External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-06-21 14:47:46 -02:30
Code Issues Packages Projects Releases Wiki Activity
Files
81b9c1f2945f2d0e75ca8f22dddbd8d840e7a4ae
awx/awx/main/utils/candlepin/__init__.py
jessicamack 90b7d35554 Implement Candlepin certificate integration (#16388) 
* AAP-12516 [option 2] Handle nested workflow artifacts via root node `ancestor_artifacts` (#16381)

* Add new test for artfact precedence upstream node vs outer workflow

* Fix bugs, upstream artifacts come first for precedence

* Track nested artifacts path through ancestor_artifacts on root nodes

* Fix case where first root node did not get the vars

* touchup comment

* Prevent conflict with sliced jobs hack

* Reorder URLs so that Django debug toolbar can work (#16352)

* Reorder URLs so that Django debug toolbar can work

* Move comment with URL move

* feat: support for oidc credential /test endpoint (#16370)

Adds support for testing external credentials that use OIDC workload identity tokens.
When FEATURE_OIDC_WORKLOAD_IDENTITY_ENABLED is enabled, the /test endpoints return
JWT payload details alongside test results.

- Add OIDC credential test endpoints with job template selection
- Return JWT payload and secret value in test response
- Maintain backward compatibility (detail field for errors)
- Add comprehensive unit and functional tests
- Refactor shared error handling logic

Co-authored-by: Daniel Finca <dfinca@redhat.com>
Co-authored-by: melissalkelly <melissalkelly1@gmail.com>

* Bind the install bundle to the ansible.receptor collection 2.0.8 version (#16396)

* [Devel] Config Endpoint Optimization (#16389)

* Improved performance of the config endpoint by reducing database queries in GET /api/controller/v2/config/

* Fix OIDC workload identity for inventory sync (#16390)

The cloud credential used by inventory updates was not going through
the OIDC workload identity token flow because it lives outside the
normal _credentials list. This overrides populate_workload_identity_tokens
in RunInventoryUpdate to include the cloud credential as an
additional_credentials argument to the base implementation, and
patches get_cloud_credential on the instance so the injector picks up
the credential with OIDC context intact.

Co-authored-by: Alan Rominger <arominge@redhat.com>
Co-authored-by: Dave Mulford <dmulford@redhat.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: integrate awx-tui to the awx_devel image (#16399)

* Aap 45980 (#16395)

* support bitbucket_dc webhooks

* add test

* update docs

* fix import for refactored method (#16394)

retrieve_workload_identity_jwt_with_claims is now
in a separate utility file, not in jobs.py

Signed-off-by: Seth Foster <fosterbseth@gmail.com>

* AAP-70257 controller collection should retry transient HTTP errors with exponential backoff. (#16415)

controller collection should retry transient HTTP errors with exponential backoff

* AAP-71844 Fix rrule fast-forward across DST boundaries (#16407)

Fix rrule fast-forward producing wrong occurrences across DST boundaries

The UTC round-trip in _fast_forward_rrule shifts the dtstart's local
hour when the original and fast-forwarded times are in different DST
periods. Since dateutil generates HOURLY occurrences by stepping in
local time, the shifted hour changes the set of reachable hours. With
BYHOUR constraints this causes a ValueError crash; without BYHOUR,
occurrences are silently shifted by 1 hour.

Fix by performing all arithmetic in the dtstart's original timezone.
Python aware-datetime subtraction already computes absolute elapsed
time regardless of timezone, so the UTC conversion was unnecessary
for correctness and actively harmful during fall-back ambiguity.

