'),
+                    ('terraform', 'Terraform State'),
+                    ('openshift_virtualization', 'OpenShift Virtualization'),
+                ],
+                default=None,
+                max_length=32,
+            ),
+        ),
+    ]

awx/main/models/events.py

@@ -4,11 +4,12 @@ import datetime
 from datetime import timezone
 import logging
 from collections import defaultdict
+import itertools
 import time
 
 from django.conf import settings
 from django.core.exceptions import ObjectDoesNotExist
-from django.db import models, DatabaseError
+from django.db import models, DatabaseError, transaction
 from django.db.models.functions import Cast
 from django.utils.dateparse import parse_datetime
 from django.utils.text import Truncator
@@ -605,19 +606,23 @@ class JobEvent(BasePlaybookEvent):
     def _update_host_metrics(updated_hosts_list):
         from awx.main.models import HostMetric  # circular import
 
-        # bulk-create
         current_time = now()
-        HostMetric.objects.bulk_create(
-            [HostMetric(hostname=hostname, last_automation=current_time) for hostname in updated_hosts_list], ignore_conflicts=True, batch_size=100
-        )
-        # bulk-update
-        batch_start, batch_size = 0, 1000
-        while batch_start <= len(updated_hosts_list):
-            batched_host_list = updated_hosts_list[batch_start : (batch_start + batch_size)]
-            HostMetric.objects.filter(hostname__in=batched_host_list).update(
-                last_automation=current_time, automated_counter=models.F('automated_counter') + 1, deleted=False
-            )
-            batch_start += batch_size
+
+        # FUTURE:
+        #   - Hand-rolled implementation of itertools.batched(), introduced in Python 3.12.  Replace.
+        #   - Ability to do ORM upserts *may* have been introduced in Django 5.0.
+        #     See the entry about `create_defaults` in https://docs.djangoproject.com/en/5.0/releases/5.0/#models.
+        #     Hopefully this will be fully ready for batch use by 5.2 LTS.
+
+        args = [iter(updated_hosts_list)] * 500
+        for hosts in itertools.zip_longest(*args):
+            with transaction.atomic():
+                HostMetric.objects.bulk_create(
+                    [HostMetric(hostname=hostname, last_automation=current_time) for hostname in hosts if hostname is not None], ignore_conflicts=True
+                )
+                HostMetric.objects.filter(hostname__in=hosts).update(
+                    last_automation=current_time, automated_counter=models.F('automated_counter') + 1, deleted=False
+                )
 
     @property
     def job_verbosity(self):

awx/main/models/inventory.py

@@ -933,6 +933,7 @@ class InventorySourceOptions(BaseModel):
         ('controller', _('Red Hat Ansible Automation Platform')),
         ('insights', _('Red Hat Insights')),
         ('terraform', _('Terraform State')),
+        ('openshift_virtualization', _('OpenShift Virtualization')),
     ]
 
     # From the options of the Django management base command
@@ -1042,7 +1043,7 @@ class InventorySourceOptions(BaseModel):
     def cloud_credential_validation(source, cred):
         if not source:
             return None
-        if cred and source not in ('custom', 'scm'):
+        if cred and source not in ('custom', 'scm', 'openshift_virtualization'):
             # If a credential was provided, it's important that it matches
             # the actual inventory source being used (Amazon requires Amazon
             # credentials; Rackspace requires Rackspace credentials; etc...)
@@ -1051,12 +1052,14 @@ class InventorySourceOptions(BaseModel):
         # Allow an EC2 source to omit the credential.  If Tower is running on
         # an EC2 instance with an IAM Role assigned, boto will use credentials
         # from the instance metadata instead of those explicitly provided.
-        elif source in CLOUD_PROVIDERS and source != 'ec2':
+        elif source in CLOUD_PROVIDERS and source not in ['ec2', 'openshift_virtualization']:
             return _('Credential is required for a cloud source.')
         elif source == 'custom' and cred and cred.credential_type.kind in ('scm', 'ssh', 'insights', 'vault'):
             return _('Credentials of type machine, source control, insights and vault are disallowed for custom inventory sources.')
         elif source == 'scm' and cred and cred.credential_type.kind in ('insights', 'vault'):
             return _('Credentials of type insights and vault are disallowed for scm inventory sources.')
+        elif source == 'openshift_virtualization' and cred and cred.credential_type.kind != 'kubernetes':
+            return _('Credentials of type kubernetes is requred for openshift_virtualization inventory sources.')
         return None
 
     def get_cloud_credential(self):
@@ -1693,6 +1696,16 @@ class insights(PluginFileInjector):
     use_fqcn = True
 
 
+class openshift_virtualization(PluginFileInjector):
+    plugin_name = 'kubevirt'
+    base_injector = 'template'
+    namespace = 'kubevirt'
+    collection = 'core'
+    downstream_namespace = 'redhat'
+    downstream_collection = 'openshift_virtualization'
+    use_fqcn = True
+
+
 class constructed(PluginFileInjector):
     plugin_name = 'constructed'
     namespace = 'ansible'

awx/main/models/unified_jobs.py

@@ -17,7 +17,7 @@ from collections import OrderedDict
 
 # Django
 from django.conf import settings
-from django.db import models, connection
+from django.db import models, connection, transaction
 from django.core.exceptions import NON_FIELD_ERRORS
 from django.utils.translation import gettext_lazy as _
 from django.utils.timezone import now
@@ -273,7 +273,14 @@ class UnifiedJobTemplate(PolymorphicModel, CommonModelNameNotUnique, ExecutionEn
         if new_next_schedule:
             if new_next_schedule.pk == self.next_schedule_id and new_next_schedule.next_run == self.next_job_run:
                 return  # no-op, common for infrequent schedules
-            self.next_schedule = new_next_schedule
+
+            # If in a transaction, use select_for_update to lock the next schedule row, which
+            # prevents a race condition if new_next_schedule is deleted elsewhere during this transaction
+            if transaction.get_autocommit():
+                self.next_schedule = related_schedules.first()
+            else:
+                self.next_schedule = related_schedules.select_for_update().first()
+
             self.next_job_run = new_next_schedule.next_run
             self.save(update_fields=['next_schedule', 'next_job_run'])
 

awx/main/tasks/system.py

@@ -36,6 +36,9 @@ import ansible_runner.cleanup
 # dateutil
 from dateutil.parser import parse as parse_date
 
