Update PR template

Signed-off-by: David O Neill <daoneill@redhat.com>

.github/PULL_REQUEST_TEMPLATE.md

@@ -7,6 +7,14 @@ commit message and your description; but you should still explain what
 the change does.
 -->
 
+##### Depends on
+<!--- 
+Please provide links to any other PR dependanices.
+Indicating these should be merged first prior to this PR.  
+-->
+ - #12345
+ - https://github.com/xxx/yyy/pulls/1234
+
 ##### ISSUE TYPE
 <!--- Pick one below and delete the rest: -->
  - Breaking Change 

.github/actions/awx_devel_image/action.yml

@@ -24,7 +24,7 @@ runs:
 
     - name: Pre-pull latest devel image to warm cache
       shell: bash
-      run: docker pull -q ghcr.io/${OWNER_LC}/awx_devel:${{ github.base_ref }}
+      run: docker pull ghcr.io/${OWNER_LC}/awx_devel:${{ github.base_ref }}
 
     - name: Build image for current source checkout
       shell: bash

.github/actions/run_awx_devel/action.yml

@@ -57,11 +57,21 @@ runs:
           awx-manage update_password --username=admin --password=password
         EOSH
 
+    - name: Build UI
+      # This must be a string comparison in composite actions:
+      # https://github.com/actions/runner/issues/2238
+      if: ${{ inputs.build-ui == 'true' }}
+      shell: bash
+      run: |
+        docker exec -i tools_awx_1 sh <<-EOSH
+          make ui-devel
+        EOSH
+
     - name: Get instance data
       id: data
       shell: bash
       run: |
-        AWX_IP=$(docker inspect -f '{{.NetworkSettings.Networks.awx.IPAddress}}' tools_awx_1)
+        AWX_IP=$(docker inspect -f '{{.NetworkSettings.Networks._sources_awx.IPAddress}}' tools_awx_1)
         ADMIN_TOKEN=$(docker exec -i tools_awx_1 awx-manage create_oauth2_token --user admin)
         echo "ip=$AWX_IP" >> $GITHUB_OUTPUT
         echo "admin_token=$ADMIN_TOKEN" >> $GITHUB_OUTPUT

.github/issue_labeler.yml

@@ -6,6 +6,8 @@ needs_triage:
   - "Feature Summary"
 "component:ui":
   - "\\[X\\] UI"
+"component:ui_next":
+  - "\\[X\\] UI \\(tech preview\\)"
 "component:api":
   - "\\[X\\] API"
 "component:docs":

.github/pr_labeler.yml

@@ -1,5 +1,8 @@
 "component:api":
-  - any: ["awx/**/*"]
+  - any: ["awx/**/*", "!awx/ui/**"]
+
+"component:ui":
+  - any: ["awx/ui/**/*"]
 
 "component:docs":
   - any: ["docs/**/*"]
@@ -11,4 +14,5 @@
   - any: ["awx_collection/**/*"]
 
 "dependencies":
+  - any: ["awx/ui/package.json"]
   - any: ["requirements/*"]

.github/triage_replies.md

@@ -1,7 +1,7 @@
 ## General
 - For the roundup of all the different mailing lists available from AWX, Ansible, and beyond visit: https://docs.ansible.com/ansible/latest/community/communication.html
 - Hello, we think your question is answered in our FAQ. Does this: https://www.ansible.com/products/awx-project/faq cover your question?
-- You can find the latest documentation here: https://ansible.readthedocs.io/projects/awx/en/latest/userguide/index.html
+- You can find the latest documentation here: https://docs.ansible.com/automation-controller/latest/html/userguide/index.html
 
 
 

.github/workflows/ci.yml

@@ -31,11 +31,14 @@ jobs:
             command: /start_tests.sh test_collection_all
           - name: api-schema
             command: /start_tests.sh detect-schema-change SCHEMA_DIFF_BASE_BRANCH=${{ github.event.pull_request.base.ref }}
-
+          - name: ui-lint
+            command: make ui-lint
+          - name: ui-test-screens
+            command: make ui-test-screens
+          - name: ui-test-general
+            command: make ui-test-general
     steps:
-      - uses: actions/checkout@v4
-        with:
-          show-progress: false
+      - uses: actions/checkout@v3
 
       - name: Build awx_devel image for running checks
         uses: ./.github/actions/awx_devel_image
@@ -49,9 +52,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 60
     steps:
-      - uses: actions/checkout@v4
-        with:
-          show-progress: false
+      - uses: actions/checkout@v3
 
       - uses: ./.github/actions/run_awx_devel
         id: awx
@@ -65,19 +66,15 @@ jobs:
   awx-operator:
     runs-on: ubuntu-latest
     timeout-minutes: 60
-    env:
-      DEBUG_OUTPUT_DIR: /tmp/awx_operator_molecule_test
     steps:
       - name: Checkout awx
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3
         with:
-          show-progress: false
           path: awx
 
       - name: Checkout awx-operator
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3
         with:
-          show-progress: false\
           repository: ansible/awx-operator
           path: awx-operator
 
@@ -97,11 +94,11 @@ jobs:
       - name: Build AWX image
         working-directory: awx
         run: |
-          VERSION=`make version-for-buildyml` make awx-kube-build
-        env:
-          COMPOSE_TAG: ci
-          DEV_DOCKER_TAG_BASE: local
-          HEADLESS: yes
+          ansible-playbook -v tools/ansible/build.yml \
+            -e headless=yes \
+            -e awx_image=awx \
+            -e awx_image_tag=ci \
+            -e ansible_python_interpreter=$(which python3)
 
       - name: Run test deployment with awx-operator
         working-directory: awx-operator
@@ -112,17 +109,8 @@ jobs:
           make kustomize
           KUSTOMIZE_PATH=$(readlink -f bin/kustomize) molecule -v test -s kind -- --skip-tags=replicas
         env:
-          AWX_TEST_IMAGE: local/awx
+          AWX_TEST_IMAGE: awx
           AWX_TEST_VERSION: ci
-          AWX_EE_TEST_IMAGE: quay.io/ansible/awx-ee:latest
-          STORE_DEBUG_OUTPUT: true
-
-      - name: Upload debug output
-        if: failure()
-        uses: actions/upload-artifact@v3
-        with:
-          name: awx-operator-debug-output
-          path: ${{ env.DEBUG_OUTPUT_DIR }}
 
   collection-sanity:
     name: awx_collection sanity
@@ -131,9 +119,7 @@ jobs:
     strategy:
       fail-fast: false
     steps:
-      - uses: actions/checkout@v4
-        with:
-          show-progress: false
+      - uses: actions/checkout@v3
 
       # The containers that GitHub Actions use have Ansible installed, so upgrade to make sure we have the latest version.
       - name: Upgrade ansible-core
@@ -157,9 +143,7 @@ jobs:
           - name: r-z0-9
             regex: ^[r-z0-9]
     steps:
-      - uses: actions/checkout@v4
-        with:
-          show-progress: false
+      - uses: actions/checkout@v3
 
       - uses: ./.github/actions/run_awx_devel
         id: awx
@@ -205,9 +189,7 @@ jobs:
     strategy:
       fail-fast: false
     steps:
-      - uses: actions/checkout@v4
-        with:
-          show-progress: false
+      - uses: actions/checkout@v3
 
       - name: Upgrade ansible-core
         run: python3 -m pip install --upgrade ansible-core

.github/workflows/dab-release.yml

@@ -1,57 +0,0 @@
----
-name: django-ansible-base requirements update
-on:
-  workflow_dispatch:
-  schedule:
-    - cron: '0 6 * * *' # once an day @ 6 AM
-permissions:
-  pull-requests: write
-  contents: write
-jobs:
-  dab-pin-newest:
-    if: (github.repository_owner == 'ansible' && endsWith(github.repository, 'awx')) || github.event_name != 'schedule'
-    runs-on: ubuntu-latest
-    steps:
-      - id: dab-release
-        name: Get current django-ansible-base release version
-        uses: pozetroninc/github-action-get-latest-release@2a61c339ea7ef0a336d1daa35ef0cb1418e7676c # v0.8.0
-        with:
-          owner: ansible
-          repo: django-ansible-base
-          excludes: prerelease, draft
-
-      - name: Check out respository code
-        uses: actions/checkout@v4
-
-      - id: dab-pinned
-        name: Get current django-ansible-base pinned version
-        run:
-          echo "version=$(requirements/django-ansible-base-pinned-version.sh)" >> "$GITHUB_OUTPUT"
-
-      - name: Update django-ansible-base pinned version to upstream release
-        run:
-          requirements/django-ansible-base-pinned-version.sh -s ${{ steps.dab-release.outputs.release }}
-
-      - name: Create Pull Request
-        uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6
-        with:
-          base: devel
-          branch: bump-django-ansible-base
-          title: Bump django-ansible-base to ${{ steps.dab-release.outputs.release }}
-          body: |
-            ##### SUMMARY
-            Automated .github/workflows/dab-release.yml
-
-            django-ansible-base upstream released version == ${{ steps.dab-release.outputs.release }}
-            requirements_git.txt django-ansible-base pinned version ==  ${{ steps.dab-pinned.outputs.version }}
-
-            ##### ISSUE TYPE
-            - Bug, Docs Fix or other nominal change
-
-            ##### COMPONENT NAME
-            - API
-
-          commit-message: |
-            Update django-ansible-base version to ${{ steps.dab-pinned.outputs.version }}
-          add-paths:
-            requirements/requirements_git.txt

.github/workflows/devel_images.yml

@@ -2,7 +2,6 @@
 name: Build/Push Development Images
 env:
   LC_ALL: "C.UTF-8" # prevent ERROR: Ansible could not initialize the preferred locale: unsupported locale setting
-  DOCKER_CACHE: "--no-cache" # using the cache will not rebuild git requirements and other things
 on:
   workflow_dispatch:
   push:
@@ -35,9 +34,7 @@ jobs:
           exit 0
         if: matrix.build-targets.image-name == 'awx' && !endsWith(github.repository, '/awx')
 
-      - uses: actions/checkout@v4
-        with:
-          show-progress: false
+      - uses: actions/checkout@v3
 
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
@@ -62,15 +59,17 @@ jobs:
         run: |
           echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
 
-      - name: Setup node and npm for the new UI build
+      - name: Setup node and npm
         uses: actions/setup-node@v2
         with:
-          node-version: '18'
+          node-version: '16.13.1'
         if: matrix.build-targets.image-name == 'awx'
 
-      - name: Prebuild new UI for awx image (to speed up build process)
+      - name: Prebuild UI for awx image (to speed up build process)
         run: |
-          make ui
+          sudo apt-get install gettext
+          make ui-release
+          make ui-next
         if: matrix.build-targets.image-name == 'awx'
 
       - name: Build and push AWX devel images

.github/workflows/docs.yml

@@ -8,9 +8,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 30
     steps:
-      - uses: actions/checkout@v4
-        with:
-          show-progress: false
+      - uses: actions/checkout@v3
 
       - name: install tox
         run: pip install tox

.github/workflows/e2e_test.yml

@@ -0,0 +1,75 @@
+---
+name: E2E Tests
+env:
+  LC_ALL: "C.UTF-8" # prevent ERROR: Ansible could not initialize the preferred locale: unsupported locale setting
+
+on:
+  pull_request_target:
+    types: [labeled]
+jobs:
+  e2e-test:
+    if: contains(github.event.pull_request.labels.*.name, 'qe:e2e')
+    runs-on: ubuntu-latest
+    timeout-minutes: 40
+    permissions:
+      packages: write
+      contents: read
+    strategy:
+      matrix:
+        job: [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24]
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - uses: ./.github/actions/run_awx_devel
+        id: awx
+        with:
+          build-ui: true
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Pull awx_cypress_base image
+        run: |
+          docker pull quay.io/awx/awx_cypress_base:latest
+
+      - name: Checkout test project
+        uses: actions/checkout@v3
+        with:
+          repository: ${{ github.repository_owner }}/tower-qa
+          ssh-key: ${{ secrets.QA_REPO_KEY }}
+          path: tower-qa
+          ref: devel
+
+      - name: Build cypress
+        run: |
+          cd ${{ secrets.E2E_PROJECT }}/ui-tests/awx-pf-tests
+          docker build -t awx-pf-tests .
+
+      - name: Run E2E tests
+        env:
+          CYPRESS_RECORD_KEY: ${{ secrets.CYPRESS_RECORD_KEY }}
+        run: |
+          export COMMIT_INFO_BRANCH=$GITHUB_HEAD_REF
+          export COMMIT_INFO_AUTHOR=$GITHUB_ACTOR
+          export COMMIT_INFO_SHA=$GITHUB_SHA
+          export COMMIT_INFO_REMOTE=$GITHUB_REPOSITORY_OWNER
+          cd ${{ secrets.E2E_PROJECT }}/ui-tests/awx-pf-tests
+          AWX_IP=${{ steps.awx.outputs.ip }}
+          printenv > .env
+          echo "Executing tests:"
+          docker run \
+          --network '_sources_default' \
+          --ipc=host \
+          --env-file=.env \
+          -e CYPRESS_baseUrl="https://$AWX_IP:8043" \
+          -e CYPRESS_AWX_E2E_USERNAME=admin \
+          -e CYPRESS_AWX_E2E_PASSWORD='password' \
+          -e COMMAND="npm run cypress-concurrently-gha" \
+          -v /dev/shm:/dev/shm \
+          -v $PWD:/e2e \
+          -w /e2e \
+          awx-pf-tests run --project .
+
+      - uses: ./.github/actions/upload_awx_devel_logs
+        if: always()
+        with:
+          log-filename: e2e-${{ matrix.job }}.log

.github/workflows/label_issue.yml

@@ -30,10 +30,7 @@ jobs:
     timeout-minutes: 20
     name: Label Issue - Community
     steps:
-      - uses: actions/checkout@v4
-        with:
-          show-progress: false
-
+      - uses: actions/checkout@v3
       - uses: actions/setup-python@v4
       - name: Install python requests
         run: pip install requests

.github/workflows/label_pr.yml

@@ -29,10 +29,7 @@ jobs:
     timeout-minutes: 20
     name: Label PR - Community
     steps:
-      - uses: actions/checkout@v4
-        with:
-          show-progress: false
-
+      - uses: actions/checkout@v3
       - uses: actions/setup-python@v4
       - name: Install python requests
         run: pip install requests

.github/workflows/promote.yml

@@ -7,11 +7,7 @@ env:
 on:
   release:
     types: [published]
-  workflow_dispatch:
-    inputs:
-      tag_name:
-        description: 'Name for the tag of the release.'
-        required: true
+
 permissions:
   contents: read # to fetch code (actions/checkout)
 
@@ -21,20 +17,8 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 90
     steps:
-      - name: Set GitHub Env vars for workflow_dispatch event
-        if: ${{ github.event_name == 'workflow_dispatch' }}
-        run: |
-          echo "TAG_NAME=${{ github.event.inputs.tag_name }}" >> $GITHUB_ENV
-
-      - name: Set GitHub Env vars if release event
-        if: ${{ github.event_name == 'release' }}
-        run: |
-          echo "TAG_NAME=${{ github.event.release.tag_name }}" >> $GITHUB_ENV
-
       - name: Checkout awx
-        uses: actions/checkout@v4
-        with:
-          show-progress: false
+        uses: actions/checkout@v3
 
       - name: Get python version from Makefile
         run: echo py_version=`make PYTHON_VERSION` >> $GITHUB_ENV
@@ -59,21 +43,16 @@ jobs:
       - name: Build collection and publish to galaxy
         env:
           COLLECTION_NAMESPACE: ${{ env.collection_namespace }}
-          COLLECTION_VERSION: ${{ env.TAG_NAME }}
+          COLLECTION_VERSION: ${{ github.event.release.tag_name }}
           COLLECTION_TEMPLATE_VERSION: true
         run: |
-          sudo apt-get install jq
           make build_collection
-          count=$(curl -s https://galaxy.ansible.com/api/v3/plugin/ansible/search/collection-versions/\?namespace\=${COLLECTION_NAMESPACE}\&name\=awx\&version\=${COLLECTION_VERSION} | jq .meta.count)
-          if [[ "$count" == "1" ]]; then
-              echo "Galaxy release already done";
-          elif [[ "$count" == "0" ]]; then
+          if [ "$(curl -L --head -sw '%{http_code}' https://galaxy.ansible.com/download/${{ env.collection_namespace }}-awx-${{ github.event.release.tag_name }}.tar.gz | tail -1)" == "302" ] ; then \
+              echo "Galaxy release already done"; \
+          else \
               ansible-galaxy collection publish \
                 --token=${{ secrets.GALAXY_TOKEN }} \
-                awx_collection_build/${COLLECTION_NAMESPACE}-awx-${COLLECTION_VERSION}.tar.gz;
-          else
-              echo "Unexpected count from galaxy search: $count";
-              exit 1;
+                awx_collection_build/${{ env.collection_namespace }}-awx-${{ github.event.release.tag_name }}.tar.gz; \
           fi
 
       - name: Set official pypi info
@@ -85,8 +64,6 @@ jobs:
         if: ${{ github.repository_owner != 'ansible' }}
 
       - name: Build awxkit and upload to pypi
-        env:
-          SETUPTOOLS_SCM_PRETEND_VERSION: ${{ env.TAG_NAME }}
         run: |
           git reset --hard
           cd awxkit && python3 setup.py sdist bdist_wheel
@@ -107,14 +84,14 @@ jobs:
       - name: Re-tag and promote awx image
         run: |
           docker buildx imagetools create \
-            ghcr.io/${{ github.repository }}:${{ env.TAG_NAME }} \
-            --tag quay.io/${{ github.repository }}:${{ env.TAG_NAME }}
+            ghcr.io/${{ github.repository }}:${{ github.event.release.tag_name }} \
+            --tag quay.io/${{ github.repository }}:${{ github.event.release.tag_name }}
           docker buildx imagetools create \
-            ghcr.io/${{ github.repository }}:${{ env.TAG_NAME }} \
+            ghcr.io/${{ github.repository }}:${{ github.event.release.tag_name }} \
             --tag quay.io/${{ github.repository }}:latest
 
       - name: Re-tag and promote awx-ee image
         run: |
           docker buildx imagetools create \
-            ghcr.io/${{ github.repository_owner }}/awx-ee:${{ env.TAG_NAME }} \
-            --tag quay.io/${{ github.repository_owner }}/awx-ee:${{ env.TAG_NAME }}
+            ghcr.io/${{ github.repository_owner }}/awx-ee:${{ github.event.release.tag_name }} \
+            --tag quay.io/${{ github.repository_owner }}/awx-ee:${{ github.event.release.tag_name }}

.github/workflows/stage.yml

@@ -45,27 +45,11 @@ jobs:
           exit 0
 
       - name: Checkout awx
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3
         with:
-          show-progress: false
           path: awx
 
-      - name: Checkout awx-operator
-        uses: actions/checkout@v4
-        with:
-          show-progress: false
-          repository: ${{ github.repository_owner }}/awx-operator
-          path: awx-operator
-
-      - name: Checkout awx-logos
-        uses: actions/checkout@v4
-        with:
-          show-progress: false
-          repository: ansible/awx-logos
-          path: awx-logos
-
       - name: Get python version from Makefile
-        working-directory: awx
         run: echo py_version=`make PYTHON_VERSION` >> $GITHUB_ENV
 
       - name: Install python ${{ env.py_version }}
@@ -73,73 +57,63 @@ jobs:
         with:
           python-version: ${{ env.py_version }}
 
+      - name: Checkout awx-logos
+        uses: actions/checkout@v3
+        with:
+          repository: ansible/awx-logos
+          path: awx-logos
+
+      - name: Checkout awx-operator
+        uses: actions/checkout@v3
+        with:
+          repository: ${{ github.repository_owner }}/awx-operator
+          path: awx-operator
+
       - name: Install playbook dependencies
         run: |
           python3 -m pip install docker
 
+      - name: Build and stage AWX
+        working-directory: awx
+        run: |
+          ansible-playbook -v tools/ansible/build.yml \
+            -e registry=ghcr.io \
+            -e registry_username=${{ github.actor }} \
+            -e registry_password=${{ secrets.GITHUB_TOKEN }} \
+            -e awx_image=${{ github.repository }} \
+            -e awx_version=${{ github.event.inputs.version }} \
+            -e ansible_python_interpreter=$(which python3) \
+            -e push=yes \
+            -e awx_official=yes
+
       - name: Log into registry ghcr.io
-        uses: docker/login-action@v3
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d    # v3.0.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Copy logos for inclusion in sdist for official build
-        working-directory: awx
-        run: |
-          cp ../awx-logos/awx/ui/client/assets/* awx/ui/public/static/media/
-
-      - name: Setup node and npm for new UI build
-        uses: actions/setup-node@v2
+      - name: Log into registry quay.io
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d    # v3.0.0
         with:
-          node-version: '18'
-
-      - name: Prebuild new UI for awx image (to speed up build process)
-        working-directory: awx
-        run: make ui
-
-      - name: Set build env variables
-        run: |
-          echo "DEV_DOCKER_TAG_BASE=ghcr.io/${OWNER,,}" >> $GITHUB_ENV
-          echo "COMPOSE_TAG=${{ github.event.inputs.version }}" >> $GITHUB_ENV
-          echo "VERSION=${{ github.event.inputs.version }}" >> $GITHUB_ENV
-          echo "AWX_TEST_VERSION=${{ github.event.inputs.version }}" >> $GITHUB_ENV
-          echo "AWX_TEST_IMAGE=ghcr.io/${OWNER,,}/awx" >> $GITHUB_ENV
-          echo "AWX_EE_TEST_IMAGE=ghcr.io/${OWNER,,}/awx-ee:${{ github.event.inputs.version }}" >> $GITHUB_ENV
-          echo "AWX_OPERATOR_TEST_IMAGE=ghcr.io/${OWNER,,}/awx-operator:${{ github.event.inputs.operator_version }}" >> $GITHUB_ENV
-        env:
-          OWNER: ${{ github.repository_owner }}
-
-      - name: Build and stage AWX
-        working-directory: awx
-        env:
-          DOCKER_BUILDX_PUSH: true
-          HEADLESS: false
-          PLATFORMS: linux/amd64,linux/arm64
-        run: |
-          make awx-kube-buildx
+          registry: quay.io
+          username: ${{ secrets.QUAY_USER }}
+          password: ${{ secrets.QUAY_TOKEN }}
 
       - name: tag awx-ee:latest with version input
         run: |
           docker buildx imagetools create \
             quay.io/ansible/awx-ee:latest \
-            --tag ${AWX_EE_TEST_IMAGE}
+            --tag ghcr.io/${{ github.repository_owner }}/awx-ee:${{ github.event.inputs.version }}
 
       - name: Stage awx-operator image
         working-directory: awx-operator
         run: |
           BUILD_ARGS="--build-arg DEFAULT_AWX_VERSION=${{ github.event.inputs.version}} \
               --build-arg OPERATOR_VERSION=${{ github.event.inputs.operator_version }}" \
-          IMG=${AWX_OPERATOR_TEST_IMAGE} \
+          IMG=ghcr.io/${{ github.repository_owner }}/awx-operator:${{ github.event.inputs.operator_version }} \
           make docker-buildx
 
-      - name: Pulling images for test deployment with awx-operator
-        # awx operator molecue test expect to kind load image and buildx exports image to registry and not local
-        run: |
-          docker pull -q ${AWX_OPERATOR_TEST_IMAGE}
-          docker pull -q ${AWX_EE_TEST_IMAGE}
-          docker pull -q ${AWX_TEST_IMAGE}:${AWX_TEST_VERSION}
-
       - name: Run test deployment with awx-operator
         working-directory: awx-operator
         run: |
@@ -148,6 +122,10 @@ jobs:
           sudo rm -f $(which kustomize)
           make kustomize
           KUSTOMIZE_PATH=$(readlink -f bin/kustomize) molecule test -s kind
+        env:
+          AWX_TEST_IMAGE: ${{ github.repository }}
+          AWX_TEST_VERSION: ${{ github.event.inputs.version }}
+          AWX_EE_TEST_IMAGE: ghcr.io/${{ github.repository_owner }}/awx-ee:${{ github.event.inputs.version }}
 
       - name: Create draft release for AWX
         working-directory: awx

.github/workflows/update_dependabot_prs.yml

@@ -13,9 +13,7 @@ jobs:
 
     steps:
       - name: Checkout branch
-        uses: actions/checkout@v4
-        with:
-          show-progress: false
+        uses: actions/checkout@v3
 
       - name: Update PR Body
         env:

.github/workflows/upload_schema.yml

@@ -18,9 +18,7 @@ jobs:
       packages: write
       contents: read
     steps:
-      - uses: actions/checkout@v4
-        with:
-          show-progress: false
+      - uses: actions/checkout@v3
 
       - name: Get python version from Makefile
         run: echo py_version=`make PYTHON_VERSION` >> $GITHUB_ENV
@@ -36,7 +34,7 @@ jobs:
 
       - name: Pre-pull image to warm build cache
         run: |
-          docker pull -q ghcr.io/${{ github.repository_owner }}/awx_devel:${GITHUB_REF##*/} || :
+          docker pull ghcr.io/${{ github.repository_owner }}/awx_devel:${GITHUB_REF##*/} || :
 
       - name: Build image
         run: |

.gitignore

@@ -20,10 +20,23 @@ awx/projects
 awx/job_output
 awx/public/media
 awx/public/static
+awx/ui/tests/test-results.xml
+awx/ui/client/src/local_settings.json
 awx/main/fixtures
 awx/*.log
 tower/tower_warnings.log
 celerybeat-schedule
+awx/ui/static
+awx/ui/build_test
+awx/ui/client/languages
+awx/ui/templates/ui/index.html
+awx/ui/templates/ui/installing.html
+awx/ui/node_modules/
+awx/ui/src/locales/*/messages.js
+awx/ui/coverage/
+awx/ui/build
+awx/ui/.env.local
+awx/ui/instrumented
 rsyslog.pid
 tools/docker-compose/ansible/awx_dump.sql
 tools/docker-compose/Dockerfile
@@ -66,6 +79,11 @@ __pycache__
 /tmp
 **/npm-debug.log*
 
+# UI build flag files
+awx/ui/.deps_built
+awx/ui/.release_built
+awx/ui/.release_deps_built
+
 # Testing
 .cache
 .coverage
@@ -143,14 +161,15 @@ use_dev_supervisor.txt
 .idea/*
 *.unison.tmp
 *.#
+/awx/ui/.ui-built
 /_build/
 /_build_kube_dev/
 /Dockerfile
 /Dockerfile.dev
 /Dockerfile.kube-dev
 
-awx/ui/src
-awx/ui/build
+awx/ui_next/src
+awx/ui_next/build
 
 # Docs build stuff
 docs/docsite/build/

.yamllint

@@ -5,12 +5,12 @@ ignore: |
   awx/main/tests/data/inventory/plugins/**
   # vault files
   awx/main/tests/data/ansible_utils/playbooks/valid/vault.yml
+  awx/ui/test/e2e/tests/smoke-vars.yml
+  awx/ui/node_modules
   tools/docker-compose/_sources
   # django template files
   awx/api/templates/instance_install_bundle/**
   .readthedocs.yaml
-  tools/loki
-  tools/otel
 
 extends: default
 

CONTRIBUTING.md

@@ -67,7 +67,7 @@ If you're not using Docker for Mac, or Docker for Windows, you may need, or choo
 
 #### Frontend Development
 
-See [the ansible-ui development documentation](https://github.com/ansible/ansible-ui/blob/main/CONTRIBUTING.md).
+See [the ui development documentation](awx/ui/CONTRIBUTING.md).
 
 #### Fork and clone the AWX repo
 
@@ -121,18 +121,18 @@ If it has someone assigned to it then that person is the person responsible for
 
 **NOTES**
 
-> Issue assignment will only be done for maintainers of the project. If you decide to work on an issue, please feel free to add a comment in the issue to let others know that you are working on it; but know that we will accept the first pull request from whomever is able to fix an issue. Once your PR is accepted we can add you as an assignee to an issue upon request.
+> Issue assignment will only be done for maintainers of the project. If you decide to work on an issue, please feel free to add a comment in the issue to let others know that you are working on it; but know that we will accept the first pull request from whomever is able to fix an issue. Once your PR is accepted we can add you as an assignee to an issue upon request. 
 
 
 > If you work in a part of the codebase that is going through active development, your changes may be rejected, or you may be asked to `rebase`. A good idea before starting work is to have a discussion with us in the `#ansible-awx` channel on irc.libera.chat, or on the [mailing list](https://groups.google.com/forum/#!forum/awx-project).
 
-> If you're planning to develop features or fixes for the UI, please review the [UI Developer doc](https://github.com/ansible/ansible-ui/blob/main/CONTRIBUTING.md).
+> If you're planning to develop features or fixes for the UI, please review the [UI Developer doc](./awx/ui/README.md).
 
 ### Translations
 
 At this time we do not accept PRs for adding additional language translations as we have an automated process for generating our translations. This is because translations require constant care as new strings are added and changed in the code base. Because of this the .po files are overwritten during every translation release cycle. We also can't support a lot of translations on AWX as its an open source project and each language adds time and cost to maintain. If you would like to see AWX translated into a new language please create an issue and ask others you know to upvote the issue. Our translation team will review the needs of the community and see what they can do around supporting additional language.
 
-If you find an issue with an existing translation, please see the [Reporting Issues](#reporting-issues) section to open an issue and our translation team will work with you on a resolution.
+If you find an issue with an existing translation, please see the [Reporting Issues](#reporting-issues) section to open an issue and our translation team will work with you on a resolution. 
 
 
 ## Submitting Pull Requests
@@ -143,8 +143,10 @@ Here are a few things you can do to help the visibility of your change, and incr
 
 - No issues when running linters/code checkers
   - Python: black: `(container)/awx_devel$ make black`
+  - Javascript: `(container)/awx_devel$ make ui-lint`
 - No issues from unit tests
   - Python: py.test: `(container)/awx_devel$ make test`
+  - JavaScript: `(container)/awx_devel$ make ui-test`
 - Write tests for new functionality, update/add tests for bug fixes
 - Make the smallest change possible
 - Write good commit messages. See [How to write a Git commit message](https://chris.beams.io/posts/git-commit/).
@@ -159,7 +161,7 @@ Sometimes it might take us a while to fully review your PR. We try to keep the `
 When your PR is initially submitted the checks will not be run until a maintainer allows them to be. Once a maintainer has done a quick review of your work the PR will have the linter and unit tests run against them via GitHub Actions, and the status reported in the PR.
 
 ## Reporting Issues
-
+ 
 We welcome your feedback, and encourage you to file an issue when you run into a problem. But before opening a new issues, we ask that you please view our [Issues guide](./ISSUES.md).
 
 ## Getting Help

ISSUES.md

@@ -80,7 +80,7 @@ If any of those items are missing your pull request will still get the `needs_tr
 Currently you can expect awxbot to add common labels such as `state:needs_triage`, `type:bug`, `component:docs`, etc...
 These labels are determined by the template data. Please use the template and fill it out as accurately as possible.
 
-The `state:needs_triage` label will remain on your pull request until a person has looked at it.
+The `state:needs_triage` label will will remain on your pull request until a person has looked at it.
 
 You can also expect the bot to CC maintainers of specific areas of the code, this will notify them that there is a pull request by placing a comment on the pull request.
 The comment will look something like `CC @matburt @wwitzel3 ...`.