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Correctly restrict push actions to ownership repos (#16398)

* Correctly restrict push actions to ownership repos

* Use standard action to see if push actions should run

* Run spec job for 2.6 and higher

* Be even more restrictve, do not push if on a fork

* [Devel] Performance Optimization for Select Hosts Query (#16413)

* Fixed black reformating

* Make test simulate 500k hosts in real world scenario

* feat: improve unauthorized response on aap deployments (#16422)

* fix: do not include secret values in the credentials test endpoint an… (#16425)

fix: do not include secret values in the credentials test endpoint and add a guard to make sure credentials are testable

* [devel backport] AAP-41742: Fix workflow node update failing when JT has unprompted labels (#16426)

* AAP-41742: Fix workflow node update failing when JT has unprompted labels

PATCH extra_data on a workflow node fails with
{"labels":["Field is not configured to prompt on launch."]}
when the node has labels associated but the JT has
ask_labels_on_launch=False.

The serializer was passing all persisted M2M state from prompts_dict()
to _accept_or_ignore_job_kwargs() on every PATCH, re-validating
unchanged fields. Fix scopes validation to only the fields in the
request; full re-validation still occurs when unified_job_template
is being changed.

* Capture attrs keys before _build_mock_obj mutates them

_build_mock_obj() pops pseudo-fields (limit, scm_branch, job_tags,
etc.) from attrs. Computing requested_prompt_fields after the pop
would miss those fields and skip their ask_on_launch validation.

* Include survey_passwords when validating extra_vars prompts

prompts_dict() emits survey_passwords alongside extra_vars.
_accept_or_ignore_job_kwargs uses it to decrypt encrypted survey
values before validation. Without it, encrypted password blobs
are validated as-is against the survey spec.

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

* feat: add test to ensure credential secret values are not returned (#16434)

* AAP-68024 perf: derive last_job_host_summary from query instead of denormalized FK (#16332)

* perf: stop eagerly updating Host.last_job_host_summary on every job completion

The playbook_on_stats wrapup path bulk-updates last_job_host_summary_id
on every host touched by a job. In the Q4CY25 scale lab this query had
a median execution time of 75 seconds due to index churn on main_host.

Replace all reads of the denormalized FK with a new classmethod
JobHostSummary.latest_for_host(host_id) that queries for the most
recent summary on demand. This eliminates the write-side bulk_update
of last_job_host_summary_id entirely.

Changes:
- Add JobHostSummary.latest_for_host() classmethod
- Serializer: use latest_for_host() instead of obj.last_job_host_summary
- Dashboard view: use subquery instead of FK traversal for failed hosts
- Inventory.update_computed_fields: use subquery for failed host count
- events.py: remove last_job_host_summary_id from bulk_update
- signals.py: simplify _update_host_last_jhs to only update last_job
- access.py/managers.py: remove select_related/defer through the FK

The FK field on Host is left in place for now (removal requires a
migration) but is no longer written to.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Fix .pk AttributeError, add job_template annotations, annotate host sublists

- Add 'pk' to AnnotatedSummary dynamic type (fixes AttributeError in get_related)
- Add job_template_id and job_template_name to subquery annotations so list
  views include these fields in summary_fields.last_job (matching detail views)
- Traverse job__ FK from JobHostSummary instead of using separate UnifiedJob
  subquery with OuterRef on another annotation (cleaner SQL, avoids alias issue)
- Annotate all host sublist views (InventoryHostsList, GroupHostsList,
  GroupAllHostsList, InventorySourceHostsList) to prevent N+1 queries

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Update test_events to use JobHostSummary.latest_for_host instead of stale FKs

Tests were asserting host.last_job_id and host.last_job_host_summary_id
which are no longer updated. Use JobHostSummary.latest_for_host() to
derive the same data, matching the new read-time derivation approach.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Remove stale failures_url from deprecated DashboardView

The failures_url linked to ?last_job_host_summary__failed=True which
filters on the now-stale FK. The dashboard count itself was already
fixed to use a subquery annotation. Since DashboardView is deprecated
and has_active_failures is a SerializerMethodField (not filterable),
remove the failures_url entirely rather than creating a custom filter.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Apply black formatting to changed files

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Refactor: replace 10 subquery annotations with bulk prefetch

Instead of annotating every host queryset with 10 correlated subqueries
(summary + job + job_template fields), annotate only _latest_summary_id
and bulk-fetch the full JobHostSummary objects after pagination via
select_related('job', 'job__job_template').

