move fix into get_job_kwargs

fix: empty string vs nil handling for limit parameter
Fix OpenAPI schema validation message mismatch (#16372 )
2026-03-31 15:55:07 -02:30 · 2026-03-30 12:46:23 +02:00 · 2026-03-30 12:46:22 +02:00 · 2026-03-25 12:36:10 -06:00 · 2026-03-25 10:57:01 -04:00 · 2026-03-25 11:03:11 +01:00
8 changed files with 155 additions and 15 deletions
--- a/2
+++ b/2
@@ -581,7 +581,7 @@ detect-schema-change: genschema

 validate-openapi-schema: genschema
 	@echo "Validating OpenAPI schema from schema.json..."
-	@python3 -c "from openapi_spec_validator import validate; import json; spec = json.load(open('schema.json')); validate(spec); print('✓ OpenAPI Schema is valid!')"
+	@python3 -c "from openapi_spec_validator import validate; import json; spec = json.load(open('schema.json')); validate(spec); print('✓ Schema is valid')"

 docker-compose-clean: awx/projects
 	$(DOCKER_COMPOSE) -f tools/docker-compose/_sources/docker-compose.yml rm -sf
--- a/awx/main/management/commands/inventory_import.py
+++ b/awx/main/management/commands/inventory_import.py
@@ -409,10 +409,12 @@ class Command(BaseCommand):
            del_child_group_pks = list(set(db_children_name_pk_map.values()))
            for offset in range(0, len(del_child_group_pks), self._batch_size):
                child_group_pks = del_child_group_pks[offset : (offset + self._batch_size)]
-                for db_child in db_children.filter(pk__in=child_group_pks):
-                    group_group_count += 1
-                    db_group.children.remove(db_child)
-                    logger.debug('Group "%s" removed from group "%s"', db_child.name, db_group.name)
+                children_to_remove = list(db_children.filter(pk__in=child_group_pks))
+                if children_to_remove:
+                    group_group_count += len(children_to_remove)
+                    db_group.children.remove(*children_to_remove)
+                    for db_child in children_to_remove:
+                        logger.debug('Group "%s" removed from group "%s"', db_child.name, db_group.name)
            # FIXME: Inventory source group relationships
            # Delete group/host relationships not present in imported data.
            db_hosts = db_group.hosts
@@ -441,12 +443,12 @@ class Command(BaseCommand):
            del_host_pks = list(del_host_pks)
            for offset in range(0, len(del_host_pks), self._batch_size):
                del_pks = del_host_pks[offset : (offset + self._batch_size)]
-                for db_host in db_hosts.filter(pk__in=del_pks):
-                    group_host_count += 1
-                    if db_host not in db_group.hosts.all():
-                        continue
-                    db_group.hosts.remove(db_host)
-                    logger.debug('Host "%s" removed from group "%s"', db_host.name, db_group.name)
+                hosts_to_remove = list(db_hosts.filter(pk__in=del_pks))
+                if hosts_to_remove:
+                    group_host_count += len(hosts_to_remove)
+                    db_group.hosts.remove(*hosts_to_remove)
+                    for db_host in hosts_to_remove:
+                        logger.debug('Host "%s" removed from group "%s"', db_host.name, db_group.name)
        if settings.SQL_DEBUG:
            logger.warning(
                'group-group and group-host deletions took %d queries for %d relationships',
--- a/awx/main/models/credential.py
+++ b/awx/main/models/credential.py
@@ -531,6 +531,7 @@ class CredentialType(CommonModelNameNotUnique):
            existing = ct_class.objects.filter(name=default.name, kind=default.kind).first()
            if existing is not None:
                existing.namespace = default.namespace
+                existing.description = getattr(default, 'description', '')
                existing.inputs = {}
                existing.injectors = {}
                existing.save()
@@ -570,7 +571,14 @@ class CredentialType(CommonModelNameNotUnique):
    @classmethod
    def load_plugin(cls, ns, plugin):
        # TODO: User "side-loaded" credential custom_injectors isn't supported
-        ManagedCredentialType.registry[ns] = SimpleNamespace(namespace=ns, name=plugin.name, kind='external', inputs=plugin.inputs, backend=plugin.backend)
+        ManagedCredentialType.registry[ns] = SimpleNamespace(
+            namespace=ns,
+            name=plugin.name,
+            kind='external',
+            inputs=plugin.inputs,
+            backend=plugin.backend,
+            description=getattr(plugin, 'plugin_description', ''),
+        )

    def inject_credential(self, credential, env, safe_env, args, private_data_dir, container_root=None):
        from awx_plugins.interfaces._temporary_private_inject_api import inject_credential
@@ -582,7 +590,13 @@ class CredentialTypeHelper:
    @classmethod
    def get_creation_params(cls, cred_type):
        if cred_type.kind == 'external':
-            return dict(namespace=cred_type.namespace, kind=cred_type.kind, name=cred_type.name, managed=True)
+            return {
+                'namespace': cred_type.namespace,
+                'kind': cred_type.kind,
+                'name': cred_type.name,
+                'managed': True,
+                'description': getattr(cred_type, 'description', ''),
+            }
        return dict(
            namespace=cred_type.namespace,
            kind=cred_type.kind,
--- a/awx/main/models/workflow.py
+++ b/awx/main/models/workflow.py
@@ -335,7 +335,9 @@ class WorkflowJobNode(WorkflowNodeBase):
            # or labels, because they do not propogate WFJT-->node at all