MANIFEST.in

@@ -4,7 +4,9 @@ recursive-include awx *.mo
 recursive-include awx/static *
 recursive-include awx/templates *.html
 recursive-include awx/api/templates *.md *.html *.yml
+recursive-include awx/ui/build *.html
 recursive-include awx/ui/build *
+recursive-include awx/ui_next/build *
 recursive-include awx/playbooks *.yml
 recursive-include awx/lib/site-packages *
 recursive-include awx/plugins *.ps1
@@ -15,6 +17,7 @@ recursive-include licenses *
 recursive-exclude awx devonly.py*
 recursive-exclude awx/api/tests *
 recursive-exclude awx/main/tests *
+recursive-exclude awx/ui/client *
 recursive-exclude awx/settings local_settings.py*
 include tools/scripts/request_tower_configuration.sh
 include tools/scripts/request_tower_configuration.ps1

Makefile

@@ -1,8 +1,8 @@
--include awx/ui/Makefile
+-include awx/ui_next/Makefile
 
 PYTHON := $(notdir $(shell for i in python3.11 python3; do command -v $$i; done|sed 1q))
 SHELL := bash
-DOCKER_COMPOSE ?= docker compose
+DOCKER_COMPOSE ?= docker-compose
 OFFICIAL ?= no
 NODE ?= node
 NPM_BIN ?= npm
@@ -47,14 +47,8 @@ VAULT ?= false
 VAULT_TLS ?= false
 # If set to true docker-compose will also start a tacacs+ instance
 TACACS ?= false
-# If set to true docker-compose will also start an OpenTelemetry Collector instance
-OTEL ?= false
-# If set to true docker-compose will also start a Loki instance
-LOKI ?= false
 # If set to true docker-compose will install editable dependencies
 EDITABLE_DEPENDENCIES ?= false
-# If set to true, use tls for postgres connection
-PG_TLS ?= false
 
 VENV_BASE ?= /var/lib/awx/venv
 
@@ -63,11 +57,6 @@ DEV_DOCKER_OWNER ?= ansible
 DEV_DOCKER_OWNER_LOWER = $(shell echo $(DEV_DOCKER_OWNER) | tr A-Z a-z)
 DEV_DOCKER_TAG_BASE ?= ghcr.io/$(DEV_DOCKER_OWNER_LOWER)
 DEVEL_IMAGE_NAME ?= $(DEV_DOCKER_TAG_BASE)/awx_devel:$(COMPOSE_TAG)
-IMAGE_KUBE_DEV=$(DEV_DOCKER_TAG_BASE)/awx_kube_devel:$(COMPOSE_TAG)
-IMAGE_KUBE=$(DEV_DOCKER_TAG_BASE)/awx:$(COMPOSE_TAG)
-
-# Common command to use for running ansible-playbook
-ANSIBLE_PLAYBOOK ?= ansible-playbook -e ansible_python_interpreter=$(PYTHON)
 
 RECEPTOR_IMAGE ?= quay.io/ansible/receptor:devel
 
@@ -76,7 +65,7 @@ RECEPTOR_IMAGE ?= quay.io/ansible/receptor:devel
 SRC_ONLY_PKGS ?= cffi,pycparser,psycopg,twilio
 # These should be upgraded in the AWX and Ansible venv before attempting
 # to install the actual requirements
-VENV_BOOTSTRAP ?= pip==21.2.4 setuptools==69.0.2 setuptools_scm[toml]==8.0.4 wheel==0.42.0 cython==0.29.37
+VENV_BOOTSTRAP ?= pip==21.2.4 setuptools==69.0.2 setuptools_scm[toml]==8.0.4 wheel==0.42.0
 
 NAME ?= awx
 
@@ -91,22 +80,11 @@ I18N_FLAG_FILE = .i18n_built
 ## PLATFORMS defines the target platforms for  the manager image be build to provide support to multiple
 PLATFORMS ?= linux/amd64,linux/arm64  # linux/ppc64le,linux/s390x
 
-# Set up cache variables for image builds, allowing to control whether cache is used or not, ex:
-# DOCKER_CACHE=--no-cache make docker-compose-build
-ifeq ($(DOCKER_CACHE),)
- DOCKER_DEVEL_CACHE_FLAG=--cache-from=$(DEVEL_IMAGE_NAME)
- DOCKER_KUBE_DEV_CACHE_FLAG=--cache-from=$(IMAGE_KUBE_DEV)
- DOCKER_KUBE_CACHE_FLAG=--cache-from=$(IMAGE_KUBE)
-else
- DOCKER_DEVEL_CACHE_FLAG=$(DOCKER_CACHE)
- DOCKER_KUBE_DEV_CACHE_FLAG=$(DOCKER_CACHE)
- DOCKER_KUBE_CACHE_FLAG=$(DOCKER_CACHE)
-endif
-
 .PHONY: awx-link clean clean-tmp clean-venv requirements requirements_dev \
 	develop refresh adduser migrate dbchange \
 	receiver test test_unit test_coverage coverage_html \
 	sdist \
+	ui-release ui-devel \
 	VERSION PYTHON_VERSION docker-compose-sources \
 	.git/hooks/pre-commit
 
@@ -129,7 +107,7 @@ clean-languages:
 	find ./awx/locale/ -type f -regex '.*\.mo$$' -delete
 
 ## Remove temporary build files, compiled Python files.
-clean: clean-api clean-awxkit clean-dist
+clean: clean-ui clean-api clean-awxkit clean-dist
 	rm -rf awx/public
 	rm -rf awx/lib/site-packages
 	rm -rf awx/job_status
@@ -384,7 +362,7 @@ symlink_collection:
 	ln -s $(shell pwd)/awx_collection $(COLLECTION_INSTALL)
 
 awx_collection_build: $(shell find awx_collection -type f)
-	$(ANSIBLE_PLAYBOOK) -i localhost, awx_collection/tools/template_galaxy.yml \
+	ansible-playbook -i localhost, awx_collection/tools/template_galaxy.yml \
 	  -e collection_package=$(COLLECTION_PACKAGE) \
 	  -e collection_namespace=$(COLLECTION_NAMESPACE) \
 	  -e collection_version=$(COLLECTION_VERSION) \
@@ -438,7 +416,76 @@ bulk_data:
 	fi; \
 	$(PYTHON) tools/data_generators/rbac_dummy_data_generator.py --preset=$(DATA_GEN_PRESET)
 
+
+# UI TASKS
+# --------------------------------------
+
+UI_BUILD_FLAG_FILE = awx/ui/.ui-built
+
+clean-ui:
+	rm -rf node_modules
+	rm -rf awx/ui/node_modules
+	rm -rf awx/ui/build
+	rm -rf awx/ui/src/locales/_build
+	rm -rf $(UI_BUILD_FLAG_FILE)
+        # the collectstatic command doesn't like it if this dir doesn't exist.
+	mkdir -p awx/ui/build/static
+
+awx/ui/node_modules:
+	NODE_OPTIONS=--max-old-space-size=6144 $(NPM_BIN) --prefix awx/ui --loglevel warn --force ci
+
+$(UI_BUILD_FLAG_FILE):
+	$(MAKE) awx/ui/node_modules
+	$(PYTHON) tools/scripts/compilemessages.py
+	$(NPM_BIN) --prefix awx/ui --loglevel warn run compile-strings
+	$(NPM_BIN) --prefix awx/ui --loglevel warn run build
+	touch $@
+
+ui-release: $(UI_BUILD_FLAG_FILE)
+
+ui-devel: awx/ui/node_modules
+	@$(MAKE) -B $(UI_BUILD_FLAG_FILE)
+	@if [ -d "/var/lib/awx" ] ; then \
+		mkdir -p /var/lib/awx/public/static/css; \
+		mkdir -p /var/lib/awx/public/static/js; \
+		mkdir -p /var/lib/awx/public/static/media; \
+		cp -r awx/ui/build/static/css/* /var/lib/awx/public/static/css; \
+		cp -r awx/ui/build/static/js/* /var/lib/awx/public/static/js; \
+		cp -r awx/ui/build/static/media/* /var/lib/awx/public/static/media; \
+	fi
+
+ui-devel-instrumented: awx/ui/node_modules
+	$(NPM_BIN) --prefix awx/ui --loglevel warn run start-instrumented
+
+ui-devel-test: awx/ui/node_modules
+	$(NPM_BIN) --prefix awx/ui --loglevel warn run start
+
+ui-lint:
+	$(NPM_BIN) --prefix awx/ui install
+	$(NPM_BIN) run --prefix awx/ui lint
+	$(NPM_BIN) run --prefix awx/ui prettier-check
+
+ui-test:
+	$(NPM_BIN) --prefix awx/ui install
+	$(NPM_BIN) run --prefix awx/ui test
+
+ui-test-screens:
+	$(NPM_BIN) --prefix awx/ui install
+	$(NPM_BIN) run --prefix awx/ui pretest
+	$(NPM_BIN) run --prefix awx/ui test-screens --runInBand
+
+ui-test-general:
+	$(NPM_BIN) --prefix awx/ui install
+	$(NPM_BIN) run --prefix awx/ui pretest
+	$(NPM_BIN) run --prefix awx/ui/ test-general --runInBand
+
+# NOTE: The make target ui-next is imported from awx/ui_next/Makefile
+HEADLESS ?= no
+ifeq ($(HEADLESS), yes)
 dist/$(SDIST_TAR_FILE):
+else
+dist/$(SDIST_TAR_FILE): $(UI_BUILD_FLAG_FILE) ui-next
+endif
 	$(PYTHON) -m build -s
 	ln -sf $(SDIST_TAR_FILE) dist/awx.tar.gz
 
@@ -469,10 +516,10 @@ endif
 
 docker-compose-sources: .git/hooks/pre-commit
 	@if [ $(MINIKUBE_CONTAINER_GROUP) = true ]; then\
-	    $(ANSIBLE_PLAYBOOK) -i tools/docker-compose/inventory -e minikube_setup=$(MINIKUBE_SETUP) tools/docker-compose-minikube/deploy.yml; \
+	    ansible-playbook -i tools/docker-compose/inventory -e minikube_setup=$(MINIKUBE_SETUP) tools/docker-compose-minikube/deploy.yml; \
 	fi;
 
-	$(ANSIBLE_PLAYBOOK) -i tools/docker-compose/inventory tools/docker-compose/ansible/sources.yml \
+	ansible-playbook -i tools/docker-compose/inventory tools/docker-compose/ansible/sources.yml \
 	    -e awx_image=$(DEV_DOCKER_TAG_BASE)/awx_devel \
 	    -e awx_image_tag=$(COMPOSE_TAG) \
 	    -e receptor_image=$(RECEPTOR_IMAGE) \
@@ -488,15 +535,12 @@ docker-compose-sources: .git/hooks/pre-commit
 	    -e enable_vault=$(VAULT) \
 	    -e vault_tls=$(VAULT_TLS) \
 	    -e enable_tacacs=$(TACACS) \
-	    -e enable_otel=$(OTEL) \
-	    -e enable_loki=$(LOKI) \
 	    -e install_editable_dependencies=$(EDITABLE_DEPENDENCIES) \
-	    -e pg_tls=$(PG_TLS) \
 	    $(EXTRA_SOURCES_ANSIBLE_OPTS)
 
 docker-compose: awx/projects docker-compose-sources
 	ansible-galaxy install --ignore-certs -r tools/docker-compose/ansible/requirements.yml;
-	$(ANSIBLE_PLAYBOOK) -i tools/docker-compose/inventory tools/docker-compose/ansible/initialize_containers.yml \
+	ansible-playbook -i tools/docker-compose/inventory tools/docker-compose/ansible/initialize_containers.yml \
 	    -e enable_vault=$(VAULT) \
 	    -e vault_tls=$(VAULT_TLS) \
 	    -e enable_ldap=$(LDAP); \
@@ -539,7 +583,7 @@ docker-compose-container-group-clean:
 .PHONY: Dockerfile.dev
 ## Generate Dockerfile.dev for awx_devel image
 Dockerfile.dev: tools/ansible/roles/dockerfile/templates/Dockerfile.j2
-	$(ANSIBLE_PLAYBOOK) tools/ansible/dockerfile.yml \
+	ansible-playbook tools/ansible/dockerfile.yml \
 		-e dockerfile_name=Dockerfile.dev \
 		-e build_dev=True \
 		-e receptor_image=$(RECEPTOR_IMAGE)
@@ -550,7 +594,8 @@ docker-compose-build: Dockerfile.dev
 		-f Dockerfile.dev \
 		-t $(DEVEL_IMAGE_NAME) \
 		--build-arg BUILDKIT_INLINE_CACHE=1 \
-		$(DOCKER_DEVEL_CACHE_FLAG) .
+		--cache-from=$(DEV_DOCKER_TAG_BASE)/awx_devel:$(COMPOSE_TAG) .
+
 
 .PHONY: docker-compose-buildx
 ## Build awx_devel image for docker compose development environment for multiple architectures
@@ -560,7 +605,7 @@ docker-compose-buildx: Dockerfile.dev
 	- docker buildx build \
 		--push \
 		--build-arg BUILDKIT_INLINE_CACHE=1 \
-		$(DOCKER_DEVEL_CACHE_FLAG) \
+		--cache-from=$(DEV_DOCKER_TAG_BASE)/awx_devel:$(COMPOSE_TAG) \
 		--platform=$(PLATFORMS) \
 		--tag $(DEVEL_IMAGE_NAME) \
 		-f Dockerfile.dev .
@@ -571,7 +616,7 @@ docker-clean:
 	-$(foreach image_id,$(shell docker images --filter=reference='*/*/*awx_devel*' --filter=reference='*/*awx_devel*' --filter=reference='*awx_devel*' -aq),docker rmi --force $(image_id);)
 
 docker-clean-volumes: docker-compose-clean docker-compose-container-group-clean
-	docker volume rm -f tools_var_lib_awx tools_awx_db tools_awx_db_15 tools_vault_1 tools_ldap_1 tools_grafana_storage tools_prometheus_storage $(shell docker volume ls --filter name=tools_redis_socket_ -q)
+	docker volume rm -f tools_var_lib_awx tools_awx_db tools_vault_1 tools_ldap_1 tools_grafana_storage tools_prometheus_storage $(docker volume ls --filter name=tools_redis_socket_ -q)
 
 docker-refresh: docker-clean docker-compose
 
@@ -613,7 +658,7 @@ version-for-buildyml:
 .PHONY: Dockerfile
 ## Generate Dockerfile for awx image
 Dockerfile: tools/ansible/roles/dockerfile/templates/Dockerfile.j2
-	$(ANSIBLE_PLAYBOOK) tools/ansible/dockerfile.yml \
+	ansible-playbook tools/ansible/dockerfile.yml \
 		-e receptor_image=$(RECEPTOR_IMAGE) \
 		-e headless=$(HEADLESS)
 
@@ -623,8 +668,7 @@ awx-kube-build: Dockerfile
 		--build-arg VERSION=$(VERSION) \
 		--build-arg SETUPTOOLS_SCM_PRETEND_VERSION=$(VERSION) \
 		--build-arg HEADLESS=$(HEADLESS) \
-		$(DOCKER_KUBE_CACHE_FLAG) \
-		-t $(IMAGE_KUBE) .
+		-t $(DEV_DOCKER_TAG_BASE)/awx:$(COMPOSE_TAG) .
 
 ## Build multi-arch awx image for deployment on Kubernetes environment.
 awx-kube-buildx: Dockerfile
@@ -636,8 +680,7 @@ awx-kube-buildx: Dockerfile
 		--build-arg SETUPTOOLS_SCM_PRETEND_VERSION=$(VERSION) \
 		--build-arg HEADLESS=$(HEADLESS) \
 		--platform=$(PLATFORMS) \
-		$(DOCKER_KUBE_CACHE_FLAG) \
-		--tag $(IMAGE_KUBE) \
+		--tag $(DEV_DOCKER_TAG_BASE)/awx:$(COMPOSE_TAG) \
 		-f Dockerfile .
 	- docker buildx rm awx-kube-buildx
 
@@ -645,7 +688,7 @@ awx-kube-buildx: Dockerfile
 .PHONY: Dockerfile.kube-dev
 ## Generate Docker.kube-dev for awx_kube_devel image
 Dockerfile.kube-dev: tools/ansible/roles/dockerfile/templates/Dockerfile.j2
-	$(ANSIBLE_PLAYBOOK) tools/ansible/dockerfile.yml \
+	ansible-playbook tools/ansible/dockerfile.yml \
 	    -e dockerfile_name=Dockerfile.kube-dev \
 	    -e kube_dev=True \
 	    -e template_dest=_build_kube_dev \
@@ -655,8 +698,8 @@ Dockerfile.kube-dev: tools/ansible/roles/dockerfile/templates/Dockerfile.j2
 awx-kube-dev-build: Dockerfile.kube-dev
 	DOCKER_BUILDKIT=1 docker build -f Dockerfile.kube-dev \
 	    --build-arg BUILDKIT_INLINE_CACHE=1 \
-	     $(DOCKER_KUBE_DEV_CACHE_FLAG) \
-	    -t $(IMAGE_KUBE_DEV) .
+	    --cache-from=$(DEV_DOCKER_TAG_BASE)/awx_kube_devel:$(COMPOSE_TAG) \
+	    -t $(DEV_DOCKER_TAG_BASE)/awx_kube_devel:$(COMPOSE_TAG) .
 
 ## Build and push multi-arch awx_kube_devel image for development on local Kubernetes environment.
 awx-kube-dev-buildx: Dockerfile.kube-dev
@@ -665,18 +708,28 @@ awx-kube-dev-buildx: Dockerfile.kube-dev
 	- docker buildx build \
 		--push \
 		--build-arg BUILDKIT_INLINE_CACHE=1 \
-		$(DOCKER_KUBE_DEV_CACHE_FLAG) \
+		--cache-from=$(DEV_DOCKER_TAG_BASE)/awx_kube_devel:$(COMPOSE_TAG) \
 		--platform=$(PLATFORMS) \
-		--tag $(IMAGE_KUBE_DEV) \
+		--tag $(DEV_DOCKER_TAG_BASE)/awx_kube_devel:$(COMPOSE_TAG) \
 		-f Dockerfile.kube-dev .
 	- docker buildx rm awx-kube-dev-buildx
 
 kind-dev-load: awx-kube-dev-build
-	$(KIND_BIN) load docker-image $(IMAGE_KUBE_DEV)
+	$(KIND_BIN) load docker-image $(DEV_DOCKER_TAG_BASE)/awx_kube_devel:$(COMPOSE_TAG)
 
 # Translation TASKS
 # --------------------------------------
 
+## generate UI .pot file, an empty template of strings yet to be translated
+pot: $(UI_BUILD_FLAG_FILE)
+	$(NPM_BIN) --prefix awx/ui --loglevel warn run extract-template --clean
+	$(NPM_BIN) --prefix awx/ui_next --loglevel warn run extract-template --clean
+
+## generate UI .po files for each locale (will update translated strings for `en`)
+po: $(UI_BUILD_FLAG_FILE)
+	$(NPM_BIN) --prefix awx/ui --loglevel warn run extract-strings -- --clean
+	$(NPM_BIN) --prefix awx/ui_next --loglevel warn run extract-strings -- --clean
+
 ## generate API django .pot .po
 messages:
 	@if [ "$(VENV_BASE)" ]; then \
@@ -723,6 +776,6 @@ help/generate:
 	{ lastLine = $$0 }' $(MAKEFILE_LIST) | sort -u
 	@printf "\n"
 
-## Display help for ui targets
-help/ui:
-	@$(MAKE) -s help MAKEFILE_LIST="awx/ui/Makefile"
+## Display help for ui-next targets
+help/ui-next:
+	@$(MAKE) -s help MAKEFILE_LIST="awx/ui_next/Makefile"

awx/api/generics.py

@@ -30,21 +30,14 @@ from rest_framework.permissions import IsAuthenticated
 from rest_framework.renderers import StaticHTMLRenderer
 from rest_framework.negotiation import DefaultContentNegotiation
 
-# django-ansible-base
 from ansible_base.rest_filters.rest_framework.field_lookup_backend import FieldLookupBackend
 from ansible_base.lib.utils.models import get_all_field_names
-from ansible_base.lib.utils.requests import get_remote_host
-from ansible_base.rbac.models import RoleEvaluation, RoleDefinition
-from ansible_base.rbac.permission_registry import permission_registry
-from ansible_base.jwt_consumer.common.util import validate_x_trusted_proxy_header
 
 # AWX
 from awx.main.models import UnifiedJob, UnifiedJobTemplate, User, Role, Credential, WorkflowJobTemplateNode, WorkflowApprovalTemplate
-from awx.main.models.rbac import give_creator_permissions
 from awx.main.access import optimize_queryset
 from awx.main.utils import camelcase_to_underscore, get_search_fields, getattrd, get_object_or_400, decrypt_field, get_awx_version
 from awx.main.utils.licensing import server_product_name
-from awx.main.utils.proxy import is_proxy_in_headers, delete_headers_starting_with_http
 from awx.main.views import ApiErrorView
 from awx.api.serializers import ResourceAccessListElementSerializer, CopySerializer
 from awx.api.versioning import URLPathVersioning
@@ -96,26 +89,20 @@ class LoggedLoginView(auth_views.LoginView):
 
     def post(self, request, *args, **kwargs):
         ret = super(LoggedLoginView, self).post(request, *args, **kwargs)
-        ip = get_remote_host(request)  # request.META.get('REMOTE_ADDR', None)
         if request.user.is_authenticated:
-            logger.info(smart_str(u"User {} logged in from {}".format(self.request.user.username, ip)))
-            ret.set_cookie(
-                'userLoggedIn', 'true', secure=getattr(settings, 'SESSION_COOKIE_SECURE', False), samesite=getattr(settings, 'USER_COOKIE_SAMESITE', 'Lax')
-            )
+            logger.info(smart_str(u"User {} logged in from {}".format(self.request.user.username, request.META.get('REMOTE_ADDR', None))))
+            ret.set_cookie('userLoggedIn', 'true', secure=getattr(settings, 'SESSION_COOKIE_SECURE', False))
             ret.setdefault('X-API-Session-Cookie-Name', getattr(settings, 'SESSION_COOKIE_NAME', 'awx_sessionid'))
 
             return ret
         else:
             if 'username' in self.request.POST:
-                logger.warning(smart_str(u"Login failed for user {} from {}".format(self.request.POST.get('username'), ip)))
+                logger.warning(smart_str(u"Login failed for user {} from {}".format(self.request.POST.get('username'), request.META.get('REMOTE_ADDR', None))))
             ret.status_code = 401
             return ret
 
 
 class LoggedLogoutView(auth_views.LogoutView):
-
-    success_url_allowed_hosts = set(settings.LOGOUT_ALLOWED_HOSTS.split(",")) if settings.LOGOUT_ALLOWED_HOSTS else set()
-
     def dispatch(self, request, *args, **kwargs):
         original_user = getattr(request, 'user', None)
         ret = super(LoggedLogoutView, self).dispatch(request, *args, **kwargs)
@@ -155,23 +142,22 @@ class APIView(views.APIView):
         Store the Django REST Framework Request object as an attribute on the
         normal Django request, store time the request started.
         """
-        remote_headers = ['REMOTE_ADDR', 'REMOTE_HOST']
-
         self.time_started = time.time()
         if getattr(settings, 'SQL_DEBUG', False):
             self.queries_before = len(connection.queries)
 
-        if 'HTTP_X_TRUSTED_PROXY' in request.environ:
-            if validate_x_trusted_proxy_header(request.environ['HTTP_X_TRUSTED_PROXY']):
-                remote_headers = settings.REMOTE_HOST_HEADERS
-            else:
-                logger.warning("Request appeared to be a trusted upstream proxy but failed to provide a matching shared secret.")
-
         # If there are any custom headers in REMOTE_HOST_HEADERS, make sure
         # they respect the allowed proxy list
-        if settings.PROXY_IP_ALLOWED_LIST:
-            if not is_proxy_in_headers(self.request, settings.PROXY_IP_ALLOWED_LIST, remote_headers):
-                delete_headers_starting_with_http(request, settings.REMOTE_HOST_HEADERS)
+        if all(
+            [
+                settings.PROXY_IP_ALLOWED_LIST,
+                request.environ.get('REMOTE_ADDR') not in settings.PROXY_IP_ALLOWED_LIST,
+                request.environ.get('REMOTE_HOST') not in settings.PROXY_IP_ALLOWED_LIST,
+            ]
+        ):
+            for custom_header in settings.REMOTE_HOST_HEADERS:
+                if custom_header.startswith('HTTP_'):
+                    request.environ.pop(custom_header, None)
 
         drf_request = super(APIView, self).initialize_request(request, *args, **kwargs)
         request.drf_request = drf_request
@@ -216,21 +202,17 @@ class APIView(views.APIView):
             return response
 
         if response.status_code >= 400:
-            ip = get_remote_host(request)  # request.META.get('REMOTE_ADDR', None)
             msg_data = {
                 'status_code': response.status_code,
                 'user_name': request.user,
                 'url_path': request.path,
-                'remote_addr': ip,
+                'remote_addr': request.META.get('REMOTE_ADDR', None),
             }
 
             if type(response.data) is dict:
                 msg_data['error'] = response.data.get('error', response.status_text)
             elif type(response.data) is list:
-                if len(response.data) > 0 and isinstance(response.data[0], str):
-                    msg_data['error'] = str(response.data[0])
-                else:
-                    msg_data['error'] = ", ".join(list(map(lambda x: x.get('error', response.status_text), response.data)))
+                msg_data['error'] = ", ".join(list(map(lambda x: x.get('error', response.status_text), response.data)))
             else:
                 msg_data['error'] = response.status_text
 
@@ -490,11 +472,7 @@ class ListAPIView(generics.ListAPIView, GenericAPIView):
 
 class ListCreateAPIView(ListAPIView, generics.ListCreateAPIView):
     # Base class for a list view that allows creating new objects.
-    def perform_create(self, serializer):
-        super().perform_create(serializer)
-        if serializer.Meta.model in permission_registry.all_registered_models:
-            if self.request and self.request.user:
-                give_creator_permissions(self.request.user, serializer.instance)
+    pass
 
 
 class ParentMixin(object):
@@ -814,7 +792,6 @@ class RetrieveUpdateDestroyAPIView(RetrieveUpdateAPIView, DestroyAPIView):
 
 
 class ResourceAccessList(ParentMixin, ListAPIView):
-    deprecated = True
     serializer_class = ResourceAccessListElementSerializer
     ordering = ('username',)
 
@@ -822,15 +799,6 @@ class ResourceAccessList(ParentMixin, ListAPIView):
         obj = self.get_parent_object()
 
         content_type = ContentType.objects.get_for_model(obj)
-
-        if settings.ANSIBLE_BASE_ROLE_SYSTEM_ACTIVATED:
-            ancestors = set(RoleEvaluation.objects.filter(content_type_id=content_type.id, object_id=obj.id).values_list('role_id', flat=True))
-            qs = User.objects.filter(has_roles__in=ancestors) | User.objects.filter(is_superuser=True)
-            auditor_role = RoleDefinition.objects.filter(name="System Auditor").first()
-            if auditor_role:
-                qs |= User.objects.filter(role_assignments__role_definition=auditor_role)
-            return qs.distinct()
-
         roles = set(Role.objects.filter(content_type=content_type, object_id=obj.id))
 
         ancestors = set()
@@ -990,7 +958,7 @@ class CopyAPIView(GenericAPIView):
             None, None, self.model, obj, request.user, create_kwargs=create_kwargs, copy_name=serializer.validated_data.get('name', '')
         )
         if hasattr(new_obj, 'admin_role') and request.user not in new_obj.admin_role.members.all():
-            give_creator_permissions(request.user, new_obj)
+            new_obj.admin_role.members.add(request.user)
         if sub_objs:
             permission_check_func = None
             if hasattr(type(self), 'deep_copy_permission_check_func'):

awx/api/metadata.py

@@ -103,7 +103,7 @@ class Metadata(metadata.SimpleMetadata):
             default = field.get_default()
             if type(default) is UUID:
                 default = 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
-            if field.field_name == 'TOWER_URL_BASE' and default == 'https://platformhost':
+            if field.field_name == 'TOWER_URL_BASE' and default == 'https://towerhost':
                 default = '{}://{}'.format(self.request.scheme, self.request.get_host())
             field_info['default'] = default
         except serializers.SkipField:

awx/api/serializers.py

@@ -43,14 +43,11 @@ from rest_framework.utils.serializer_helpers import ReturnList
 # Django-Polymorphic
 from polymorphic.models import PolymorphicModel
 
-# django-ansible-base
 from ansible_base.lib.utils.models import get_type_for_model
-from ansible_base.rbac.models import RoleEvaluation, ObjectRole
-from ansible_base.rbac import permission_registry
 
 # AWX
 from awx.main.access import get_user_capabilities
-from awx.main.constants import ACTIVE_STATES, CENSOR_VALUE, org_role_to_permission
+from awx.main.constants import ACTIVE_STATES, CENSOR_VALUE
 from awx.main.models import (
     ActivityStream,
     AdHocCommand,
@@ -105,7 +102,7 @@ from awx.main.models import (
     CLOUD_INVENTORY_SOURCES,
 )
 from awx.main.models.base import VERBOSITY_CHOICES, NEW_JOB_TYPE_CHOICES
-from awx.main.models.rbac import role_summary_fields_generator, give_creator_permissions, get_role_codenames, to_permissions, get_role_from_object_role
+from awx.main.models.rbac import role_summary_fields_generator, RoleAncestorEntry
 from awx.main.fields import ImplicitRoleField
 from awx.main.utils import (
     get_model_for_type,
@@ -1038,9 +1035,7 @@ class UserSerializer(BaseSerializer):
             # as the modified user then inject a session key derived from
             # the updated user to prevent logout. This is the logic used by
             # the Django admin's own user_change_password view.
-            if self.instance and self.context['request'].user.username == obj.username:
-                update_session_auth_hash(self.context['request'], obj)
-
+            update_session_auth_hash(self.context['request'], obj)
         elif not obj.password:
             obj.set_unusable_password()
             obj.save(update_fields=['password'])
@@ -2768,26 +2763,13 @@ class ResourceAccessListElementSerializer(UserSerializer):
         team_content_type = ContentType.objects.get_for_model(Team)
         content_type = ContentType.objects.get_for_model(obj)
 
-        reversed_org_map = {}
-        for k, v in org_role_to_permission.items():
-            reversed_org_map[v] = k
-        reversed_role_map = {}
-        for k, v in to_permissions.items():
-            reversed_role_map[v] = k
-
-        def get_roles_from_perms(perm_list):
-            """given a list of permission codenames return a list of role names"""
-            role_names = set()
-            for codename in perm_list:
-                action = codename.split('_', 1)[0]
-                if action in reversed_role_map:
-                    role_names.add(reversed_role_map[action])
-                elif codename in reversed_org_map:
-                    if isinstance(obj, Organization):
-                        role_names.add(reversed_org_map[codename])
-                        if 'view_organization' not in role_names:
-                            role_names.add('read_role')
-            return list(role_names)
+        def get_roles_on_resource(parent_role):
+            "Returns a string list of the roles a parent_role has for current obj."
+            return list(
+                RoleAncestorEntry.objects.filter(ancestor=parent_role, content_type_id=content_type.id, object_id=obj.id)
+                .values_list('role_field', flat=True)
+                .distinct()
+            )
 
         def format_role_perm(role):
             role_dict = {'id': role.id, 'name': role.name, 'description': role.description}
@@ -2804,21 +2786,13 @@ class ResourceAccessListElementSerializer(UserSerializer):
             else:
                 # Singleton roles should not be managed from this view, as per copy/edit rework spec
                 role_dict['user_capabilities'] = {'unattach': False}
-
-            model_name = content_type.model
-            if isinstance(obj, Organization):
-                descendant_perms = [codename for codename in get_role_codenames(role) if codename.endswith(model_name) or codename.startswith('add_')]
-            else:
-                descendant_perms = [codename for codename in get_role_codenames(role) if codename.endswith(model_name)]
-
-            return {'role': role_dict, 'descendant_roles': get_roles_from_perms(descendant_perms)}
+            return {'role': role_dict, 'descendant_roles': get_roles_on_resource(role)}
 
         def format_team_role_perm(naive_team_role, permissive_role_ids):
             ret = []
-            team = naive_team_role.content_object
             team_role = naive_team_role
             if naive_team_role.role_field == 'admin_role':
-                team_role = team.member_role
+                team_role = naive_team_role.content_object.member_role
             for role in team_role.children.filter(id__in=permissive_role_ids).all():
                 role_dict = {
                     'id': role.id,
@@ -2838,87 +2812,10 @@ class ResourceAccessListElementSerializer(UserSerializer):
                 else:
                     # Singleton roles should not be managed from this view, as per copy/edit rework spec
                     role_dict['user_capabilities'] = {'unattach': False}
-
-                descendant_perms = list(
-                    RoleEvaluation.objects.filter(role__in=team.has_roles.all(), object_id=obj.id, content_type_id=content_type.id)
-                    .values_list('codename', flat=True)
-                    .distinct()
-                )
-
-                ret.append({'role': role_dict, 'descendant_roles': get_roles_from_perms(descendant_perms)})
-            return ret
-
-        gfk_kwargs = dict(content_type_id=content_type.id, object_id=obj.id)
-        direct_permissive_role_ids = Role.objects.filter(**gfk_kwargs).values_list('id', flat=True)
-
-        if settings.ANSIBLE_BASE_ROLE_SYSTEM_ACTIVATED:
-            ret['summary_fields']['direct_access'] = []
-            ret['summary_fields']['indirect_access'] = []
-
-            new_roles_seen = set()
-            all_team_roles = set()
-            all_permissive_role_ids = set()
-            for evaluation in RoleEvaluation.objects.filter(role__in=user.has_roles.all(), **gfk_kwargs).prefetch_related('role'):
-                new_role = evaluation.role
-                if new_role.id in new_roles_seen:
-                    continue
-                new_roles_seen.add(new_role.id)
-                old_role = get_role_from_object_role(new_role)
-                all_permissive_role_ids.add(old_role.id)
-
-                if int(new_role.object_id) == obj.id and new_role.content_type_id == content_type.id:
-                    ret['summary_fields']['direct_access'].append(format_role_perm(old_role))
-                elif new_role.content_type_id == team_content_type.id:
-                    all_team_roles.add(old_role)
-                else:
-                    ret['summary_fields']['indirect_access'].append(format_role_perm(old_role))
-
-            # Lazy role creation gives us a big problem, where some intermediate roles are not easy to find
-            # like when a team has indirect permission, so here we get all roles the users teams have
-            # these contribute to all potential permission-granting roles of the object
-            user_teams_qs = permission_registry.team_model.objects.filter(member_roles__in=ObjectRole.objects.filter(users=user))
-            team_obj_roles = ObjectRole.objects.filter(teams__in=user_teams_qs)
-            for evaluation in RoleEvaluation.objects.filter(role__in=team_obj_roles, **gfk_kwargs).prefetch_related('role'):
-                new_role = evaluation.role
-                if new_role.id in new_roles_seen:
-                    continue
-                new_roles_seen.add(new_role.id)
-                old_role = get_role_from_object_role(new_role)
-                all_permissive_role_ids.add(old_role.id)
-
-            # In DAB RBAC, superuser is strictly a user flag, and global roles are not in the RoleEvaluation table
-            if user.is_superuser:
-                ret['summary_fields'].setdefault('indirect_access', [])
-                all_role_names = [field.name for field in obj._meta.get_fields() if isinstance(field, ImplicitRoleField)]
-                ret['summary_fields']['indirect_access'].append(
-                    {
-                        "role": {
-                            "id": None,
-                            "name": _("System Administrator"),
-                            "description": _("Can manage all aspects of the system"),
-                            "user_capabilities": {"unattach": False},
-                        },
-                        "descendant_roles": all_role_names,
-                    }
-                )
-            elif user.is_system_auditor:
-                ret['summary_fields'].setdefault('indirect_access', [])
-                ret['summary_fields']['indirect_access'].append(
-                    {
-                        "role": {
-                            "id": None,
-                            "name": _("System Auditor"),
-                            "description": _("Can view all aspects of the system"),
-                            "user_capabilities": {"unattach": False},
-                        },
-                        "descendant_roles": ["read_role"],
-                    }
-                )
-
-            ret['summary_fields']['direct_access'].extend([y for x in (format_team_role_perm(r, all_permissive_role_ids) for r in all_team_roles) for y in x])
-
+                ret.append({'role': role_dict, 'descendant_roles': get_roles_on_resource(team_role)})
             return ret
 
+        direct_permissive_role_ids = Role.objects.filter(content_type=content_type, object_id=obj.id).values_list('id', flat=True)
         all_permissive_role_ids = Role.objects.filter(content_type=content_type, object_id=obj.id).values_list('ancestors__id', flat=True)
 
         direct_access_roles = user.roles.filter(id__in=direct_permissive_role_ids).all()
@@ -3187,7 +3084,7 @@ class CredentialSerializerCreate(CredentialSerializer):
         credential = super(CredentialSerializerCreate, self).create(validated_data)
 
         if user:
-            give_creator_permissions(user, credential)
+            credential.admin_role.members.add(user)
         if team:
             if not credential.organization or team.organization.id != credential.organization.id:
                 raise serializers.ValidationError({"detail": _("Credential organization must be set and match before assigning to a team")})
@@ -5383,7 +5280,7 @@ class NotificationSerializer(BaseSerializer):
         )
 
     def get_body(self, obj):
-        if obj.notification_type in ('webhook', 'pagerduty', 'awssns'):
+        if obj.notification_type in ('webhook', 'pagerduty'):
             if isinstance(obj.body, dict):
                 if 'body' in obj.body:
                     return obj.body['body']
@@ -5405,9 +5302,9 @@ class NotificationSerializer(BaseSerializer):
     def to_representation(self, obj):
         ret = super(NotificationSerializer, self).to_representation(obj)
 
-        if obj.notification_type in ('webhook', 'awssns'):
+        if obj.notification_type == 'webhook':
             ret.pop('subject')
-        if obj.notification_type not in ('email', 'webhook', 'pagerduty', 'awssns'):
+        if obj.notification_type not in ('email', 'webhook', 'pagerduty'):
             ret.pop('body')
         return ret
 

awx/api/templates/instance_install_bundle/install_receptor.yml

@@ -2,12 +2,6 @@
 - hosts: all
   become: yes
   tasks:
-    - name: Create the receptor group
-      group:
-{% verbatim %}
-        name: "{{ receptor_group }}"
-{% endverbatim %}
-        state: present
     - name: Create the receptor user
       user:
 {% verbatim %}

awx/api/versioning.py

@@ -2,21 +2,32 @@
 # All Rights Reserved.
 
 from django.conf import settings
+from django.urls import NoReverseMatch
 
-from rest_framework.reverse import reverse as drf_reverse
+from rest_framework.reverse import _reverse
 from rest_framework.versioning import URLPathVersioning as BaseVersioning
 
 
-def is_optional_api_urlpattern_prefix_request(request):
+def drf_reverse(viewname, args=None, kwargs=None, request=None, format=None, **extra):
+    """
+    Copy and monkey-patch `rest_framework.reverse.reverse` to prevent adding unwarranted
+    query string parameters.
+    """
+    scheme = getattr(request, 'versioning_scheme', None)
+    if scheme is not None:
+        try:
+            url = scheme.reverse(viewname, args, kwargs, request, format, **extra)
+        except NoReverseMatch:
+            # In case the versioning scheme reversal fails, fallback to the
+            # default implementation
+            url = _reverse(viewname, args, kwargs, request, format, **extra)
+    else:
+        url = _reverse(viewname, args, kwargs, request, format, **extra)
+
     if settings.OPTIONAL_API_URLPATTERN_PREFIX and request:
         if request.path.startswith(f"/api/{settings.OPTIONAL_API_URLPATTERN_PREFIX}"):
-            return True
-    return False
+            url = url.replace('/api', f"/api/{settings.OPTIONAL_API_URLPATTERN_PREFIX}")
 
-
-def transform_optional_api_urlpattern_prefix_url(request, url):
-    if is_optional_api_urlpattern_prefix_request(request):
-        url = url.replace('/api', f"/api/{settings.OPTIONAL_API_URLPATTERN_PREFIX}")
     return url
 