+# django-ansible-base
+from ansible_base.resource_registry.tasks.sync import SyncExecutor
+
 # AWX
 from awx import __version__ as awx_application_version
 from awx.main.access import access_registry
@@ -964,3 +967,17 @@ def deep_copy_model_obj(model_module, model_name, obj_pk, new_obj_pk, user_pk, p
             permission_check_func(creater, copy_mapping.values())
     if isinstance(new_obj, Inventory):
         update_inventory_computed_fields.delay(new_obj.id)
+
+
+@task(queue=get_task_queuename)
+def periodic_resource_sync():
+    if not getattr(settings, 'RESOURCE_SERVER', None):
+        logger.debug("Skipping periodic resource_sync, RESOURCE_SERVER not configured")
+        return
+
+    with advisory_lock('periodic_resource_sync', wait=False) as acquired:
+        if acquired is False:
+            logger.debug("Not running periodic_resource_sync, another task holds lock")
+            return
+
+        SyncExecutor().run()

awx/main/tests/data/inventory/plugins/openshift_virtualization/env.json

@@ -0,0 +1,5 @@
+{
+    "K8S_AUTH_HOST": "https://foo.invalid",
+    "K8S_AUTH_API_KEY": "fooo",
+    "K8S_AUTH_VERIFY_SSL": "False"
+}

awx/main/tests/functional/api/test_immutablesharedfields.py

@@ -0,0 +1,66 @@
+import pytest
+
+from awx.api.versioning import reverse
+from awx.main.models import Organization
+
+
+@pytest.mark.django_db
+class TestImmutableSharedFields:
+    @pytest.fixture(autouse=True)
+    def configure_settings(self, settings):
+        settings.ALLOW_LOCAL_RESOURCE_MANAGEMENT = False
+
+    def test_create_raises_permission_denied(self, admin_user, post):
+        orgA = Organization.objects.create(name='orgA')
+        resp = post(
+            url=reverse('api:team_list'),
+            data={'name': 'teamA', 'organization': orgA.id},
+            user=admin_user,
+            expect=403,
+        )
+        assert "Creation of this resource is not allowed" in resp.data['detail']
+
+    def test_perform_delete_raises_permission_denied(self, admin_user, delete):
+        orgA = Organization.objects.create(name='orgA')
+        team = orgA.teams.create(name='teamA')
+        resp = delete(
+            url=reverse('api:team_detail', kwargs={'pk': team.id}),
+            user=admin_user,
+            expect=403,
+        )
+        assert "Deletion of this resource is not allowed" in resp.data['detail']
+
+    def test_perform_update(self, admin_user, patch):
+        orgA = Organization.objects.create(name='orgA')
+        team = orgA.teams.create(name='teamA')
+        # allow patching non-shared fields
+        patch(
+            url=reverse('api:team_detail', kwargs={'pk': team.id}),
+            data={"description": "can change this field"},
+            user=admin_user,
+            expect=200,
+        )
+        orgB = Organization.objects.create(name='orgB')
+        # prevent patching shared fields
+        resp = patch(url=reverse('api:team_detail', kwargs={'pk': team.id}), data={"organization": orgB.id}, user=admin_user, expect=403)
+        assert "Cannot change shared field" in resp.data['organization']
+
+    @pytest.mark.parametrize(
+        'role',
+        ['admin_role', 'member_role'],
+    )
+    @pytest.mark.parametrize('resource', ['organization', 'team'])
+    def test_prevent_assigning_member_to_organization_or_team(self, admin_user, post, resource, role):
+        orgA = Organization.objects.create(name='orgA')
+        if resource == 'organization':
+            role = getattr(orgA, role)
+        elif resource == 'team':
+            teamA = orgA.teams.create(name='teamA')
+            role = getattr(teamA, role)
+        resp = post(
+            url=reverse('api:user_roles_list', kwargs={'pk': admin_user.id}),
+            data={'id': role.id},
+            user=admin_user,
+            expect=403,
+        )
+        assert f"Cannot directly modify user membership to {resource}." in resp.data['msg']

awx/main/tests/functional/test_inventory_source_injectors.py

@@ -46,6 +46,8 @@ def generate_fake_var(element):
 
 def credential_kind(source):
     """Given the inventory source kind, return expected credential kind"""
+    if source == 'openshift_virtualization':
+        return 'kubernetes_bearer_token'
     return source.replace('ec2', 'aws')
 
 

awx/settings/defaults.py

@@ -492,6 +492,7 @@ CELERYBEAT_SCHEDULE = {
     'cleanup_images': {'task': 'awx.main.tasks.system.cleanup_images_and_files', 'schedule': timedelta(hours=3)},
     'cleanup_host_metrics': {'task': 'awx.main.tasks.host_metrics.cleanup_host_metrics', 'schedule': timedelta(hours=3, minutes=30)},
     'host_metric_summary_monthly': {'task': 'awx.main.tasks.host_metrics.host_metric_summary_monthly', 'schedule': timedelta(hours=4)},
+    'periodic_resource_sync': {'task': 'awx.main.tasks.system.periodic_resource_sync', 'schedule': timedelta(minutes=15)},
 }
 
 # Django Caching Configuration
@@ -656,6 +657,10 @@ AWX_ANSIBLE_CALLBACK_PLUGINS = ""
 # Automatically remove nodes that have missed their heartbeats after some time
 AWX_AUTO_DEPROVISION_INSTANCES = False
 