This reduces the SQL from 10 correlated subqueries to 1 subquery + 1 IN
query, addressing review feedback about annotation overhead on host list
views.

- _annotate_host_latest_summary: only annotates _latest_summary_id
- _prefetch_latest_summaries: bulk-fetches and attaches to host objects
- HostSummaryPrefetchMixin: hooks into list() after pagination
- Serializer uses real JobHostSummary objects (no more AnnotatedSummary)
- to_representation always overwrites stale FK values

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Refactor: move latest summary to QuerySet._fetch_all + Host.latest_summary

Per review feedback, replace the view-level HostSummaryPrefetchMixin
with a custom QuerySet that bulk-attaches summaries at evaluation time
(like prefetch_related), and a Host.latest_summary property as the
single access point.

- HostLatestSummaryQuerySet: overrides _fetch_all() to bulk-fetch
  JobHostSummary objects with select_related after queryset evaluation
- HostManager now inherits from the custom queryset via from_queryset()
- Host.latest_summary property: uses cache if available, falls back to
  individual query
- Remove _annotate_host_latest_summary, _prefetch_latest_summaries,
  HostSummaryPrefetchMixin from views — no more list() override needed
- Remove last_job/last_job_host_summary from SUMMARIZABLE_FK_FIELDS
- Serializer uses obj.latest_summary and DEFAULT_SUMMARY_FIELDS loop

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Fix: scope annotation to views, restore license_error/canceled_on

- Remove with_latest_summary_id() from HostManager.get_queryset() to
  avoid applying the correlated subquery to every Host query globally
  (count, exists, internal relations)
- Apply with_latest_summary_id() in get_queryset() of the 6
  host-serving views only
- Restore license_error and canceled_on to last_job summary fields
  to avoid breaking API change

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Guard _fetch_all() to skip bulk-attach on non-annotated querysets

Without this guard, _fetch_all() would set _latest_summary_cache=None
on every host in non-annotated querysets (e.g. Host.objects.filter()),
masking the per-object fallback query in Host.latest_summary.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Remove name from last_job_host_summary and canceled_on from last_job summary

Per reviewer feedback: these fields were not in the original API contract
via SUMMARIZABLE_FK_FIELDS and their addition would be an API change.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Add functional tests for HostLatestSummaryQuerySet and Host.latest_summary

Tests cover:
- with_latest_summary_id() annotation and most-recent selection
- _fetch_all() bulk-attach behavior on annotated querysets
- _fetch_all() skips non-annotated querysets (preserves fallback)
- .count() and .exists() do NOT trigger _fetch_all
- Host.latest_summary cache hits (zero queries) and fallback
- Host.latest_job property
- select_related on bulk-attached summaries (no N+1)
- Chaining preserves annotation
- Multiple jobs / partial host coverage

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Apply black formatting to test_host_queryset.py

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Ben Thomasson <bthomass@redhat.com>

* Fix flake8 F841: remove unused job1/job2 variables in tests

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Ben Thomasson <bthomass@redhat.com>

* Add comment explaining why Prefetch was not used for host latest summary

Django Prefetch cannot handle latest per group -- [:1] slicing fetches
1 record globally, not per host (Django ticket #26780). The custom
_fetch_all override uses the same 2-query pattern as prefetch_related
internally, customized for this use case.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Fix null handling to keep old behavior

---------

Signed-off-by: Ben Thomasson <bthomass@redhat.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: AlanCoding <arominge@redhat.com>

* [AAP-72722] Use url instead of jwt_aud for workload identity audience (#16432)

* [AAP-72722] Use url instead of jwt_aud for workload identity audience

The OIDC credential plugin's jwt_aud field is being removed. Use the
plugin's url field as the audience when requesting workload identity
tokens, since the target service URL is the appropriate audience value.