 

awx/api/views/__init__.py

@@ -33,6 +33,7 @@ from django.http import HttpResponse, HttpResponseRedirect
 from django.contrib.contenttypes.models import ContentType
 from django.utils.translation import gettext_lazy as _
 
+
 # Django REST Framework
 from rest_framework.exceptions import APIException, PermissionDenied, ParseError, NotFound
 from rest_framework.parsers import FormParser
@@ -47,8 +48,8 @@ from rest_framework import status
 from rest_framework_yaml.parsers import YAMLParser
 from rest_framework_yaml.renderers import YAMLRenderer
 
-# ansi2html
-from ansi2html import Ansi2HTMLConverter
+# ANSIConv
+import ansiconv
 
 # Python Social Auth
 from social_core.backends.utils import load_backends
@@ -59,11 +60,6 @@ from oauth2_provider.models import get_access_token_model
 import pytz
 from wsgiref.util import FileWrapper
 
-# django-ansible-base
-from ansible_base.lib.utils.requests import get_remote_hosts
-from ansible_base.rbac.models import RoleEvaluation, ObjectRole
-from ansible_base.resource_registry.shared_types import OrganizationType, TeamType, UserType
-
 # AWX
 from awx.main.tasks.system import send_notifications, update_inventory_computed_fields
 from awx.main.access import get_user_queryset
@@ -91,7 +87,6 @@ from awx.api.generics import (
 from awx.api.views.labels import LabelSubListCreateAttachDetachView
 from awx.api.versioning import reverse
 from awx.main import models
-from awx.main.models.rbac import get_role_definition
 from awx.main.utils import (
     camelcase_to_underscore,
     extract_ansible_vars,
@@ -541,7 +536,6 @@ class InstanceGroupAccessList(ResourceAccessList):
 
 
 class InstanceGroupObjectRolesList(SubListAPIView):
-    deprecated = True
     model = models.Role
     serializer_class = serializers.RoleSerializer
     parent_model = models.InstanceGroup
@@ -711,81 +705,16 @@ class AuthView(APIView):
         return Response(data)
 
 
-def immutablesharedfields(cls):
-    '''
-    Class decorator to prevent modifying shared resources when ALLOW_LOCAL_RESOURCE_MANAGEMENT setting is set to False.
-
-    Works by overriding these view methods:
-    - create
-    - delete
-    - perform_update
-    create and delete are overridden to raise a PermissionDenied exception.
-    perform_update is overridden to check if any shared fields are being modified,
-    and raise a PermissionDenied exception if so.
-    '''
-    # create instead of perform_create because some of our views
-    # override create instead of perform_create
-    if hasattr(cls, 'create'):
-        cls.original_create = cls.create
-
-        @functools.wraps(cls.create)
-        def create_wrapper(*args, **kwargs):
-            if settings.ALLOW_LOCAL_RESOURCE_MANAGEMENT:
-                return cls.original_create(*args, **kwargs)
-            raise PermissionDenied({'detail': _('Creation of this resource is not allowed. Create this resource via the platform ingress.')})
-
-        cls.create = create_wrapper
-
-    if hasattr(cls, 'delete'):
-        cls.original_delete = cls.delete
-
-        @functools.wraps(cls.delete)
-        def delete_wrapper(*args, **kwargs):
-            if settings.ALLOW_LOCAL_RESOURCE_MANAGEMENT:
-                return cls.original_delete(*args, **kwargs)
-            raise PermissionDenied({'detail': _('Deletion of this resource is not allowed. Delete this resource via the platform ingress.')})
-
-        cls.delete = delete_wrapper
-
-    if hasattr(cls, 'perform_update'):
-        cls.original_perform_update = cls.perform_update
-
-        @functools.wraps(cls.perform_update)
-        def update_wrapper(*args, **kwargs):
-            if not settings.ALLOW_LOCAL_RESOURCE_MANAGEMENT:
-                view, serializer = args
-                instance = view.get_object()
-                if instance:
-                    if isinstance(instance, models.Organization):
-                        shared_fields = OrganizationType._declared_fields.keys()
-                    elif isinstance(instance, models.User):
-                        shared_fields = UserType._declared_fields.keys()
-                    elif isinstance(instance, models.Team):
-                        shared_fields = TeamType._declared_fields.keys()
-                    attrs = serializer.validated_data
-                    for field in shared_fields:
-                        if field in attrs and getattr(instance, field) != attrs[field]:
-                            raise PermissionDenied({field: _(f"Cannot change shared field '{field}'. Alter this field via the platform ingress.")})
-            return cls.original_perform_update(*args, **kwargs)
-
-        cls.perform_update = update_wrapper
-
-    return cls
-
-
-@immutablesharedfields
 class TeamList(ListCreateAPIView):
     model = models.Team
     serializer_class = serializers.TeamSerializer
 
 
-@immutablesharedfields
 class TeamDetail(RetrieveUpdateDestroyAPIView):
     model = models.Team
     serializer_class = serializers.TeamSerializer
 
 
-@immutablesharedfields
 class TeamUsersList(BaseUsersList):
     model = models.User
     serializer_class = serializers.UserSerializer
@@ -795,7 +724,6 @@ class TeamUsersList(BaseUsersList):
 
 
 class TeamRolesList(SubListAttachDetachAPIView):
-    deprecated = True
     model = models.Role
     serializer_class = serializers.RoleSerializerWithParentAccess
     metadata_class = RoleMetadata
@@ -835,12 +763,10 @@ class TeamRolesList(SubListAttachDetachAPIView):
 
 
 class TeamObjectRolesList(SubListAPIView):
-    deprecated = True
     model = models.Role
     serializer_class = serializers.RoleSerializer
     parent_model = models.Team
     search_fields = ('role_field', 'content_type__model')
-    deprecated = True
 
     def get_queryset(self):
         po = self.get_parent_object()
@@ -858,15 +784,8 @@ class TeamProjectsList(SubListAPIView):
         self.check_parent_access(team)
         model_ct = ContentType.objects.get_for_model(self.model)
         parent_ct = ContentType.objects.get_for_model(self.parent_model)
-
-        rd = get_role_definition(team.member_role)
-        role = ObjectRole.objects.filter(object_id=team.id, content_type=parent_ct, role_definition=rd).first()
-        if role is None:
-            # Team has no permissions, therefore team has no projects
-            return self.model.objects.none()
-        else:
-            project_qs = self.model.accessible_objects(self.request.user, 'read_role')
-            return project_qs.filter(id__in=RoleEvaluation.objects.filter(content_type_id=model_ct.id, role=role).values_list('object_id'))
+        proj_roles = models.Role.objects.filter(Q(ancestors__content_type=parent_ct) & Q(ancestors__object_id=team.pk), content_type=model_ct)
+        return self.model.accessible_objects(self.request.user, 'read_role').filter(pk__in=[t.content_object.pk for t in proj_roles])
 
 
 class TeamActivityStreamList(SubListAPIView):
@@ -881,23 +800,10 @@ class TeamActivityStreamList(SubListAPIView):
         self.check_parent_access(parent)
 
         qs = self.request.user.get_queryset(self.model)
-
         return qs.filter(
             Q(team=parent)
-            | Q(
-                project__in=RoleEvaluation.objects.filter(
-                    role__in=parent.has_roles.all(), content_type_id=ContentType.objects.get_for_model(models.Project).id, codename='view_project'
-                )
-                .values_list('object_id')
-                .distinct()
-            )
-            | Q(
-                credential__in=RoleEvaluation.objects.filter(
-                    role__in=parent.has_roles.all(), content_type_id=ContentType.objects.get_for_model(models.Credential).id, codename='view_credential'
-                )
-                .values_list('object_id')
-                .distinct()
-            )
+            | Q(project__in=models.Project.accessible_objects(parent.member_role, 'read_role'))
+            | Q(credential__in=models.Credential.accessible_objects(parent.member_role, 'read_role'))
         )
 
 
@@ -1149,12 +1055,10 @@ class ProjectAccessList(ResourceAccessList):
 
 
 class ProjectObjectRolesList(SubListAPIView):
-    deprecated = True
     model = models.Role
     serializer_class = serializers.RoleSerializer
     parent_model = models.Project
     search_fields = ('role_field', 'content_type__model')
-    deprecated = True
 
     def get_queryset(self):
         po = self.get_parent_object()
@@ -1167,7 +1071,6 @@ class ProjectCopy(CopyAPIView):
     copy_return_serializer_class = serializers.ProjectSerializer
 
 
-@immutablesharedfields
 class UserList(ListCreateAPIView):
     model = models.User
     serializer_class = serializers.UserSerializer
@@ -1313,7 +1216,6 @@ class UserTeamsList(SubListAPIView):
 
 
 class UserRolesList(SubListAttachDetachAPIView):
-    deprecated = True
     model = models.Role
     serializer_class = serializers.RoleSerializerWithParentAccess
     metadata_class = RoleMetadata
@@ -1338,16 +1240,7 @@ class UserRolesList(SubListAttachDetachAPIView):
         user = get_object_or_400(models.User, pk=self.kwargs['pk'])
         role = get_object_or_400(models.Role, pk=sub_id)
 
-        content_types = ContentType.objects.get_for_models(models.Organization, models.Team, models.Credential)  # dict of {model: content_type}
-        # Prevent user to be associated with team/org when ALLOW_LOCAL_RESOURCE_MANAGEMENT is False
-        if not settings.ALLOW_LOCAL_RESOURCE_MANAGEMENT:
-            for model in [models.Organization, models.Team]:
-                ct = content_types[model]
-                if role.content_type == ct and role.role_field in ['member_role', 'admin_role']:
-                    data = dict(msg=_(f"Cannot directly modify user membership to {ct.model}. Direct shared resource management disabled"))
-                    return Response(data, status=status.HTTP_403_FORBIDDEN)
-
-        credential_content_type = content_types[models.Credential]
+        credential_content_type = ContentType.objects.get_for_model(models.Credential)
         if role.content_type == credential_content_type:
             if 'disassociate' not in request.data and role.content_object.organization and user not in role.content_object.organization.member_role:
                 data = dict(msg=_("You cannot grant credential access to a user not in the credentials' organization"))
@@ -1419,7 +1312,6 @@ class UserActivityStreamList(SubListAPIView):
         return qs.filter(Q(actor=parent) | Q(user__in=[parent]))
 
 
-@immutablesharedfields
 class UserDetail(RetrieveUpdateDestroyAPIView):
     model = models.User
     serializer_class = serializers.UserSerializer
@@ -1598,12 +1490,10 @@ class CredentialAccessList(ResourceAccessList):
 
 
 class CredentialObjectRolesList(SubListAPIView):
-    deprecated = True
     model = models.Role
     serializer_class = serializers.RoleSerializer
     parent_model = models.Credential
     search_fields = ('role_field', 'content_type__model')
-    deprecated = True
 
     def get_queryset(self):
         po = self.get_parent_object()
@@ -2390,16 +2280,12 @@ class JobTemplateList(ListCreateAPIView):
     serializer_class = serializers.JobTemplateSerializer
     always_allow_superuser = False
 
-    def check_permissions(self, request):
-        if request.method == 'POST':
-            if request.user.is_anonymous:
-                self.permission_denied(request)
-            else:
-                can_access, messages = request.user.can_access_with_errors(self.model, 'add', request.data)
-                if not can_access:
-                    self.permission_denied(request, message=messages)
-
-        super(JobTemplateList, self).check_permissions(request)
+    def post(self, request, *args, **kwargs):
+        ret = super(JobTemplateList, self).post(request, *args, **kwargs)
+        if ret.status_code == 201:
+            job_template = models.JobTemplate.objects.get(id=ret.data['id'])
+            job_template.admin_role.members.add(request.user)
+        return ret
 
 
 class JobTemplateDetail(RelatedJobsPreventDeleteMixin, RetrieveUpdateDestroyAPIView):
@@ -2780,7 +2666,12 @@ class JobTemplateCallback(GenericAPIView):
         host for the current request.
         """
         # Find the list of remote host names/IPs to check.
-        remote_hosts = set(get_remote_hosts(self.request))
+        remote_hosts = set()
+        for header in settings.REMOTE_HOST_HEADERS:
+            for value in self.request.META.get(header, '').split(','):
+                value = value.strip()
+                if value:
+                    remote_hosts.add(value)
         # Add the reverse lookup of IP addresses.
         for rh in list(remote_hosts):
             try:
@@ -2941,12 +2832,10 @@ class JobTemplateAccessList(ResourceAccessList):
 
 
 class JobTemplateObjectRolesList(SubListAPIView):
-    deprecated = True
     model = models.Role
     serializer_class = serializers.RoleSerializer
     parent_model = models.JobTemplate
     search_fields = ('role_field', 'content_type__model')
-    deprecated = True
 
     def get_queryset(self):
         po = self.get_parent_object()
@@ -3120,17 +3009,6 @@ class WorkflowJobTemplateList(ListCreateAPIView):
     serializer_class = serializers.WorkflowJobTemplateSerializer
     always_allow_superuser = False
 
-    def check_permissions(self, request):
-        if request.method == 'POST':
-            if request.user.is_anonymous:
-                self.permission_denied(request)
-            else:
-                can_access, messages = request.user.can_access_with_errors(self.model, 'add', request.data)
-                if not can_access:
-                    self.permission_denied(request, message=messages)
-
-        super(WorkflowJobTemplateList, self).check_permissions(request)
-
 
 class WorkflowJobTemplateDetail(RelatedJobsPreventDeleteMixin, RetrieveUpdateDestroyAPIView):
     model = models.WorkflowJobTemplate
@@ -3340,12 +3218,10 @@ class WorkflowJobTemplateAccessList(ResourceAccessList):
 
 
 class WorkflowJobTemplateObjectRolesList(SubListAPIView):
-    deprecated = True
     model = models.Role
     serializer_class = serializers.RoleSerializer
     parent_model = models.WorkflowJobTemplate
     search_fields = ('role_field', 'content_type__model')
-    deprecated = True
 
     def get_queryset(self):
         po = self.get_parent_object()
@@ -4209,8 +4085,7 @@ class UnifiedJobStdout(RetrieveAPIView):
                 # Remove any ANSI escape sequences containing job event data.
                 content = re.sub(r'\x1b\[K(?:[A-Za-z0-9+/=]+\x1b\[\d+D)+\x1b\[K', '', content)
 
-                conv = Ansi2HTMLConverter()
-                body = conv.convert(html.escape(content))
+                body = ansiconv.to_html(html.escape(content))
 
                 context = {'title': get_view_name(self.__class__), 'body': mark_safe(body), 'dark': dark_bg, 'content_only': content_only}
                 data = render_to_string('api/stdout.html', context).strip()
@@ -4355,7 +4230,6 @@ class ActivityStreamDetail(RetrieveAPIView):
 
 
 class RoleList(ListAPIView):
-    deprecated = True
     model = models.Role
     serializer_class = serializers.RoleSerializer
     permission_classes = (IsAuthenticated,)
@@ -4363,13 +4237,11 @@ class RoleList(ListAPIView):
 
 
 class RoleDetail(RetrieveAPIView):
-    deprecated = True
     model = models.Role
     serializer_class = serializers.RoleSerializer
 
 
 class RoleUsersList(SubListAttachDetachAPIView):
-    deprecated = True
     model = models.User
     serializer_class = serializers.UserSerializer
     parent_model = models.Role
@@ -4390,15 +4262,7 @@ class RoleUsersList(SubListAttachDetachAPIView):
         user = get_object_or_400(models.User, pk=sub_id)
         role = self.get_parent_object()
 
-        content_types = ContentType.objects.get_for_models(models.Organization, models.Team, models.Credential)  # dict of {model: content_type}
-        if not settings.ALLOW_LOCAL_RESOURCE_MANAGEMENT:
-            for model in [models.Organization, models.Team]:
-                ct = content_types[model]
-                if role.content_type == ct and role.role_field in ['member_role', 'admin_role']:
-                    data = dict(msg=_(f"Cannot directly modify user membership to {ct.model}. Direct shared resource management disabled"))
-                    return Response(data, status=status.HTTP_403_FORBIDDEN)
-
-        credential_content_type = content_types[models.Credential]
+        credential_content_type = ContentType.objects.get_for_model(models.Credential)
         if role.content_type == credential_content_type:
             if 'disassociate' not in request.data and role.content_object.organization and user not in role.content_object.organization.member_role:
                 data = dict(msg=_("You cannot grant credential access to a user not in the credentials' organization"))
@@ -4412,7 +4276,6 @@ class RoleUsersList(SubListAttachDetachAPIView):
 
 
 class RoleTeamsList(SubListAttachDetachAPIView):
-    deprecated = True
     model = models.Team
     serializer_class = serializers.TeamSerializer
     parent_model = models.Role
@@ -4457,12 +4320,10 @@ class RoleTeamsList(SubListAttachDetachAPIView):
             team.member_role.children.remove(role)
         else:
             team.member_role.children.add(role)
-
         return Response(status=status.HTTP_204_NO_CONTENT)
 
 
 class RoleParentsList(SubListAPIView):
-    deprecated = True
     model = models.Role
     serializer_class = serializers.RoleSerializer
     parent_model = models.Role
@@ -4476,7 +4337,6 @@ class RoleParentsList(SubListAPIView):
 
 
 class RoleChildrenList(SubListAPIView):
-    deprecated = True
     model = models.Role
     serializer_class = serializers.RoleSerializer
     parent_model = models.Role

awx/api/views/analytics.py

@@ -48,23 +48,23 @@ class AnalyticsRootView(APIView):
 
     def get(self, request, format=None):
         data = OrderedDict()
-        data['authorized'] = reverse('api:analytics_authorized', request=request)
-        data['reports'] = reverse('api:analytics_reports_list', request=request)
-        data['report_options'] = reverse('api:analytics_report_options_list', request=request)
-        data['adoption_rate'] = reverse('api:analytics_adoption_rate', request=request)
-        data['adoption_rate_options'] = reverse('api:analytics_adoption_rate_options', request=request)
-        data['event_explorer'] = reverse('api:analytics_event_explorer', request=request)
-        data['event_explorer_options'] = reverse('api:analytics_event_explorer_options', request=request)
-        data['host_explorer'] = reverse('api:analytics_host_explorer', request=request)
-        data['host_explorer_options'] = reverse('api:analytics_host_explorer_options', request=request)
-        data['job_explorer'] = reverse('api:analytics_job_explorer', request=request)
-        data['job_explorer_options'] = reverse('api:analytics_job_explorer_options', request=request)
-        data['probe_templates'] = reverse('api:analytics_probe_templates_explorer', request=request)
-        data['probe_templates_options'] = reverse('api:analytics_probe_templates_options', request=request)
-        data['probe_template_for_hosts'] = reverse('api:analytics_probe_template_for_hosts_explorer', request=request)
-        data['probe_template_for_hosts_options'] = reverse('api:analytics_probe_template_for_hosts_options', request=request)
-        data['roi_templates'] = reverse('api:analytics_roi_templates_explorer', request=request)
-        data['roi_templates_options'] = reverse('api:analytics_roi_templates_options', request=request)
+        data['authorized'] = reverse('api:analytics_authorized')
+        data['reports'] = reverse('api:analytics_reports_list')
+        data['report_options'] = reverse('api:analytics_report_options_list')
+        data['adoption_rate'] = reverse('api:analytics_adoption_rate')
+        data['adoption_rate_options'] = reverse('api:analytics_adoption_rate_options')
+        data['event_explorer'] = reverse('api:analytics_event_explorer')
+        data['event_explorer_options'] = reverse('api:analytics_event_explorer_options')
+        data['host_explorer'] = reverse('api:analytics_host_explorer')
+        data['host_explorer_options'] = reverse('api:analytics_host_explorer_options')
+        data['job_explorer'] = reverse('api:analytics_job_explorer')
+        data['job_explorer_options'] = reverse('api:analytics_job_explorer_options')
+        data['probe_templates'] = reverse('api:analytics_probe_templates_explorer')
+        data['probe_templates_options'] = reverse('api:analytics_probe_templates_options')
+        data['probe_template_for_hosts'] = reverse('api:analytics_probe_template_for_hosts_explorer')
+        data['probe_template_for_hosts_options'] = reverse('api:analytics_probe_template_for_hosts_options')
+        data['roi_templates'] = reverse('api:analytics_roi_templates_explorer')
+        data['roi_templates_options'] = reverse('api:analytics_roi_templates_options')
         return Response(data)
 
 

awx/api/views/inventory.py

@@ -152,7 +152,6 @@ class InventoryObjectRolesList(SubListAPIView):
     serializer_class = RoleSerializer
     parent_model = Inventory
     search_fields = ('role_field', 'content_type__model')
-    deprecated = True
 
     def get_queryset(self):
         po = self.get_parent_object()

awx/api/views/organization.py

@@ -53,18 +53,15 @@ from awx.api.serializers import (
     CredentialSerializer,
 )
 from awx.api.views.mixin import RelatedJobsPreventDeleteMixin, OrganizationCountsMixin
-from awx.api.views import immutablesharedfields
 
 logger = logging.getLogger('awx.api.views.organization')
 
 
-@immutablesharedfields
 class OrganizationList(OrganizationCountsMixin, ListCreateAPIView):
     model = Organization
     serializer_class = OrganizationSerializer
 
 
-@immutablesharedfields
 class OrganizationDetail(RelatedJobsPreventDeleteMixin, RetrieveUpdateDestroyAPIView):
     model = Organization
     serializer_class = OrganizationSerializer
@@ -107,7 +104,6 @@ class OrganizationInventoriesList(SubListAPIView):
     relationship = 'inventories'
 
 
-@immutablesharedfields
 class OrganizationUsersList(BaseUsersList):
     model = User
     serializer_class = UserSerializer
@@ -116,7 +112,6 @@ class OrganizationUsersList(BaseUsersList):
     ordering = ('username',)
 
 
-@immutablesharedfields
 class OrganizationAdminsList(BaseUsersList):
     model = User
     serializer_class = UserSerializer
@@ -155,7 +150,6 @@ class OrganizationWorkflowJobTemplatesList(SubListCreateAPIView):
     parent_key = 'organization'
 
 
-@immutablesharedfields
 class OrganizationTeamsList(SubListCreateAttachDetachAPIView):
     model = Team
     serializer_class = TeamSerializer
@@ -232,7 +226,6 @@ class OrganizationObjectRolesList(SubListAPIView):
     serializer_class = RoleSerializer
     parent_model = Organization
     search_fields = ('role_field', 'content_type__model')
-    deprecated = True
 
     def get_queryset(self):
         po = self.get_parent_object()

awx/api/views/root.py

@@ -28,7 +28,7 @@ from awx.main.analytics import all_collectors
 from awx.main.ha import is_ha_environment
 from awx.main.utils import get_awx_version, get_custom_venv_choices
 from awx.main.utils.licensing import validate_entitlement_manifest
-from awx.api.versioning import URLPathVersioning, is_optional_api_urlpattern_prefix_request, reverse, drf_reverse
+from awx.api.versioning import reverse, drf_reverse
 from awx.main.constants import PRIVILEGE_ESCALATION_METHODS
 from awx.main.models import Project, Organization, Instance, InstanceGroup, JobTemplate
 from awx.main.utils import set_environ
@@ -40,19 +40,19 @@ logger = logging.getLogger('awx.api.views.root')
 class ApiRootView(APIView):
     permission_classes = (AllowAny,)
     name = _('REST API')
-    versioning_class = URLPathVersioning
+    versioning_class = None
     swagger_topic = 'Versioning'
 
     @method_decorator(ensure_csrf_cookie)
     def get(self, request, format=None):
         '''List supported API versions'''
-        v2 = reverse('api:api_v2_root_view', request=request, kwargs={'version': 'v2'})
+
+        v2 = reverse('api:api_v2_root_view', kwargs={'version': 'v2'})
         data = OrderedDict()
         data['description'] = _('AWX REST API')
         data['current_version'] = v2
         data['available_versions'] = dict(v2=v2)
-        if not is_optional_api_urlpattern_prefix_request(request):
-            data['oauth2'] = drf_reverse('api:oauth_authorization_root_view')
+        data['oauth2'] = drf_reverse('api:oauth_authorization_root_view')
         data['custom_logo'] = settings.CUSTOM_LOGO
         data['custom_login_info'] = settings.CUSTOM_LOGIN_INFO
         data['login_redirect_override'] = settings.LOGIN_REDIRECT_OVERRIDE
@@ -132,9 +132,6 @@ class ApiVersionRootView(APIView):
         data['bulk'] = reverse('api:bulk', request=request)
         data['analytics'] = reverse('api:analytics_root_view', request=request)
         data['service_index'] = django_reverse('service-index-root')
-        data['role_definitions'] = django_reverse('roledefinition-list')
-        data['role_user_assignments'] = django_reverse('roleuserassignment-list')
-        data['role_team_assignments'] = django_reverse('roleteamassignment-list')
         return Response(data)
 
 
@@ -285,6 +282,9 @@ class ApiV2ConfigView(APIView):
 
         pendo_state = settings.PENDO_TRACKING_STATE if settings.PENDO_TRACKING_STATE in ('off', 'anonymous', 'detailed') else 'off'
 
+        # Guarding against settings.UI_NEXT being set to a non-boolean value
+        ui_next_state = settings.UI_NEXT if settings.UI_NEXT in (True, False) else False
+
         data = dict(
             time_zone=settings.TIME_ZONE,
             license_info=license_data,
@@ -293,6 +293,7 @@ class ApiV2ConfigView(APIView):
             analytics_status=pendo_state,
             analytics_collectors=all_collectors(),
             become_methods=PRIVILEGE_ESCALATION_METHODS,
+            ui_next=ui_next_state,
         )
 
         # If LDAP is enabled, user_ldap_fields will return a list of field

awx/conf/fields.py

@@ -61,10 +61,6 @@ class StringListBooleanField(ListField):
 
     def to_representation(self, value):
         try:
-            if isinstance(value, str):
-                # https://github.com/encode/django-rest-framework/commit/a180bde0fd965915718b070932418cabc831cee1
-                # DRF changed truthy and falsy lists to be capitalized
-                value = value.lower()
             if isinstance(value, (list, tuple)):
                 return super(StringListBooleanField, self).to_representation(value)
             elif value in BooleanField.TRUE_VALUES:
@@ -82,8 +78,6 @@ class StringListBooleanField(ListField):
 
     def to_internal_value(self, data):
         try:
-            if isinstance(data, str):
-                data = data.lower()
             if isinstance(data, (list, tuple)):
                 return super(StringListBooleanField, self).to_internal_value(data)
             elif data in BooleanField.TRUE_VALUES:

awx/conf/tests/unit/test_settings.py

@@ -130,9 +130,9 @@ def test_default_setting(settings, mocker):
     settings.registry.register('AWX_SOME_SETTING', field_class=fields.CharField, category=_('System'), category_slug='system', default='DEFAULT')
 
     settings_to_cache = mocker.Mock(**{'order_by.return_value': []})
-    mocker.patch('awx.conf.models.Setting.objects.filter', return_value=settings_to_cache)
-    assert settings.AWX_SOME_SETTING == 'DEFAULT'
-    assert settings.cache.get('AWX_SOME_SETTING') == 'DEFAULT'
+    with mocker.patch('awx.conf.models.Setting.objects.filter', return_value=settings_to_cache):
+        assert settings.AWX_SOME_SETTING == 'DEFAULT'
+        assert settings.cache.get('AWX_SOME_SETTING') == 'DEFAULT'
 
 
 @pytest.mark.defined_in_file(AWX_SOME_SETTING='DEFAULT')
@@ -146,9 +146,9 @@ def test_setting_is_not_from_setting_file(settings, mocker):
     settings.registry.register('AWX_SOME_SETTING', field_class=fields.CharField, category=_('System'), category_slug='system', default='DEFAULT')
 
     settings_to_cache = mocker.Mock(**{'order_by.return_value': []})
-    mocker.patch('awx.conf.models.Setting.objects.filter', return_value=settings_to_cache)
-    assert settings.AWX_SOME_SETTING == 'DEFAULT'
-    assert settings.registry.get_setting_field('AWX_SOME_SETTING').defined_in_file is False
+    with mocker.patch('awx.conf.models.Setting.objects.filter', return_value=settings_to_cache):
+        assert settings.AWX_SOME_SETTING == 'DEFAULT'
+        assert settings.registry.get_setting_field('AWX_SOME_SETTING').defined_in_file is False
 
 
 def test_empty_setting(settings, mocker):
@@ -156,10 +156,10 @@ def test_empty_setting(settings, mocker):
     settings.registry.register('AWX_SOME_SETTING', field_class=fields.CharField, category=_('System'), category_slug='system')
 
     mocks = mocker.Mock(**{'order_by.return_value': mocker.Mock(**{'__iter__': lambda self: iter([]), 'first.return_value': None})})
-    mocker.patch('awx.conf.models.Setting.objects.filter', return_value=mocks)
-    with pytest.raises(AttributeError):
-        settings.AWX_SOME_SETTING
-    assert settings.cache.get('AWX_SOME_SETTING') == SETTING_CACHE_NOTSET
+    with mocker.patch('awx.conf.models.Setting.objects.filter', return_value=mocks):
+        with pytest.raises(AttributeError):
+            settings.AWX_SOME_SETTING
+        assert settings.cache.get('AWX_SOME_SETTING') == SETTING_CACHE_NOTSET
 
 
 def test_setting_from_db(settings, mocker):
@@ -168,9 +168,9 @@ def test_setting_from_db(settings, mocker):
 
     setting_from_db = mocker.Mock(key='AWX_SOME_SETTING', value='FROM_DB')
     mocks = mocker.Mock(**{'order_by.return_value': mocker.Mock(**{'__iter__': lambda self: iter([setting_from_db]), 'first.return_value': setting_from_db})})
-    mocker.patch('awx.conf.models.Setting.objects.filter', return_value=mocks)
-    assert settings.AWX_SOME_SETTING == 'FROM_DB'
-    assert settings.cache.get('AWX_SOME_SETTING') == 'FROM_DB'
+    with mocker.patch('awx.conf.models.Setting.objects.filter', return_value=mocks):
+        assert settings.AWX_SOME_SETTING == 'FROM_DB'
+        assert settings.cache.get('AWX_SOME_SETTING') == 'FROM_DB'
 
 
 @pytest.mark.defined_in_file(AWX_SOME_SETTING='DEFAULT')
@@ -205,8 +205,8 @@ def test_db_setting_update(settings, mocker):
 
     existing_setting = mocker.Mock(key='AWX_SOME_SETTING', value='FROM_DB')
     setting_list = mocker.Mock(**{'order_by.return_value.first.return_value': existing_setting})
-    mocker.patch('awx.conf.models.Setting.objects.filter', return_value=setting_list)
-    settings.AWX_SOME_SETTING = 'NEW-VALUE'
+    with mocker.patch('awx.conf.models.Setting.objects.filter', return_value=setting_list):
+        settings.AWX_SOME_SETTING = 'NEW-VALUE'
 
     assert existing_setting.value == 'NEW-VALUE'
     existing_setting.save.assert_called_with(update_fields=['value'])
@@ -217,8 +217,8 @@ def test_db_setting_deletion(settings, mocker):
     settings.registry.register('AWX_SOME_SETTING', field_class=fields.CharField, category=_('System'), category_slug='system')
 
     existing_setting = mocker.Mock(key='AWX_SOME_SETTING', value='FROM_DB')
-    mocker.patch('awx.conf.models.Setting.objects.filter', return_value=[existing_setting])
-    del settings.AWX_SOME_SETTING
+    with mocker.patch('awx.conf.models.Setting.objects.filter', return_value=[existing_setting]):
+        del settings.AWX_SOME_SETTING
 
     assert existing_setting.delete.call_count == 1
 
@@ -283,10 +283,10 @@ def test_sensitive_cache_data_is_encrypted(settings, mocker):
     # use its primary key as part of the encryption key
     setting_from_db = mocker.Mock(pk=123, key='AWX_ENCRYPTED', value='SECRET!')
     mocks = mocker.Mock(**{'order_by.return_value': mocker.Mock(**{'__iter__': lambda self: iter([setting_from_db]), 'first.return_value': setting_from_db})})
-    mocker.patch('awx.conf.models.Setting.objects.filter', return_value=mocks)
-    cache.set('AWX_ENCRYPTED', 'SECRET!')
-    assert cache.get('AWX_ENCRYPTED') == 'SECRET!'
-    assert native_cache.get('AWX_ENCRYPTED') == 'FRPERG!'
+    with mocker.patch('awx.conf.models.Setting.objects.filter', return_value=mocks):
+        cache.set('AWX_ENCRYPTED', 'SECRET!')
+        assert cache.get('AWX_ENCRYPTED') == 'SECRET!'
+        assert native_cache.get('AWX_ENCRYPTED') == 'FRPERG!'
 
 
 def test_readonly_sensitive_cache_data_is_encrypted(settings):

awx/main/access.py

@@ -20,10 +20,7 @@ from rest_framework.exceptions import ParseError, PermissionDenied
 # Django OAuth Toolkit
 from awx.main.models.oauth import OAuth2Application, OAuth2AccessToken
 
-# django-ansible-base
 from ansible_base.lib.utils.validation import to_python_boolean
-from ansible_base.rbac.models import RoleEvaluation
-from ansible_base.rbac import permission_registry
 
 # AWX
 from awx.main.utils import (
@@ -75,6 +72,8 @@ from awx.main.models import (
     WorkflowJobTemplateNode,
     WorkflowApproval,
     WorkflowApprovalTemplate,
+    ROLE_SINGLETON_SYSTEM_ADMINISTRATOR,
+    ROLE_SINGLETON_SYSTEM_AUDITOR,
 )
 from awx.main.models.mixins import ResourceMixin
 
@@ -242,10 +241,9 @@ class BaseAccess(object):
         return qs
 
     def filtered_queryset(self):
-        if permission_registry.is_registered(self.model):
-            return self.model.access_qs(self.user, 'view')
-        else:
-            raise NotImplementedError('Filtered queryset for model is not written')
+        # Override in subclasses
+        # filter objects according to user's read access
+        return self.model.objects.none()
 
     def can_read(self, obj):
         return bool(obj and self.get_queryset().filter(pk=obj.pk).exists())
@@ -266,11 +264,7 @@ class BaseAccess(object):
         return self.can_change(obj, data)
 
     def can_delete(self, obj):
-        if self.user.is_superuser:
-            return True
-        if obj._meta.model_name in [cls._meta.model_name for cls in permission_registry.all_registered_models]:
-            return self.user.has_obj_perm(obj, 'delete')
-        return False
+        return self.user.is_superuser
 
     def can_copy(self, obj):
         return self.can_add({'reference_obj': obj})
@@ -599,7 +593,7 @@ class InstanceGroupAccess(BaseAccess):
        - a superuser
        - admin role on the Instance group
     I can add/delete Instance Groups:
-       - a superuser(system administrator), because these are not org-scoped
+       - a superuser(system administrator)
     I can use Instance Groups when I have:
        - use_role on the instance group
     """
@@ -607,6 +601,9 @@ class InstanceGroupAccess(BaseAccess):
     model = InstanceGroup
     prefetch_related = ('instances',)
 
+    def filtered_queryset(self):
+        return self.model.accessible_objects(self.user, 'read_role')
+
     @check_superuser
     def can_use(self, obj):
         return self.user in obj.use_role
@@ -625,7 +622,7 @@ class InstanceGroupAccess(BaseAccess):
     def can_delete(self, obj):
         if obj.name in [settings.DEFAULT_EXECUTION_QUEUE_NAME, settings.DEFAULT_CONTROL_PLANE_QUEUE_NAME]:
             return False
-        return self.user.has_obj_perm(obj, 'delete')
+        return self.user.is_superuser
 
 
 class UserAccess(BaseAccess):
@@ -652,9 +649,11 @@ class UserAccess(BaseAccess):
             qs = User.objects.all()
         else:
             qs = (
-                User.objects.filter(pk__in=Organization.access_qs(self.user, 'view').values('member_role__members'))
+                User.objects.filter(pk__in=Organization.accessible_objects(self.user, 'read_role').values('member_role__members'))
                 | User.objects.filter(pk=self.user.id)
-                | User.objects.filter(is_superuser=True)
+                | User.objects.filter(
+                    pk__in=Role.objects.filter(singleton_name__in=[ROLE_SINGLETON_SYSTEM_ADMINISTRATOR, ROLE_SINGLETON_SYSTEM_AUDITOR]).values('members')
+                )
             ).distinct()
         return qs
 