+# If False, do not allow creation of resources that are shared with the platform ingress
+# e.g. organizations, teams, and users
+ALLOW_LOCAL_RESOURCE_MANAGEMENT = True
+
 # Enable Pendo on the UI, possible values are 'off', 'anonymous', and 'detailed'
 # Note: This setting may be overridden by database settings.
 PENDO_TRACKING_STATE = "off"
@@ -778,6 +783,11 @@ INSIGHTS_EXCLUDE_EMPTY_GROUPS = False
 TERRAFORM_INSTANCE_ID_VAR = 'id'
 TERRAFORM_EXCLUDE_EMPTY_GROUPS = True
 
+# ------------------------
+# OpenShift Virtualization
+# ------------------------
+OPENSHIFT_VIRTUALIZATION_EXCLUDE_EMPTY_GROUPS = True
+
 # ---------------------
 # ----- Custom -----
 # ---------------------

awx/ui/src/screens/Inventory/InventorySourceAdd/InventorySourceAdd.test.js

@@ -56,6 +56,10 @@ describe('<InventorySourceAdd />', () => {
                 ['satellite6', 'Red Hat Satellite 6'],
                 ['openstack', 'OpenStack'],
                 ['rhv', 'Red Hat Virtualization'],
+                [
+                  'openshift_virtualization',
+                  'Red Hat OpenShift Virtualization',
+                ],
                 ['controller', 'Red Hat Ansible Automation Platform'],
               ],
             },

awx/ui/src/screens/Inventory/shared/Inventory.helptext.js

@@ -23,6 +23,8 @@ const ansibleDocUrls = {
     'https://docs.ansible.com/ansible/latest/collections/ansible/builtin/constructed_inventory.html',
   terraform:
     'https://github.com/ansible-collections/cloud.terraform/blob/main/docs/cloud.terraform.terraform_state_inventory.rst',
+  openshift_virtualization:
+    'https://kubevirt.io/kubevirt.core/latest/plugins/kubevirt.html',
 };
 
 const getInventoryHelpTextStrings = () => ({
@@ -121,7 +123,7 @@ const getInventoryHelpTextStrings = () => ({
         <br />
         {value && (
           <div>
-            {t`If you want the Inventory Source to update on launch , click on Update on Launch, 
+            {t`If you want the Inventory Source to update on launch , click on Update on Launch,
             and also go to `}
             <Link to={`/projects/${value.id}/details`}> {value.name} </Link>
             {t`and click on Update Revision on Launch.`}
@@ -140,7 +142,7 @@ const getInventoryHelpTextStrings = () => ({
         <br />
         {value && (
           <div>
-            {t`If you want the Inventory Source to update on launch , click on Update on Launch, 
+            {t`If you want the Inventory Source to update on launch , click on Update on Launch,
             and also go to `}
             <Link to={`/projects/${value.id}/details`}> {value.name} </Link>
             {t`and click on Update Revision on Launch`}

awx/ui/src/screens/Inventory/shared/InventorySourceForm.js

@@ -26,6 +26,7 @@ import {
   TerraformSubForm,
   VMwareSubForm,
   VirtualizationSubForm,
+  OpenShiftVirtualizationSubForm,
 } from './InventorySourceSubForms';
 
 const buildSourceChoiceOptions = (options) => {
@@ -231,6 +232,15 @@ const InventorySourceFormFields = ({
                     sourceOptions={sourceOptions}
                   />
                 ),
+                openshift_virtualization: (
+                  <OpenShiftVirtualizationSubForm
+                    autoPopulateCredential={
+                      !source?.id ||
+                      source?.source !== 'openshift_virtualization'
+                    }
+                    sourceOptions={sourceOptions}
+                  />
+                ),
               }[sourceField.value]
             }
           </FormColumnLayout>

awx/ui/src/screens/Inventory/shared/InventorySourceSubForms/OpenShiftVirtualizationSubForm.js

@@ -0,0 +1,64 @@
+import React, { useCallback } from 'react';
+import { useField, useFormikContext } from 'formik';
+
+import { t } from '@lingui/macro';
+import { useConfig } from 'contexts/Config';
+import getDocsBaseUrl from 'util/getDocsBaseUrl';
+import CredentialLookup from 'components/Lookup/CredentialLookup';
+import { required } from 'util/validators';
+import {
+  OptionsField,
+  VerbosityField,
+  EnabledVarField,
+  EnabledValueField,
+  HostFilterField,
+  SourceVarsField,
+} from './SharedFields';
+import getHelpText from '../Inventory.helptext';
+
+const OpenShiftVirtualizationSubForm = ({ autoPopulateCredential }) => {
+  const helpText = getHelpText();
+  const { setFieldValue, setFieldTouched } = useFormikContext();
+  const [credentialField, credentialMeta, credentialHelpers] =
+    useField('credential');
+  const config = useConfig();
+
+  const handleCredentialUpdate = useCallback(
+    (value) => {
+      setFieldValue('credential', value);
+      setFieldTouched('credential', true, false);
+    },
+    [setFieldValue, setFieldTouched]
+  );
+
+  const docsBaseUrl = getDocsBaseUrl(config);
+  return (
+    <>
+      <CredentialLookup
+        credentialTypeNamespace="kubernetes_bearer_token"
+        label={t`Credential`}
+        helperTextInvalid={credentialMeta.error}
+        isValid={!credentialMeta.touched || !credentialMeta.error}
+        onBlur={() => credentialHelpers.setTouched()}
+        onChange={handleCredentialUpdate}
+        value={credentialField.value}
+        required
+        autoPopulate={autoPopulateCredential}
+        validate={required(t`Select a value for this field`)}
+      />
+      <VerbosityField />
+      <HostFilterField />
+      <EnabledVarField />
+      <EnabledValueField />
+      <OptionsField />
+      <SourceVarsField
+        popoverContent={helpText.sourceVars(
+          docsBaseUrl,
+          'openshift_virtualization'
+        )}
+      />
+    </>
+  );
+};
+
+export default OpenShiftVirtualizationSubForm;

awx/ui/src/screens/Inventory/shared/InventorySourceSubForms/OpenShiftVirtualizationSubForm.test.js