Assisted-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* [Devel] Optimize host_list_rbac query  (#16408)

* Defer ansible_facts in HostManager to avoid fetching large JSON column in host list queries (AAP-68023)

The host list endpoint (GET /api/v2/hosts/) fetches the ansible_facts
JSON column unnecessarily, contributing to the 7.8s median query time
at scale. This column can be very large and is not used by the list
serializer.

Changes:
- HostManager.get_queryset() now defers ansible_facts
- finish_fact_cache call site uses .only(*HOST_FACTS_FIELDS) to eagerly
  load ansible_facts when actually needed, avoiding N+1 queries
- Unit test mocks updated to support .only() queryset chaining
- Points DAB dependency at the RBAC query optimization branch for
  combined testing

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---------

* fix: constructed inventories no longer increase the host count (#16433)

* Fix version worktree (#16431)

* git worktree friendly precomit install

* worktrees don't have a .git directory. Before, docker-compose would
  trigger pre-commit install and fail.

* make docker-compose work in git worktree

* AWX tries to discover the version via info stored in .git/ dir.
  setuptools-scm is capable of finding the .git/ dir, starting from a
  worktree, but is unable because only the worktree is mapped into the
  container, not the .git/ dir itself. Thus, we have to detect and pass
  the version into the container from outside. That is why this change
  landed in the Makefile.

* fix: as_user() gateway session cookie fallback (#16437)

Add a fallback that checks for `gateway_sessionid` when no cookie
matches `session_cookie_name`, mirroring the existing fallback in
`Connection.login()`. The finally block now cleans up whichever
cookie name was actually used.

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

* Pass setting to dispatcherd so it can be configured (#16438)

* fix: allow blank password field to fix OpenAPI schema validation (#16440)

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

* first pass porting over metrics

* move settings to defaults

* add more unit tests

* update unit tests

* lint fixes

* more lint fixes

* refactor and address feedback

* remove the api views

* remove model and move helper functions out of licensing

* add settings to API, fix tests, refactoring

* fix circular import

* update tests

* remove duplicate code, handle edge cases, use clearer naming, add test coverage

* update test for changes in ship()

* remove unneeded setting

* _discover_org should account for verify-tls=False

* directly assign settings, detect url, update tests

* log errors close to occurance

* rename function for clarity, focus on critical tests

* rename for clarity, lint fixes

* fix test params, priority for org discovery

* fix test failures and linting

---------

Signed-off-by: Seth Foster <fosterbseth@gmail.com>
Signed-off-by: Ben Thomasson <bthomass@redhat.com>
Co-authored-by: Alan Rominger <arominge@redhat.com>
Co-authored-by: Daniel Finca <dfinca@redhat.com>
Co-authored-by: melissalkelly <melissalkelly1@gmail.com>
Co-authored-by: Tong He <68936428+unnecessary-username@users.noreply.github.com>
Co-authored-by: Stevenson Michel <iamstevensonmichel@outlook.com>
Co-authored-by: Seth Foster <fosterseth@users.noreply.github.com>
Co-authored-by: Dave Mulford <dmulford@redhat.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Adrià Sala <22398818+adrisala@users.noreply.github.com>
Co-authored-by: Peter Braun <pbraun@redhat.com>
Co-authored-by: Sean Sullivan <ssulliva@redhat.com>
Co-authored-by: Dirk Julich <djulich@redhat.com>
Co-authored-by: Ben Thomasson <bthomass@redhat.com>
Co-authored-by: Dan Leehr <dleehr@users.noreply.github.com>
Co-authored-by: Lila Yasin <lyasin@redhat.com>
Co-authored-by: Chris Meyers <chrismeyersfsu@users.noreply.github.com>
2026-05-14 09:33:48 -04:00