@@ -669,7 +668,7 @@ class UserAccess(BaseAccess):
             return True
         if not settings.MANAGE_ORGANIZATION_AUTH:
             return False
-        return Organization.access_qs(self.user, 'change').exists()
+        return Organization.accessible_objects(self.user, 'admin_role').exists()
 
     def can_change(self, obj, data):
         if data is not None and ('is_superuser' in data or 'is_system_auditor' in data):
@@ -689,7 +688,7 @@ class UserAccess(BaseAccess):
         """
         Returns all organizations that count `u` as a member
         """
-        return Organization.access_qs(u, 'member')
+        return Organization.accessible_objects(u, 'member_role')
 
     def is_all_org_admin(self, u):
         """
@@ -712,15 +711,6 @@ class UserAccess(BaseAccess):
             if not allow_orphans:
                 # in these cases only superusers can modify orphan users
                 return False
-            if settings.ANSIBLE_BASE_ROLE_SYSTEM_ACTIVATED:
-                # Permission granted if the user has all permissions that the target user has
-                target_perms = set(
-                    RoleEvaluation.objects.filter(role__in=obj.has_roles.all()).values_list('object_id', 'content_type_id', 'codename').distinct()
-                )
-                user_perms = set(
-                    RoleEvaluation.objects.filter(role__in=self.user.has_roles.all()).values_list('object_id', 'content_type_id', 'codename').distinct()
-                )
-                return not (target_perms - user_perms)
             return not obj.roles.all().exclude(ancestors__in=self.user.roles.all()).exists()
         else:
             return self.is_all_org_admin(obj)
@@ -772,7 +762,7 @@ class OAuth2ApplicationAccess(BaseAccess):
     prefetch_related = ('organization', 'oauth2accesstoken_set')
 
     def filtered_queryset(self):
-        org_access_qs = Organization.access_qs(self.user, 'member')
+        org_access_qs = Organization.accessible_objects(self.user, 'member_role')
         return self.model.objects.filter(organization__in=org_access_qs)
 
     def can_change(self, obj, data):
@@ -785,7 +775,7 @@ class OAuth2ApplicationAccess(BaseAccess):
         if self.user.is_superuser:
             return True
         if not data:
-            return Organization.access_qs(self.user, 'change').exists()
+            return Organization.accessible_objects(self.user, 'admin_role').exists()
         return self.check_related('organization', Organization, data, role_field='admin_role', mandatory=True)
 
 
@@ -853,6 +843,9 @@ class OrganizationAccess(NotificationAttachMixin, BaseAccess):
     # organization admin_role is not a parent of organization auditor_role
     notification_attach_roles = ['admin_role', 'auditor_role']
 
+    def filtered_queryset(self):
+        return self.model.accessible_objects(self.user, 'read_role')
+
     @check_superuser
     def can_change(self, obj, data):
         if data and data.get('default_environment'):
@@ -920,6 +913,9 @@ class InventoryAccess(BaseAccess):
         Prefetch('labels', queryset=Label.objects.all().order_by('name')),
     )
 
+    def filtered_queryset(self, allowed=None, ad_hoc=None):
+        return self.model.accessible_objects(self.user, 'read_role')
+
     @check_superuser
     def can_use(self, obj):
         return self.user in obj.use_role
@@ -928,7 +924,7 @@ class InventoryAccess(BaseAccess):
     def can_add(self, data):
         # If no data is specified, just checking for generic add permission?
         if not data:
-            return Organization.access_qs(self.user, 'add_inventory').exists()
+            return Organization.accessible_objects(self.user, 'inventory_admin_role').exists()
         return self.check_related('organization', Organization, data, role_field='inventory_admin_role')
 
     @check_superuser
@@ -953,6 +949,9 @@ class InventoryAccess(BaseAccess):
     def can_update(self, obj):
         return self.user in obj.update_role
 
+    def can_delete(self, obj):
+        return self.can_admin(obj, None)
+
     def can_run_ad_hoc_commands(self, obj):
         return self.user in obj.adhoc_role
 
@@ -990,7 +989,7 @@ class HostAccess(BaseAccess):
 
     def can_add(self, data):
         if not data:  # So the browseable API will work
-            return Inventory.access_qs(self.user, 'change').exists()
+            return Inventory.accessible_objects(self.user, 'admin_role').exists()
 
         # Checks for admin or change permission on inventory.
         if not self.check_related('inventory', Inventory, data):
@@ -1052,7 +1051,7 @@ class GroupAccess(BaseAccess):
 
     def can_add(self, data):
         if not data:  # So the browseable API will work
-            return Inventory.access_qs(self.user, 'change').exists()
+            return Inventory.accessible_objects(self.user, 'admin_role').exists()
         if 'inventory' not in data:
             return False
         # Checks for admin or change permission on inventory.
@@ -1094,7 +1093,7 @@ class InventorySourceAccess(NotificationAttachMixin, UnifiedCredentialsMixin, Ba
 
     def can_add(self, data):
         if not data or 'inventory' not in data:
-            return Inventory.access_qs(self.user, 'change').exists()
+            return Inventory.accessible_objects(self.user, 'admin_role').exists()
 
         if not self.check_related('source_project', Project, data, role_field='use_role'):
             return False
@@ -1208,6 +1207,9 @@ class CredentialAccess(BaseAccess):
     )
     prefetch_related = ('admin_role', 'use_role', 'read_role', 'admin_role__parents', 'admin_role__members', 'credential_type', 'organization')
 
+    def filtered_queryset(self):
+        return self.model.accessible_objects(self.user, 'read_role')
+
     @check_superuser
     def can_add(self, data):
         if not data:  # So the browseable API will work
@@ -1318,7 +1320,7 @@ class TeamAccess(BaseAccess):
     @check_superuser
     def can_add(self, data):
         if not data:  # So the browseable API will work
-            return Organization.access_qs(self.user, 'view').exists()
+            return Organization.accessible_objects(self.user, 'admin_role').exists()
         if not settings.MANAGE_ORGANIZATION_AUTH:
             return False
         return self.check_related('organization', Organization, data)
@@ -1376,11 +1378,12 @@ class TeamAccess(BaseAccess):
 class ExecutionEnvironmentAccess(BaseAccess):
     """
     I can see an execution environment when:
-     - I can see its organization
-     - It is a global ExecutionEnvironment
+     - I'm a superuser
+     - I'm a member of the same organization
+     - it is a global ExecutionEnvironment
     I can create/change an execution environment when:
      - I'm a superuser
-     - I have an organization or object role that gives access
+     - I'm an admin for the organization(s)
     """
 
     model = ExecutionEnvironment
@@ -1389,34 +1392,26 @@ class ExecutionEnvironmentAccess(BaseAccess):
 
     def filtered_queryset(self):
         return ExecutionEnvironment.objects.filter(
-            Q(organization__in=Organization.access_ids_qs(self.user, 'view'))
-            | Q(organization__isnull=True)
-            | Q(id__in=ExecutionEnvironment.access_ids_qs(self.user, 'change'))
+            Q(organization__in=Organization.accessible_pk_qs(self.user, 'read_role')) | Q(organization__isnull=True)
         ).distinct()
 
     @check_superuser
     def can_add(self, data):
         if not data:  # So the browseable API will work
-            return Organization.access_qs(self.user, 'add_executionenvironment').exists()
+            return Organization.accessible_objects(self.user, 'execution_environment_admin_role').exists()
         return self.check_related('organization', Organization, data, mandatory=True, role_field='execution_environment_admin_role')
 
     @check_superuser
     def can_change(self, obj, data):
         if obj and obj.organization_id is None:
             raise PermissionDenied
-        if settings.ANSIBLE_BASE_ROLE_SYSTEM_ACTIVATED:
-            if not self.user.has_obj_perm(obj, 'change'):
+        if self.user not in obj.organization.execution_environment_admin_role:
+            raise PermissionDenied
+        if data and 'organization' in data:
+            new_org = get_object_from_data('organization', Organization, data, obj=obj)
+            if not new_org or self.user not in new_org.execution_environment_admin_role:
                 return False
-        else:
-            if self.user not in obj.organization.execution_environment_admin_role:
-                raise PermissionDenied
-        if not self.check_related('organization', Organization, data, obj=obj, role_field='execution_environment_admin_role'):
-            return False
-        # Special case that check_related does not catch, org users can not remove the organization from the EE
-        if data and ('organization' in data or 'organization_id' in data):
-            if (not data.get('organization')) and (not data.get('organization_id')):
-                return False
-        return True
+        return self.check_related('organization', Organization, data, obj=obj, mandatory=True, role_field='execution_environment_admin_role')
 
     def can_delete(self, obj):
         if obj.managed:
@@ -1446,10 +1441,13 @@ class ProjectAccess(NotificationAttachMixin, BaseAccess):
     prefetch_related = ('modified_by', 'created_by', 'organization', 'last_job', 'current_job')
     notification_attach_roles = ['admin_role']
 
+    def filtered_queryset(self):
+        return self.model.accessible_objects(self.user, 'read_role')
+
     @check_superuser
     def can_add(self, data):
         if not data:  # So the browseable API will work
-            return Organization.access_qs(self.user, 'add_project').exists()
+            return Organization.accessible_objects(self.user, 'project_admin_role').exists()
 
         if data.get('default_environment'):
             ee = get_object_from_data('default_environment', ExecutionEnvironment, data)
@@ -1545,6 +1543,9 @@ class JobTemplateAccess(NotificationAttachMixin, UnifiedCredentialsMixin, BaseAc
         Prefetch('last_job', queryset=UnifiedJob.objects.non_polymorphic()),
     )
 
+    def filtered_queryset(self):
+        return self.model.accessible_objects(self.user, 'read_role')
+
     def can_add(self, data):
         """
         a user can create a job template if
@@ -1557,7 +1558,7 @@ class JobTemplateAccess(NotificationAttachMixin, UnifiedCredentialsMixin, BaseAc
         Users who are able to create deploy jobs can also run normal and check (dry run) jobs.
         """
         if not data:  # So the browseable API will work
-            return Project.access_qs(self.user, 'use_project').exists()
+            return Project.accessible_objects(self.user, 'use_role').exists()
 
         # if reference_obj is provided, determine if it can be copied
         reference_obj = data.get('reference_obj', None)
@@ -1582,8 +1583,6 @@ class JobTemplateAccess(NotificationAttachMixin, UnifiedCredentialsMixin, BaseAc
         inventory = get_value(Inventory, 'inventory')
         if inventory:
             if self.user not in inventory.use_role:
-                if self.save_messages:
-                    self.messages['inventory'] = [_('You do not have use permission on Inventory')]
                 return False
 
         if not self.check_related('execution_environment', ExecutionEnvironment, data, role_field='read_role'):
@@ -1592,16 +1591,11 @@ class JobTemplateAccess(NotificationAttachMixin, UnifiedCredentialsMixin, BaseAc
         project = get_value(Project, 'project')
         # If the user has admin access to the project (as an org admin), should
         # be able to proceed without additional checks.
-        if not project:
+        if project:
+            return self.user in project.use_role
+        else:
             return False
 
-        if self.user not in project.use_role:
-            if self.save_messages:
-                self.messages['project'] = [_('You do not have use permission on Project')]
-            return False
-
-        return True
-
     @check_superuser
     def can_copy_related(self, obj):
         """
@@ -1748,13 +1742,13 @@ class JobAccess(BaseAccess):
     def filtered_queryset(self):
         qs = self.model.objects
 
-        qs_jt = qs.filter(job_template__in=JobTemplate.access_qs(self.user, 'view'))
+        qs_jt = qs.filter(job_template__in=JobTemplate.accessible_objects(self.user, 'read_role'))
 
         org_access_qs = Organization.objects.filter(Q(admin_role__members=self.user) | Q(auditor_role__members=self.user))
         if not org_access_qs.exists():
             return qs_jt
 
-        return qs.filter(Q(job_template__in=JobTemplate.access_qs(self.user, 'view')) | Q(organization__in=org_access_qs)).distinct()
+        return qs.filter(Q(job_template__in=JobTemplate.accessible_objects(self.user, 'read_role')) | Q(organization__in=org_access_qs)).distinct()
 
     def can_add(self, data, validate_license=True):
         raise NotImplementedError('Direct job creation not possible in v2 API')
@@ -1843,11 +1837,6 @@ class SystemJobTemplateAccess(BaseAccess):
 
     model = SystemJobTemplate
 
-    def filtered_queryset(self):
-        if self.user.is_superuser or self.user.is_system_auditor:
-            return self.model.objects.all()
-        return self.model.objects.none()
-
     @check_superuser
     def can_start(self, obj, validate_license=True):
         '''Only a superuser can start a job from a SystemJobTemplate'''
@@ -1960,7 +1949,7 @@ class WorkflowJobTemplateNodeAccess(UnifiedCredentialsMixin, BaseAccess):
     prefetch_related = ('success_nodes', 'failure_nodes', 'always_nodes', 'unified_job_template', 'workflow_job_template')
 
     def filtered_queryset(self):
-        return self.model.objects.filter(workflow_job_template__in=WorkflowJobTemplate.access_qs(self.user, 'view'))
+        return self.model.objects.filter(workflow_job_template__in=WorkflowJobTemplate.accessible_objects(self.user, 'read_role'))
 
     @check_superuser
     def can_add(self, data):
@@ -2075,6 +2064,9 @@ class WorkflowJobTemplateAccess(NotificationAttachMixin, BaseAccess):
         'read_role',
     )
 
+    def filtered_queryset(self):
+        return self.model.accessible_objects(self.user, 'read_role')
+
     @check_superuser
     def can_add(self, data):
         """
@@ -2085,25 +2077,13 @@ class WorkflowJobTemplateAccess(NotificationAttachMixin, BaseAccess):
         Users who are able to create deploy jobs can also run normal and check (dry run) jobs.
         """
         if not data:  # So the browseable API will work
-            return Organization.access_qs(self.user, 'add_workflowjobtemplate').exists()
+            return Organization.accessible_objects(self.user, 'workflow_admin_role').exists()
 
-        if not self.check_related('organization', Organization, data, role_field='workflow_admin_role', mandatory=True):
-            if data.get('organization', None) is None:
-                if self.save_messages:
-                    self.messages['organization'] = [_('An organization is required to create a workflow job template for normal user')]
-            return False
-
-        if not self.check_related('inventory', Inventory, data, role_field='use_role'):
-            if self.save_messages:
-                self.messages['inventory'] = [_('You do not have use_role to the inventory')]
-            return False
-
-        if not self.check_related('execution_environment', ExecutionEnvironment, data, role_field='read_role'):
-            if self.save_messages:
-                self.messages['execution_environment'] = [_('You do not have read_role to the execution environment')]
-            return False
-
-        return True
+        return bool(
+            self.check_related('organization', Organization, data, role_field='workflow_admin_role', mandatory=True)
+            and self.check_related('inventory', Inventory, data, role_field='use_role')
+            and self.check_related('execution_environment', ExecutionEnvironment, data, role_field='read_role')
+        )
 
     def can_copy(self, obj):
         if self.save_messages:
@@ -2612,8 +2592,6 @@ class ScheduleAccess(UnifiedCredentialsMixin, BaseAccess):
         if not JobLaunchConfigAccess(self.user).can_add(data):
             return False
         if not data:
-            if settings.ANSIBLE_BASE_ROLE_SYSTEM_ACTIVATED:
-                return self.user.has_roles.filter(permission_partials__codename__in=['execute_jobtemplate', 'update_project', 'update_inventory']).exists()
             return Role.objects.filter(role_field__in=['update_role', 'execute_role'], ancestors__in=self.user.roles.all()).exists()
 
         return self.check_related('unified_job_template', UnifiedJobTemplate, data, role_field='execute_role', mandatory=True)
@@ -2635,28 +2613,29 @@ class ScheduleAccess(UnifiedCredentialsMixin, BaseAccess):
 
 class NotificationTemplateAccess(BaseAccess):
     """
-    Run standard logic from DAB RBAC
+    I can see/use a notification_template if I have permission to
     """
 
     model = NotificationTemplate
     prefetch_related = ('created_by', 'modified_by', 'organization')
 
     def filtered_queryset(self):
-        if settings.ANSIBLE_BASE_ROLE_SYSTEM_ACTIVATED:
-            return self.model.access_qs(self.user, 'view')
         return self.model.objects.filter(
-            Q(organization__in=Organization.access_qs(self.user, 'add_notificationtemplate')) | Q(organization__in=self.user.auditor_of_organizations)
+            Q(organization__in=Organization.accessible_objects(self.user, 'notification_admin_role')) | Q(organization__in=self.user.auditor_of_organizations)
         ).distinct()
 
     @check_superuser
     def can_add(self, data):
         if not data:
-            return Organization.access_qs(self.user, 'add_notificationtemplate').exists()
+            return Organization.accessible_objects(self.user, 'notification_admin_role').exists()
         return self.check_related('organization', Organization, data, role_field='notification_admin_role', mandatory=True)
 
     @check_superuser
     def can_change(self, obj, data):
-        return self.user.has_obj_perm(obj, 'change') and self.check_related('organization', Organization, data, obj=obj, role_field='notification_admin_role')
+        if obj.organization is None:
+            # only superusers are allowed to edit orphan notification templates
+            return False
+        return self.check_related('organization', Organization, data, obj=obj, role_field='notification_admin_role', mandatory=True)
 
     def can_admin(self, obj, data):
         return self.can_change(obj, data)
@@ -2666,7 +2645,9 @@ class NotificationTemplateAccess(BaseAccess):
 
     @check_superuser
     def can_start(self, obj, validate_license=True):
-        return self.can_change(obj, None)
+        if obj.organization is None:
+            return False
+        return self.user in obj.organization.notification_admin_role
 
 
 class NotificationAccess(BaseAccess):
@@ -2679,7 +2660,7 @@ class NotificationAccess(BaseAccess):
 
     def filtered_queryset(self):
         return self.model.objects.filter(
-            Q(notification_template__organization__in=Organization.access_qs(self.user, 'add_notificationtemplate'))
+            Q(notification_template__organization__in=Organization.accessible_objects(self.user, 'notification_admin_role'))
             | Q(notification_template__organization__in=self.user.auditor_of_organizations)
         ).distinct()
 
@@ -2795,7 +2776,11 @@ class ActivityStreamAccess(BaseAccess):
         if credential_set:
             q |= Q(credential__in=credential_set)
 
-        auditing_orgs = (Organization.access_qs(self.user, 'change') | Organization.access_qs(self.user, 'audit')).distinct().values_list('id', flat=True)
+        auditing_orgs = (
+            (Organization.accessible_objects(self.user, 'admin_role') | Organization.accessible_objects(self.user, 'auditor_role'))
+            .distinct()
+            .values_list('id', flat=True)
+        )
         if auditing_orgs:
             q |= (
                 Q(user__in=auditing_orgs.values('member_role__members'))
@@ -2803,7 +2788,7 @@ class ActivityStreamAccess(BaseAccess):
                 | Q(notification_template__organization__in=auditing_orgs)
                 | Q(notification__notification_template__organization__in=auditing_orgs)
                 | Q(label__organization__in=auditing_orgs)
-                | Q(role__in=Role.visible_roles(self.user) if auditing_orgs else [])
+                | Q(role__in=Role.objects.filter(ancestors__in=self.user.roles.all()) if auditing_orgs else [])
             )
 
         project_set = Project.accessible_pk_qs(self.user, 'read_role')
@@ -2860,10 +2845,13 @@ class RoleAccess(BaseAccess):
 
     def filtered_queryset(self):
         result = Role.visible_roles(self.user)
-        # Make system admin/auditor mandatorily visible.
-        mandatories = ('system_administrator', 'system_auditor')
-        super_qs = Role.objects.filter(singleton_name__in=mandatories)
-        return result | super_qs
+        # Sanity check: is the requesting user an orphaned non-admin/auditor?
+        # if yes, make system admin/auditor mandatorily visible.
+        if not self.user.is_superuser and not self.user.is_system_auditor and not self.user.organizations.exists():
+            mandatories = ('system_administrator', 'system_auditor')
+            super_qs = Role.objects.filter(singleton_name__in=mandatories)
+            result = result | super_qs
+        return result
 
     def can_add(self, obj, data):
         # Unsupported for now

awx/main/analytics/broadcast_websocket.py

@@ -66,8 +66,10 @@ class FixedSlidingWindow:
 
 
 class RelayWebsocketStatsManager:
-    def __init__(self, local_hostname):
+    def __init__(self, event_loop, local_hostname):
         self._local_hostname = local_hostname
+
+        self._event_loop = event_loop
         self._stats = dict()
         self._redis_key = BROADCAST_WEBSOCKET_REDIS_KEY_NAME
 
@@ -92,10 +94,7 @@ class RelayWebsocketStatsManager:
             self.start()
 
     def start(self):
-        self.async_task = asyncio.get_running_loop().create_task(
-            self.run_loop(),
-            name='RelayWebsocketStatsManager.run_loop',
-        )
+        self.async_task = self._event_loop.create_task(self.run_loop())
         return self.async_task
 
     @classmethod

awx/main/apps.py

@@ -1,40 +1,7 @@
 from django.apps import AppConfig
 from django.utils.translation import gettext_lazy as _
-from awx.main.utils.named_url_graph import _customize_graph, generate_graph
-from awx.conf import register, fields
 
 
 class MainConfig(AppConfig):
     name = 'awx.main'
     verbose_name = _('Main')
-
-    def load_named_url_feature(self):
-        models = [m for m in self.get_models() if hasattr(m, 'get_absolute_url')]
-        generate_graph(models)
-        _customize_graph()
-        register(
-            'NAMED_URL_FORMATS',
-            field_class=fields.DictField,
-            read_only=True,
-            label=_('Formats of all available named urls'),
-            help_text=_('Read-only list of key-value pairs that shows the standard format of all available named URLs.'),
-            category=_('Named URL'),
-            category_slug='named-url',
-        )
-        register(
-            'NAMED_URL_GRAPH_NODES',
-            field_class=fields.DictField,
-            read_only=True,
-            label=_('List of all named url graph nodes.'),
-            help_text=_(
-                'Read-only list of key-value pairs that exposes named URL graph topology.'
-                ' Use this list to programmatically generate named URLs for resources'
-            ),
-            category=_('Named URL'),
-            category_slug='named-url',
-        )
-
-    def ready(self):
-        super().ready()
-
-        self.load_named_url_feature()

awx/main/conf.py

@@ -2,7 +2,6 @@
 import logging
 
 # Django
-from django.core.checks import Error
 from django.utils.translation import gettext_lazy as _
 
 # Django REST Framework
@@ -843,12 +842,22 @@ register(
     hidden=True,
 )
 
+register(
+    'UI_NEXT',
+    field_class=fields.BooleanField,
+    default=False,
+    label=_('Enable Preview of New User Interface'),
+    help_text=_('Enable preview of new user interface.'),
+    category=_('System'),
+    category_slug='system',
+    hidden=True,
+)
 
 register(
     'SUBSCRIPTION_USAGE_MODEL',
     field_class=fields.ChoiceField,
     choices=[
-        ('', _('No subscription. Deletion of host_metrics will not be considered for purposes of managed host counting')),
+        ('', _('Default model for AWX - no subscription. Deletion of host_metrics will not be considered for purposes of managed host counting')),
         (
             SUBSCRIPTION_USAGE_MODEL_UNIQUE_HOSTS,
             _('Usage based on unique managed nodes in a large historical time frame and delete functionality for no longer used managed nodes'),
@@ -919,16 +928,6 @@ register(
     category_slug='debug',
 )
 
-register(
-    'RECEPTOR_KEEP_WORK_ON_ERROR',
-    field_class=fields.BooleanField,
-    label=_('Keep receptor work on error'),
-    default=False,
-    help_text=_('Prevent receptor work from being released on when error is detected'),
-    category=('Debug'),
-    category_slug='debug',
-)
-
 
 def logging_validate(serializer, attrs):
     if not serializer.instance or not hasattr(serializer.instance, 'LOG_AGGREGATOR_HOST') or not hasattr(serializer.instance, 'LOG_AGGREGATOR_TYPE'):
@@ -955,27 +954,3 @@ def logging_validate(serializer, attrs):
 
 
 register_validate('logging', logging_validate)
-
-
-def csrf_trusted_origins_validate(serializer, attrs):
-    if not serializer.instance or not hasattr(serializer.instance, 'CSRF_TRUSTED_ORIGINS'):
-        return attrs
-    if 'CSRF_TRUSTED_ORIGINS' not in attrs:
-        return attrs
-    errors = []
-    for origin in attrs['CSRF_TRUSTED_ORIGINS']:
-        if "://" not in origin:
-            errors.append(
-                Error(
-                    "As of Django 4.0, the values in the CSRF_TRUSTED_ORIGINS "
-                    "setting must start with a scheme (usually http:// or "
-                    "https://) but found %s. See the release notes for details." % origin,
-                )
-            )
-    if errors:
-        error_messages = [error.msg for error in errors]
-        raise serializers.ValidationError(_('\n'.join(error_messages)))
-    return attrs
-
-
-register_validate('system', csrf_trusted_origins_validate)

awx/main/constants.py

@@ -14,7 +14,7 @@ __all__ = [
     'STANDARD_INVENTORY_UPDATE_ENV',
 ]
 
-CLOUD_PROVIDERS = ('azure_rm', 'ec2', 'gce', 'vmware', 'openstack', 'rhv', 'satellite6', 'controller', 'insights', 'terraform', 'openshift_virtualization')
+CLOUD_PROVIDERS = ('azure_rm', 'ec2', 'gce', 'vmware', 'openstack', 'rhv', 'satellite6', 'controller', 'insights', 'terraform')
 PRIVILEGE_ESCALATION_METHODS = [
     ('sudo', _('Sudo')),
     ('su', _('Su')),
@@ -43,7 +43,6 @@ STANDARD_INVENTORY_UPDATE_ENV = {
 }
 CAN_CANCEL = ('new', 'pending', 'waiting', 'running')
 ACTIVE_STATES = CAN_CANCEL
-ERROR_STATES = ('error',)
 MINIMAL_EVENTS = set(['playbook_on_play_start', 'playbook_on_task_start', 'playbook_on_stats', 'EOF'])
 CENSOR_VALUE = '************'
 ENV_BLOCKLIST = frozenset(
@@ -115,28 +114,3 @@ SUBSCRIPTION_USAGE_MODEL_UNIQUE_HOSTS = 'unique_managed_hosts'
 
 # Shared prefetch to use for creating a queryset for the purpose of writing or saving facts
 HOST_FACTS_FIELDS = ('name', 'ansible_facts', 'ansible_facts_modified', 'modified', 'inventory_id')
-
-# Data for RBAC compatibility layer
-role_name_to_perm_mapping = {
-    'adhoc_role': ['adhoc_'],
-    'approval_role': ['approve_'],
-    'auditor_role': ['audit_'],
-    'admin_role': ['change_', 'add_', 'delete_'],
-    'execute_role': ['execute_'],
-    'read_role': ['view_'],
-    'update_role': ['update_'],
-    'member_role': ['member_'],
-    'use_role': ['use_'],
-}
-
-org_role_to_permission = {
-    'notification_admin_role': 'add_notificationtemplate',
-    'project_admin_role': 'add_project',
-    'execute_role': 'execute_jobtemplate',
-    'inventory_admin_role': 'add_inventory',
-    'credential_admin_role': 'add_credential',
-    'workflow_admin_role': 'add_workflowjobtemplate',
-    'job_template_admin_role': 'change_jobtemplate',  # TODO: this doesnt really work, solution not clear
-    'execution_environment_admin_role': 'add_executionenvironment',
-    'auditor_role': 'view_project',  # TODO: also doesnt really work
-}

awx/main/dispatch/__init__.py

@@ -1,7 +1,6 @@
 import os
 import psycopg
 import select
-from copy import deepcopy
 
 from contextlib import contextmanager
 
@@ -95,15 +94,14 @@ class PubSub(object):
 
 
 def create_listener_connection():
-    conf = deepcopy(settings.DATABASES['default'])
-    conf['OPTIONS'] = deepcopy(conf.get('OPTIONS', {}))
+    conf = settings.DATABASES['default'].copy()
+    conf['OPTIONS'] = conf.get('OPTIONS', {}).copy()
     # Modify the application name to distinguish from other connections the process might use
     conf['OPTIONS']['application_name'] = get_application_name(settings.CLUSTER_HOST_ID, function='listener')
 
     # Apply overrides specifically for the listener connection
     for k, v in settings.LISTENER_DATABASES.get('default', {}).items():
-        if k != 'OPTIONS':
-            conf[k] = v
+        conf[k] = v
     for k, v in settings.LISTENER_DATABASES.get('default', {}).get('OPTIONS', {}).items():
         conf['OPTIONS'][k] = v
 

awx/main/fields.py

@@ -252,7 +252,7 @@ class ImplicitRoleField(models.ForeignKey):
         kwargs.setdefault('related_name', '+')
         kwargs.setdefault('null', 'True')
         kwargs.setdefault('editable', False)
-        kwargs.setdefault('on_delete', models.SET_NULL)
+        kwargs.setdefault('on_delete', models.CASCADE)
         super(ImplicitRoleField, self).__init__(*args, **kwargs)
 
     def deconstruct(self):

awx/main/management/commands/check_instance_ready.py

@@ -1,12 +0,0 @@
-from django.core.management.base import BaseCommand, CommandError
-from awx.main.models.ha import Instance
-
-
-class Command(BaseCommand):
-    help = 'Check if the task manager instance is ready throw error if not ready, can be use as readiness probe for k8s.'
-
-    def handle(self, *args, **options):
-        if Instance.objects.me().node_state != Instance.States.READY:
-            raise CommandError('Instance is not ready')  # so that return code is not 0
-
-        return

awx/main/management/commands/create_preload_data.py

@@ -2,7 +2,6 @@
 # All Rights Reserved
 
 from django.core.management.base import BaseCommand
-from django.db import transaction
 from crum import impersonate
 from awx.main.models import User, Organization, Project, Inventory, CredentialType, Credential, Host, JobTemplate
 from awx.main.signals import disable_computed_fields
@@ -14,12 +13,6 @@ class Command(BaseCommand):
     help = 'Creates a preload tower data if there is none.'
 
     def handle(self, *args, **kwargs):
-        # Wrap the operation in an atomic block, so we do not on accident
-        # create the organization but not create the project, etc.
-        with transaction.atomic():
-            self._handle()
-
-    def _handle(self):
         changed = False
 
         # Create a default organization as the first superuser found.
@@ -50,11 +43,10 @@ class Command(BaseCommand):
 
                     ssh_type = CredentialType.objects.filter(namespace='ssh').first()
                     c, _ = Credential.objects.get_or_create(
-                        credential_type=ssh_type, name='Demo Credential', inputs={'username': getattr(superuser, 'username', 'null')}, created_by=superuser
+                        credential_type=ssh_type, name='Demo Credential', inputs={'username': superuser.username}, created_by=superuser
                     )
 
-                    if superuser:
-                        c.admin_role.members.add(superuser)
+                    c.admin_role.members.add(superuser)
 
                     public_galaxy_credential, _ = Credential.objects.get_or_create(
                         name='Ansible Galaxy',

awx/main/management/commands/dump_auth_config.py

@@ -2,11 +2,10 @@ import json
 import os
 import sys
 import re
-from typing import Any
 
+from typing import Any
 from django.core.management.base import BaseCommand
 from django.conf import settings
-
 from awx.conf import settings_registry
 
 
@@ -41,15 +40,6 @@ class Command(BaseCommand):
         "USER_SEARCH": False,
     }
 
-    def is_enabled(self, settings, keys):
-        missing_fields = []
-        for key, required in keys.items():
-            if required and not settings.get(key):
-                missing_fields.append(key)
-        if missing_fields:
-            return False, missing_fields
-        return True, None
-
     def get_awx_ldap_settings(self) -> dict[str, dict[str, Any]]:
         awx_ldap_settings = {}
 
@@ -74,17 +64,15 @@ class Command(BaseCommand):
 
             if new_key == "SERVER_URI" and value:
                 value = value.split(", ")
-                grouped_settings[index][new_key] = value
-
-            if type(value).__name__ == "LDAPSearch":
-                data = []
-                data.append(value.base_dn)
-                data.append("SCOPE_SUBTREE")
-                data.append(value.filterstr)
-                grouped_settings[index][new_key] = data
 
         return grouped_settings
 
+    def is_enabled(self, settings, keys):
+        for key, required in keys.items():
+            if required and not settings.get(key):
+                return False
+        return True
+
     def get_awx_saml_settings(self) -> dict[str, Any]:
         awx_saml_settings = {}
         for awx_saml_setting in settings_registry.get_registered_settings(category_slug='saml'):
@@ -94,7 +82,7 @@ class Command(BaseCommand):
 
     def format_config_data(self, enabled, awx_settings, type, keys, name):
         config = {
-            "type": f"ansible_base.authentication.authenticator_plugins.{type}",
+            "type": f"awx.authentication.authenticator_plugins.{type}",
             "name": name,
             "enabled": enabled,
             "create_objects": True,
@@ -142,7 +130,7 @@ class Command(BaseCommand):
 
             # dump SAML settings
             awx_saml_settings = self.get_awx_saml_settings()
-            awx_saml_enabled, saml_missing_fields = self.is_enabled(awx_saml_settings, self.DAB_SAML_AUTHENTICATOR_KEYS)
+            awx_saml_enabled = self.is_enabled(awx_saml_settings, self.DAB_SAML_AUTHENTICATOR_KEYS)
             if awx_saml_enabled:
                 awx_saml_name = awx_saml_settings["ENABLED_IDPS"]
                 data.append(
@@ -154,25 +142,21 @@ class Command(BaseCommand):
                         awx_saml_name,
                     )
                 )
-            else:
-                data.append({"SAML_missing_fields": saml_missing_fields})
 
             # dump LDAP settings
             awx_ldap_group_settings = self.get_awx_ldap_settings()
-            for awx_ldap_name, awx_ldap_settings in awx_ldap_group_settings.items():
-                awx_ldap_enabled, ldap_missing_fields = self.is_enabled(awx_ldap_settings, self.DAB_LDAP_AUTHENTICATOR_KEYS)
-                if awx_ldap_enabled:
+            for awx_ldap_name, awx_ldap_settings in enumerate(awx_ldap_group_settings.values()):
+                enabled = self.is_enabled(awx_ldap_settings, self.DAB_LDAP_AUTHENTICATOR_KEYS)
+                if enabled:
                     data.append(
                         self.format_config_data(
-                            awx_ldap_enabled,
+                            enabled,
                             awx_ldap_settings,
                             "ldap",
                             self.DAB_LDAP_AUTHENTICATOR_KEYS,
-                            f"LDAP_{awx_ldap_name}",
+                            str(awx_ldap_name),
                         )
                     )
-                else:
-                    data.append({f"LDAP_{awx_ldap_name}_missing_fields": ldap_missing_fields})
 
             # write to file if requested
             if options["output_file"]:

awx/main/management/commands/run_wsrelay.py

@@ -101,9 +101,8 @@ class Command(BaseCommand):
             migrating = bool(executor.migration_plan(executor.loader.graph.leaf_nodes()))
             connection.close()  # Because of async nature, main loop will use new connection, so close this
         except Exception as exc:
-            time.sleep(10)  # Prevent supervisor from restarting the service too quickly and the service to enter FATAL state
-            # sleeping before logging because logging rely on setting which require database connection...
-            logger.warning(f'Error on startup of run_wsrelay (error: {exc}), slept for 10s...')
+            logger.warning(f'Error on startup of run_wsrelay (error: {exc}), retry in 10s...')
+            time.sleep(10)
             return
 
         # In containerized deployments, migrations happen in the task container,
@@ -122,14 +121,13 @@ class Command(BaseCommand):
             return
 
         try:
-            my_hostname = Instance.objects.my_hostname()  # This relies on settings.CLUSTER_HOST_ID which requires database connection
+            my_hostname = Instance.objects.my_hostname()
             logger.info('Active instance with hostname {} is registered.'.format(my_hostname))
         except RuntimeError as e:
             # the CLUSTER_HOST_ID in the task, and web instance must match and
             # ensure network connectivity between the task and web instance
-            time.sleep(10)  # Prevent supervisor from restarting the service too quickly and the service to enter FATAL state
-            # sleeping before logging because logging rely on setting which require database connection...
-            logger.warning(f"Unable to return currently active instance: {e}, slept for 10s before return.")
+            logger.info('Unable to return currently active instance: {}, retry in 5s...'.format(e))
+            time.sleep(5)
             return
 
         if options.get('status'):
@@ -167,15 +165,14 @@ class Command(BaseCommand):
             return
 
         WebsocketsMetricsServer().start()
+        websocket_relay_manager = WebSocketRelayManager()
 
-        try:
-            logger.info('Starting Websocket Relayer...')
-            websocket_relay_manager = WebSocketRelayManager()
-            asyncio.run(websocket_relay_manager.run())
-        except KeyboardInterrupt:
-            logger.info('Terminating Websocket Relayer')
-        except BaseException as e:  # BaseException is used to catch all exceptions including asyncio.CancelledError
-            time.sleep(10)  # Prevent supervisor from restarting the service too quickly and the service to enter FATAL state
-            # sleeping before logging because logging rely on setting which require database connection...
-            logger.warning(f"Encounter error while running Websocket Relayer {e}, slept for 10s...")
-            return
+        while True:
+            try:
+                asyncio.run(websocket_relay_manager.run())
+            except KeyboardInterrupt:
+                logger.info('Shutting down Websocket Relayer')
+                break
+            except Exception as e:
+                logger.exception('Error in Websocket Relayer, exception: {}. Restarting in 10 seconds'.format(e))
+                time.sleep(10)

awx/main/middleware.py

@@ -1,25 +1,28 @@
 # Copyright (c) 2015 Ansible, Inc.
 # All Rights Reserved.
 