@@ -0,0 +1,65 @@
+import React from 'react';
+import { act } from 'react-dom/test-utils';
+import { Formik } from 'formik';
+import { CredentialsAPI } from 'api';
+import { mountWithContexts } from '../../../../../testUtils/enzymeHelpers';
+import VirtualizationSubForm from './VirtualizationSubForm';
+
+jest.mock('../../../../api');
+
+const initialValues = {
+  credential: null,
+  overwrite: false,
+  overwrite_vars: false,
+  source_path: '',
+  source_project: null,
+  source_script: null,
+  source_vars: '---\n',
+  update_cache_timeout: 0,
+  update_on_launch: true,
+  verbosity: 1,
+};
+
+describe('<VirtualizationSubForm />', () => {
+  let wrapper;
+
+  beforeEach(async () => {
+    CredentialsAPI.read.mockResolvedValue({
+      data: { count: 0, results: [] },
+    });
+
+    await act(async () => {
+      wrapper = mountWithContexts(
+        <Formik initialValues={initialValues}>
+          <VirtualizationSubForm />
+        </Formik>
+      );
+    });
+  });
+
+  afterAll(() => {
+    jest.clearAllMocks();
+  });
+
+  test('should render subform fields', () => {
+    expect(wrapper.find('FormGroup[label="Credential"]')).toHaveLength(1);
+    expect(wrapper.find('FormGroup[label="Verbosity"]')).toHaveLength(1);
+    expect(wrapper.find('FormGroup[label="Update options"]')).toHaveLength(1);
+    expect(
+      wrapper.find('FormGroup[label="Cache timeout (seconds)"]')
+    ).toHaveLength(1);
+    expect(
+      wrapper.find('VariablesField[label="Source variables"]')
+    ).toHaveLength(1);
+  });
+
+  test('should make expected api calls', () => {
+    expect(CredentialsAPI.read).toHaveBeenCalledTimes(1);
+    expect(CredentialsAPI.read).toHaveBeenCalledWith({
+      credential_type__namespace: 'rhv',
+      order_by: 'name',
+      page: 1,
+      page_size: 5,
+    });
+  });
+});

awx/ui/src/screens/Inventory/shared/InventorySourceSubForms/index.js

@@ -9,3 +9,4 @@ export { default as ControllerSubForm } from './ControllerSubForm';
 export { default as TerraformSubForm } from './TerraformSubForm';
 export { default as VMwareSubForm } from './VMwareSubForm';
 export { default as VirtualizationSubForm } from './VirtualizationSubForm';
+export { default as OpenShiftVirtualizationSubForm } from './OpenShiftVirtualizationSubForm';

awx/ui/src/screens/NotificationTemplate/NotificationTemplateList/NotificationTemplateList.js

@@ -120,7 +120,7 @@ function NotificationTemplatesList() {
             toolbarSearchColumns={[
               {
                 name: t`Name`,
-                key: 'name',
+                key: 'name__icontains',
                 isDefault: true,
               },
               {

awx_collection/plugins/modules/inventory_source.py

@@ -42,7 +42,8 @@ options:
     source:
       description:
         - The source to use for this group.
-      choices: [ "scm", "ec2", "gce", "azure_rm", "vmware", "satellite6", "openstack", "rhv", "controller", "insights" ]
+      choices: [ "scm", "ec2", "gce", "azure_rm", "vmware", "satellite6", "openstack", "rhv", "controller", "insights", "terraform",
+                 "openshift_virtualization" ]
       type: str
     source_path:
       description:
@@ -170,7 +171,22 @@ def main():
         #
         # How do we handle manual and file? The controller does not seem to be able to activate them
         #
-        source=dict(choices=["scm", "ec2", "gce", "azure_rm", "vmware", "satellite6", "openstack", "rhv", "controller", "insights"]),
+        source=dict(
+            choices=[
+                "scm",
+                "ec2",
+                "gce",
+                "azure_rm",
+                "vmware",
+                "satellite6",
+                "openstack",
+                "rhv",
+                "controller",
+                "insights",
+                "terraform",
+                "openshift_virtualization",
+            ]
+        ),
         source_path=dict(),
         source_vars=dict(type='dict'),
         enabled_var=dict(),

awxkit/awxkit/api/pages/api.py

@@ -317,7 +317,10 @@ class ApiV2(base.Base):
                     if asset['natural_key']['type'] == 'project' and 'local_path' in post_data and _page['scm_type'] == post_data['scm_type']:
                         del post_data['local_path']
 
-                    _page = _page.put(post_data)
+                    if asset['natural_key']['type'] == 'user':
+                        _page = _page.patch(**post_data)
+                    else:
+                        _page = _page.put(post_data)
                     changed = True
             except (exc.Common, AssertionError) as e:
                 identifier = asset.get("name", None) or asset.get("username", None) or asset.get("hostname", None)

awxkit/awxkit/api/pages/role_assignments.py

@@ -0,0 +1,48 @@
+import logging
+
+# from awxkit.api.mixins import DSAdapter, HasCreate, HasCopy
+# from awxkit.api.pages import (
+#     Credential,
+#     Organization,
+# )
+from awxkit.api.resources import resources
+
+# from awxkit.utils import random_title, PseudoNamespace, filter_by_class
+
+from . import base
+from . import page
+
+
+log = logging.getLogger(__name__)
+
+
+class RoleTeamAssignment(base.Base):
+    NATURAL_KEY = ('team', 'content_object', 'role_definition')
+
+
+page.register_page(
+    [resources.role_team_assignment, (resources.role_definition_team_assignments, 'post'), (resources.role_team_assignments, 'post')], RoleTeamAssignment
+)
+
+
+class RoleUserAssignment(base.Base):
+    NATURAL_KEY = ('user', 'content_object', 'role_definition')
+
+
+page.register_page(
+    [resources.role_user_assignment, (resources.role_definition_user_assignments, 'post'), (resources.role_user_assignments, 'post')], RoleUserAssignment
+)
+
+
+class RoleTeamAssignments(page.PageList, RoleTeamAssignment):
+    pass
+
+
+page.register_page([resources.role_definition_team_assignments, resources.role_team_assignments], RoleTeamAssignments)
+
+
+class RoleUserAssignments(page.PageList, RoleUserAssignment):
+    pass
+
+
+page.register_page([resources.role_definition_user_assignments, resources.role_user_assignments], RoleUserAssignments)