            # Combine WFJT prompts with node here, WFJT at higher level
-            node_prompts_data.update(wj_prompts_data)
+            # Empty string values on the workflow job (e.g. from IaC setting limit: "")
+            # should not override a node's explicit non-empty prompt value
+            node_prompts_data.update({k: v for k, v in wj_prompts_data.items() if v != ''})
            accepted_fields, ignored_fields, errors = ujt_obj._accept_or_ignore_job_kwargs(**node_prompts_data)
            if errors:
                logger.info(
--- a/awx/main/tests/functional/commands/test_inventory_import.py
+++ b/awx/main/tests/functional/commands/test_inventory_import.py
@@ -305,6 +305,47 @@ class TestINIImports:
        has_host_group = inventory.groups.get(name='has_a_host')
        assert has_host_group.hosts.count() == 1

+    @mock.patch.object(inventory_import, 'AnsibleInventoryLoader', MockLoader)
+    def test_overwrite_removes_stale_memberships(self, inventory):
+        """When overwrite is enabled, host-group and group-group memberships
+        that are no longer in the imported data should be removed."""
+        # First import: parent_group has two children, host_group has two hosts
+        inventory_import.AnsibleInventoryLoader._data = {
+            "_meta": {"hostvars": {"host1": {}, "host2": {}}},
+            "all": {"children": ["ungrouped", "parent_group", "child_a", "child_b", "host_group"]},
+            "parent_group": {"children": ["child_a", "child_b"]},
+            "host_group": {"hosts": ["host1", "host2"]},
+            "ungrouped": {"hosts": []},
+        }
+        cmd = inventory_import.Command()
+        cmd.handle(inventory_id=inventory.pk, source=__file__, overwrite=True)
+
+        parent = inventory.groups.get(name='parent_group')
+        assert set(parent.children.values_list('name', flat=True)) == {'child_a', 'child_b'}
+        host_grp = inventory.groups.get(name='host_group')
+        assert set(host_grp.hosts.values_list('name', flat=True)) == {'host1', 'host2'}
+
+        # Second import: child_b removed from parent_group, host2 moved out of host_group
+        inventory_import.AnsibleInventoryLoader._data = {
+            "_meta": {"hostvars": {"host1": {}, "host2": {}}},
+            "all": {"children": ["ungrouped", "parent_group", "child_a", "child_b", "host_group"]},
+            "parent_group": {"children": ["child_a"]},
+            "host_group": {"hosts": ["host1"]},
+            "ungrouped": {"hosts": ["host2"]},
+        }
+        cmd = inventory_import.Command()
+        cmd.handle(inventory_id=inventory.pk, source=__file__, overwrite=True)
+
+        parent.refresh_from_db()
+        host_grp.refresh_from_db()
+        # child_b should be removed from parent_group
+        assert set(parent.children.values_list('name', flat=True)) == {'child_a'}
+        # host2 should be removed from host_group
+        assert set(host_grp.hosts.values_list('name', flat=True)) == {'host1'}
+        # host2 and child_b should still exist in the inventory, just not in those groups
+        assert inventory.hosts.filter(name='host2').exists()
+        assert inventory.groups.filter(name='child_b').exists()
+
    @mock.patch.object(inventory_import, 'AnsibleInventoryLoader', MockLoader)
    def test_recursive_group_error(self, inventory):
        inventory_import.AnsibleInventoryLoader._data = {
--- a/awx/main/tests/functional/models/test_workflow.py
+++ b/awx/main/tests/functional/models/test_workflow.py
@@ -291,6 +291,33 @@ class TestWorkflowJob:
        assert set(data['labels']) == set(node_labels)  # as exception, WFJT labels not applied
        assert data['limit'] == 'wj_limit'

+    def test_node_limit_not_overridden_by_empty_string_wj_limit(self, project, inventory):
+        """
+        When the workflow job has an empty string limit (e.g., set via IaC with limit: ""),
+        the node-level limit should still be passed to the spawned job, not silently suppressed.
+        """
+        jt = JobTemplate.objects.create(
+            project=project,
+            inventory=inventory,
+            ask_limit_on_launch=True,
+        )
+        # Simulate a workflow job whose WFJT was created via IaC with `limit: ""`
+        # (e.g. awx.awx.workflow_job_template: ... limit: "")
+        # This stores '' in char_prompts instead of treating it as None/"no limit".
+        wj = WorkflowJob.objects.create(name='test-wf-job')
+        wj.limit = ''  # stores {'limit': ''} in char_prompts - the IaC bug scenario
+        wj.save()
+
+        node = WorkflowJobNode.objects.create(workflow_job=wj, unified_job_template=jt)
+        node.limit = 'web_servers'
+        node.save()
+
+        data = node.get_job_kwargs()
+        # The node-level limit should be applied; the WJ's empty string limit is not meaningful
+        assert data.get('limit') == 'web_servers', (
+            "Node-level limit 'web_servers' was not passed to the job. " "Likely caused by an empty string WJ limit overriding the node limit"
+        )
+