-import functools
 import logging
 import threading
 import time
 import urllib.parse
-from pathlib import Path, PurePosixPath
+from pathlib import Path
 
 from django.conf import settings
 from django.contrib.auth import logout
+from django.contrib.auth.models import User
 from django.db.migrations.recorder import MigrationRecorder
 from django.db import connection
 from django.shortcuts import redirect
+from django.apps import apps
 from django.utils.deprecation import MiddlewareMixin
+from django.utils.translation import gettext_lazy as _
 from django.urls import reverse, resolve
 
 from awx.main import migrations
+from awx.main.utils.named_url_graph import generate_graph, GraphNode
+from awx.conf import fields, register
 from awx.main.utils.profiling import AWXProfiler
 from awx.main.utils.common import memoize
-from awx.urls import get_urlpatterns
 
 
 logger = logging.getLogger('awx.main.middleware')
@@ -97,7 +100,49 @@ class DisableLocalAuthMiddleware(MiddlewareMixin):
                 logout(request)
 
 
+def _customize_graph():
+    from awx.main.models import Instance, Schedule, UnifiedJobTemplate
+
+    for model in [Schedule, UnifiedJobTemplate]:
+        if model in settings.NAMED_URL_GRAPH:
+            settings.NAMED_URL_GRAPH[model].remove_bindings()
+            settings.NAMED_URL_GRAPH.pop(model)
+    if User not in settings.NAMED_URL_GRAPH:
+        settings.NAMED_URL_GRAPH[User] = GraphNode(User, ['username'], [])
+        settings.NAMED_URL_GRAPH[User].add_bindings()
+    if Instance not in settings.NAMED_URL_GRAPH:
+        settings.NAMED_URL_GRAPH[Instance] = GraphNode(Instance, ['hostname'], [])
+        settings.NAMED_URL_GRAPH[Instance].add_bindings()
+
+
 class URLModificationMiddleware(MiddlewareMixin):
+    def __init__(self, get_response):
+        models = [m for m in apps.get_app_config('main').get_models() if hasattr(m, 'get_absolute_url')]
+        generate_graph(models)
+        _customize_graph()
+        register(
+            'NAMED_URL_FORMATS',
+            field_class=fields.DictField,
+            read_only=True,
+            label=_('Formats of all available named urls'),
+            help_text=_('Read-only list of key-value pairs that shows the standard format of all available named URLs.'),
+            category=_('Named URL'),
+            category_slug='named-url',
+        )
+        register(
+            'NAMED_URL_GRAPH_NODES',
+            field_class=fields.DictField,
+            read_only=True,
+            label=_('List of all named url graph nodes.'),
+            help_text=_(
+                'Read-only list of key-value pairs that exposes named URL graph topology.'
+                ' Use this list to programmatically generate named URLs for resources'
+            ),
+            category=_('Named URL'),
+            category_slug='named-url',
+        )
+        super().__init__(get_response)
+
     @staticmethod
     def _hijack_for_old_jt_name(node, kwargs, named_url):
         try:
@@ -138,36 +183,14 @@ class URLModificationMiddleware(MiddlewareMixin):
 
     @classmethod
     def _convert_named_url(cls, url_path):
-        default_prefix = PurePosixPath('/api/v2/')
-        optional_prefix = PurePosixPath(f'/api/{settings.OPTIONAL_API_URLPATTERN_PREFIX}/v2/')
-
-        url_path_original = url_path
-        url_path = PurePosixPath(url_path)
-
-        if set(optional_prefix.parts).issubset(set(url_path.parts)):
-            url_prefix = optional_prefix
-        elif set(default_prefix.parts).issubset(set(url_path.parts)):
-            url_prefix = default_prefix
-        else:
-            return url_path_original
-
-        # Remove prefix
-        url_path = PurePosixPath(*url_path.parts[len(url_prefix.parts) :])
-        try:
-            resource_path = PurePosixPath(url_path.parts[0])
-            name = url_path.parts[1]
-            url_suffix = PurePosixPath(*url_path.parts[2:])  # remove name and resource
-        except IndexError:
-            return url_path_original
-
-        resource = resource_path.parts[0]
+        url_units = url_path.split('/')
+        # If the identifier is an empty string, it is always invalid.
+        if len(url_units) < 6 or url_units[1] != 'api' or url_units[2] not in ['v2'] or not url_units[4]:
+            return url_path
+        resource = url_units[3]
         if resource in settings.NAMED_URL_MAPPINGS:
-            pk = PurePosixPath(cls._named_url_to_pk(settings.NAMED_URL_GRAPH[settings.NAMED_URL_MAPPINGS[resource]], resource, name))
-        else:
-            return url_path_original
-
-        parts = url_prefix.parts + resource_path.parts + pk.parts + url_suffix.parts
-        return PurePosixPath(*parts).as_posix() + '/'
+            url_units[4] = cls._named_url_to_pk(settings.NAMED_URL_GRAPH[settings.NAMED_URL_MAPPINGS[resource]], resource, url_units[4])
+        return '/'.join(url_units)
 
     def process_request(self, request):
         old_path = request.path_info
@@ -197,27 +220,3 @@ class MigrationRanCheckMiddleware(MiddlewareMixin):
     def process_request(self, request):
         if is_migrating() and getattr(resolve(request.path), 'url_name', '') != 'migrations_notran':
             return redirect(reverse("ui:migrations_notran"))
-
-
-class OptionalURLPrefixPath(MiddlewareMixin):
-    @functools.lru_cache
-    def _url_optional(self, prefix):
-        # Relavant Django code path https://github.com/django/django/blob/stable/4.2.x/django/core/handlers/base.py#L300
-        #
-        # resolve_request(request)
-        #   get_resolver(request.urlconf)
-        #     _get_cached_resolver(request.urlconf) <-- cached via @functools.cache
-        #
-        # Django will attempt to cache the value(s) of request.urlconf
-        # Being hashable is a prerequisit for being cachable.
-        # tuple() is hashable list() is not.
-        # Hence the tuple(list()) wrap.
-        return tuple(get_urlpatterns(prefix=prefix))
-
-    def process_request(self, request):
-        prefix = settings.OPTIONAL_API_URLPATTERN_PREFIX
-
-        if request.path.startswith(f"/api/{prefix}"):
-            request.urlconf = self._url_optional(prefix)
-        else:
-            request.urlconf = 'awx.urls'

awx/main/migrations/0021_v330_declare_new_rbac_roles.py

@@ -17,49 +17,49 @@ class Migration(migrations.Migration):
             model_name='organization',
             name='execute_role',
             field=awx.main.fields.ImplicitRoleField(
-                null='True', on_delete=django.db.models.deletion.SET_NULL, parent_role='admin_role', related_name='+', to='main.Role'
+                null='True', on_delete=django.db.models.deletion.CASCADE, parent_role='admin_role', related_name='+', to='main.Role'
             ),
         ),
         migrations.AddField(
             model_name='organization',
             name='job_template_admin_role',
             field=awx.main.fields.ImplicitRoleField(
-                editable=False, null='True', on_delete=django.db.models.deletion.SET_NULL, parent_role='admin_role', related_name='+', to='main.Role'
+                editable=False, null='True', on_delete=django.db.models.deletion.CASCADE, parent_role='admin_role', related_name='+', to='main.Role'
             ),
         ),
         migrations.AddField(
             model_name='organization',
             name='credential_admin_role',
             field=awx.main.fields.ImplicitRoleField(
-                null='True', on_delete=django.db.models.deletion.SET_NULL, parent_role='admin_role', related_name='+', to='main.Role'
+                null='True', on_delete=django.db.models.deletion.CASCADE, parent_role='admin_role', related_name='+', to='main.Role'
             ),
         ),
         migrations.AddField(
             model_name='organization',
             name='inventory_admin_role',
             field=awx.main.fields.ImplicitRoleField(
-                null='True', on_delete=django.db.models.deletion.SET_NULL, parent_role='admin_role', related_name='+', to='main.Role'
+                null='True', on_delete=django.db.models.deletion.CASCADE, parent_role='admin_role', related_name='+', to='main.Role'
             ),
         ),
         migrations.AddField(
             model_name='organization',
             name='project_admin_role',
             field=awx.main.fields.ImplicitRoleField(
-                null='True', on_delete=django.db.models.deletion.SET_NULL, parent_role='admin_role', related_name='+', to='main.Role'
+                null='True', on_delete=django.db.models.deletion.CASCADE, parent_role='admin_role', related_name='+', to='main.Role'
             ),
         ),
         migrations.AddField(
             model_name='organization',
             name='workflow_admin_role',
             field=awx.main.fields.ImplicitRoleField(
-                null='True', on_delete=django.db.models.deletion.SET_NULL, parent_role='admin_role', related_name='+', to='main.Role'
+                null='True', on_delete=django.db.models.deletion.CASCADE, parent_role='admin_role', related_name='+', to='main.Role'
             ),
         ),
         migrations.AddField(
             model_name='organization',
             name='notification_admin_role',
             field=awx.main.fields.ImplicitRoleField(
-                null='True', on_delete=django.db.models.deletion.SET_NULL, parent_role='admin_role', related_name='+', to='main.Role'
+                null='True', on_delete=django.db.models.deletion.CASCADE, parent_role='admin_role', related_name='+', to='main.Role'
             ),
         ),
         migrations.AlterField(
@@ -67,7 +67,7 @@ class Migration(migrations.Migration):
             name='admin_role',
             field=awx.main.fields.ImplicitRoleField(
                 null='True',
-                on_delete=django.db.models.deletion.SET_NULL,
+                on_delete=django.db.models.deletion.CASCADE,
                 parent_role=['singleton:system_administrator', 'organization.credential_admin_role'],
                 related_name='+',
                 to='main.Role',
@@ -77,7 +77,7 @@ class Migration(migrations.Migration):
             model_name='inventory',
             name='admin_role',
             field=awx.main.fields.ImplicitRoleField(
-                null='True', on_delete=django.db.models.deletion.SET_NULL, parent_role='organization.inventory_admin_role', related_name='+', to='main.Role'
+                null='True', on_delete=django.db.models.deletion.CASCADE, parent_role='organization.inventory_admin_role', related_name='+', to='main.Role'
             ),
         ),
         migrations.AlterField(
@@ -85,7 +85,7 @@ class Migration(migrations.Migration):
             name='admin_role',
             field=awx.main.fields.ImplicitRoleField(
                 null='True',
-                on_delete=django.db.models.deletion.SET_NULL,
+                on_delete=django.db.models.deletion.CASCADE,
                 parent_role=['organization.project_admin_role', 'singleton:system_administrator'],
                 related_name='+',
                 to='main.Role',
@@ -96,7 +96,7 @@ class Migration(migrations.Migration):
             name='admin_role',
             field=awx.main.fields.ImplicitRoleField(
                 null='True',
-                on_delete=django.db.models.deletion.SET_NULL,
+                on_delete=django.db.models.deletion.CASCADE,
                 parent_role=['singleton:system_administrator', 'organization.workflow_admin_role'],
                 related_name='+',
                 to='main.Role',
@@ -107,7 +107,7 @@ class Migration(migrations.Migration):
             name='execute_role',
             field=awx.main.fields.ImplicitRoleField(
                 null='True',
-                on_delete=django.db.models.deletion.SET_NULL,
+                on_delete=django.db.models.deletion.CASCADE,
                 parent_role=['admin_role', 'organization.execute_role'],
                 related_name='+',
                 to='main.Role',
@@ -119,7 +119,7 @@ class Migration(migrations.Migration):
             field=awx.main.fields.ImplicitRoleField(
                 editable=False,
                 null='True',
-                on_delete=django.db.models.deletion.SET_NULL,
+                on_delete=django.db.models.deletion.CASCADE,
                 parent_role=['project.organization.job_template_admin_role', 'inventory.organization.job_template_admin_role'],
                 related_name='+',
                 to='main.Role',
@@ -130,7 +130,7 @@ class Migration(migrations.Migration):
             name='execute_role',
             field=awx.main.fields.ImplicitRoleField(
                 null='True',
-                on_delete=django.db.models.deletion.SET_NULL,
+                on_delete=django.db.models.deletion.CASCADE,
                 parent_role=['admin_role', 'project.organization.execute_role', 'inventory.organization.execute_role'],
                 related_name='+',
                 to='main.Role',
@@ -142,7 +142,7 @@ class Migration(migrations.Migration):
             field=awx.main.fields.ImplicitRoleField(
                 editable=False,
                 null='True',
-                on_delete=django.db.models.deletion.SET_NULL,
+                on_delete=django.db.models.deletion.CASCADE,
                 parent_role=[
                     'admin_role',
                     'execute_role',

awx/main/migrations/0042_v330_org_member_role_deparent.py

@@ -18,7 +18,7 @@ class Migration(migrations.Migration):
             model_name='organization',
             name='member_role',
             field=awx.main.fields.ImplicitRoleField(
-                editable=False, null='True', on_delete=django.db.models.deletion.SET_NULL, parent_role=['admin_role'], related_name='+', to='main.Role'
+                editable=False, null='True', on_delete=django.db.models.deletion.CASCADE, parent_role=['admin_role'], related_name='+', to='main.Role'
             ),
         ),
         migrations.AlterField(
@@ -27,7 +27,7 @@ class Migration(migrations.Migration):
             field=awx.main.fields.ImplicitRoleField(
                 editable=False,
                 null='True',
-                on_delete=django.db.models.deletion.SET_NULL,
+                on_delete=django.db.models.deletion.CASCADE,
                 parent_role=[
                     'member_role',
                     'auditor_role',

awx/main/migrations/0086_v360_workflow_approval.py

@@ -36,7 +36,7 @@ class Migration(migrations.Migration):
             model_name='organization',
             name='approval_role',
             field=awx.main.fields.ImplicitRoleField(
-                editable=False, null='True', on_delete=django.db.models.deletion.SET_NULL, parent_role='admin_role', related_name='+', to='main.Role'
+                editable=False, null='True', on_delete=django.db.models.deletion.CASCADE, parent_role='admin_role', related_name='+', to='main.Role'
             ),
             preserve_default='True',
         ),
@@ -46,7 +46,7 @@ class Migration(migrations.Migration):
             field=awx.main.fields.ImplicitRoleField(
                 editable=False,
                 null='True',
-                on_delete=django.db.models.deletion.SET_NULL,
+                on_delete=django.db.models.deletion.CASCADE,
                 parent_role=['organization.approval_role', 'admin_role'],
                 related_name='+',
                 to='main.Role',
@@ -116,7 +116,7 @@ class Migration(migrations.Migration):
             field=awx.main.fields.ImplicitRoleField(
                 editable=False,
                 null='True',
-                on_delete=django.db.models.deletion.SET_NULL,
+                on_delete=django.db.models.deletion.CASCADE,
                 parent_role=[
                     'member_role',
                     'auditor_role',
@@ -139,7 +139,7 @@ class Migration(migrations.Migration):
             field=awx.main.fields.ImplicitRoleField(
                 editable=False,
                 null='True',
-                on_delete=django.db.models.deletion.SET_NULL,
+                on_delete=django.db.models.deletion.CASCADE,
                 parent_role=['singleton:system_auditor', 'organization.auditor_role', 'execute_role', 'admin_role', 'approval_role'],
                 related_name='+',
                 to='main.Role',

awx/main/migrations/0109_v370_job_template_organization_field.py

@@ -80,7 +80,7 @@ class Migration(migrations.Migration):
             field=awx.main.fields.ImplicitRoleField(
                 editable=False,
                 null='True',
-                on_delete=django.db.models.deletion.SET_NULL,
+                on_delete=django.db.models.deletion.CASCADE,
                 parent_role=['organization.job_template_admin_role'],
                 related_name='+',
                 to='main.Role',
@@ -92,7 +92,7 @@ class Migration(migrations.Migration):
             field=awx.main.fields.ImplicitRoleField(
                 editable=False,
                 null='True',
-                on_delete=django.db.models.deletion.SET_NULL,
+                on_delete=django.db.models.deletion.CASCADE,
                 parent_role=['admin_role', 'organization.execute_role'],
                 related_name='+',
                 to='main.Role',
@@ -104,7 +104,7 @@ class Migration(migrations.Migration):
             field=awx.main.fields.ImplicitRoleField(
                 editable=False,
                 null='True',
-                on_delete=django.db.models.deletion.SET_NULL,
+                on_delete=django.db.models.deletion.CASCADE,
                 parent_role=['organization.auditor_role', 'inventory.organization.auditor_role', 'execute_role', 'admin_role'],
                 related_name='+',
                 to='main.Role',

awx/main/migrations/0125_more_ee_modeling_changes.py

@@ -26,7 +26,7 @@ class Migration(migrations.Migration):
             model_name='organization',
             name='execution_environment_admin_role',
             field=awx.main.fields.ImplicitRoleField(
-                editable=False, null='True', on_delete=django.db.models.deletion.SET_NULL, parent_role='admin_role', related_name='+', to='main.Role'
+                editable=False, null='True', on_delete=django.db.models.deletion.CASCADE, parent_role='admin_role', related_name='+', to='main.Role'
             ),
             preserve_default='True',
         ),

awx/main/migrations/0128_organiaztion_read_roles_ee_admin.py

@@ -17,7 +17,7 @@ class Migration(migrations.Migration):
             field=awx.main.fields.ImplicitRoleField(
                 editable=False,
                 null='True',
-                on_delete=django.db.models.deletion.SET_NULL,
+                on_delete=django.db.models.deletion.CASCADE,
                 parent_role=[
                     'member_role',
                     'auditor_role',

awx/main/migrations/0177_instance_group_role_addition.py

@@ -17,7 +17,7 @@ class Migration(migrations.Migration):
             field=awx.main.fields.ImplicitRoleField(
                 editable=False,
                 null='True',
-                on_delete=django.db.models.deletion.SET_NULL,
+                on_delete=django.db.models.deletion.CASCADE,
                 parent_role=['singleton:system_administrator'],
                 related_name='+',
                 to='main.role',
@@ -30,7 +30,7 @@ class Migration(migrations.Migration):
             field=awx.main.fields.ImplicitRoleField(
                 editable=False,
                 null='True',
-                on_delete=django.db.models.deletion.SET_NULL,
+                on_delete=django.db.models.deletion.CASCADE,
                 parent_role=['singleton:system_auditor', 'use_role', 'admin_role'],
                 related_name='+',
                 to='main.role',
@@ -41,7 +41,7 @@ class Migration(migrations.Migration):
             model_name='instancegroup',
             name='use_role',
             field=awx.main.fields.ImplicitRoleField(
-                editable=False, null='True', on_delete=django.db.models.deletion.SET_NULL, parent_role=['admin_role'], related_name='+', to='main.role'
+                editable=False, null='True', on_delete=django.db.models.deletion.CASCADE, parent_role=['admin_role'], related_name='+', to='main.role'
             ),
             preserve_default='True',
         ),

awx/main/migrations/0190_alter_inventorysource_source_and_more.py

@@ -4,6 +4,7 @@ from django.db import migrations, models
 
 
 class Migration(migrations.Migration):
+
     dependencies = [
         ('main', '0189_inbound_hop_nodes'),
     ]

awx/main/migrations/0191_add_django_permissions.py

@@ -1,85 +0,0 @@
-# Generated by Django 4.2.6 on 2023-11-13 20:10
-
-from django.db import migrations
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ('main', '0190_alter_inventorysource_source_and_more'),
-        ('dab_rbac', '__first__'),
-    ]
-
-    operations = [
-        # Add custom permissions for all special actions, like update, use, adhoc, and so on
-        migrations.AlterModelOptions(
-            name='credential',
-            options={'ordering': ('name',), 'permissions': [('use_credential', 'Can use credential in a job or related resource')]},
-        ),
-        migrations.AlterModelOptions(
-            name='instancegroup',
-            options={'permissions': [('use_instancegroup', 'Can use instance group in a preference list of a resource')]},
-        ),
-        migrations.AlterModelOptions(
-            name='inventory',
-            options={
-                'ordering': ('name',),
-                'permissions': [
-                    ('use_inventory', 'Can use inventory in a job template'),
-                    ('adhoc_inventory', 'Can run ad hoc commands'),
-                    ('update_inventory', 'Can update inventory sources in inventory'),
-                ],
-                'verbose_name_plural': 'inventories',
-            },
-        ),
-        migrations.AlterModelOptions(
-            name='jobtemplate',
-            options={'ordering': ('name',), 'permissions': [('execute_jobtemplate', 'Can run this job template')]},
-        ),
-        migrations.AlterModelOptions(
-            name='project',
-            options={
-                'ordering': ('id',),
-                'permissions': [('update_project', 'Can run a project update'), ('use_project', 'Can use project in a job template')],
-            },
-        ),
-        migrations.AlterModelOptions(
-            name='workflowjobtemplate',
-            options={
-                'permissions': [
-                    ('execute_workflowjobtemplate', 'Can run this workflow job template'),
-                    ('approve_workflowjobtemplate', 'Can approve steps in this workflow job template'),
-                ]
-            },
-        ),
-        migrations.AlterModelOptions(
-            name='organization',
-            options={
-                'default_permissions': ('change', 'delete', 'view'),
-                'ordering': ('name',),
-                'permissions': [
-                    ('member_organization', 'Basic participation permissions for organization'),
-                    ('audit_organization', 'Audit everything inside the organization'),
-                ],
-            },
-        ),
-        migrations.AlterModelOptions(
-            name='team',
-            options={'ordering': ('organization__name', 'name'), 'permissions': [('member_team', 'Inherit all roles assigned to this team')]},
-        ),
-        # Remove add default permission for a few models
-        migrations.AlterModelOptions(
-            name='jobtemplate',
-            options={
-                'default_permissions': ('change', 'delete', 'view'),
-                'ordering': ('name',),
-                'permissions': [('execute_jobtemplate', 'Can run this job template')],
-            },
-        ),
-        migrations.AlterModelOptions(
-            name='instancegroup',
-            options={
-                'default_permissions': ('change', 'delete', 'view'),
-                'permissions': [('use_instancegroup', 'Can use instance group in a preference list of a resource')],
-            },
-        ),
-    ]

awx/main/migrations/0192_custom_roles.py

@@ -1,20 +0,0 @@
-# Generated by Django 4.2.6 on 2023-11-21 02:06
-
-from django.db import migrations
-
-from awx.main.migrations._dab_rbac import migrate_to_new_rbac, create_permissions_as_operation, setup_managed_role_definitions
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ('main', '0191_add_django_permissions'),
-        ('dab_rbac', '__first__'),
-    ]
-
-    operations = [
-        # make sure permissions and content types have been created by now
-        # these normally run in a post_migrate signal but we need them for our logic
-        migrations.RunPython(create_permissions_as_operation, migrations.RunPython.noop),
-        migrations.RunPython(setup_managed_role_definitions, migrations.RunPython.noop),
-        migrations.RunPython(migrate_to_new_rbac, migrations.RunPython.noop),
-    ]

awx/main/migrations/0193_alter_notification_notification_type_and_more.py

@@ -1,51 +0,0 @@
-# Generated by Django 4.2.6 on 2024-05-08 07:29
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('main', '0192_custom_roles'),
-    ]
-
-    operations = [
-        migrations.AlterField(
-            model_name='notification',
-            name='notification_type',
-            field=models.CharField(
-                choices=[
-                    ('awssns', 'AWS SNS'),
-                    ('email', 'Email'),
-                    ('grafana', 'Grafana'),
-                    ('irc', 'IRC'),
-                    ('mattermost', 'Mattermost'),
-                    ('pagerduty', 'Pagerduty'),
-                    ('rocketchat', 'Rocket.Chat'),
-                    ('slack', 'Slack'),
-                    ('twilio', 'Twilio'),
-                    ('webhook', 'Webhook'),
-                ],
-                max_length=32,
-            ),
-        ),
-        migrations.AlterField(
-            model_name='notificationtemplate',
-            name='notification_type',
-            field=models.CharField(
-                choices=[
-                    ('awssns', 'AWS SNS'),
-                    ('email', 'Email'),
-                    ('grafana', 'Grafana'),
-                    ('irc', 'IRC'),
-                    ('mattermost', 'Mattermost'),
-                    ('pagerduty', 'Pagerduty'),
-                    ('rocketchat', 'Rocket.Chat'),
-                    ('slack', 'Slack'),
-                    ('twilio', 'Twilio'),
-                    ('webhook', 'Webhook'),
-                ],
-                max_length=32,
-            ),
-        ),
-    ]

awx/main/migrations/0194_alter_inventorysource_source_and_more.py

@@ -1,61 +0,0 @@
-# Generated by Django 4.2.10 on 2024-06-12 19:59
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('main', '0193_alter_notification_notification_type_and_more'),
-    ]
-
-    operations = [
-        migrations.AlterField(
-            model_name='inventorysource',
-            name='source',
-            field=models.CharField(
-                choices=[
-                    ('file', 'File, Directory or Script'),
-                    ('constructed', 'Template additional groups and hostvars at runtime'),
-                    ('scm', 'Sourced from a Project'),
-                    ('ec2', 'Amazon EC2'),
-                    ('gce', 'Google Compute Engine'),
-                    ('azure_rm', 'Microsoft Azure Resource Manager'),
-                    ('vmware', 'VMware vCenter'),
-                    ('satellite6', 'Red Hat Satellite 6'),
-                    ('openstack', 'OpenStack'),
-                    ('rhv', 'Red Hat Virtualization'),
-                    ('controller', 'Red Hat Ansible Automation Platform'),
-                    ('insights', 'Red Hat Insights'),
-                    ('terraform', 'Terraform State'),
-                    ('openshift_virtualization', 'OpenShift Virtualization'),
-                ],
-                default=None,
-                max_length=32,
-            ),
-        ),
-        migrations.AlterField(
-            model_name='inventoryupdate',
-            name='source',
-            field=models.CharField(
-                choices=[
-                    ('file', 'File, Directory or Script'),
-                    ('constructed', 'Template additional groups and hostvars at runtime'),
-                    ('scm', 'Sourced from a Project'),
-                    ('ec2', 'Amazon EC2'),
-                    ('gce', 'Google Compute Engine'),
-                    ('azure_rm', 'Microsoft Azure Resource Manager'),
-                    ('vmware', 'VMware vCenter'),
-                    ('satellite6', 'Red Hat Satellite 6'),
-                    ('openstack', 'OpenStack'),
-                    ('rhv', 'Red Hat Virtualization'),
-                    ('controller', 'Red Hat Ansible Automation Platform'),
-                    ('insights', 'Red Hat Insights'),
-                    ('terraform', 'Terraform State'),
-                    ('openshift_virtualization', 'OpenShift Virtualization'),
-                ],
-                default=None,
-                max_length=32,
-            ),
-        ),
-    ]

awx/main/migrations/0195_EE_permissions.py

@@ -1,26 +0,0 @@
-# Generated by Django 4.2.6 on 2024-06-20 15:55
-
-from django.db import migrations
-
-
-def delete_execution_environment_read_role(apps, schema_editor):
-    permission_classes = [apps.get_model('auth', 'Permission'), apps.get_model('dab_rbac', 'DABPermission')]
-    for permission_cls in permission_classes:
-        ee_read_perm = permission_cls.objects.filter(codename='view_executionenvironment').first()
-        if ee_read_perm:
-            ee_read_perm.delete()
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('main', '0194_alter_inventorysource_source_and_more'),
-    ]
-
-    operations = [
-        migrations.AlterModelOptions(
-            name='executionenvironment',
-            options={'default_permissions': ('add', 'change', 'delete'), 'ordering': ('-created',)},
-        ),
-        migrations.RunPython(delete_execution_environment_read_role, migrations.RunPython.noop),
-    ]