awxkit/awxkit/api/pages/role_definitions.py

@@ -0,0 +1,30 @@
+import logging
+
+# from awxkit.api.mixins import DSAdapter, HasCreate, HasCopy
+# from awxkit.api.pages import (
+#     Credential,
+#     Organization,
+# )
+from awxkit.api.resources import resources
+
+# from awxkit.utils import random_title, PseudoNamespace, filter_by_class
+
+from . import base
+from . import page
+
+
+log = logging.getLogger(__name__)
+
+
+class RoleDefinition(base.Base):
+    NATURAL_KEY = ('name',)
+
+
+page.register_page([resources.role_definition, (resources.role_definitions, 'post')], RoleDefinition)
+
+
+class RoleDefinitions(page.PageList, RoleDefinition):
+    pass
+
+
+page.register_page([resources.role_definitions], RoleDefinitions)

awxkit/awxkit/api/resources.py

@@ -197,6 +197,14 @@ class Resources(object):
     _related_users = r'\w+/\d+/users/'
     _related_workflow_job_templates = r'\w+/\d+/workflow_job_templates/'
     _role = r'roles/\d+/'
+    _role_definition = r'role_definitions/\d+/'
+    _role_definitions = r'role_definitions/'
+    _role_definition_team_assignments = r'role_definitions/\d+/team_assignments/'
+    _role_definition_user_assignments = r'role_definitions/\d+/user_assignments/'
+    _role_team_assignment = r'role_team_assignments/\d+/'
+    _role_team_assignments = r'role_team_assignments/'
+    _role_user_assignment = r'role_user_assignments/\d+/'
+    _role_user_assignments = r'role_user_assignments/'
     _roles = 'roles/'
     _roles_related_teams = r'roles/\d+/teams/'
     _schedule = r'schedules/\d+/'

requirements/requirements.in

@@ -1,4 +1,4 @@
-aiohttp>=3.8.6  # CVE-2023-47627
+aiohttp>=3.9.4 # CVE-2024-30251
 ansiconv==1.0.0  # UPGRADE BLOCKER: from 2013, consider replacing instead of upgrading
 asciichartpy
 asn1

requirements/requirements.txt

@@ -1,6 +1,6 @@
 adal==1.2.7
     # via msrestazure
-aiohttp==3.9.3
+aiohttp==3.9.5
     # via
     #   -r /awx_devel/requirements/requirements.in
     #   aiohttp-retry

tools/docker-compose/ansible/roles/sources/defaults/main.yml

@@ -4,6 +4,7 @@ awx_image: 'ghcr.io/ansible/awx_devel'
 pg_port: 5432
 pg_username: 'awx'
 pg_database: 'awx'
+pg_tls: false
 control_plane_node_count: 1
 minikube_container_group: false
 receptor_socket_file: /var/run/awx-receptor/receptor.sock

tools/docker-compose/ansible/roles/sources/templates/database.py.j2

@@ -5,6 +5,9 @@ DATABASES = {
         'NAME': "{{ pg_database }}",
         'USER': "{{ pg_username }}",
         'PASSWORD': "{{ pg_password }}",
+{% if pg_tls|bool %}
+        'OPTIONS': {'sslmode': 'require'},
+{% endif %}
 {% if enable_pgbouncer|bool %}
         'HOST': "pgbouncer",
         'PORT': "{{ pgbouncer_port }}",

tools/docker-compose/ansible/roles/sources/templates/docker-compose.yml.j2

@@ -237,13 +237,24 @@ services:
     image: quay.io/sclorg/postgresql-15-c9s
     container_name: tools_postgres_1
     # additional logging settings for postgres can be found https://www.postgresql.org/docs/current/runtime-config-logging.html
-    command: run-postgresql -c log_destination=stderr -c log_min_messages=info -c log_min_duration_statement={{ pg_log_min_duration_statement|default(1000) }} -c max_connections={{ pg_max_connections|default(1024) }}
+    command: >
+        bash -c "
+{% if pg_tls|bool %}
+        mkdir -p /opt/app-root/src/certs
+        && openssl genrsa -out /opt/app-root/src/certs/tls.key 2048
+        && openssl req -new -x509 -key /opt/app-root/src/certs/tls.key -out /opt/app-root/src/certs/tls.crt -subj '/CN=postgres'
+        && chmod 600 /opt/app-root/src/certs/tls.crt /opt/app-root/src/certs/tls.key &&
+{% endif %}
+        run-postgresql -c log_destination=stderr -c log_min_messages=info -c log_min_duration_statement={{ pg_log_min_duration_statement|default(1000) }} -c max_connections={{ pg_max_connections|default(1024) }}"
     environment:
       POSTGRESQL_USER: {{ pg_username }}
       POSTGRESQL_DATABASE: {{ pg_database }}
       POSTGRESQL_PASSWORD: {{ pg_password }}
     volumes:
       - "awx_db_15:/var/lib/pgsql/data"
+{% if pg_tls|bool %}
+      - "../../docker-compose/pgssl.conf:/opt/app-root/src/postgresql-cfg/pgssl.conf"
+{% endif %}
     networks:
       - awx
     ports:

tools/docker-compose/pgssl.conf

@@ -0,0 +1,5 @@
+ssl = on
+ssl_cert_file = '/opt/app-root/src/certs/tls.crt' # server certificate
+ssl_key_file =  '/opt/app-root/src/certs/tls.key' # server private key
+#ssl_ca_file                                   # trusted certificate authorities
+#ssl_crl_file                                  # certificates revoked by certificate authorities