350 lines
13 KiB
Python
Raw Blame History

# Copyright (c) 2026 Ansible, Inc.
# All Rights Reserved.
"""
Candlepin integration for mTLS-based authentication.
This package provides Candlepin consumer identity certificate support,
enabling AAP controller instances to authenticate analytics uploads using
mTLS instead of service account credentials.
"""
import logging
import requests
from django.conf import settings
from .client import CandlepinClient
from .lifecycle import (
get_candlepin_ca,
get_candlepin_url,
get_proxy_url,
get_renewal_days,
is_cert_valid,
parse_cert,
run_candlepin_lifecycle,
)
logger = logging.getLogger('awx.main.utils.candlepin')
def _fetch_candlepin_cert_from_db():
"""Read cert PEM, key PEM, and consumer UUID from AWX conf_settings.
Returns (cert_pem, key_pem, consumer_uuid) if valid certificate data exists,
or (None, None, None) if placeholder/unregistered data.
Best-effort: failures are logged as warnings and never propagate.
"""
try:
consumer_uuid = getattr(settings, 'CANDLEPIN_CONSUMER_UUID', '')
cert_pem = getattr(settings, 'CANDLEPIN_CERT_PEM', '')
key_pem = getattr(settings, 'CANDLEPIN_KEY_PEM', '')
# Check if we have valid data
if not consumer_uuid or not cert_pem or not key_pem:
return None, None, None
return cert_pem, key_pem, consumer_uuid
except Exception as e:
logger.warning(f'Could not fetch Candlepin lifecycle data from settings: {e}')
return None, None, None
def _save_candlepin_cert_to_db(cert_pem, key_pem):
"""Persist a renewed Candlepin identity cert and key to AWX conf_settings.
Returns:
bool: True if save succeeded, False on any error.
"""
try:
# Parse certificate to extract metadata
try:
cert_info = parse_cert(cert_pem)
serial_number = cert_info.get('serial', '')
except Exception as e:
logger.warning(f'Could not parse certificate metadata: {e}')
serial_number = ''
# Update conf_settings via settings wrapper
settings.CANDLEPIN_CERT_PEM = cert_pem
settings.CANDLEPIN_KEY_PEM = key_pem
settings.CANDLEPIN_SERIAL_NUMBER = serial_number
logger.info('Renewed Candlepin cert and key saved to conf_settings.')
return True
except Exception as e:
logger.error(f'Could not save renewed Candlepin cert to conf_settings: {e}')
return False
def _discover_org(candlepin_url, username, password, verify_tls=True):
"""Discover org key via GET /users/{username}/owners.
Args:
candlepin_url: Candlepin base URL
username: Username for authentication
password: Password for authentication
verify_tls: Whether to verify TLS certificates (default: True)
Returns:
str: Organization key if found, None on any failure.
"""
try:
url = f"{candlepin_url}/users/{username}/owners"
if verify_tls:
candlepin_ca = get_candlepin_ca()
verify = candlepin_ca if candlepin_ca else True
else:
verify = False
resp = requests.get(url, auth=(username, password), verify=verify, timeout=30)
resp.raise_for_status()
owners = resp.json()
if not owners:
logger.warning(f'No organizations found for user {username}')
return None
# Pick the first org, but warn if multiple exist
if len(owners) > 1:
logger.warning(f'User {username} has access to {len(owners)} organizations. Using first: {owners[0]}')
first_org = owners[0]
org = first_org.get('key')
if not org:
logger.warning(f'Organization key missing in first org entry for user {username}')
return None
return org
except requests.exceptions.RequestException as e:
logger.warning(f'Failed to discover organization for user {username}: {e}')
return None
except Exception as e:
logger.warning(f'Unexpected error discovering organization for user {username}: {e}')
return None
def _fetch_registration_credentials_from_db(verify_tls=True):
"""Read Candlepin registration credentials from AWX settings.
Tries several options to retrieve the Candlepin credentials (set by AWX when the
customer configures their Red Hat subscription), and to discover the org (org
key for the Candlepin /consumers endpoint), and INSTALL_UUID (used as the
consumer's aap.instance_uuid fact).
Priority for authentication credentials:
- If both REDHAT_USERNAME and SUBSCRIPTIONS_USERNAME exist: use REDHAT_USERNAME
- If only SUBSCRIPTIONS_USERNAME exists: use SUBSCRIPTIONS_USERNAME
Args:
verify_tls: Whether to verify TLS certificates during org discovery (default: True)
Returns (username, password, org, install_uuid), any of which may be None
if the corresponding setting is not configured.
"""
candlepin_url = get_candlepin_url()
try:
username = getattr(settings, 'REDHAT_USERNAME', None)
password = getattr(settings, 'REDHAT_PASSWORD', None)
if not (username and password):
username = getattr(settings, 'SUBSCRIPTIONS_USERNAME', None)
password = getattr(settings, 'SUBSCRIPTIONS_PASSWORD', None)
install_uuid = getattr(settings, 'INSTALL_UUID', None)
org = _discover_org(candlepin_url, username, password, verify_tls=verify_tls) if username and password else None
return username, password, org, install_uuid
except Exception as e:
logger.warning(f'Could not fetch Candlepin registration credentials from settings: {e}')
return None, None, None, None
def resolve_registration_credentials(username_override=None, password_override=None, org_override=None, verify_tls=True):
"""Resolve Candlepin registration credentials with optional overrides.
Fetches credentials from database settings and merges with any provided overrides.
Validates that all required fields are present.
Args:
username_override: Optional username to use instead of database value
password_override: Optional password to use instead of database value
org_override: Optional org to use instead of auto-discovered value
verify_tls: Whether to verify TLS certificates during org discovery (default: True)
Returns:
Tuple (username, password, org, install_uuid) if all required fields present,
or (None, None, None, None, error_messages) if validation fails.
error_messages is a list of strings describing missing values.
"""
db_username, db_password, db_org, db_install_uuid = _fetch_registration_credentials_from_db(verify_tls=verify_tls)
username = username_override or db_username
password = password_override or db_password
org = org_override or db_org
# Validate all required fields are present
missing = []
if not username:
missing.append('username (provide --username or set REDHAT_USERNAME in database)')
if not password:
missing.append('password (provide password or set REDHAT_PASSWORD in database)')
if not org:
missing.append('org (provide --org or ensure SUBSCRIPTIONS_USERNAME/PASSWORD are configured for auto-discovery)')
if missing:
return None, None, None, None, missing
return username, password, org, db_install_uuid, None
def _save_candlepin_registration_to_db(cert_pem, key_pem, consumer_uuid):
"""Persist a new Candlepin consumer registration (cert, key, UUID) to AWX conf_settings.
Returns:
bool: True if save succeeded, False on any error.
"""
try:
# Parse certificate to extract metadata
try:
cert_info = parse_cert(cert_pem)
serial_number = cert_info.get('serial', '')
except Exception as e:
logger.warning(f'Could not parse certificate metadata: {e}')
serial_number = ''
# Update conf_settings with all registration data via settings wrapper
settings.CANDLEPIN_CONSUMER_UUID = consumer_uuid
settings.CANDLEPIN_CERT_PEM = cert_pem
settings.CANDLEPIN_KEY_PEM = key_pem
settings.CANDLEPIN_SERIAL_NUMBER = serial_number
logger.info(f'Candlepin consumer registration saved to conf_settings (uuid={consumer_uuid}).')
return True
except Exception as e:
logger.error(f'Could not save Candlepin registration to conf_settings: {e}')
return False
def _register_candlepin_consumer():
"""Register a new Candlepin consumer using credentials from AWX settings.
Called when no identity cert exists in the DB.
Reads the Candlepin credentials and the org key and then calls
POST /consumers on Candlepin to obtain an identity certificate.
On success the cert, key, and consumer UUID are persisted to conf_settings.
Returns (cert_pem, key_pem, consumer_uuid) on success, (None, None, None) on
any failure. Best-effort: logs errors but never propagates.
"""