@pytest.mark.django_db
 class TestWorkflowJobTemplate:
--- a/awx/main/tests/unit/models/test_credential.py
+++ b/awx/main/tests/unit/models/test_credential.py
@@ -2,7 +2,11 @@

 import pytest

+from types import SimpleNamespace
+from unittest import mock
+
 from awx.main.models import Credential, CredentialType
+from awx.main.models.credential import CredentialTypeHelper, ManagedCredentialType

 from django.apps import apps

@@ -78,3 +82,53 @@ def test_credential_context_property_independent_instances():
    assert cred1.context == {'key1': 'value1'}
    assert cred2.context == {'key2': 'value2'}
    assert cred1.context is not cred2.context
+
+
+def test_load_plugin_passes_description():
+    plugin = SimpleNamespace(name='test_plugin', inputs={'fields': []}, backend=None, plugin_description='A test plugin')
+    CredentialType.load_plugin('test_ns', plugin)
+    entry = ManagedCredentialType.registry['test_ns']
+    assert entry.description == 'A test plugin'
+    del ManagedCredentialType.registry['test_ns']
+
+
+def test_load_plugin_missing_description():
+    plugin = SimpleNamespace(name='test_plugin', inputs={'fields': []}, backend=None)
+    CredentialType.load_plugin('test_ns', plugin)
+    entry = ManagedCredentialType.registry['test_ns']
+    assert entry.description == ''
+    del ManagedCredentialType.registry['test_ns']
+
+
+def test_get_creation_params_external_includes_description():
+    cred_type = SimpleNamespace(namespace='test_ns', kind='external', name='Test', description='My description')
+    params = CredentialTypeHelper.get_creation_params(cred_type)
+    assert params['description'] == 'My description'
+
+
+def test_get_creation_params_external_missing_description():
+    cred_type = SimpleNamespace(namespace='test_ns', kind='external', name='Test')
+    params = CredentialTypeHelper.get_creation_params(cred_type)
+    assert params['description'] == ''
+
+
+@pytest.mark.django_db
+def test_setup_tower_managed_defaults_updates_description():
+    registry_entry = SimpleNamespace(
+        namespace='test_ns',
+        kind='external',
+        name='Test Plugin',
+        inputs={'fields': []},
+        backend=None,
+        description='Updated description',
+    )
+    # Create an existing credential type with no description
+    ct = CredentialType.objects.create(name='Test Plugin', kind='external', namespace='old_ns')
+    assert ct.description == ''
+
+    with mock.patch.dict(ManagedCredentialType.registry, {'test_ns': registry_entry}, clear=True):
+        CredentialType._setup_tower_managed_defaults()
+
+    ct.refresh_from_db()
+    assert ct.description == 'Updated description'
+    assert ct.namespace == 'test_ns'
--- a/requirements/requirements.txt
+++ b/requirements/requirements.txt
@@ -116,7 +116,7 @@ cython==3.1.3
    # via -r /awx_devel/requirements/requirements.in
 daphne==4.2.1
    # via -r /awx_devel/requirements/requirements.in
-dispatcherd[pg-notify]==2026.02.26
+dispatcherd[pg-notify]==2026.3.25
    # via -r /awx_devel/requirements/requirements.in
 distro==1.9.0
    # via -r /awx_devel/requirements/requirements.in
Author	SHA1	Message	Date
Peter Braun	4f231aea44	move fix into get_job_kwargs	2026-03-30 12:46:23 +02:00
Peter Braun	0a80c91a96	fix: empty string vs nil handling for limit parameter	2026-03-30 12:46:22 +02:00
TVo	cd7f6f602f	Fix OpenAPI schema validation message mismatch (#16372 )	2026-03-25 12:36:10 -06:00
Chris Meyers	310dd3e18f	Update dispatcherd to version 2026.3.25 (#16369 ) Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>	2026-03-25 10:57:01 -04:00
Matthew Sandoval	7c75788b0a	AAP-67740 Pass plugin_description through to CredentialType.description (#16364 ) * Pass plugin_description through to CredentialType.description Propagate the plugin_description field from credential plugins into the CredentialType description when loading and creating managed credential types, including updates to existing records. Assisted-by: Claude * Add unit tests for plugin_description passthrough to CredentialType Tests cover load_plugin, get_creation_params, and _setup_tower_managed_defaults handling of the description field. Assisted-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: PabloHiro <palonso@redhat.com>	2026-03-25 11:03:11 +01:00
Peter Braun	ab294385ad	fix: avoid delete in loop in inventory import (#16366 )	2026-03-24 15:37:59 +00:00