tools/scripts/ig-hotfix/.gitignore

@@ -0,0 +1,7 @@
+*~
+customer-backup.tar.*
+*.db
+*.log
+*.dot
+*.png
+*.tar.*

tools/scripts/ig-hotfix/README.md

@@ -0,0 +1,36 @@
+# Hotfix for Instance Groups and Roles after backup/restore corruption #
+
+## role_check.py ##
+
+`awx-manage shell < role_check.py 2> role_check.log > fix.py`
+
+This checks the roles and resources on the system, and constructs a
+fix.py file that will change the linkages of the roles that it finds
+are incorrect. The command line above also redirects logging output to
+a file. The fix.py file (and the log file) can then be examined (and
+potentially modified) before performing the actual fix.
+
+`awx-manage shell < fix.py > fix.log 2>&1`
+
+This performs the fix, while redirecting all output to another log
+file. Ideally, this file should wind up being empty after execution
+completes.
+
+`awx-manage shell < role_check.py 2> role_check2.log > fix2.py`
+
+Re-run the check script in order to see that there are no remaining
+problems. Ideally the log file will only consist of the equal-sign
+lines.
+
+
+## foreignkeys.sql ##
+
+This script uses Postgres internals to determine all of the foreign
+keys that cross the boundaries established by our (old) backup/restore
+logic.  Users have no need to run this.
+
+
+## scenarios/test*.py ##
+
+These files were used to set up corruption similar to that caused by
+faulty backup/restore, for testing purposes.  Do not use.

tools/scripts/ig-hotfix/foreignkeys.sql

@@ -0,0 +1,38 @@
+DO $$
+DECLARE
+    -- add table names here when they get excluded from main / included in topology dump
+    topology text[] := ARRAY['main_instance', 'main_instancegroup', 'main_instancegroup_instances'];
+
+    -- add table names here when they are handled by the special-case mapping
+    mapping text[] := ARRAY['main_organizationinstancegroupmembership', 'main_unifiedjobtemplateinstancegroupmembership', 'main_inventoryinstancegroupmembership'];
+BEGIN
+    CREATE TABLE tmp_fk_from AS (
+        SELECT DISTINCT
+            tc.table_name, 
+            ccu.table_name AS foreign_table_name
+        FROM information_schema.table_constraints AS tc 
+        JOIN information_schema.constraint_column_usage AS ccu
+            ON ccu.constraint_name = tc.constraint_name
+        WHERE tc.constraint_type = 'FOREIGN KEY'
+            AND tc.table_name = ANY (topology)
+            AND NOT ccu.table_name = ANY (topology || mapping)
+    );
+
+    CREATE TABLE tmp_fk_into AS (
+        SELECT DISTINCT
+            tc.table_name, 
+            ccu.table_name AS foreign_table_name
+        FROM information_schema.table_constraints AS tc 
+        JOIN information_schema.constraint_column_usage AS ccu
+            ON ccu.constraint_name = tc.constraint_name
+        WHERE tc.constraint_type = 'FOREIGN KEY'
+            AND ccu.table_name = ANY (topology)
+            AND NOT tc.table_name = ANY (topology || mapping)
+    );
+END $$;
+
+SELECT * FROM tmp_fk_from;
+SELECT * FROM tmp_fk_into;
+
+DROP TABLE tmp_fk_from;
+DROP TABLE tmp_fk_into;