awx/main/migrations/_dab_rbac.py

@@ -1,433 +0,0 @@
-import json
-import logging
-
-from django.apps import apps as global_apps
-from django.db.models import ForeignKey
-from django.conf import settings
-from ansible_base.rbac.migrations._utils import give_permissions
-from ansible_base.rbac.management import create_dab_permissions
-
-from awx.main.fields import ImplicitRoleField
-from awx.main.constants import role_name_to_perm_mapping
-
-from ansible_base.rbac.permission_registry import permission_registry
-
-
-logger = logging.getLogger('awx.main.migrations._dab_rbac')
-
-
-def create_permissions_as_operation(apps, schema_editor):
-    create_dab_permissions(global_apps.get_app_config("main"), apps=apps)
-
-
-"""
-Data structures and methods for the migration of old Role model to ObjectRole
-"""
-
-system_admin = ImplicitRoleField(name='system_administrator')
-system_auditor = ImplicitRoleField(name='system_auditor')
-system_admin.model = None
-system_auditor.model = None
-
-
-def resolve_parent_role(f, role_path):
-    """
-    Given a field and a path declared in parent_role from the field definition, like
-        execute_role = ImplicitRoleField(parent_role='admin_role')
-    This expects to be passed in (execute_role object, "admin_role")
-    It hould return the admin_role from that object
-    """
-    if role_path == 'singleton:system_administrator':
-        return system_admin
-    elif role_path == 'singleton:system_auditor':
-        return system_auditor
-    else:
-        related_field = f
-        current_model = f.model
-        for related_field_name in role_path.split('.'):
-            related_field = current_model._meta.get_field(related_field_name)
-            if isinstance(related_field, ForeignKey) and not isinstance(related_field, ImplicitRoleField):
-                current_model = related_field.related_model
-        return related_field
-
-
-def build_role_map(apps):
-    """
-    For the old Role model, this builds and returns dictionaries (children, parents)
-    which give a global mapping of the ImplicitRoleField instances according to the graph
-    """
-    models = set(apps.get_app_config('main').get_models())
-
-    all_fields = set()
-    parents = {}
-    children = {}
-
-    all_fields.add(system_admin)
-    all_fields.add(system_auditor)
-
-    for cls in models:
-        for f in cls._meta.get_fields():
-            if isinstance(f, ImplicitRoleField):
-                all_fields.add(f)
-
-    for f in all_fields:
-        if f.parent_role is not None:
-            if isinstance(f.parent_role, str):
-                parent_roles = [f.parent_role]
-            else:
-                parent_roles = f.parent_role
-
-            # SPECIAL CASE: organization auditor_role is not a child of admin_role
-            # this makes no practical sense and conflicts with expected managed role
-            # so we put it in as a hack here
-            if f.name == 'auditor_role' and f.model._meta.model_name == 'organization':
-                parent_roles.append('admin_role')
-
-            parent_list = []
-            for rel_name in parent_roles:
-                parent_list.append(resolve_parent_role(f, rel_name))
-
-            parents[f] = parent_list
-
-    # build children lookup from parents lookup
-    for child_field, parent_list in parents.items():
-        for parent_field in parent_list:
-            children.setdefault(parent_field, [])
-            children[parent_field].append(child_field)
-
-    return (parents, children)
-
-
-def get_descendents(f, children_map):
-    """
-    Given ImplicitRoleField F and the children mapping, returns all descendents
-    of that field, as a set of other fields, including itself
-    """
-    ret = {f}
-    if f in children_map:
-        for child_field in children_map[f]:
-            ret.update(get_descendents(child_field, children_map))
-    return ret
-
-
-def get_permissions_for_role(role_field, children_map, apps):
-    Permission = apps.get_model('dab_rbac', 'DABPermission')
-    ContentType = apps.get_model('contenttypes', 'ContentType')
-
-    perm_list = []
-    for child_field in get_descendents(role_field, children_map):
-        if child_field.name in role_name_to_perm_mapping:
-            for perm_name in role_name_to_perm_mapping[child_field.name]:
-                if perm_name == 'add_' and role_field.model._meta.model_name != 'organization':
-                    continue  # only organizations can contain add permissions
-                perm = Permission.objects.filter(content_type=ContentType.objects.get_for_model(child_field.model), codename__startswith=perm_name).first()
-                if perm is not None and perm not in perm_list:
-                    perm_list.append(perm)
-
-    # special case for two models that have object roles but no organization roles in old system
-    if role_field.name == 'notification_admin_role' or (role_field.name == 'admin_role' and role_field.model._meta.model_name == 'organization'):
-        ct = ContentType.objects.get_for_model(apps.get_model('main', 'NotificationTemplate'))
-        perm_list.extend(list(Permission.objects.filter(content_type=ct)))
-    if role_field.name == 'execution_environment_admin_role' or (role_field.name == 'admin_role' and role_field.model._meta.model_name == 'organization'):
-        ct = ContentType.objects.get_for_model(apps.get_model('main', 'ExecutionEnvironment'))
-        perm_list.extend(list(Permission.objects.filter(content_type=ct)))
-
-    # more special cases for those same above special org-level roles
-    if role_field.name == 'auditor_role':
-        perm_list.append(Permission.objects.get(codename='view_notificationtemplate'))
-
-    return perm_list
-
-
-def model_class(ct, apps):
-    """
-    You can not use model methods in migrations, so this duplicates
-    what ContentType.model_class does, using current apps
-    """
-    try:
-        return apps.get_model(ct.app_label, ct.model)
-    except LookupError:
-        return None
-
-
-def migrate_to_new_rbac(apps, schema_editor):
-    """
-    This method moves the assigned permissions from the old rbac.py models
-    to the new RoleDefinition and ObjectRole models
-    """
-    Role = apps.get_model('main', 'Role')
-    RoleDefinition = apps.get_model('dab_rbac', 'RoleDefinition')
-    RoleUserAssignment = apps.get_model('dab_rbac', 'RoleUserAssignment')
-    Permission = apps.get_model('dab_rbac', 'DABPermission')
-
-    # remove add premissions that are not valid for migrations from old versions
-    for perm_str in ('add_organization', 'add_jobtemplate'):
-        perm = Permission.objects.filter(codename=perm_str).first()
-        if perm:
-            perm.delete()
-
-    managed_definitions = dict()
-    for role_definition in RoleDefinition.objects.filter(managed=True).exclude(name__in=(settings.ANSIBLE_BASE_JWT_MANAGED_ROLES)):
-        permissions = frozenset(role_definition.permissions.values_list('id', flat=True))
-        managed_definitions[permissions] = role_definition
-
-    # Build map of old role model
-    parents, children = build_role_map(apps)
-
-    # NOTE: this import is expected to break at some point, and then just move the data here
-    from awx.main.models.rbac import role_descriptions
-
-    for role in Role.objects.prefetch_related('members', 'parents').iterator():
-        if role.singleton_name:
-            continue  # only bothering to migrate object roles
-
-        team_roles = []
-        for parent in role.parents.all():
-            if parent.id not in json.loads(role.implicit_parents):
-                team_roles.append(parent)
-
-        # we will not create any roles that do not have any users or teams
-        if not (role.members.all() or team_roles):
-            logger.debug(f'Skipping role {role.role_field} for {role.content_type.model}-{role.object_id} due to no members')
-            continue
-
-        # get a list of permissions that the old role would grant
-        object_cls = apps.get_model(f'main.{role.content_type.model}')
-        object = object_cls.objects.get(pk=role.object_id)  # WORKAROUND, role.content_object does not work in migrations
-        f = object._meta.get_field(role.role_field)  # should be ImplicitRoleField
-        perm_list = get_permissions_for_role(f, children, apps)
-
-        permissions = frozenset(perm.id for perm in perm_list)
-
-        # With the needed permissions established, obtain the RoleDefinition this will need, priorities:
-        # 1. If it exists as a managed RoleDefinition then obviously use that
-        # 2. If we already created this for a prior role, use that
-        # 3. Create a new RoleDefinition that lists those permissions
-        if permissions in managed_definitions:
-            role_definition = managed_definitions[permissions]
-        else:
-            action = role.role_field.rsplit('_', 1)[0]  # remove the _field ending of the name
-            role_definition_name = f'{model_class(role.content_type, apps).__name__} {action.title()}'
-
-            description = role_descriptions[role.role_field]
-            if type(description) == dict:
-                if role.content_type.model in description:
-                    description = description.get(role.content_type.model)
-                else:
-                    description = description.get('default')
-            if '%s' in description:
-                description = description % role.content_type.model
-
-            role_definition, created = RoleDefinition.objects.get_or_create(
-                name=role_definition_name,
-                defaults={'description': description, 'content_type_id': role.content_type_id},
-            )
-
-            if created:
-                logger.info(f'Created custom Role Definition {role_definition_name}, pk={role_definition.pk}')
-                role_definition.permissions.set(perm_list)
-
-        # Create the object role and add users to it
-        give_permissions(
-            apps,
-            role_definition,
-            users=role.members.all(),
-            teams=[tr.object_id for tr in team_roles],
-            object_id=role.object_id,
-            content_type_id=role.content_type_id,
-        )
-
-    # Create new replacement system auditor role
-    new_system_auditor, created = RoleDefinition.objects.get_or_create(
-        name='System Auditor',
-        defaults={'description': 'Migrated singleton role giving read permission to everything', 'managed': True},
-    )
-    new_system_auditor.permissions.add(*list(Permission.objects.filter(codename__startswith='view')))
-
-    # migrate is_system_auditor flag, because it is no longer handled by a system role
-    old_system_auditor = Role.objects.filter(singleton_name='system_auditor').first()
-    if old_system_auditor:
-        # if the system auditor role is not present, this is a new install and no users should exist
-        ct = 0
-        for user in role.members.all():
-            RoleUserAssignment.objects.create(user=user, role_definition=new_system_auditor)
-            ct += 1
-        if ct:
-            logger.info(f'Migrated {ct} users to new system auditor flag')
-
-
-def get_or_create_managed(name, description, ct, permissions, RoleDefinition):
-    role_definition, created = RoleDefinition.objects.get_or_create(name=name, defaults={'managed': True, 'description': description, 'content_type': ct})
-    role_definition.permissions.set(list(permissions))
-
-    if not role_definition.managed:
-        role_definition.managed = True
-        role_definition.save(update_fields=['managed'])
-
-    if created:
-        logger.info(f'Created RoleDefinition {role_definition.name} pk={role_definition} with {len(permissions)} permissions')
-
-    return role_definition
-
-
-def setup_managed_role_definitions(apps, schema_editor):
-    """
-    Idepotent method to create or sync the managed role definitions
-    """
-    to_create = {
-        'object_admin': '{cls.__name__} Admin',
-        'org_admin': 'Organization Admin',
-        'org_children': 'Organization {cls.__name__} Admin',
-        'special': '{cls.__name__} {action}',
-    }
-
-    ContentType = apps.get_model('contenttypes', 'ContentType')
-    Permission = apps.get_model('dab_rbac', 'DABPermission')
-    RoleDefinition = apps.get_model('dab_rbac', 'RoleDefinition')
-    Organization = apps.get_model(settings.ANSIBLE_BASE_ORGANIZATION_MODEL)
-    org_ct = ContentType.objects.get_for_model(Organization)
-    managed_role_definitions = []
-
-    org_perms = set()
-    for cls in permission_registry.all_registered_models:
-        ct = ContentType.objects.get_for_model(cls)
-        cls_name = cls._meta.model_name
-        object_perms = set(Permission.objects.filter(content_type=ct))
-        # Special case for InstanceGroup which has an organiation field, but is not an organization child object
-        if cls_name != 'instancegroup':
-            org_perms.update(object_perms)
-
-        if 'object_admin' in to_create and cls_name != 'organization':
-            indiv_perms = object_perms.copy()
-            add_perms = [perm for perm in indiv_perms if perm.codename.startswith('add_')]
-            if add_perms:
-                for perm in add_perms:
-                    indiv_perms.remove(perm)
-
-            managed_role_definitions.append(
-                get_or_create_managed(
-                    to_create['object_admin'].format(cls=cls), f'Has all permissions to a single {cls._meta.verbose_name}', ct, indiv_perms, RoleDefinition
-                )
-            )
-            if cls_name == 'team':
-                managed_role_definitions.append(
-                    get_or_create_managed(
-                        'Controller Team Admin',
-                        f'Has all permissions to a single {cls._meta.verbose_name}',
-                        ct,
-                        indiv_perms,
-                        RoleDefinition,
-                    )
-                )
-
-        if 'org_children' in to_create and (cls_name not in ('organization', 'instancegroup', 'team')):
-            org_child_perms = object_perms.copy()
-            org_child_perms.add(Permission.objects.get(codename='view_organization'))
-
-            managed_role_definitions.append(
-                get_or_create_managed(
-                    to_create['org_children'].format(cls=cls),
-                    f'Has all permissions to {cls._meta.verbose_name_plural} within an organization',
-                    org_ct,
-                    org_child_perms,
-                    RoleDefinition,
-                )
-            )
-
-        if 'special' in to_create:
-            special_perms = []
-            for perm in object_perms:
-                # Organization auditor is handled separately
-                if perm.codename.split('_')[0] not in ('add', 'change', 'delete', 'view', 'audit'):
-                    special_perms.append(perm)
-            for perm in special_perms:
-                action = perm.codename.split('_')[0]
-                view_perm = Permission.objects.get(content_type=ct, codename__startswith='view_')
-                perm_list = [perm, view_perm]
-                # Handle special-case where adhoc role also listed use permission
-                if action == 'adhoc':
-                    for other_perm in object_perms:
-                        if other_perm.codename == 'use_inventory':
-                            perm_list.append(other_perm)
-                            break
-                managed_role_definitions.append(
-                    get_or_create_managed(
-                        to_create['special'].format(cls=cls, action=action.title()),
-                        f'Has {action} permissions to a single {cls._meta.verbose_name}',
-                        ct,
-                        perm_list,
-                        RoleDefinition,
-                    )
-                )
-                if action == 'member' and cls_name in ('organization', 'team'):
-                    suffix = to_create['special'].format(cls=cls, action=action.title())
-                    rd_name = f'Controller {suffix}'
-                    managed_role_definitions.append(
-                        get_or_create_managed(
-                            rd_name,
-                            f'Has {action} permissions to a single {cls._meta.verbose_name}',
-                            ct,
-                            perm_list,
-                            RoleDefinition,
-                        )
-                    )
-
-    if 'org_admin' in to_create:
-        managed_role_definitions.append(
-            get_or_create_managed(
-                to_create['org_admin'].format(cls=Organization),
-                'Has all permissions to a single organization and all objects inside of it',
-                org_ct,
-                org_perms,
-                RoleDefinition,
-            )
-        )
-        managed_role_definitions.append(
-            get_or_create_managed(
-                'Controller Organization Admin',
-                'Has all permissions to a single organization and all objects inside of it',
-                org_ct,
-                org_perms,
-                RoleDefinition,
-            )
-        )
-
-    # Special "organization action" roles
-    audit_permissions = [perm for perm in org_perms if perm.codename.startswith('view_')]
-    audit_permissions.append(Permission.objects.get(codename='audit_organization'))
-    managed_role_definitions.append(
-        get_or_create_managed(
-            'Organization Audit',
-            'Has permission to view all objects inside of a single organization',
-            org_ct,
-            audit_permissions,
-            RoleDefinition,
-        )
-    )
-
-    org_execute_permissions = {'view_jobtemplate', 'execute_jobtemplate', 'view_workflowjobtemplate', 'execute_workflowjobtemplate', 'view_organization'}
-    managed_role_definitions.append(
-        get_or_create_managed(
-            'Organization Execute',
-            'Has permission to execute all runnable objects in the organization',
-            org_ct,
-            [perm for perm in org_perms if perm.codename in org_execute_permissions],
-            RoleDefinition,
-        )
-    )
-
-    org_approval_permissions = {'view_organization', 'view_workflowjobtemplate', 'approve_workflowjobtemplate'}
-    managed_role_definitions.append(
-        get_or_create_managed(
-            'Organization Approval',
-            'Has permission to approve any workflow steps within a single organization',
-            org_ct,
-            [perm for perm in org_perms if perm.codename in org_approval_permissions],
-            RoleDefinition,
-        )
-    )
-
-    unexpected_role_definitions = RoleDefinition.objects.filter(managed=True).exclude(pk__in=[rd.pk for rd in managed_role_definitions])
-    for role_definition in unexpected_role_definitions:
-        logger.info(f'Deleting old managed role definition {role_definition.name}, pk={role_definition.pk}')
-        role_definition.delete()

awx/main/models/__init__.py

@@ -1,8 +1,6 @@
 # Copyright (c) 2015 Ansible, Inc.
 # All Rights Reserved.
 
-import json
-
 # Django
 from django.conf import settings  # noqa
 from django.db import connection
@@ -10,10 +8,7 @@ from django.db.models.signals import pre_delete  # noqa
 
 # django-ansible-base
 from ansible_base.resource_registry.fields import AnsibleResourceField
-from ansible_base.rbac import permission_registry
-from ansible_base.rbac.models import RoleDefinition, RoleUserAssignment
 from ansible_base.lib.utils.models import prevent_search
-from ansible_base.lib.utils.models import user_summary_fields
 
 # AWX
 from awx.main.models.base import BaseModel, PrimordialModel, accepts_json, CLOUD_INVENTORY_SOURCES, VERBOSITY_CHOICES  # noqa
@@ -107,7 +102,6 @@ User.add_to_class('get_queryset', get_user_queryset)
 User.add_to_class('can_access', check_user_access)
 User.add_to_class('can_access_with_errors', check_user_access_with_errors)
 User.add_to_class('resource', AnsibleResourceField(primary_key_field="id"))
-User.add_to_class('summary_fields', user_summary_fields)
 
 
 def convert_jsonfields():
@@ -176,17 +170,17 @@ pre_delete.connect(cleanup_created_modified_by, sender=User)
 
 @property
 def user_get_organizations(user):
-    return Organization.access_qs(user, 'member')
+    return Organization.objects.filter(member_role__members=user)
 
 
 @property
 def user_get_admin_of_organizations(user):
-    return Organization.access_qs(user, 'change')
+    return Organization.objects.filter(admin_role__members=user)
 
 
 @property
 def user_get_auditor_of_organizations(user):
-    return Organization.access_qs(user, 'audit')
+    return Organization.objects.filter(auditor_role__members=user)
 
 
 @property
@@ -200,21 +194,11 @@ User.add_to_class('auditor_of_organizations', user_get_auditor_of_organizations)
 User.add_to_class('created', created)
 
 
-def get_system_auditor_role():
-    rd, created = RoleDefinition.objects.get_or_create(
-        name='System Auditor', defaults={'description': 'Migrated singleton role giving read permission to everything'}
-    )
-    if created:
-        rd.permissions.add(*list(permission_registry.permission_qs.filter(codename__startswith='view')))
-    return rd
-
-
 @property
 def user_is_system_auditor(user):
     if not hasattr(user, '_is_system_auditor'):
         if user.pk:
-            rd = get_system_auditor_role()
-            user._is_system_auditor = RoleUserAssignment.objects.filter(user=user, role_definition=rd).exists()
+            user._is_system_auditor = user.roles.filter(singleton_name='system_auditor', role_field='system_auditor').exists()
         else:
             # Odd case where user is unsaved, this should never be relied on
             return False
@@ -228,17 +212,17 @@ def user_is_system_auditor(user, tf):
         # time they've logged in, and we've just created the new User in this
         # request), we need one to set up the system auditor role
         user.save()
-    rd = get_system_auditor_role()
-    assignment = RoleUserAssignment.objects.filter(user=user, role_definition=rd).first()
-    prior_value = bool(assignment)
-    if prior_value != bool(tf):
-        if assignment:
-            assignment.delete()
-        else:
-            rd.give_global_permission(user)
-        user._is_system_auditor = bool(tf)
-        entry = ActivityStream.objects.create(changes=json.dumps({"is_system_auditor": [prior_value, bool(tf)]}), object1='user', operation='update')
-        entry.user.add(user)
+    if tf:
+        role = Role.singleton('system_auditor')
+        # must check if member to not duplicate activity stream
+        if user not in role.members.all():
+            role.members.add(user)
+        user._is_system_auditor = True
+    else:
+        role = Role.singleton('system_auditor')
+        if user in role.members.all():
+            role.members.remove(user)
+        user._is_system_auditor = False
 
 
 User.add_to_class('is_system_auditor', user_is_system_auditor)
@@ -306,10 +290,6 @@ activity_stream_registrar.connect(WorkflowApprovalTemplate)
 activity_stream_registrar.connect(OAuth2Application)
 activity_stream_registrar.connect(OAuth2AccessToken)
 
-# Register models
-permission_registry.register(Project, Team, WorkflowJobTemplate, JobTemplate, Inventory, Organization, Credential, NotificationTemplate, ExecutionEnvironment)
-permission_registry.register(InstanceGroup, parent_field_name=None)  # Not part of an organization
-
 # prevent API filtering on certain Django-supplied sensitive fields
 prevent_search(User._meta.get_field('password'))
 prevent_search(OAuth2AccessToken._meta.get_field('token'))

awx/main/models/base.py

@@ -7,9 +7,6 @@ from django.core.exceptions import ValidationError, ObjectDoesNotExist
 from django.utils.translation import gettext_lazy as _
 from django.utils.timezone import now
 
-# django-ansible-base
-from ansible_base.lib.utils.models import get_type_for_model
-
 # Django-CRUM
 from crum import get_current_user
 
@@ -142,23 +139,6 @@ class BaseModel(models.Model):
             self.save(update_fields=update_fields)
         return update_fields
 
-    def summary_fields(self):
-        """
-        This exists for use by django-ansible-base,
-        which has standard patterns that differ from AWX, but we enable views from DAB
-        for those views to list summary_fields for AWX models, those models need to provide this
-        """
-        from awx.api.serializers import SUMMARIZABLE_FK_FIELDS
-
-        model_name = get_type_for_model(self)
-        related_fields = SUMMARIZABLE_FK_FIELDS.get(model_name, {})
-        summary_data = {}
-        for field_name in related_fields:
-            fval = getattr(self, field_name, None)
-            if fval is not None:
-                summary_data[field_name] = fval
-        return summary_data
-
 
 class CreatedModifiedModel(BaseModel):
     """

awx/main/models/credential/__init__.py

@@ -21,10 +21,6 @@ from django.conf import settings
 from django.utils.encoding import force_str
 from django.utils.functional import cached_property
 from django.utils.timezone import now
-from django.contrib.auth.models import User
-
-# DRF
-from rest_framework.serializers import ValidationError as DRFValidationError
 
 # AWX
 from awx.api.versioning import reverse
@@ -45,7 +41,6 @@ from awx.main.models.rbac import (
     ROLE_SINGLETON_SYSTEM_ADMINISTRATOR,
     ROLE_SINGLETON_SYSTEM_AUDITOR,
 )
-from awx.main.models import Team, Organization
 from awx.main.utils import encrypt_field
 from . import injectors as builtin_injectors
 
@@ -88,7 +83,6 @@ class Credential(PasswordFieldsModel, CommonModelNameNotUnique, ResourceMixin):
         app_label = 'main'
         ordering = ('name',)
         unique_together = ('organization', 'name', 'credential_type')
-        permissions = [('use_credential', 'Can use credential in a job or related resource')]
 
     PASSWORD_FIELDS = ['inputs']
     FIELDS_TO_PRESERVE_AT_COPY = ['input_sources']
@@ -320,16 +314,6 @@ class Credential(PasswordFieldsModel, CommonModelNameNotUnique, ResourceMixin):
         else:
             raise ValueError('{} is not a dynamic input field'.format(field_name))
 
-    def validate_role_assignment(self, actor, role_definition):
-        if self.organization:
-            if isinstance(actor, User):
-                if actor.is_superuser or Organization.access_qs(actor, 'member').filter(id=self.organization.id).exists():
-                    return
-            if isinstance(actor, Team):
-                if actor.organization == self.organization:
-                    return
-            raise DRFValidationError({'detail': _(f"You cannot grant credential access to a {actor._meta.object_name} not in the credentials' organization")})
-
 
 class CredentialType(CommonModelNameNotUnique):
     """
@@ -1247,14 +1231,6 @@ ManagedCredentialType(
                 'multiline': True,
                 'help_text': gettext_noop('Terraform backend config as Hashicorp configuration language.'),
             },
-            {
-                'id': 'gce_credentials',
-                'label': gettext_noop('Google Cloud Platform account credentials'),
-                'type': 'string',
-                'secret': True,
-                'multiline': True,
-                'help_text': gettext_noop('Google Cloud Platform account credentials in JSON format.'),
-            },
         ],
         'required': ['configuration'],
     },

awx/main/models/credential/injectors.py

@@ -130,10 +130,3 @@ def terraform(cred, env, private_data_dir):
         os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
         f.write(cred.get_input('configuration'))
     env['TF_BACKEND_CONFIG_FILE'] = to_container_path(path, private_data_dir)
-    # Handle env variables for GCP account credentials
-    if 'gce_credentials' in cred.inputs:
-        handle, path = tempfile.mkstemp(dir=os.path.join(private_data_dir, 'env'))
-        with os.fdopen(handle, 'w') as f:
-            os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
-            f.write(cred.get_input('gce_credentials'))
-        env['GOOGLE_BACKEND_CREDENTIALS'] = to_container_path(path, private_data_dir)

awx/main/models/events.py

@@ -4,12 +4,11 @@ import datetime
 from datetime import timezone
 import logging
 from collections import defaultdict
-import itertools
 import time
 
 from django.conf import settings
 from django.core.exceptions import ObjectDoesNotExist
-from django.db import models, DatabaseError, transaction
+from django.db import models, DatabaseError
 from django.db.models.functions import Cast
 from django.utils.dateparse import parse_datetime
 from django.utils.text import Truncator
@@ -606,23 +605,19 @@ class JobEvent(BasePlaybookEvent):
     def _update_host_metrics(updated_hosts_list):
         from awx.main.models import HostMetric  # circular import
 
+        # bulk-create
         current_time = now()
-
-        # FUTURE:
-        #   - Hand-rolled implementation of itertools.batched(), introduced in Python 3.12.  Replace.
-        #   - Ability to do ORM upserts *may* have been introduced in Django 5.0.
-        #     See the entry about `create_defaults` in https://docs.djangoproject.com/en/5.0/releases/5.0/#models.
-        #     Hopefully this will be fully ready for batch use by 5.2 LTS.
-
-        args = [iter(updated_hosts_list)] * 500
-        for hosts in itertools.zip_longest(*args):
-            with transaction.atomic():
-                HostMetric.objects.bulk_create(
-                    [HostMetric(hostname=hostname, last_automation=current_time) for hostname in hosts if hostname is not None], ignore_conflicts=True
-                )
-                HostMetric.objects.filter(hostname__in=hosts).update(
-                    last_automation=current_time, automated_counter=models.F('automated_counter') + 1, deleted=False
-                )
+        HostMetric.objects.bulk_create(
+            [HostMetric(hostname=hostname, last_automation=current_time) for hostname in updated_hosts_list], ignore_conflicts=True, batch_size=100
+        )
+        # bulk-update
+        batch_start, batch_size = 0, 1000
+        while batch_start <= len(updated_hosts_list):
+            batched_host_list = updated_hosts_list[batch_start : (batch_start + batch_size)]
+            HostMetric.objects.filter(hostname__in=batched_host_list).update(
+                last_automation=current_time, automated_counter=models.F('automated_counter') + 1, deleted=False
+            )
+            batch_start += batch_size
 
     @property
     def job_verbosity(self):

awx/main/models/execution_environments.py

@@ -1,8 +1,6 @@
 from django.db import models
 from django.utils.translation import gettext_lazy as _
 
-from rest_framework.exceptions import ValidationError
-
 from awx.api.versioning import reverse
 from awx.main.models.base import CommonModel
 from awx.main.validators import validate_container_image_name
@@ -14,8 +12,6 @@ __all__ = ['ExecutionEnvironment']
 class ExecutionEnvironment(CommonModel):
     class Meta:
         ordering = ('-created',)
-        # Remove view permission, as a temporary solution, defer to organization read permission
-        default_permissions = ('add', 'change', 'delete')
 
     PULL_CHOICES = [
         ('always', _("Always pull container before running.")),
@@ -57,12 +53,3 @@ class ExecutionEnvironment(CommonModel):
 
     def get_absolute_url(self, request=None):
         return reverse('api:execution_environment_detail', kwargs={'pk': self.pk}, request=request)
-
-    def validate_role_assignment(self, actor, role_definition):
-        if self.managed:
-            raise ValidationError({'object_id': _('Can not assign object roles to managed Execution Environments')})
-        if self.organization_id is None:
-            raise ValidationError({'object_id': _('Can not assign object roles to global Execution Environments')})
-
-        if actor._meta.model_name == 'user' and (not actor.has_obj_perm(self.organization, 'view')):
-            raise ValidationError({'user': _('User must have view permission to Execution Environment organization')})

awx/main/models/ha.py

@@ -485,9 +485,6 @@ class InstanceGroup(HasPolicyEditsMixin, BaseModel, RelatedJobsMixin, ResourceMi
 
     class Meta:
         app_label = 'main'
-        permissions = [('use_instancegroup', 'Can use instance group in a preference list of a resource')]
-        # Since this has no direct organization field only superuser can add, so remove add permission
-        default_permissions = ('change', 'delete', 'view')
 
     def set_default_policy_fields(self):
         self.policy_instance_list = []

awx/main/models/inventory.py

@@ -11,8 +11,6 @@ import os.path
 from urllib.parse import urljoin
 
 import yaml
-import tempfile
-import stat
 
 # Django
 from django.conf import settings
@@ -91,11 +89,6 @@ class Inventory(CommonModelNameNotUnique, ResourceMixin, RelatedJobsMixin):
         verbose_name_plural = _('inventories')
         unique_together = [('name', 'organization')]
         ordering = ('name',)
-        permissions = [
-            ('use_inventory', 'Can use inventory in a job template'),
-            ('adhoc_inventory', 'Can run ad hoc commands'),
-            ('update_inventory', 'Can update inventory sources in inventory'),
-        ]
 
     organization = models.ForeignKey(
         'Organization',
@@ -933,7 +926,6 @@ class InventorySourceOptions(BaseModel):
         ('controller', _('Red Hat Ansible Automation Platform')),
         ('insights', _('Red Hat Insights')),
         ('terraform', _('Terraform State')),
-        ('openshift_virtualization', _('OpenShift Virtualization')),
     ]
 
     # From the options of the Django management base command
@@ -1043,7 +1035,7 @@ class InventorySourceOptions(BaseModel):
     def cloud_credential_validation(source, cred):
         if not source:
             return None
-        if cred and source not in ('custom', 'scm', 'openshift_virtualization'):
+        if cred and source not in ('custom', 'scm'):
             # If a credential was provided, it's important that it matches
             # the actual inventory source being used (Amazon requires Amazon
             # credentials; Rackspace requires Rackspace credentials; etc...)
@@ -1052,14 +1044,12 @@ class InventorySourceOptions(BaseModel):
         # Allow an EC2 source to omit the credential.  If Tower is running on
         # an EC2 instance with an IAM Role assigned, boto will use credentials
         # from the instance metadata instead of those explicitly provided.
-        elif source in CLOUD_PROVIDERS and source not in ['ec2', 'openshift_virtualization']:
+        elif source in CLOUD_PROVIDERS and source != 'ec2':
             return _('Credential is required for a cloud source.')
         elif source == 'custom' and cred and cred.credential_type.kind in ('scm', 'ssh', 'insights', 'vault'):
             return _('Credentials of type machine, source control, insights and vault are disallowed for custom inventory sources.')
         elif source == 'scm' and cred and cred.credential_type.kind in ('insights', 'vault'):
             return _('Credentials of type insights and vault are disallowed for scm inventory sources.')
-        elif source == 'openshift_virtualization' and cred and cred.credential_type.kind != 'kubernetes':
-            return _('Credentials of type kubernetes is requred for openshift_virtualization inventory sources.')
         return None
 
     def get_cloud_credential(self):
@@ -1410,7 +1400,7 @@ class InventoryUpdate(UnifiedJob, InventorySourceOptions, JobNotificationMixin,
         return selected_groups
 
 
-class CustomInventoryScript(CommonModelNameNotUnique):
+class CustomInventoryScript(CommonModelNameNotUnique, ResourceMixin):
     class Meta:
         app_label = 'main'
         ordering = ('name',)
@@ -1643,39 +1633,17 @@ class satellite6(PluginFileInjector):
 
 class terraform(PluginFileInjector):
     plugin_name = 'terraform_state'
+    base_injector = 'managed'
     namespace = 'cloud'
     collection = 'terraform'
     use_fqcn = True
 
     def inventory_as_dict(self, inventory_update, private_data_dir):
+        env = super(terraform, self).get_plugin_env(inventory_update, private_data_dir, None)
         ret = super().inventory_as_dict(inventory_update, private_data_dir)
-        credential = inventory_update.get_cloud_credential()
-        config_cred = credential.get_input('configuration')
-        if config_cred:
-            handle, path = tempfile.mkstemp(dir=os.path.join(private_data_dir, 'env'))
-            with os.fdopen(handle, 'w') as f:
-                os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
-                f.write(config_cred)
-            ret['backend_config_files'] = to_container_path(path, private_data_dir)
+        ret['backend_config_files'] = env["TF_BACKEND_CONFIG_FILE"]
         return ret
 
-    def build_plugin_private_data(self, inventory_update, private_data_dir):
-        credential = inventory_update.get_cloud_credential()
-
-        private_data = {'credentials': {}}
-        gce_cred = credential.get_input('gce_credentials', default=None)
-        if gce_cred:
-            private_data['credentials'][credential] = gce_cred
-        return private_data
-
-    def get_plugin_env(self, inventory_update, private_data_dir, private_data_files):
-        env = super(terraform, self).get_plugin_env(inventory_update, private_data_dir, private_data_files)
-        credential = inventory_update.get_cloud_credential()
-        cred_data = private_data_files['credentials']
-        if credential in cred_data:
-            env['GOOGLE_BACKEND_CREDENTIALS'] = to_container_path(cred_data[credential], private_data_dir)
-        return env
-
 
 class controller(PluginFileInjector):
     plugin_name = 'tower'  # TODO: relying on routing for now, update after EEs pick up revised collection
@@ -1696,16 +1664,6 @@ class insights(PluginFileInjector):
     use_fqcn = True
 
 
-class openshift_virtualization(PluginFileInjector):
-    plugin_name = 'kubevirt'
-    base_injector = 'template'
-    namespace = 'kubevirt'
-    collection = 'core'
-    downstream_namespace = 'redhat'
-    downstream_collection = 'openshift_virtualization'
-    use_fqcn = True
-
-
 class constructed(PluginFileInjector):
     plugin_name = 'constructed'
     namespace = 'ansible'

awx/main/models/jobs.py

@@ -205,9 +205,6 @@ class JobTemplate(UnifiedJobTemplate, JobOptions, SurveyJobTemplateMixin, Resour
     class Meta:
         app_label = 'main'
         ordering = ('name',)
-        permissions = [('execute_jobtemplate', 'Can run this job template')]
-        # Remove add permission, ability to add comes from use permission for inventory, project, credentials
-        default_permissions = ('change', 'delete', 'view')
 
     job_type = models.CharField(
         max_length=64,

awx/main/models/mixins.py

@@ -19,14 +19,13 @@ from django.utils.translation import gettext_lazy as _
 from ansible_base.lib.utils.models import prevent_search
 
 # AWX
-
-from awx.main.models.rbac import Role, RoleAncestorEntry, to_permissions
+from awx.main.models.rbac import Role, RoleAncestorEntry
 from awx.main.utils import parse_yaml_or_json, get_custom_venv_choices, get_licenser, polymorphic
 from awx.main.utils.execution_environments import get_default_execution_environment
 from awx.main.utils.encryption import decrypt_value, get_encryption_key, is_encrypted
 from awx.main.utils.polymorphic import build_polymorphic_ctypes_map
 from awx.main.fields import AskForField
-from awx.main.constants import ACTIVE_STATES, org_role_to_permission
+from awx.main.constants import ACTIVE_STATES
 
 
 logger = logging.getLogger('awx.main.models.mixins')
@@ -65,18 +64,6 @@ class ResourceMixin(models.Model):
 
     @staticmethod
     def _accessible_pk_qs(cls, accessor, role_field, content_types=None):
-        if settings.ANSIBLE_BASE_ROLE_SYSTEM_ACTIVATED:
-            if cls._meta.model_name == 'organization' and role_field in org_role_to_permission:
-                # Organization roles can not use the DAB RBAC shortcuts
-                # like Organization.access_qs(user, 'change_jobtemplate') is needed
-                # not just Organization.access_qs(user, 'change') is needed
-                if accessor.is_superuser:
-                    return cls.objects.values_list('id')
-
-                codename = org_role_to_permission[role_field]
-
-                return cls.access_ids_qs(accessor, codename, content_types=content_types)
-            return cls.access_ids_qs(accessor, to_permissions[role_field], content_types=content_types)
         if accessor._meta.model_name == 'user':
             ancestor_roles = accessor.roles.all()
         elif type(accessor) == Role:

awx/main/models/notifications.py

@@ -31,7 +31,6 @@ from awx.main.notifications.mattermost_backend import MattermostBackend
 from awx.main.notifications.grafana_backend import GrafanaBackend
 from awx.main.notifications.rocketchat_backend import RocketChatBackend
 from awx.main.notifications.irc_backend import IrcBackend
-from awx.main.notifications.awssns_backend import AWSSNSBackend
 
 
 logger = logging.getLogger('awx.main.models.notifications')
@@ -41,7 +40,6 @@ __all__ = ['NotificationTemplate', 'Notification']
 
 class NotificationTemplate(CommonModelNameNotUnique):
     NOTIFICATION_TYPES = [
-        ('awssns', _('AWS SNS'), AWSSNSBackend),
         ('email', _('Email'), CustomEmailBackend),
         ('slack', _('Slack'), SlackBackend),
         ('twilio', _('Twilio'), TwilioBackend),
@@ -396,11 +394,11 @@ class JobNotificationMixin(object):
                 'verbosity': 0,
             },
             'job_friendly_name': 'Job',
-            'url': 'https://platformhost/#/jobs/playbook/1010',
+            'url': 'https://towerhost/#/jobs/playbook/1010',
             'approval_status': 'approved',
             'approval_node_name': 'Approve Me',
-            'workflow_url': 'https://platformhost/#/jobs/workflow/1010',
-            'job_metadata': """{'url': 'https://platformhost/$/jobs/playbook/13',
+            'workflow_url': 'https://towerhost/#/jobs/workflow/1010',
+            'job_metadata': """{'url': 'https://towerhost/$/jobs/playbook/13',
  'traceback': '',
  'status': 'running',
  'started': '2019-08-07T21:46:38.362630+00:00',

awx/main/models/organization.py

@@ -35,12 +35,6 @@ class Organization(CommonModel, NotificationFieldsModel, ResourceMixin, CustomVi
     class Meta:
         app_label = 'main'
         ordering = ('name',)
-        permissions = [
-            ('member_organization', 'Basic participation permissions for organization'),
-            ('audit_organization', 'Audit everything inside the organization'),
-        ]
-        # Remove add permission, only superuser can add
-        default_permissions = ('change', 'delete', 'view')
 
     instance_groups = OrderedManyToManyField('InstanceGroup', blank=True, through='OrganizationInstanceGroupMembership')
     galaxy_credentials = OrderedManyToManyField(
@@ -143,7 +137,6 @@ class Team(CommonModelNameNotUnique, ResourceMixin):
         app_label = 'main'
         unique_together = [('organization', 'name')]
         ordering = ('organization__name', 'name')
-        permissions = [('member_team', 'Inherit all roles assigned to this team')]
 
     organization = models.ForeignKey(
         'Organization',

awx/main/models/projects.py

@@ -259,7 +259,6 @@ class Project(UnifiedJobTemplate, ProjectOptions, ResourceMixin, CustomVirtualEn
     class Meta:
         app_label = 'main'
         ordering = ('id',)
-        permissions = [('update_project', 'Can run a project update'), ('use_project', 'Can use project in a job template')]
 
     default_environment = models.ForeignKey(
         'ExecutionEnvironment',

awx/main/models/rbac.py

@@ -7,30 +7,14 @@ import threading
 import contextlib
 import re
 
-# django-rest-framework
-from rest_framework.serializers import ValidationError
-
-# crum to impersonate users
-from crum import impersonate
-
 # Django
 from django.db import models, transaction, connection
-from django.db.models.signals import m2m_changed
-from django.contrib.auth import get_user_model
 from django.contrib.contenttypes.models import ContentType
 from django.contrib.contenttypes.fields import GenericForeignKey
 from django.utils.translation import gettext_lazy as _
-from django.apps import apps
-from django.conf import settings
-
-# Ansible_base app
-from ansible_base.rbac.models import RoleDefinition
-from ansible_base.lib.utils.models import get_type_for_model
 
 # AWX
 from awx.api.versioning import reverse
-from awx.main.migrations._dab_rbac import build_role_map, get_permissions_for_role
-from awx.main.constants import role_name_to_perm_mapping, org_role_to_permission
 
 __all__ = [
     'Role',
@@ -91,11 +75,6 @@ role_descriptions = {
 }
 
 
-to_permissions = {}
-for k, v in role_name_to_perm_mapping.items():
-    to_permissions[k] = v[0].strip('_')
-
-
 tls = threading.local()  # thread local storage
 