username, password, org, install_uuid = _fetch_registration_credentials_from_db()
if not username or not password:
logger.warning('Candlepin registration is enabled but credentials are not set; skipping registration.')
return None, None, None
if not org:
logger.warning('Candlepin registration is enabled but subscription org is not available; skipping registration.')
return None, None, None
candlepin_url = get_candlepin_url()
candlepin_ca = get_candlepin_ca()
proxy = get_proxy_url()
client = CandlepinClient(base_url=candlepin_url, candlepin_ca=candlepin_ca, proxy=proxy)
try:
cert_pem, key_pem, consumer_uuid = client.register_consumer(username, password, org, install_uuid)
except Exception as e:
logger.error(f'Candlepin consumer registration failed: {e}')
return None, None, None
if not _save_candlepin_registration_to_db(cert_pem, key_pem, consumer_uuid):
logger.error('Candlepin consumer registration succeeded but failed to save to database.')
return None, None, None
return cert_pem, key_pem, consumer_uuid
def _run_candlepin_lifecycle(cert_pem, key_pem, consumer_uuid):
"""Orchestrate Candlepin check-in and proactive cert renewal.
Returns the (possibly renewed) (cert_pem, key_pem) tuple. If renewal fails, the
original cert is returned and the caller will validate it with is_cert_valid().
If invalid, the caller skips mTLS and falls back directly to OIDC authentication.
"""
if not consumer_uuid:
logger.warning('Candlepin lifecycle is enabled but consumer UUID is not set; skipping check-in and renewal.')
return cert_pem, key_pem
candlepin_url = get_candlepin_url()
renewal_days = get_renewal_days()
candlepin_ca = get_candlepin_ca()
proxy = get_proxy_url()
try:
new_cert_pem, new_key_pem = run_candlepin_lifecycle(
cert_pem,
key_pem,
consumer_uuid,
candlepin_url=candlepin_url,
renewal_days=renewal_days,
candlepin_ca=candlepin_ca,
proxy=proxy,
)
if (new_cert_pem, new_key_pem) != (cert_pem, key_pem):
if not _save_candlepin_cert_to_db(new_cert_pem, new_key_pem):
logger.warning('Renewed certificate will be used for this request, but failed to persist to database for future use.')
return new_cert_pem, new_key_pem
except Exception as e:
logger.error(f'Candlepin lifecycle (check-in / renewal) failed: {e}; will attempt mTLS with existing cert')
return cert_pem, key_pem
def get_or_generate_candlepin_certificate():
"""
Get or generate Candlepin certificate for analytics authentication.
This function provides certificate-based authentication for analytics uploads.
It will:
1. Check for existing certificate in conf_settings
2. If missing, attempt to register with Candlepin (credentials from settings)
3. If exists, check for renewal needs and refresh if needed
4. Return the certificate and key as PEM strings
Returns:
Tuple (cert_pem, key_pem) as strings if certificate is available, (None, None) otherwise.
Note:
Credentials for registration are retrieved from Django settings internally
(REDHAT_USERNAME/PASSWORD, SUBSCRIPTIONS_USERNAME/PASSWORD, or
SUBSCRIPTIONS_CLIENT_ID/CLIENT_SECRET in priority order).
"""
cert_pem, key_pem, consumer_uuid = _fetch_candlepin_cert_from_db()
# If no certificate exists, attempt registration
if not cert_pem or not key_pem:
logger.info('No Candlepin certificate found, attempting registration')
cert_pem, key_pem, consumer_uuid = _register_candlepin_consumer()
if not cert_pem or not key_pem:
logger.debug('Candlepin certificate registration failed or not configured')
return None, None
# Run lifecycle (check-in and renewal if needed)
if consumer_uuid:
cert_pem, key_pem = _run_candlepin_lifecycle(cert_pem, key_pem, consumer_uuid)
# Validate certificate is still usable
if not is_cert_valid(cert_pem):
logger.warning('Candlepin certificate is not valid (expired or not yet valid)')
return None, None
# Return raw PEM strings - caller will create temp files if needed
return cert_pem, key_pem
__all__ = [
'get_or_generate_candlepin_certificate',
'resolve_registration_credentials',
]
Reference in New Issue View Git Blame Copy Permalink