tools/scripts/ig-hotfix/role_check.py

@@ -0,0 +1,187 @@
+from collections import defaultdict
+import json
+import sys
+
+from django.contrib.contenttypes.models import ContentType
+from django.db.models.fields.related_descriptors import ManyToManyDescriptor
+
+from awx.main.fields import ImplicitRoleField
+from awx.main.models.rbac import Role
+
+
+team_ct = ContentType.objects.get(app_label='main', model='team')
+
+crosslinked = defaultdict(lambda: defaultdict(dict))
+crosslinked_parents = defaultdict(list)
+orphaned_roles = set()
+
+
+def resolve(obj, path):
+    fname, _, path = path.partition('.')
+    new_obj = getattr(obj, fname, None)
+    if new_obj is None:
+        return set()
+    if not path:
+        return {new_obj,}
+
+    if isinstance(new_obj, ManyToManyDescriptor):
+        return {x for o in new_obj.all() for x in resolve(o, path)}
+
+    return resolve(new_obj, path)
+
+
+for ct in ContentType.objects.order_by('id'):
+    cls = ct.model_class()
+    if cls is None:
+        sys.stderr.write(f"{ct!r} does not have a corresponding model class in the codebase. Skipping.\n")
+        continue
+    if not any(isinstance(f, ImplicitRoleField) for f in cls._meta.fields):
+        continue
+    for obj in cls.objects.all():
+        for f in cls._meta.fields:
+            if not isinstance(f, ImplicitRoleField):
+                continue
+            r_id = getattr(obj, f'{f.name}_id', None)
+            try:
+                r = getattr(obj, f.name, None)
+            except Role.DoesNotExist:
+                sys.stderr.write(f"{cls} id={obj.id} {f.name} points to Role id={r_id}, which is not in the database.\n")
+                crosslinked[ct.id][obj.id][f'{f.name}_id'] = None
+                continue
+            if not r:
+                sys.stderr.write(f"{cls} id={obj.id} {f.name} does not have a Role object\n")
+                crosslinked[ct.id][obj.id][f'{f.name}_id'] = None
+                continue
+            if r.content_object != obj:
+                sys.stderr.write(f"{cls.__name__} id={obj.id} {f.name} is pointing to a Role that is assigned to a different object: role.id={r.id} {r.content_type!r} {r.object_id} {r.role_field}\n")
+                crosslinked[ct.id][obj.id][f'{f.name}_id'] = None
+                continue
+
+
+sys.stderr.write('===================================\n')
+for r in Role.objects.exclude(role_field__startswith='system_').order_by('id'):
+
+    # The ancestor list should be a superset of both parents and implicit_parents.
+    # Also, parents should be a superset of implicit_parents.
+    parents = set(r.parents.values_list('id', flat=True))
+    ancestors = set(r.ancestors.values_list('id', flat=True))
+    implicit = set(json.loads(r.implicit_parents))
+
+    if not implicit:
+        sys.stderr.write(f"Role id={r.id} has no implicit_parents\n")
+    if not parents <= ancestors:
+        sys.stderr.write(f"Role id={r.id} has parents that are not in the ancestor list: {parents - ancestors}\n")
+        crosslinked[r.content_type_id][r.object_id][f'{r.role_field}_id'] = r.id
+    if not implicit <= parents:
+        sys.stderr.write(f"Role id={r.id} has implicit_parents that are not in the parents list: {implicit - parents}\n")
+        crosslinked[r.content_type_id][r.object_id][f'{r.role_field}_id'] = r.id
+    if not implicit <= ancestors:
+        sys.stderr.write(f"Role id={r.id} has implicit_parents that are not in the ancestor list: {implicit - ancestors}\n")
+        crosslinked[r.content_type_id][r.object_id][f'{r.role_field}_id'] = r.id
+
+    # Check that the Role's generic foreign key points to a legitimate object
+    if not r.content_object:
+        sys.stderr.write(f"Role id={r.id} is missing a valid content_object: {r.content_type!r} {r.object_id} {r.role_field}\n")
+        orphaned_roles.add(r.id)
+        continue
+
+    # Check the resource's role field parents for consistency with Role.parents.all().
+    f = r.content_object._meta.get_field(r.role_field)
+    f_parent = set(f.parent_role) if isinstance(f.parent_role, list) else {f.parent_role,}
+    dotted = {x for p in f_parent if '.' in p for x in resolve(r.content_object, p)}
+    plus = set()
+    for p in r.parents.all():
+        if p.singleton_name:
+            if f'singleton:{p.singleton_name}' not in f_parent:
+                plus.add(p)
+        elif (p.content_type, p.role_field) == (team_ct, 'member_role'):
+            # Team has been granted this role; probably legitimate.
+            continue
+        elif (p.content_type, p.object_id) == (r.content_type, r.object_id):
+            if p.role_field not in f_parent:
+                plus.add(p)
+        elif p in dotted:
+            continue
+        else:
+            plus.add(p)
+
+    if plus:
+        plus_repr = [f"{x.content_type!r} {x.object_id} {x.role_field}" for x in plus]
+        sys.stderr.write(f"Role id={r.id} has cross-linked parents: {plus_repr}\n")
+        crosslinked_parents[r.id].extend(x.id for x in plus)
+
+    try:
+        rev = getattr(r.content_object, r.role_field, None)
+    except Role.DoesNotExist:
+        sys.stderr.write(f"Role id={r.id} {r.content_type!r} {r.object_id} {r.role_field} points at an object with a broken role.\n")
+        crosslinked[r.content_type_id][r.object_id][f'{r.role_field}_id'] = r.id
+        continue
+    if rev is None or r.id != rev.id:
+        if rev and (r.content_type_id, r.object_id, r.role_field) == (rev.content_type_id, rev.object_id, rev.role_field):
+            sys.stderr.write(f"Role id={r.id} {r.content_type!r} {r.object_id} {r.role_field} is an orphaned duplicate of Role id={rev.id}, which is actually being used by the assigned resource\n")
+            orphaned_roles.add(r.id)
+        elif not rev:
+            sys.stderr.write(f"Role id={r.id} {r.content_type!r} {r.object_id} {r.role_field} is pointing to an object currently using no role\n")
+            crosslinked[r.content_type_id][r.object_id][f'{r.role_field}_id'] = r.id
+        else:
+            sys.stderr.write(f"Role id={r.id} {r.content_type!r} {r.object_id} {r.role_field} is pointing to an object using a different role: id={rev.id} {rev.content_type!r} {rev.object_id} {rev.role_field}\n")
+            crosslinked[r.content_type_id][r.object_id][f'{r.role_field}_id'] = r.id
+        continue
+
+
+sys.stderr.write('===================================\n')
+
+
+print(f"""\
+from collections import Counter
+
+from django.contrib.contenttypes.models import ContentType
+
+from awx.main.fields import ImplicitRoleField
+from awx.main.models.rbac import Role
+
+
+delete_counts = Counter()
+update_counts = Counter()
+
+""")
+
+
+print("# Resource objects that are pointing to the wrong Role.  Some of these")
+print("# do not have corresponding Roles anywhere, so delete the foreign key.")
+print("# For those, new Roles will be constructed upon save.\n")
+print("queue = set()\n")
+for ct, objs in crosslinked.items():
+    print(f"cls = ContentType.objects.get(id={ct}).model_class()\n")
+    for obj, kv in objs.items():
+        print(f"c = cls.objects.filter(id={obj}).update(**{kv!r})")
+        print("update_counts.update({cls._meta.label: c})")
+        print(f"queue.add((cls, {obj}))")
+
+print("\n# Role objects that are assigned to objects that do not exist")
+for r in orphaned_roles:
+    print(f"c = Role.objects.filter(id={r}).update(object_id=None)")
+    print("update_counts.update({'main.Role': c})")
+    print(f"_, c = Role.objects.filter(id={r}).delete()")
+    print("delete_counts.update(c)")
+
+print('\n\n')
+for child, parents in crosslinked_parents.items():
+    print(f"r = Role.objects.get(id={child})")
+    print(f"r.parents.remove(*Role.objects.filter(id__in={parents!r}))")
+    print(f"queue.add((r.content_object.__class__, r.object_id))")
+
+print('\n\n')
+print('print("Objects deleted:", dict(delete_counts.most_common()))')
+print('print("Objects updated:", dict(update_counts.most_common()))')
+
+print("\n\nfor cls, obj_id in queue:")
+print("    role_fields = [f for f in cls._meta.fields if isinstance(f, ImplicitRoleField)]")
+print("    obj = cls.objects.get(id=obj_id)")
+print("    for f in role_fields:")
+print("        r = getattr(obj, f.name, None)")
+print("        if r is not None:")
+print("            print(f'updating implicit parents on Role {r.id}')")
+print("            r.implicit_parents = '[]'")
+print("            r.save()")
+print("    obj.save()")