 
@@ -107,8 +86,10 @@ def check_singleton(func):
     """
 
     def wrapper(*args, **kwargs):
+        sys_admin = Role.singleton(ROLE_SINGLETON_SYSTEM_ADMINISTRATOR)
+        sys_audit = Role.singleton(ROLE_SINGLETON_SYSTEM_AUDITOR)
         user = args[0]
-        if user.is_superuser or user.is_system_auditor:
+        if user in sys_admin or user in sys_audit:
             if len(args) == 2:
                 return args[1]
             return Role.objects.all()
@@ -188,24 +169,6 @@ class Role(models.Model):
 
     def __contains__(self, accessor):
         if accessor._meta.model_name == 'user':
-            if accessor.is_superuser:
-                return True
-            if self.role_field == 'system_administrator':
-                return accessor.is_superuser
-            elif self.role_field == 'system_auditor':
-                return accessor.is_system_auditor
-            elif self.role_field in ('read_role', 'auditor_role') and accessor.is_system_auditor:
-                return True
-
-            if settings.ANSIBLE_BASE_ROLE_SYSTEM_ACTIVATED:
-                if self.content_object and self.content_object._meta.model_name == 'organization' and self.role_field in org_role_to_permission:
-                    codename = org_role_to_permission[self.role_field]
-
-                    return accessor.has_obj_perm(self.content_object, codename)
-
-                if self.role_field not in to_permissions:
-                    raise Exception(f'{self.role_field} evaluated but not a translatable permission')
-                return accessor.has_obj_perm(self.content_object, to_permissions[self.role_field])
             return self.ancestors.filter(members=accessor).exists()
         else:
             raise RuntimeError(f'Role evaluations only valid for users, received {accessor}')
@@ -317,9 +280,6 @@ class Role(models.Model):
         #
         #
 
-        if settings.ANSIBLE_BASE_ROLE_SYSTEM_ACTIVATED:
-            return
-
         if len(additions) == 0 and len(removals) == 0:
             return
 
@@ -452,12 +412,6 @@ class Role(models.Model):
         in their organization, but some of those roles descend from
         organization admin_role, but not auditor_role.
         """
-        if settings.ANSIBLE_BASE_ROLE_SYSTEM_ACTIVATED:
-            from ansible_base.rbac.models import RoleEvaluation
-
-            q = RoleEvaluation.objects.filter(role__in=user.has_roles.all()).values_list('object_id', 'content_type_id').query
-            return roles_qs.extra(where=[f'(object_id,content_type_id) in ({q})'])
-
         return roles_qs.filter(
             id__in=RoleAncestorEntry.objects.filter(
                 descendent__in=RoleAncestorEntry.objects.filter(ancestor_id__in=list(user.roles.values_list('id', flat=True))).values_list(
@@ -480,13 +434,6 @@ class Role(models.Model):
         return self.singleton_name in [ROLE_SINGLETON_SYSTEM_ADMINISTRATOR, ROLE_SINGLETON_SYSTEM_AUDITOR]
 
 
-class AncestorManager(models.Manager):
-    def get_queryset(self):
-        if settings.ANSIBLE_BASE_ROLE_SYSTEM_ACTIVATED:
-            raise RuntimeError('The old RBAC system has been disabled, this should never be called')
-        return super(AncestorManager, self).get_queryset()
-
-
 class RoleAncestorEntry(models.Model):
     class Meta:
         app_label = 'main'
@@ -504,8 +451,6 @@ class RoleAncestorEntry(models.Model):
     content_type_id = models.PositiveIntegerField(null=False)
     object_id = models.PositiveIntegerField(null=False)
 
-    objects = AncestorManager()
-
 
 def role_summary_fields_generator(content_object, role_field):
     global role_descriptions
@@ -534,204 +479,3 @@ def role_summary_fields_generator(content_object, role_field):
     summary['name'] = role_names[role_field]
     summary['id'] = getattr(content_object, '{}_id'.format(role_field))
     return summary
-
-
-# ----------------- Custom Role Compatibility -------------------------
-# The following are methods to connect this (old) RBAC system to the new
-# system which allows custom roles
-# this follows the ORM interface layer documented in docs/rbac.md
-def get_role_codenames(role):
-    obj = role.content_object
-    if obj is None:
-        return
-    f = obj._meta.get_field(role.role_field)
-    parents, children = build_role_map(apps)
-    return [perm.codename for perm in get_permissions_for_role(f, children, apps)]
-
-
-def get_role_definition(role):
-    """Given a old-style role, this gives a role definition in the new RBAC system for it"""
-    obj = role.content_object
-    if obj is None:
-        return
-    f = obj._meta.get_field(role.role_field)
-    action_name = f.name.rsplit("_", 1)[0]
-    model_print = type(obj).__name__
-    perm_list = get_role_codenames(role)
-    defaults = {
-        'content_type_id': role.content_type_id,
-        'description': f'Has {action_name.title()} permission to {model_print} for backwards API compatibility',
-    }
-    # use Controller-specific role definitions for Team/Organization and member/admin
-    # instead of platform role definitions
-    # these should exist in the system already, so just do a lookup by role definition name
-    if model_print in ['Team', 'Organization'] and action_name in ['member', 'admin']:
-        rd_name = f'Controller {model_print} {action_name.title()}'
-        rd = RoleDefinition.objects.filter(name=rd_name).first()
-        if rd:
-            return rd
-        else:
-            return RoleDefinition.objects.create_from_permissions(permissions=perm_list, name=rd_name, managed=True, **defaults)
-
-    else:
-        rd_name = f'{model_print} {action_name.title()} Compat'
-
-    with impersonate(None):
-        try:
-            rd, created = RoleDefinition.objects.get_or_create(name=rd_name, permissions=perm_list, defaults=defaults)
-        except ValidationError:
-            # This is a tricky case - practically speaking, users should not be allowed to create team roles
-            # or roles that include the team member permission.
-            # If we need to create this for compatibility purposes then we will create it as a managed non-editable role
-            defaults['managed'] = True
-            rd, created = RoleDefinition.objects.get_or_create(name=rd_name, permissions=perm_list, defaults=defaults)
-    return rd
-
-
-def get_role_from_object_role(object_role):
-    """
-    Given an object role from the new system, return the corresponding role from the old system
-    reverses naming from get_role_definition, and the ANSIBLE_BASE_ROLE_PRECREATE setting.
-    """
-    rd = object_role.role_definition
-    if rd.name.endswith(' Compat'):
-        model_name, role_name, _ = rd.name.split()
-        role_name = role_name.lower()
-        role_name += '_role'
-    elif rd.name.startswith('Controller') and rd.name.endswith(' Admin'):
-        # Controller Organization Admin and Controller Team Admin
-        role_name = 'admin_role'
-    elif rd.name.startswith('Controller') and rd.name.endswith(' Member'):
-        # Controller Organization Member and Controller Team Member
-        role_name = 'member_role'
-    elif rd.name.endswith(' Admin') and rd.name.count(' ') == 2:
-        # cases like "Organization Project Admin"
-        model_name, target_model_name, role_name = rd.name.split()
-        role_name = role_name.lower()
-        model_cls = apps.get_model('main', target_model_name)
-        target_model_name = get_type_for_model(model_cls)
-
-        # exception cases completely specific to one model naming convention
-        if target_model_name == 'notification_template':
-            target_model_name = 'notification'
-        elif target_model_name == 'workflow_job_template':
-            target_model_name = 'workflow'
-
-        role_name = f'{target_model_name}_admin_role'
-    elif rd.name.endswith(' Admin'):
-        # cases like "project-admin"
-        role_name = 'admin_role'
-    elif rd.name == 'Organization Audit':
-        role_name = 'auditor_role'
-    else:
-        model_name, role_name = rd.name.split()
-        role_name = role_name.lower()
-        role_name += '_role'
-    return getattr(object_role.content_object, role_name)
-
-
-def give_or_remove_permission(role, actor, giving=True):
-    obj = role.content_object
-    if obj is None:
-        return
-    rd = get_role_definition(role)
-    rd.give_or_remove_permission(actor, obj, giving=giving)
-
-
-class SyncEnabled(threading.local):
-    def __init__(self):
-        self.enabled = True
-
-
-rbac_sync_enabled = SyncEnabled()
-
-
-@contextlib.contextmanager
-def disable_rbac_sync():
-    try:
-        previous_value = rbac_sync_enabled.enabled
-        rbac_sync_enabled.enabled = False
-        yield
-    finally:
-        rbac_sync_enabled.enabled = previous_value
-
-
-def give_creator_permissions(user, obj):
-    assignment = RoleDefinition.objects.give_creator_permissions(user, obj)
-    if assignment:
-        with disable_rbac_sync():
-            old_role = get_role_from_object_role(assignment.object_role)
-            old_role.members.add(user)
-
-
-def sync_members_to_new_rbac(instance, action, model, pk_set, reverse, **kwargs):
-    if action.startswith('pre_'):
-        return
-    if not rbac_sync_enabled.enabled:
-        return
-
-    if action == 'post_add':
-        is_giving = True
-    elif action == 'post_remove':
-        is_giving = False
-    elif action == 'post_clear':
-        raise RuntimeError('Clearing of role members not supported')
-
-    if reverse:
-        user = instance
-    else:
-        role = instance
-
-    for user_or_role_id in pk_set:
-        if reverse:
-            role = Role.objects.get(pk=user_or_role_id)
-        else:
-            user = get_user_model().objects.get(pk=user_or_role_id)
-        give_or_remove_permission(role, user, giving=is_giving)
-
-
-def sync_parents_to_new_rbac(instance, action, model, pk_set, reverse, **kwargs):
-    if action.startswith('pre_'):
-        return
-
-    if action == 'post_add':
-        is_giving = True
-    elif action == 'post_remove':
-        is_giving = False
-    elif action == 'post_clear':
-        raise RuntimeError('Clearing of role members not supported')
-
-    if reverse:
-        parent_role = instance
-    else:
-        child_role = instance
-
-    for role_id in pk_set:
-        if reverse:
-            try:
-                child_role = Role.objects.get(id=role_id)
-            except Role.DoesNotExist:
-                continue
-        else:
-            try:
-                parent_role = Role.objects.get(id=role_id)
-            except Role.DoesNotExist:
-                continue
-
-        # To a fault, we want to avoid running this if triggered from implicit_parents management
-        # we only want to do anything if we know for sure this is a non-implicit team role
-        if parent_role.role_field == 'member_role' and parent_role.content_type.model == 'team':
-            # Team internal parents are member_role->read_role and admin_role->member_role
-            # for the same object, this parenting will also be implicit_parents management
-            # do nothing for internal parents, but OTHER teams may still be assigned permissions to a team
-            if (child_role.content_type_id == parent_role.content_type_id) and (child_role.object_id == parent_role.object_id):
-                return
-
-            from awx.main.models.organization import Team
-
-            team = Team.objects.get(pk=parent_role.object_id)
-            give_or_remove_permission(child_role, team, giving=is_giving)
-
-
-m2m_changed.connect(sync_members_to_new_rbac, Role.members.through)
-m2m_changed.connect(sync_parents_to_new_rbac, Role.parents.through)

awx/main/models/unified_jobs.py

@@ -17,7 +17,7 @@ from collections import OrderedDict
 
 # Django
 from django.conf import settings
-from django.db import models, connection, transaction
+from django.db import models, connection
 from django.core.exceptions import NON_FIELD_ERRORS
 from django.utils.translation import gettext_lazy as _
 from django.utils.timezone import now
@@ -31,15 +31,13 @@ from rest_framework.exceptions import ParseError
 from polymorphic.models import PolymorphicModel
 
 from ansible_base.lib.utils.models import prevent_search, get_type_for_model
-from ansible_base.rbac import permission_registry
 
 # AWX
 from awx.main.models.base import CommonModelNameNotUnique, PasswordFieldsModel, NotificationFieldsModel
 from awx.main.dispatch import get_task_queuename
 from awx.main.dispatch.control import Control as ControlDispatcher
 from awx.main.registrar import activity_stream_registrar
-from awx.main.models.mixins import TaskManagerUnifiedJobMixin, ExecutionEnvironmentMixin
-from awx.main.models.rbac import to_permissions
+from awx.main.models.mixins import ResourceMixin, TaskManagerUnifiedJobMixin, ExecutionEnvironmentMixin
 from awx.main.utils.common import (
     camelcase_to_underscore,
     get_model_for_type,
@@ -198,7 +196,9 @@ class UnifiedJobTemplate(PolymorphicModel, CommonModelNameNotUnique, ExecutionEn
 
     @classmethod
     def _submodels_with_roles(cls):
-        return [c for c in cls.__subclasses__() if permission_registry.is_registered(c)]
+        ujt_classes = [c for c in cls.__subclasses__() if c._meta.model_name not in ['inventorysource', 'systemjobtemplate']]
+        ct_dict = ContentType.objects.get_for_models(*ujt_classes)
+        return [ct.id for ct in ct_dict.values()]
 
     @classmethod
     def accessible_pk_qs(cls, accessor, role_field):
@@ -210,23 +210,7 @@ class UnifiedJobTemplate(PolymorphicModel, CommonModelNameNotUnique, ExecutionEn
         # do not use this if in a subclass
         if cls != UnifiedJobTemplate:
             return super(UnifiedJobTemplate, cls).accessible_pk_qs(accessor, role_field)
-        from ansible_base.rbac.models import RoleEvaluation
-
-        action = to_permissions[role_field]
-
-        # Special condition for super auditor
-        role_subclasses = cls._submodels_with_roles()
-        role_cts = ContentType.objects.get_for_models(*role_subclasses).values()
-        all_codenames = {f'{action}_{cls._meta.model_name}' for cls in role_subclasses}
-        if not (all_codenames - accessor.singleton_permissions()):
-            qs = cls.objects.filter(polymorphic_ctype__in=role_cts)
-            return qs.values_list('id', flat=True)
-
-        return (
-            RoleEvaluation.objects.filter(role__in=accessor.has_roles.all(), codename__in=all_codenames, content_type_id__in=[ct.id for ct in role_cts])
-            .values_list('object_id')
-            .distinct()
-        )
+        return ResourceMixin._accessible_pk_qs(cls, accessor, role_field, content_types=cls._submodels_with_roles())
 
     def _perform_unique_checks(self, unique_checks):
         # Handle the list of unique fields returned above. Replace with an
@@ -280,14 +264,7 @@ class UnifiedJobTemplate(PolymorphicModel, CommonModelNameNotUnique, ExecutionEn
         if new_next_schedule:
             if new_next_schedule.pk == self.next_schedule_id and new_next_schedule.next_run == self.next_job_run:
                 return  # no-op, common for infrequent schedules
-
-            # If in a transaction, use select_for_update to lock the next schedule row, which
-            # prevents a race condition if new_next_schedule is deleted elsewhere during this transaction
-            if transaction.get_autocommit():
-                self.next_schedule = related_schedules.first()
-            else:
-                self.next_schedule = related_schedules.select_for_update().first()
-
+            self.next_schedule = new_next_schedule
             self.next_job_run = new_next_schedule.next_run
             self.save(update_fields=['next_schedule', 'next_job_run'])
 
@@ -837,7 +814,7 @@ class UnifiedJob(
                 update_fields.append(key)
 
         if parent_instance:
-            if self.status in ('pending', 'running'):
+            if self.status in ('pending', 'waiting', 'running'):
                 if parent_instance.current_job != self:
                     parent_instance_set('current_job', self)
                 # Update parent with all the 'good' states of it's child
@@ -874,7 +851,7 @@ class UnifiedJob(
         # If this job already exists in the database, retrieve a copy of
         # the job in its prior state.
         # If update_fields are given without status, then that indicates no change
-        if self.status != 'waiting' and self.pk and ((not update_fields) or ('status' in update_fields)):
+        if self.pk and ((not update_fields) or ('status' in update_fields)):
             self_before = self.__class__.objects.get(pk=self.pk)
             if self_before.status != self.status:
                 status_before = self_before.status
@@ -916,8 +893,7 @@ class UnifiedJob(
                 update_fields.append('elapsed')
 
         # Ensure that the job template information is current.
-        # unless status is 'waiting', because this happens in large batches at end of task manager runs and is blocking
-        if self.status != 'waiting' and self.unified_job_template != self._get_parent_instance():
+        if self.unified_job_template != self._get_parent_instance():
             self.unified_job_template = self._get_parent_instance()
             if 'unified_job_template' not in update_fields:
                 update_fields.append('unified_job_template')
@@ -930,9 +906,8 @@ class UnifiedJob(
         # Okay; we're done. Perform the actual save.
         result = super(UnifiedJob, self).save(*args, **kwargs)
 
-        # If status changed, update the parent instance
-        # unless status is 'waiting', because this happens in large batches at end of task manager runs and is blocking
-        if self.status != status_before and self.status != 'waiting':
+        # If status changed, update the parent instance.
+        if self.status != status_before:
             # Update parent outside of the transaction for Job w/ allow_simultaneous=True
             # This dodges lock contention at the expense of the foreign key not being
             # completely correct.
@@ -1624,8 +1599,7 @@ class UnifiedJob(
             extra["controller_node"] = self.controller_node or "NOT_SET"
         elif state == "execution_node_chosen":
             extra["execution_node"] = self.execution_node or "NOT_SET"
-
-        logger_job_lifecycle.info(f"{msg} {json.dumps(extra)}")
+        logger_job_lifecycle.info(msg, extra=extra)
 
     @property
     def launched_by(self):

awx/main/models/workflow.py

@@ -467,10 +467,6 @@ class WorkflowJobTemplate(UnifiedJobTemplate, WorkflowJobOptions, SurveyJobTempl
 
     class Meta:
         app_label = 'main'
-        permissions = [
-            ('execute_workflowjobtemplate', 'Can run this workflow job template'),
-            ('approve_workflowjobtemplate', 'Can approve steps in this workflow job template'),
-        ]
 
     notification_templates_approvals = models.ManyToManyField(
         "NotificationTemplate",

awx/main/notifications/awssns_backend.py

@@ -1,70 +0,0 @@
-# Copyright (c) 2016 Ansible, Inc.
-# All Rights Reserved.
-import json
-import logging
-
-import boto3
-from botocore.exceptions import ClientError
-
-from awx.main.notifications.base import AWXBaseEmailBackend
-from awx.main.notifications.custom_notification_base import CustomNotificationBase
-
-logger = logging.getLogger('awx.main.notifications.awssns_backend')
-WEBSOCKET_TIMEOUT = 30
-
-
-class AWSSNSBackend(AWXBaseEmailBackend, CustomNotificationBase):
-    init_parameters = {
-        "aws_region": {"label": "AWS Region", "type": "string", "default": ""},
-        "aws_access_key_id": {"label": "Access Key ID", "type": "string", "default": ""},
-        "aws_secret_access_key": {"label": "Secret Access Key", "type": "password", "default": ""},
-        "aws_session_token": {"label": "Session Token", "type": "password", "default": ""},
-        "sns_topic_arn": {"label": "SNS Topic ARN", "type": "string", "default": ""},
-    }
-    recipient_parameter = "sns_topic_arn"
-    sender_parameter = None
-
-    DEFAULT_BODY = "{{ job_metadata }}"
-    default_messages = CustomNotificationBase.job_metadata_messages
-
-    def __init__(self, aws_region, aws_access_key_id, aws_secret_access_key, aws_session_token, fail_silently=False, **kwargs):
-        session = boto3.session.Session()
-        client_config = {"service_name": 'sns'}
-        if aws_region:
-            client_config["region_name"] = aws_region
-        if aws_secret_access_key:
-            client_config["aws_secret_access_key"] = aws_secret_access_key
-        if aws_access_key_id:
-            client_config["aws_access_key_id"] = aws_access_key_id
-        if aws_session_token:
-            client_config["aws_session_token"] = aws_session_token
-        self.client = session.client(**client_config)
-        super(AWSSNSBackend, self).__init__(fail_silently=fail_silently)
-
-    def _sns_publish(self, topic_arn, message):
-        self.client.publish(TopicArn=topic_arn, Message=message, MessageAttributes={})
-
-    def format_body(self, body):
-        if isinstance(body, str):
-            try:
-                body = json.loads(body)
-            except json.JSONDecodeError:
-                pass
-
-        if isinstance(body, dict):
-            body = json.dumps(body)
-        # convert dict body to json string
-        return body
-
-    def send_messages(self, messages):
-        sent_messages = 0
-        for message in messages:
-            sns_topic_arn = str(message.recipients()[0])
-            try:
-                self._sns_publish(topic_arn=sns_topic_arn, message=message.body)
-                sent_messages += 1
-            except ClientError as error:
-                if not self.fail_silently:
-                    raise error
-
-        return sent_messages

awx/main/notifications/custom_notification_base.py

@@ -32,15 +32,3 @@ class CustomNotificationBase(object):
             "denied": {"message": DEFAULT_APPROVAL_DENIED_MSG, "body": None},
         },
     }
-
-    job_metadata_messages = {
-        "started": {"body": "{{ job_metadata }}"},
-        "success": {"body": "{{ job_metadata }}"},
-        "error": {"body": "{{ job_metadata }}"},
-        "workflow_approval": {
-            "running": {"body": '{"body": "The approval node \\"{{ approval_node_name }}\\" needs review. This node can be viewed at: {{ workflow_url }}"}'},
-            "approved": {"body": '{"body": "The approval node \\"{{ approval_node_name }}\\" was approved. {{ workflow_url }}"}'},
-            "timed_out": {"body": '{"body": "The approval node \\"{{ approval_node_name }}\\" has timed out. {{ workflow_url }}"}'},
-            "denied": {"body": '{"body": "The approval node \\"{{ approval_node_name }}\\" was denied. {{ workflow_url }}"}'},
-        },
-    }

awx/main/notifications/webhook_backend.py

@@ -27,7 +27,17 @@ class WebhookBackend(AWXBaseEmailBackend, CustomNotificationBase):
     sender_parameter = None
 
     DEFAULT_BODY = "{{ job_metadata }}"
-    default_messages = CustomNotificationBase.job_metadata_messages
+    default_messages = {
+        "started": {"body": DEFAULT_BODY},
+        "success": {"body": DEFAULT_BODY},
+        "error": {"body": DEFAULT_BODY},
+        "workflow_approval": {
+            "running": {"body": '{"body": "The approval node \\"{{ approval_node_name }}\\" needs review. This node can be viewed at: {{ workflow_url }}"}'},
+            "approved": {"body": '{"body": "The approval node \\"{{ approval_node_name }}\\" was approved. {{ workflow_url }}"}'},
+            "timed_out": {"body": '{"body": "The approval node \\"{{ approval_node_name }}\\" has timed out. {{ workflow_url }}"}'},
+            "denied": {"body": '{"body": "The approval node \\"{{ approval_node_name }}\\" was denied. {{ workflow_url }}"}'},
+        },
+    }
 
     def __init__(self, http_method, headers, disable_ssl_verification=False, fail_silently=False, username=None, password=None, **kwargs):
         self.http_method = http_method

awx/main/routing.py

@@ -63,10 +63,6 @@ websocket_urlpatterns = [
     re_path(r'api/websocket/$', consumers.EventConsumer.as_asgi()),
     re_path(r'websocket/$', consumers.EventConsumer.as_asgi()),
 ]
-
-if settings.OPTIONAL_API_URLPATTERN_PREFIX:
-    websocket_urlpatterns.append(re_path(r'api/{}/v2/websocket/$'.format(settings.OPTIONAL_API_URLPATTERN_PREFIX), consumers.EventConsumer.as_asgi()))
-
 websocket_relay_urlpatterns = [
     re_path(r'websocket/relay/$', consumers.RelayConsumer.as_asgi()),
 ]

awx/main/scheduler/task_manager.py

@@ -138,8 +138,7 @@ class TaskBase:
 
         # Lock
         with task_manager_bulk_reschedule():
-            lock_session_timeout_milliseconds = settings.TASK_MANAGER_LOCK_TIMEOUT * 1000  # convert to milliseconds
-            with advisory_lock(f"{self.prefix}_lock", lock_session_timeout_milliseconds=lock_session_timeout_milliseconds, wait=False) as acquired:
+            with advisory_lock(f"{self.prefix}_lock", wait=False) as acquired:
                 with transaction.atomic():
                     if acquired is False:
                         logger.debug(f"Not running {self.prefix} scheduler, another task holds lock")

awx/main/signals.py

@@ -126,8 +126,6 @@ def rebuild_role_ancestor_list(reverse, model, instance, pk_set, action, **kwarg
 
 def sync_superuser_status_to_rbac(instance, **kwargs):
     'When the is_superuser flag is changed on a user, reflect that in the membership of the System Admnistrator role'
-    if settings.ANSIBLE_BASE_ROLE_SYSTEM_ACTIVATED:
-        return
     update_fields = kwargs.get('update_fields', None)
     if update_fields and 'is_superuser' not in update_fields:
         return
@@ -139,8 +137,6 @@ def sync_superuser_status_to_rbac(instance, **kwargs):
 
 def sync_rbac_to_superuser_status(instance, sender, **kwargs):
     'When the is_superuser flag is false but a user has the System Admin role, update the database to reflect that'
-    if settings.ANSIBLE_BASE_ROLE_SYSTEM_ACTIVATED:
-        return
     if kwargs['action'] in ['post_add', 'post_remove', 'post_clear']:
         new_status_value = bool(kwargs['action'] == 'post_add')
         if hasattr(instance, 'singleton_name'):  # duck typing, role.members.add() vs user.roles.add()

awx/main/tasks/receptor.py

@@ -405,11 +405,10 @@ class AWXReceptorJob:
         finally:
             # Make sure to always release the work unit if we established it
             if self.unit_id is not None and settings.RECEPTOR_RELEASE_WORK:
-                if settings.RECPETOR_KEEP_WORK_ON_ERROR and getattr(res, 'status', 'error') == 'error':
-                    try:
-                        receptor_ctl.simple_command(f"work release {self.unit_id}")
-                    except Exception:
-                        logger.exception(f"Error releasing work unit {self.unit_id}.")
+                try:
+                    receptor_ctl.simple_command(f"work release {self.unit_id}")
+                except Exception:
+                    logger.exception(f"Error releasing work unit {self.unit_id}.")
 
     def _run_internal(self, receptor_ctl):
         # Create a socketpair. Where the left side will be used for writing our payload

awx/main/tasks/system.py

@@ -36,9 +36,6 @@ import ansible_runner.cleanup
 # dateutil
 from dateutil.parser import parse as parse_date
 
-# django-ansible-base
-from ansible_base.resource_registry.tasks.sync import SyncExecutor
-
 # AWX
 from awx import __version__ as awx_application_version
 from awx.main.access import access_registry
@@ -54,7 +51,7 @@ from awx.main.models import (
     Job,
     convert_jsonfields,
 )
-from awx.main.constants import ACTIVE_STATES, ERROR_STATES
+from awx.main.constants import ACTIVE_STATES
 from awx.main.dispatch.publish import task
 from awx.main.dispatch import get_task_queuename, reaper
 from awx.main.utils.common import ignore_inventory_computed_fields, ignore_inventory_group_removal
@@ -685,8 +682,6 @@ def awx_receptor_workunit_reaper():
 
     unit_ids = [id for id in receptor_work_list]
     jobs_with_unreleased_receptor_units = UnifiedJob.objects.filter(work_unit_id__in=unit_ids).exclude(status__in=ACTIVE_STATES)
-    if settings.RECEPTOR_KEEP_WORK_ON_ERROR:
-        jobs_with_unreleased_receptor_units = jobs_with_unreleased_receptor_units.exclude(status__in=ERROR_STATES)
     for job in jobs_with_unreleased_receptor_units:
         logger.debug(f"{job.log_format} is not active, reaping receptor work unit {job.work_unit_id}")
         receptor_ctl.simple_command(f"work cancel {job.work_unit_id}")
@@ -706,10 +701,7 @@ def awx_k8s_reaper():
         logger.debug("Checking for orphaned k8s pods for {}.".format(group))
         pods = PodManager.list_active_jobs(group)
         time_cutoff = now() - timedelta(seconds=settings.K8S_POD_REAPER_GRACE_PERIOD)
-        reap_job_candidates = UnifiedJob.objects.filter(pk__in=pods.keys(), finished__lte=time_cutoff).exclude(status__in=ACTIVE_STATES)
-        if settings.RECEPTOR_KEEP_WORK_ON_ERROR:
-            reap_job_candidates = reap_job_candidates.exclude(status__in=ERROR_STATES)
-        for job in reap_job_candidates:
+        for job in UnifiedJob.objects.filter(pk__in=pods.keys(), finished__lte=time_cutoff).exclude(status__in=ACTIVE_STATES):
             logger.debug('{} is no longer active, reaping orphaned k8s pod'.format(job.log_format))
             try:
                 pm = PodManager(job)
@@ -720,8 +712,7 @@ def awx_k8s_reaper():
 
 @task(queue=get_task_queuename)
 def awx_periodic_scheduler():
-    lock_session_timeout_milliseconds = settings.TASK_MANAGER_LOCK_TIMEOUT * 1000
-    with advisory_lock('awx_periodic_scheduler_lock', lock_session_timeout_milliseconds=lock_session_timeout_milliseconds, wait=False) as acquired:
+    with advisory_lock('awx_periodic_scheduler_lock', wait=False) as acquired:
         if acquired is False:
             logger.debug("Not running periodic scheduler, another task holds lock")
             return
@@ -973,27 +964,3 @@ def deep_copy_model_obj(model_module, model_name, obj_pk, new_obj_pk, user_pk, p
             permission_check_func(creater, copy_mapping.values())
     if isinstance(new_obj, Inventory):
         update_inventory_computed_fields.delay(new_obj.id)
-
-
-@task(queue=get_task_queuename)
-def periodic_resource_sync():
-    if not getattr(settings, 'RESOURCE_SERVER', None):
-        logger.debug("Skipping periodic resource_sync, RESOURCE_SERVER not configured")
-        return
-
-    with advisory_lock('periodic_resource_sync', wait=False) as acquired:
-        if acquired is False:
-            logger.debug("Not running periodic_resource_sync, another task holds lock")
-            return
-        logger.debug("Running periodic resource sync")
-
-        executor = SyncExecutor()
-        executor.run()
-        for key, item_list in executor.results.items():
-            if not item_list or key == 'noop':
-                continue
-            # Log creations and conflicts
-            if len(item_list) > 10 and settings.LOG_AGGREGATOR_LEVEL != 'DEBUG':
-                logger.info(f'Periodic resource sync {key}, first 10 items:\n{item_list[:10]}')
-            else:
-                logger.info(f'Periodic resource sync {key}:\n{item_list}')

awx/main/tests/data/inventory/plugins/openshift_virtualization/env.json

@@ -1,5 +0,0 @@
-{
-    "K8S_AUTH_HOST": "https://foo.invalid",
-    "K8S_AUTH_API_KEY": "fooo",
-    "K8S_AUTH_VERIFY_SSL": "False"
-}

awx/main/tests/data/inventory/plugins/terraform/env.json

@@ -1,3 +1,3 @@
 {
-    "GOOGLE_BACKEND_CREDENTIALS": "{{ file_reference }}"
+    "TF_BACKEND_CONFIG_FILE": "{{ file_reference }}"
 }

awx/main/tests/docs/test_swagger_generation.py

@@ -99,7 +99,7 @@ class TestSwaggerGeneration:
         # The number of API endpoints changes over time, but let's just check
         # for a reasonable number here; if this test starts failing, raise/lower the bounds
         paths = JSON['paths']
-        assert 250 < len(paths) < 400
+        assert 250 < len(paths) < 375
         assert set(list(paths['/api/'].keys())) == set(['get', 'parameters'])
         assert set(list(paths['/api/v2/'].keys())) == set(['get', 'parameters'])
         assert set(list(sorted(paths['/api/v2/credentials/'].keys()))) == set(['get', 'post', 'parameters'])

awx/main/tests/functional/analytics/test_metrics.py

@@ -4,6 +4,7 @@ from prometheus_client.parser import text_string_to_metric_families
 from awx.main import models
 from awx.main.analytics.metrics import metrics
 from awx.api.versioning import reverse
+from awx.main.models.rbac import Role
 
 EXPECTED_VALUES = {
     'awx_system_info': 1.0,
@@ -65,6 +66,7 @@ def test_metrics_permissions(get, admin, org_admin, alice, bob, organization):
     organization.auditor_role.members.add(bob)
     assert get(get_metrics_view_db_only(), user=bob).status_code == 403
 
+    Role.singleton('system_auditor').members.add(bob)
     bob.is_system_auditor = True
     assert get(get_metrics_view_db_only(), user=bob).status_code == 200
 

awx/main/tests/functional/api/test_auth.py

@@ -6,7 +6,7 @@ from django.test import Client
 from rest_framework.test import APIRequestFactory
 
 from awx.api.generics import LoggedLoginView
-from rest_framework.reverse import reverse as drf_reverse
+from awx.api.versioning import drf_reverse
 
 
 @pytest.mark.django_db

awx/main/tests/functional/api/test_create_attach_views.py

@@ -9,8 +9,8 @@ def test_user_role_view_access(rando, inventory, mocker, post):
     role_pk = inventory.admin_role.pk
     data = {"id": role_pk}
     mock_access = mocker.MagicMock(can_attach=mocker.MagicMock(return_value=False))
-    mocker.patch('awx.main.access.RoleAccess', return_value=mock_access)
-    post(url=reverse('api:user_roles_list', kwargs={'pk': rando.pk}), data=data, user=rando, expect=403)
+    with mocker.patch('awx.main.access.RoleAccess', return_value=mock_access):
+        post(url=reverse('api:user_roles_list', kwargs={'pk': rando.pk}), data=data, user=rando, expect=403)
     mock_access.can_attach.assert_called_once_with(inventory.admin_role, rando, 'members', data, skip_sub_obj_read_check=False)
 
 
@@ -21,8 +21,8 @@ def test_team_role_view_access(rando, team, inventory, mocker, post):
     role_pk = inventory.admin_role.pk
     data = {"id": role_pk}
     mock_access = mocker.MagicMock(can_attach=mocker.MagicMock(return_value=False))
-    mocker.patch('awx.main.access.RoleAccess', return_value=mock_access)
-    post(url=reverse('api:team_roles_list', kwargs={'pk': team.pk}), data=data, user=rando, expect=403)
+    with mocker.patch('awx.main.access.RoleAccess', return_value=mock_access):
+        post(url=reverse('api:team_roles_list', kwargs={'pk': team.pk}), data=data, user=rando, expect=403)
     mock_access.can_attach.assert_called_once_with(inventory.admin_role, team, 'member_role.parents', data, skip_sub_obj_read_check=False)
 
 
@@ -33,8 +33,8 @@ def test_role_team_view_access(rando, team, inventory, mocker, post):
     role_pk = inventory.admin_role.pk
     data = {"id": team.pk}
     mock_access = mocker.MagicMock(return_value=False, __name__='mocked')
-    mocker.patch('awx.main.access.RoleAccess.can_attach', mock_access)
-    post(url=reverse('api:role_teams_list', kwargs={'pk': role_pk}), data=data, user=rando, expect=403)
+    with mocker.patch('awx.main.access.RoleAccess.can_attach', mock_access):
+        post(url=reverse('api:role_teams_list', kwargs={'pk': role_pk}), data=data, user=rando, expect=403)
     mock_access.assert_called_once_with(inventory.admin_role, team, 'member_role.parents', data, skip_sub_obj_read_check=False)
 
 

awx/main/tests/functional/api/test_credential.py

@@ -30,7 +30,7 @@ def test_idempotent_credential_type_setup():
 
 
 @pytest.mark.django_db
-def test_create_user_credential_via_credentials_list(post, get, alice, credentialtype_ssh, setup_managed_roles):
+def test_create_user_credential_via_credentials_list(post, get, alice, credentialtype_ssh):
     params = {
         'credential_type': 1,
         'inputs': {'username': 'someusername'},
@@ -81,7 +81,7 @@ def test_credential_validation_error_with_multiple_owner_fields(post, admin, ali
 