tools/scripts/ig-hotfix/scenarios/test.py

@@ -0,0 +1,19 @@
+from django.db import connection
+from awx.main.models import InstanceGroup
+
+InstanceGroup.objects.filter(name__in=('green', 'yellow', 'red')).delete()
+
+green = InstanceGroup.objects.create(name='green')
+red = InstanceGroup.objects.create(name='red')
+yellow = InstanceGroup.objects.create(name='yellow')
+
+for ig in InstanceGroup.objects.all():
+    print((ig.id, ig.name, ig.use_role_id))
+
+with connection.cursor() as cursor:
+    cursor.execute("UPDATE main_instancegroup SET use_role_id = NULL WHERE name = 'red'")
+    cursor.execute(f"UPDATE main_instancegroup SET use_role_id = {green.use_role_id} WHERE name = 'yellow'")
+
+print("=====================================")
+for ig in InstanceGroup.objects.all():
+    print((ig.id, ig.name, ig.use_role_id))

tools/scripts/ig-hotfix/scenarios/test2.py

@@ -0,0 +1,20 @@
+from django.db import connection
+from awx.main.models import InstanceGroup
+
+InstanceGroup.objects.filter(name__in=('green', 'yellow', 'red')).delete()
+
+green = InstanceGroup.objects.create(name='green')
+red = InstanceGroup.objects.create(name='red')
+yellow = InstanceGroup.objects.create(name='yellow')
+
+for ig in InstanceGroup.objects.all():
+    print((ig.id, ig.name, ig.use_role_id))
+
+with connection.cursor() as cursor:
+    cursor.execute(f"UPDATE main_rbac_roles SET object_id = NULL WHERE id = {red.use_role_id}")
+    cursor.execute("UPDATE main_instancegroup SET use_role_id = NULL WHERE name = 'red'")
+    cursor.execute(f"UPDATE main_instancegroup SET use_role_id = {green.use_role_id} WHERE name = 'yellow'")
+
+print("=====================================")
+for ig in InstanceGroup.objects.all():
+    print((ig.id, ig.name, ig.use_role_id))

tools/scripts/ig-hotfix/scenarios/test3.py

@@ -0,0 +1,28 @@
+from django.db import connection
+from awx.main.models import InstanceGroup
+
+InstanceGroup.objects.filter(name__in=('green', 'yellow', 'red', 'blue')).delete()
+
+green = InstanceGroup.objects.create(name='green')
+red = InstanceGroup.objects.create(name='red')
+yellow = InstanceGroup.objects.create(name='yellow')
+blue = InstanceGroup.objects.create(name='blue')
+
+for ig in InstanceGroup.objects.all():
+    print((ig.id, ig.name, ig.use_role_id))
+
+with connection.cursor() as cursor:
+    cursor.execute("ALTER TABLE main_instancegroup DROP CONSTRAINT main_instancegroup_use_role_id_48ea7ecc_fk_main_rbac_roles_id")
+
+    cursor.execute(f"UPDATE main_rbac_roles SET object_id = NULL WHERE id = {red.use_role_id}")
+    cursor.execute(f"DELETE FROM main_rbac_roles_parents WHERE from_role_id = {blue.use_role_id} OR to_role_id = {blue.use_role_id}")
+    cursor.execute(f"DELETE FROM main_rbac_role_ancestors WHERE ancestor_id = {blue.use_role_id} OR descendent_id = {blue.use_role_id}")
+    cursor.execute(f"DELETE FROM main_rbac_roles WHERE id = {blue.use_role_id}")
+    cursor.execute("UPDATE main_instancegroup SET use_role_id = NULL WHERE name = 'red'")
+    cursor.execute(f"UPDATE main_instancegroup SET use_role_id = {green.use_role_id} WHERE name = 'yellow'")
+
+    cursor.execute("ALTER TABLE main_instancegroup ADD CONSTRAINT main_instancegroup_use_role_id_48ea7ecc_fk_main_rbac_roles_id FOREIGN KEY (use_role_id) REFERENCES public.main_rbac_roles(id) DEFERRABLE INITIALLY DEFERRED NOT VALID")
+
+print("=====================================")
+for ig in InstanceGroup.objects.all():
+    print((ig.id, ig.name, ig.use_role_id))

tools/scripts/ig-hotfix/scenarios/test4.py

@@ -0,0 +1,26 @@
+from django.db import connection
+from awx.main.models import InstanceGroup
+
+InstanceGroup.objects.filter(name__in=('green', 'yellow', 'red')).delete()
+
+green = InstanceGroup.objects.create(name='green')
+red = InstanceGroup.objects.create(name='red')
+yellow = InstanceGroup.objects.create(name='yellow')
+
+for ig in InstanceGroup.objects.all():
+    print((ig.id, ig.name, ig.use_role_id))
+
+with connection.cursor() as cursor:
+    cursor.execute("UPDATE main_instancegroup SET use_role_id = NULL WHERE name = 'red'")
+    cursor.execute(f"UPDATE main_instancegroup SET use_role_id = {green.use_role_id} WHERE name = 'yellow'")
+
+green.refresh_from_db()
+red.refresh_from_db()
+yellow.refresh_from_db()
+green.save()
+red.save()
+yellow.save()
+
+print("=====================================")
+for ig in InstanceGroup.objects.all():
+    print((ig.id, ig.name, ig.use_role_id))

tools/sosreport/controller.py

@@ -25,6 +25,7 @@ SOSREPORT_CONTROLLER_COMMANDS = [
     "ls -ll /var/run/awx-receptor",  # list contents of dirctory where receptor socket should be
     "ls -ll /etc/receptor",
     "receptorctl --socket /var/run/awx-receptor/receptor.sock status",  # Get information about the status of the mesh
+    "receptorctl --socket /var/run/awx-receptor/receptor.sock work list",  # Get list of receptor work units
     "umask -p",  # check current umask
 ]