 
 @pytest.mark.django_db
-def test_create_user_credential_via_user_credentials_list(post, get, alice, credentialtype_ssh, setup_managed_roles):
+def test_create_user_credential_via_user_credentials_list(post, get, alice, credentialtype_ssh):
     params = {
         'credential_type': 1,
         'inputs': {'username': 'someusername'},
@@ -385,9 +385,10 @@ def test_list_created_org_credentials(post, get, organization, org_admin, org_me
 @pytest.mark.django_db
 def test_list_cannot_order_by_encrypted_field(post, get, organization, org_admin, credentialtype_ssh, order_by):
     for i, password in enumerate(('abc', 'def', 'xyz')):
-        post(reverse('api:credential_list'), {'organization': organization.id, 'name': 'C%d' % i, 'password': password}, org_admin, expect=400)
+        response = post(reverse('api:credential_list'), {'organization': organization.id, 'name': 'C%d' % i, 'password': password}, org_admin)
 
-    get(reverse('api:credential_list'), org_admin, QUERY_STRING='order_by=%s' % order_by, expect=400)
+    response = get(reverse('api:credential_list'), org_admin, QUERY_STRING='order_by=%s' % order_by, status=400)
+    assert response.status_code == 400
 
 
 @pytest.mark.django_db
@@ -398,7 +399,8 @@ def test_inputs_cannot_contain_extra_fields(get, post, organization, admin, cred
         'credential_type': credentialtype_ssh.pk,
         'inputs': {'invalid_field': 'foo'},
     }
-    response = post(reverse('api:credential_list'), params, admin, expect=400)
+    response = post(reverse('api:credential_list'), params, admin)
+    assert response.status_code == 400
     assert "'invalid_field' was unexpected" in response.data['inputs'][0]
 
 

awx/main/tests/functional/api/test_generic.py

@@ -1,30 +1,22 @@
 import pytest
-from unittest import mock
 
 from awx.api.versioning import reverse
 
-from django.test.utils import override_settings
-
-from ansible_base.jwt_consumer.common.util import generate_x_trusted_proxy_header
-from ansible_base.lib.testing.fixtures import rsa_keypair_factory, rsa_keypair  # noqa: F401; pylint: disable=unused-import
-
-
-class HeaderTrackingMiddleware(object):
-    def __init__(self):
-        self.environ = {}
-
-    def process_request(self, request):
-        pass
-
-    def process_response(self, request, response):
-        self.environ = request.environ
-
 
 @pytest.mark.django_db
 def test_proxy_ip_allowed(get, patch, admin):
     url = reverse('api:setting_singleton_detail', kwargs={'category_slug': 'system'})
     patch(url, user=admin, data={'REMOTE_HOST_HEADERS': ['HTTP_X_FROM_THE_LOAD_BALANCER', 'REMOTE_ADDR', 'REMOTE_HOST']})
 
+    class HeaderTrackingMiddleware(object):
+        environ = {}
+
+        def process_request(self, request):
+            pass
+
+        def process_response(self, request, response):
+            self.environ = request.environ
+
     # By default, `PROXY_IP_ALLOWED_LIST` is disabled, so custom `REMOTE_HOST_HEADERS`
     # should just pass through
     middleware = HeaderTrackingMiddleware()
@@ -53,51 +45,6 @@ def test_proxy_ip_allowed(get, patch, admin):
     assert middleware.environ['HTTP_X_FROM_THE_LOAD_BALANCER'] == 'some-actual-ip'
 
 
-@pytest.mark.django_db
-class TestTrustedProxyAllowListIntegration:
-    @pytest.fixture
-    def url(self, patch, admin):
-        url = reverse('api:setting_singleton_detail', kwargs={'category_slug': 'system'})
-        patch(url, user=admin, data={'REMOTE_HOST_HEADERS': ['HTTP_X_FROM_THE_LOAD_BALANCER', 'REMOTE_ADDR', 'REMOTE_HOST']})
-        patch(url, user=admin, data={'PROXY_IP_ALLOWED_LIST': ['my.proxy.example.org']})
-        return url
-
-    @pytest.fixture
-    def middleware(self):
-        return HeaderTrackingMiddleware()
-
-    def test_x_trusted_proxy_valid_signature(self, get, admin, rsa_keypair, url, middleware):  # noqa: F811
-        # Headers should NOT get deleted
-        headers = {
-            'HTTP_X_TRUSTED_PROXY': generate_x_trusted_proxy_header(rsa_keypair.private),
-            'HTTP_X_FROM_THE_LOAD_BALANCER': 'some-actual-ip',
-        }
-        with mock.patch('ansible_base.jwt_consumer.common.cache.JWTCache.get_key_from_cache', lambda self: None):
-            with override_settings(ANSIBLE_BASE_JWT_KEY=rsa_keypair.public, PROXY_IP_ALLOWED_LIST=[]):
-                get(url, user=admin, middleware=middleware, **headers)
-        assert middleware.environ['HTTP_X_FROM_THE_LOAD_BALANCER'] == 'some-actual-ip'
-
-    def test_x_trusted_proxy_invalid_signature(self, get, admin, url, patch, middleware):
-        # Headers should NOT get deleted
-        headers = {
-            'HTTP_X_TRUSTED_PROXY': 'DEAD-BEEF',
-            'HTTP_X_FROM_THE_LOAD_BALANCER': 'some-actual-ip',
-        }
-        with override_settings(PROXY_IP_ALLOWED_LIST=[]):
-            get(url, user=admin, middleware=middleware, **headers)
-        assert middleware.environ['HTTP_X_FROM_THE_LOAD_BALANCER'] == 'some-actual-ip'
-
-    def test_x_trusted_proxy_invalid_signature_valid_proxy(self, get, admin, url, middleware):
-        # A valid explicit proxy SHOULD result in sensitive headers NOT being deleted, regardless of the trusted proxy signature results
-        headers = {
-            'HTTP_X_TRUSTED_PROXY': 'DEAD-BEEF',
-            'REMOTE_ADDR': 'my.proxy.example.org',
-            'HTTP_X_FROM_THE_LOAD_BALANCER': 'some-actual-ip',
-        }
-        get(url, user=admin, middleware=middleware, **headers)
-        assert middleware.environ['HTTP_X_FROM_THE_LOAD_BALANCER'] == 'some-actual-ip'
-
-
 @pytest.mark.django_db
 class TestDeleteViews:
     def test_sublist_delete_permission_check(self, inventory_source, host, rando, delete):

awx/main/tests/functional/api/test_immutablesharedfields.py

@@ -1,64 +0,0 @@
-import pytest
-
-from awx.api.versioning import reverse
-from awx.main.models import Organization
-
-
-@pytest.mark.django_db
-class TestImmutableSharedFields:
-    @pytest.fixture(autouse=True)
-    def configure_settings(self, settings):
-        settings.ALLOW_LOCAL_RESOURCE_MANAGEMENT = False
-
-    def test_create_raises_permission_denied(self, admin_user, post):
-        orgA = Organization.objects.create(name='orgA')
-        resp = post(
-            url=reverse('api:team_list'),
-            data={'name': 'teamA', 'organization': orgA.id},
-            user=admin_user,
-            expect=403,
-        )
-        assert "Creation of this resource is not allowed" in resp.data['detail']
-
-    def test_perform_delete_raises_permission_denied(self, admin_user, delete):
-        orgA = Organization.objects.create(name='orgA')
-        team = orgA.teams.create(name='teamA')
-        resp = delete(
-            url=reverse('api:team_detail', kwargs={'pk': team.id}),
-            user=admin_user,
-            expect=403,
-        )
-        assert "Deletion of this resource is not allowed" in resp.data['detail']
-
-    def test_perform_update(self, admin_user, patch):
-        orgA = Organization.objects.create(name='orgA')
-        # allow patching non-shared fields
-        patch(
-            url=reverse('api:organization_detail', kwargs={'pk': orgA.id}),
-            data={"max_hosts": 76},
-            user=admin_user,
-            expect=200,
-        )
-        # prevent patching shared fields
-        resp = patch(url=reverse('api:organization_detail', kwargs={'pk': orgA.id}), data={"name": "orgB"}, user=admin_user, expect=403)
-        assert "Cannot change shared field" in resp.data['name']
-
-    @pytest.mark.parametrize(
-        'role',
-        ['admin_role', 'member_role'],
-    )
-    @pytest.mark.parametrize('resource', ['organization', 'team'])
-    def test_prevent_assigning_member_to_organization_or_team(self, admin_user, post, resource, role):
-        orgA = Organization.objects.create(name='orgA')
-        if resource == 'organization':
-            role = getattr(orgA, role)
-        elif resource == 'team':
-            teamA = orgA.teams.create(name='teamA')
-            role = getattr(teamA, role)
-        resp = post(
-            url=reverse('api:user_roles_list', kwargs={'pk': admin_user.id}),
-            data={'id': role.id},
-            user=admin_user,
-            expect=403,
-        )
-        assert f"Cannot directly modify user membership to {resource}." in resp.data['msg']

awx/main/tests/functional/api/test_instance_group.py

@@ -32,6 +32,13 @@ def node_type_instance():
     return fn
 
 
+@pytest.fixture
+def instance_group(job_factory):
+    ig = InstanceGroup(name="east")
+    ig.save()
+    return ig
+
+
 @pytest.fixture
 def containerized_instance_group(instance_group, kube_credential):
     ig = InstanceGroup(name="container")

awx/main/tests/functional/api/test_job_runtime_params.py

@@ -131,11 +131,11 @@ def test_job_ignore_unprompted_vars(runtime_data, job_template_prompts, post, ad
 
     mock_job = mocker.MagicMock(spec=Job, id=968, **runtime_data)
 
-    mocker.patch.object(JobTemplate, 'create_unified_job', return_value=mock_job)
-    mocker.patch('awx.api.serializers.JobSerializer.to_representation')
-    response = post(reverse('api:job_template_launch', kwargs={'pk': job_template.pk}), runtime_data, admin_user, expect=201)
-    assert JobTemplate.create_unified_job.called
-    assert JobTemplate.create_unified_job.call_args == ()
+    with mocker.patch.object(JobTemplate, 'create_unified_job', return_value=mock_job):
+        with mocker.patch('awx.api.serializers.JobSerializer.to_representation'):
+            response = post(reverse('api:job_template_launch', kwargs={'pk': job_template.pk}), runtime_data, admin_user, expect=201)
+            assert JobTemplate.create_unified_job.called
+            assert JobTemplate.create_unified_job.call_args == ()
 
     # Check that job is serialized correctly
     job_id = response.data['job']
@@ -167,12 +167,12 @@ def test_job_accept_prompted_vars(runtime_data, job_template_prompts, post, admi
 
     mock_job = mocker.MagicMock(spec=Job, id=968, **runtime_data)
 
-    mocker.patch.object(JobTemplate, 'create_unified_job', return_value=mock_job)
-    mocker.patch('awx.api.serializers.JobSerializer.to_representation')
-    response = post(reverse('api:job_template_launch', kwargs={'pk': job_template.pk}), runtime_data, admin_user, expect=201)
-    assert JobTemplate.create_unified_job.called
-    called_with = data_to_internal(runtime_data)
-    JobTemplate.create_unified_job.assert_called_with(**called_with)
+    with mocker.patch.object(JobTemplate, 'create_unified_job', return_value=mock_job):
+        with mocker.patch('awx.api.serializers.JobSerializer.to_representation'):
+            response = post(reverse('api:job_template_launch', kwargs={'pk': job_template.pk}), runtime_data, admin_user, expect=201)
+            assert JobTemplate.create_unified_job.called
+            called_with = data_to_internal(runtime_data)
+            JobTemplate.create_unified_job.assert_called_with(**called_with)
 
     job_id = response.data['job']
     assert job_id == 968
@@ -187,11 +187,11 @@ def test_job_accept_empty_tags(job_template_prompts, post, admin_user, mocker):
 
     mock_job = mocker.MagicMock(spec=Job, id=968)
 
-    mocker.patch.object(JobTemplate, 'create_unified_job', return_value=mock_job)
-    mocker.patch('awx.api.serializers.JobSerializer.to_representation')
-    post(reverse('api:job_template_launch', kwargs={'pk': job_template.pk}), {'job_tags': '', 'skip_tags': ''}, admin_user, expect=201)
-    assert JobTemplate.create_unified_job.called
-    assert JobTemplate.create_unified_job.call_args == ({'job_tags': '', 'skip_tags': ''},)
+    with mocker.patch.object(JobTemplate, 'create_unified_job', return_value=mock_job):
+        with mocker.patch('awx.api.serializers.JobSerializer.to_representation'):
+            post(reverse('api:job_template_launch', kwargs={'pk': job_template.pk}), {'job_tags': '', 'skip_tags': ''}, admin_user, expect=201)
+            assert JobTemplate.create_unified_job.called
+            assert JobTemplate.create_unified_job.call_args == ({'job_tags': '', 'skip_tags': ''},)
 
     mock_job.signal_start.assert_called_once()
 
@@ -203,14 +203,14 @@ def test_slice_timeout_forks_need_int(job_template_prompts, post, admin_user, mo
 
     mock_job = mocker.MagicMock(spec=Job, id=968)
 
-    mocker.patch.object(JobTemplate, 'create_unified_job', return_value=mock_job)
-    mocker.patch('awx.api.serializers.JobSerializer.to_representation')
-    response = post(
-        reverse('api:job_template_launch', kwargs={'pk': job_template.pk}), {'timeout': '', 'job_slice_count': '', 'forks': ''}, admin_user, expect=400
-    )
-    assert 'forks' in response.data and response.data['forks'][0] == 'A valid integer is required.'
-    assert 'job_slice_count' in response.data and response.data['job_slice_count'][0] == 'A valid integer is required.'
-    assert 'timeout' in response.data and response.data['timeout'][0] == 'A valid integer is required.'
+    with mocker.patch.object(JobTemplate, 'create_unified_job', return_value=mock_job):
+        with mocker.patch('awx.api.serializers.JobSerializer.to_representation'):
+            response = post(
+                reverse('api:job_template_launch', kwargs={'pk': job_template.pk}), {'timeout': '', 'job_slice_count': '', 'forks': ''}, admin_user, expect=400
+            )
+            assert 'forks' in response.data and response.data['forks'][0] == 'A valid integer is required.'
+            assert 'job_slice_count' in response.data and response.data['job_slice_count'][0] == 'A valid integer is required.'
+            assert 'timeout' in response.data and response.data['timeout'][0] == 'A valid integer is required.'
 
 
 @pytest.mark.django_db
@@ -244,12 +244,12 @@ def test_job_accept_prompted_vars_null(runtime_data, job_template_prompts_null,
 
     mock_job = mocker.MagicMock(spec=Job, id=968, **runtime_data)
 
-    mocker.patch.object(JobTemplate, 'create_unified_job', return_value=mock_job)
-    mocker.patch('awx.api.serializers.JobSerializer.to_representation')
-    response = post(reverse('api:job_template_launch', kwargs={'pk': job_template.pk}), runtime_data, rando, expect=201)
-    assert JobTemplate.create_unified_job.called
-    expected_call = data_to_internal(runtime_data)
-    assert JobTemplate.create_unified_job.call_args == (expected_call,)
+    with mocker.patch.object(JobTemplate, 'create_unified_job', return_value=mock_job):
+        with mocker.patch('awx.api.serializers.JobSerializer.to_representation'):
+            response = post(reverse('api:job_template_launch', kwargs={'pk': job_template.pk}), runtime_data, rando, expect=201)
+            assert JobTemplate.create_unified_job.called
+            expected_call = data_to_internal(runtime_data)
+            assert JobTemplate.create_unified_job.call_args == (expected_call,)
 
     job_id = response.data['job']
     assert job_id == 968
@@ -641,18 +641,18 @@ def test_job_launch_unprompted_vars_with_survey(mocker, survey_spec_factory, job
     job_template.survey_spec = survey_spec_factory('survey_var')
     job_template.save()
 
-    mocker.patch('awx.main.access.BaseAccess.check_license')
-    mock_job = mocker.MagicMock(spec=Job, id=968, extra_vars={"job_launch_var": 3, "survey_var": 4})
-    mocker.patch.object(JobTemplate, 'create_unified_job', return_value=mock_job)
-    mocker.patch('awx.api.serializers.JobSerializer.to_representation', return_value={})
-    response = post(
-        reverse('api:job_template_launch', kwargs={'pk': job_template.pk}),
-        dict(extra_vars={"job_launch_var": 3, "survey_var": 4}),
-        admin_user,
-        expect=201,
-    )
-    assert JobTemplate.create_unified_job.called
-    assert JobTemplate.create_unified_job.call_args == ({'extra_vars': {'survey_var': 4}},)
+    with mocker.patch('awx.main.access.BaseAccess.check_license'):
+        mock_job = mocker.MagicMock(spec=Job, id=968, extra_vars={"job_launch_var": 3, "survey_var": 4})
+        with mocker.patch.object(JobTemplate, 'create_unified_job', return_value=mock_job):
+            with mocker.patch('awx.api.serializers.JobSerializer.to_representation', return_value={}):
+                response = post(
+                    reverse('api:job_template_launch', kwargs={'pk': job_template.pk}),
+                    dict(extra_vars={"job_launch_var": 3, "survey_var": 4}),
+                    admin_user,
+                    expect=201,
+                )
+                assert JobTemplate.create_unified_job.called
+                assert JobTemplate.create_unified_job.call_args == ({'extra_vars': {'survey_var': 4}},)
 
     job_id = response.data['job']
     assert job_id == 968
@@ -670,22 +670,22 @@ def test_callback_accept_prompted_extra_var(mocker, survey_spec_factory, job_tem
     job_template.survey_spec = survey_spec_factory('survey_var')
     job_template.save()
 
-    mocker.patch('awx.main.access.BaseAccess.check_license')
-    mock_job = mocker.MagicMock(spec=Job, id=968, extra_vars={"job_launch_var": 3, "survey_var": 4})
-    mocker.patch.object(UnifiedJobTemplate, 'create_unified_job', return_value=mock_job)
-    mocker.patch('awx.api.serializers.JobSerializer.to_representation', return_value={})
-    mocker.patch('awx.api.views.JobTemplateCallback.find_matching_hosts', return_value=[host])
-    post(
-        reverse('api:job_template_callback', kwargs={'pk': job_template.pk}),
-        dict(extra_vars={"job_launch_var": 3, "survey_var": 4}, host_config_key="foo"),
-        admin_user,
-        expect=201,
-        format='json',
-    )
-    assert UnifiedJobTemplate.create_unified_job.called
-    call_args = UnifiedJobTemplate.create_unified_job.call_args[1]
-    call_args.pop('_eager_fields', None)  # internal purposes
-    assert call_args == {'extra_vars': {'survey_var': 4, 'job_launch_var': 3}, 'limit': 'single-host'}
+    with mocker.patch('awx.main.access.BaseAccess.check_license'):
+        mock_job = mocker.MagicMock(spec=Job, id=968, extra_vars={"job_launch_var": 3, "survey_var": 4})
+        with mocker.patch.object(UnifiedJobTemplate, 'create_unified_job', return_value=mock_job):
+            with mocker.patch('awx.api.serializers.JobSerializer.to_representation', return_value={}):
+                with mocker.patch('awx.api.views.JobTemplateCallback.find_matching_hosts', return_value=[host]):
+                    post(
+                        reverse('api:job_template_callback', kwargs={'pk': job_template.pk}),
+                        dict(extra_vars={"job_launch_var": 3, "survey_var": 4}, host_config_key="foo"),
+                        admin_user,
+                        expect=201,
+                        format='json',
+                    )
+                    assert UnifiedJobTemplate.create_unified_job.called
+                    call_args = UnifiedJobTemplate.create_unified_job.call_args[1]
+                    call_args.pop('_eager_fields', None)  # internal purposes
+                    assert call_args == {'extra_vars': {'survey_var': 4, 'job_launch_var': 3}, 'limit': 'single-host'}
 
     mock_job.signal_start.assert_called_once()
 
@@ -697,22 +697,22 @@ def test_callback_ignore_unprompted_extra_var(mocker, survey_spec_factory, job_t
     job_template.host_config_key = "foo"
     job_template.save()
 
-    mocker.patch('awx.main.access.BaseAccess.check_license')
-    mock_job = mocker.MagicMock(spec=Job, id=968, extra_vars={"job_launch_var": 3, "survey_var": 4})
-    mocker.patch.object(UnifiedJobTemplate, 'create_unified_job', return_value=mock_job)
-    mocker.patch('awx.api.serializers.JobSerializer.to_representation', return_value={})
-    mocker.patch('awx.api.views.JobTemplateCallback.find_matching_hosts', return_value=[host])
-    post(
-        reverse('api:job_template_callback', kwargs={'pk': job_template.pk}),
-        dict(extra_vars={"job_launch_var": 3, "survey_var": 4}, host_config_key="foo"),
-        admin_user,
-        expect=201,
-        format='json',
-    )
-    assert UnifiedJobTemplate.create_unified_job.called
-    call_args = UnifiedJobTemplate.create_unified_job.call_args[1]
-    call_args.pop('_eager_fields', None)  # internal purposes
-    assert call_args == {'limit': 'single-host'}
+    with mocker.patch('awx.main.access.BaseAccess.check_license'):
+        mock_job = mocker.MagicMock(spec=Job, id=968, extra_vars={"job_launch_var": 3, "survey_var": 4})
+        with mocker.patch.object(UnifiedJobTemplate, 'create_unified_job', return_value=mock_job):
+            with mocker.patch('awx.api.serializers.JobSerializer.to_representation', return_value={}):
+                with mocker.patch('awx.api.views.JobTemplateCallback.find_matching_hosts', return_value=[host]):
+                    post(
+                        reverse('api:job_template_callback', kwargs={'pk': job_template.pk}),
+                        dict(extra_vars={"job_launch_var": 3, "survey_var": 4}, host_config_key="foo"),
+                        admin_user,
+                        expect=201,
+                        format='json',
+                    )
+                    assert UnifiedJobTemplate.create_unified_job.called
+                    call_args = UnifiedJobTemplate.create_unified_job.call_args[1]
+                    call_args.pop('_eager_fields', None)  # internal purposes
+                    assert call_args == {'limit': 'single-host'}
 
     mock_job.signal_start.assert_called_once()
 
@@ -725,9 +725,9 @@ def test_callback_find_matching_hosts(mocker, get, job_template_prompts, admin_u
     job_template.save()
     host_with_alias = Host(name='localhost', inventory=job_template.inventory)
     host_with_alias.save()
-    mocker.patch('awx.main.access.BaseAccess.check_license')
-    r = get(reverse('api:job_template_callback', kwargs={'pk': job_template.pk}), user=admin_user, expect=200)
-    assert tuple(r.data['matching_hosts']) == ('localhost',)
+    with mocker.patch('awx.main.access.BaseAccess.check_license'):
+        r = get(reverse('api:job_template_callback', kwargs={'pk': job_template.pk}), user=admin_user, expect=200)
+        assert tuple(r.data['matching_hosts']) == ('localhost',)
 
 
 @pytest.mark.django_db
@@ -738,6 +738,6 @@ def test_callback_extra_var_takes_priority_over_host_name(mocker, get, job_templ
     job_template.save()
     host_with_alias = Host(name='localhost', variables={'ansible_host': 'foobar'}, inventory=job_template.inventory)
     host_with_alias.save()
-    mocker.patch('awx.main.access.BaseAccess.check_license')
-    r = get(reverse('api:job_template_callback', kwargs={'pk': job_template.pk}), user=admin_user, expect=200)
-    assert not r.data['matching_hosts']
+    with mocker.patch('awx.main.access.BaseAccess.check_license'):
+        r = get(reverse('api:job_template_callback', kwargs={'pk': job_template.pk}), user=admin_user, expect=200)
+        assert not r.data['matching_hosts']

awx/main/tests/functional/api/test_job_template.py

@@ -1,5 +1,4 @@
 import pytest
-from unittest import mock
 
 # AWX
 from awx.api.serializers import JobTemplateSerializer
@@ -9,15 +8,10 @@ from awx.main.migrations import _save_password_keys as save_password_keys
 
 # Django
 from django.apps import apps
-from django.test.utils import override_settings
 
 # DRF
 from rest_framework.exceptions import ValidationError
 
-# DAB
-from ansible_base.jwt_consumer.common.util import generate_x_trusted_proxy_header
-from ansible_base.lib.testing.fixtures import rsa_keypair_factory, rsa_keypair  # noqa: F401; pylint: disable=unused-import
-
 
 @pytest.mark.django_db
 @pytest.mark.parametrize(
@@ -375,113 +369,3 @@ def test_job_template_missing_inventory(project, inventory, admin_user, post):
     )
     assert r.status_code == 400
     assert "Cannot start automatically, an inventory is required." in str(r.data)
-
-
-@pytest.mark.django_db
-class TestJobTemplateCallbackProxyIntegration:
-    """
-    Test the interaction of provision job template callback feature and:
-        settings.PROXY_IP_ALLOWED_LIST
-        x-trusted-proxy http header
-    """
-
-    @pytest.fixture
-    def job_template(self, inventory, project):
-        jt = JobTemplate.objects.create(name='test-jt', inventory=inventory, project=project, playbook='helloworld.yml', host_config_key='abcd')
-        return jt
-
-    @override_settings(REMOTE_HOST_HEADERS=['HTTP_X_FROM_THE_LOAD_BALANCER', 'REMOTE_ADDR', 'REMOTE_HOST'], PROXY_IP_ALLOWED_LIST=['my.proxy.example.org'])
-    def test_host_not_found(self, job_template, admin_user, post, rsa_keypair):  # noqa: F811
-        job_template.inventory.hosts.create(name='foobar')
-
-        headers = {
-            'HTTP_X_FROM_THE_LOAD_BALANCER': 'baz',
-            'REMOTE_HOST': 'baz',
-            'REMOTE_ADDR': 'baz',
-        }
-        r = post(
-            url=reverse('api:job_template_callback', kwargs={'pk': job_template.pk}), data={'host_config_key': 'abcd'}, user=admin_user, expect=400, **headers
-        )
-        assert r.data['msg'] == 'No matching host could be found!'
-
-    @pytest.mark.parametrize(
-        'headers, expected',
-        (
-            pytest.param(
-                {
-                    'HTTP_X_FROM_THE_LOAD_BALANCER': 'foobar',
-                    'REMOTE_HOST': 'my.proxy.example.org',
-                },
-                201,
-            ),
-            pytest.param(
-                {
-                    'HTTP_X_FROM_THE_LOAD_BALANCER': 'foobar',
-                    'REMOTE_HOST': 'not-my-proxy.org',
-                },
-                400,
-            ),
-        ),
-    )
-    @override_settings(REMOTE_HOST_HEADERS=['HTTP_X_FROM_THE_LOAD_BALANCER', 'REMOTE_ADDR', 'REMOTE_HOST'], PROXY_IP_ALLOWED_LIST=['my.proxy.example.org'])
-    def test_proxy_ip_allowed_list(self, job_template, admin_user, post, headers, expected):  # noqa: F811
-        job_template.inventory.hosts.create(name='my.proxy.example.org')
-
-        post(
-            url=reverse('api:job_template_callback', kwargs={'pk': job_template.pk}),
-            data={'host_config_key': 'abcd'},
-            user=admin_user,
-            expect=expected,
-            **headers
-        )
-
-    @override_settings(REMOTE_HOST_HEADERS=['HTTP_X_FROM_THE_LOAD_BALANCER', 'REMOTE_ADDR', 'REMOTE_HOST'], PROXY_IP_ALLOWED_LIST=[])
-    def test_no_proxy_trust_all_headers(self, job_template, admin_user, post):
-        job_template.inventory.hosts.create(name='foobar')
-
-        headers = {
-            'HTTP_X_FROM_THE_LOAD_BALANCER': 'foobar',
-            'REMOTE_ADDR': 'bar',
-            'REMOTE_HOST': 'baz',
-        }
-        post(url=reverse('api:job_template_callback', kwargs={'pk': job_template.pk}), data={'host_config_key': 'abcd'}, user=admin_user, expect=201, **headers)
-
-    @override_settings(REMOTE_HOST_HEADERS=['HTTP_X_FROM_THE_LOAD_BALANCER', 'REMOTE_ADDR', 'REMOTE_HOST'], PROXY_IP_ALLOWED_LIST=['my.proxy.example.org'])
-    def test_trusted_proxy(self, job_template, admin_user, post, rsa_keypair):  # noqa: F811
-        job_template.inventory.hosts.create(name='foobar')
-
-        headers = {
-            'HTTP_X_TRUSTED_PROXY': generate_x_trusted_proxy_header(rsa_keypair.private),
-            'HTTP_X_FROM_THE_LOAD_BALANCER': 'foobar, my.proxy.example.org',
-        }
-
-        with mock.patch('ansible_base.jwt_consumer.common.cache.JWTCache.get_key_from_cache', lambda self: None):
-            with override_settings(ANSIBLE_BASE_JWT_KEY=rsa_keypair.public):
-                post(
-                    url=reverse('api:job_template_callback', kwargs={'pk': job_template.pk}),
-                    data={'host_config_key': 'abcd'},
-                    user=admin_user,
-                    expect=201,
-                    **headers
-                )
-
-    @override_settings(REMOTE_HOST_HEADERS=['HTTP_X_FROM_THE_LOAD_BALANCER', 'REMOTE_ADDR', 'REMOTE_HOST'], PROXY_IP_ALLOWED_LIST=['my.proxy.example.org'])
-    def test_trusted_proxy_host_not_found(self, job_template, admin_user, post, rsa_keypair):  # noqa: F811
-        job_template.inventory.hosts.create(name='foobar')
-
-        headers = {
-            'HTTP_X_TRUSTED_PROXY': generate_x_trusted_proxy_header(rsa_keypair.private),
-            'HTTP_X_FROM_THE_LOAD_BALANCER': 'baz, my.proxy.example.org',
-            'REMOTE_ADDR': 'bar',
-            'REMOTE_HOST': 'baz',
-        }
-
-        with mock.patch('ansible_base.jwt_consumer.common.cache.JWTCache.get_key_from_cache', lambda self: None):
-            with override_settings(ANSIBLE_BASE_JWT_KEY=rsa_keypair.public):
-                post(
-                    url=reverse('api:job_template_callback', kwargs={'pk': job_template.pk}),
-                    data={'host_config_key': 'abcd'},
-                    user=admin_user,
-                    expect=400,
-                    **headers
-                )

awx/main/tests/functional/api/test_oauth.py

@@ -8,10 +8,8 @@ from django.db import connection
 from django.test.utils import override_settings
 from django.utils.encoding import smart_str, smart_bytes
 
-from rest_framework.reverse import reverse as drf_reverse
-
 from awx.main.utils.encryption import decrypt_value, get_encryption_key
-from awx.api.versioning import reverse
+from awx.api.versioning import reverse, drf_reverse
 from awx.main.models.oauth import OAuth2Application as Application, OAuth2AccessToken as AccessToken
 from awx.main.tests.functional import immediate_on_commit
 from awx.sso.models import UserEnterpriseAuth

awx/main/tests/functional/api/test_rbac_displays.py

@@ -165,8 +165,8 @@ class TestAccessListCapabilities:
     def test_access_list_direct_access_capability(self, inventory, rando, get, mocker, mock_access_method):
         inventory.admin_role.members.add(rando)
 
-        mocker.patch.object(access_registry[Role], 'can_unattach', mock_access_method)
-        response = get(reverse('api:inventory_access_list', kwargs={'pk': inventory.id}), rando)
+        with mocker.patch.object(access_registry[Role], 'can_unattach', mock_access_method):
+            response = get(reverse('api:inventory_access_list', kwargs={'pk': inventory.id}), rando)
 
         mock_access_method.assert_called_once_with(inventory.admin_role, rando, 'members', **self.extra_kwargs)
         self._assert_one_in_list(response.data)
@@ -174,8 +174,8 @@ class TestAccessListCapabilities:
         assert direct_access_list[0]['role']['user_capabilities']['unattach'] == 'foobar'
 
     def test_access_list_indirect_access_capability(self, inventory, organization, org_admin, get, mocker, mock_access_method):
-        mocker.patch.object(access_registry[Role], 'can_unattach', mock_access_method)
-        response = get(reverse('api:inventory_access_list', kwargs={'pk': inventory.id}), org_admin)
+        with mocker.patch.object(access_registry[Role], 'can_unattach', mock_access_method):
+            response = get(reverse('api:inventory_access_list', kwargs={'pk': inventory.id}), org_admin)
 
         mock_access_method.assert_called_once_with(organization.admin_role, org_admin, 'members', **self.extra_kwargs)
         self._assert_one_in_list(response.data, sublist='indirect_access')
@@ -185,8 +185,8 @@ class TestAccessListCapabilities:
     def test_access_list_team_direct_access_capability(self, inventory, team, team_member, get, mocker, mock_access_method):
         team.member_role.children.add(inventory.admin_role)
 
-        mocker.patch.object(access_registry[Role], 'can_unattach', mock_access_method)
-        response = get(reverse('api:inventory_access_list', kwargs={'pk': inventory.id}), team_member)
+        with mocker.patch.object(access_registry[Role], 'can_unattach', mock_access_method):
+            response = get(reverse('api:inventory_access_list', kwargs={'pk': inventory.id}), team_member)
 
         mock_access_method.assert_called_once_with(inventory.admin_role, team.member_role, 'parents', **self.extra_kwargs)
         self._assert_one_in_list(response.data)
@@ -198,8 +198,8 @@ class TestAccessListCapabilities:
 def test_team_roles_unattach(mocker, team, team_member, inventory, mock_access_method, get):
     team.member_role.children.add(inventory.admin_role)
 
-    mocker.patch.object(access_registry[Role], 'can_unattach', mock_access_method)
-    response = get(reverse('api:team_roles_list', kwargs={'pk': team.id}), team_member)
+    with mocker.patch.object(access_registry[Role], 'can_unattach', mock_access_method):
+        response = get(reverse('api:team_roles_list', kwargs={'pk': team.id}), team_member)
 
     # Did we assess whether team_member can remove team's permission to the inventory?
     mock_access_method.assert_called_once_with(inventory.admin_role, team.member_role, 'parents', skip_sub_obj_read_check=True, data={})
@@ -212,8 +212,8 @@ def test_user_roles_unattach(mocker, organization, alice, bob, mock_access_metho
     organization.member_role.members.add(alice)
     organization.member_role.members.add(bob)
 
-    mocker.patch.object(access_registry[Role], 'can_unattach', mock_access_method)
-    response = get(reverse('api:user_roles_list', kwargs={'pk': alice.id}), bob)
+    with mocker.patch.object(access_registry[Role], 'can_unattach', mock_access_method):
+        response = get(reverse('api:user_roles_list', kwargs={'pk': alice.id}), bob)
 
     # Did we assess whether bob can remove alice's permission to the inventory?
     mock_access_method.assert_called_once_with(organization.member_role, alice, 'members', skip_sub_obj_read_check=True, data={})

awx/main/tests/functional/api/test_role.py

@@ -3,6 +3,17 @@ import pytest
 from awx.api.versioning import reverse
 
 
+@pytest.mark.django_db
+def test_admin_visible_to_orphaned_users(get, alice):
+    names = set()
+
+    response = get(reverse('api:role_list'), user=alice)
+    for item in response.data['results']:
+        names.add(item['name'])
+    assert 'System Auditor' in names
+    assert 'System Administrator' in names
+
+
 @pytest.mark.django_db
 @pytest.mark.parametrize('role,code', [('member_role', 400), ('admin_role', 400), ('inventory_admin_role', 204)])
 @pytest.mark.parametrize('reversed', [True, False])