Merge branch 'remove-saml' of github.com:jessicamack/awx into remove-saml
jessicamack committed Oct 2, 2024
2 parents d4a4d14 + 42df181 commit 7ca549f
Showing 8 changed files with 21 additions and 494 deletions.
8 changes: 7 additions & 1 deletion .github/workflows/ci.yml
Expand Up @@ -25,19 +25,25 @@ jobs:
tests:
- name: api-test
command: /start_tests.sh test_coverage
coverage-upload-name: ""
- name: api-migrations
command: /start_tests.sh test_migrations
coverage-upload-name: ""
- name: api-lint
command: /var/lib/awx/venv/awx/bin/tox -e linters
coverage-upload-name: ""
- name: api-swagger
command: /start_tests.sh swagger
coverage-upload-name: ""
- name: awx-collection
command: /start_tests.sh test_collection_all
coverage-upload-name: "awx-collection"
- name: api-schema
command: >-
/start_tests.sh detect-schema-change SCHEMA_DIFF_BASE_BRANCH=${{
github.event.pull_request.base.ref || github.ref_name
}}
coverage-upload-name: ""

steps:
- uses: actions/checkout@v4
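Review bot: the new `coverage-upload-name: ""` entries only make sense together with the `|| 'awx'` fallback in the upload step later in this file; a short comment on the matrix saying that an empty string means "upload under the default `awx` component name" would spare the next reader that lookup, and makes the intent explicit rather than relying on the expression engine treating `""` as falsy.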
Expand Down Expand Up @@ -109,7 +115,7 @@ jobs:
-v \
--user "${{ vars.PDE_ORG_RESULTS_AGGREGATOR_UPLOAD_USER }}:${{ secrets.PDE_ORG_RESULTS_UPLOAD_PASSWORD }}" \
--form "xunit_xml=@${junit_file}" \
--form "component_name=awx" \
--form "component_name=${{ matrix.tests.coverage-upload-name || 'awx' }}" \
--form "git_commit_sha=${{ github.sha }}" \
--form "git_repository_url=https://github.com/${{ github.repository }}" \
"${{ vars.PDE_ORG_RESULTS_AGGREGATOR_UPLOAD_URL }}/api/results/upload/"
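Review bot: not introduced by this hunk but visible in it: the upload password is passed on the curl command line via `--user`, where it is exposed in the runner's process listing for the duration of the call; consider writing the credential to a file from the secret and using `--netrc-file` or `--config` instead. The new `${{ matrix.tests.coverage-upload-name || 'awx' }}` expression itself looks right, since the hyphenated property name is valid in dot syntax and an unset key also falls through to `awx`.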
Expand Up @@ -299,7 +299,7 @@ def build_env(self, instance, private_data_dir, private_data_files=None):
env = {}
# Add ANSIBLE_* settings to the subprocess environment.
for attr in dir(settings):
if attr == attr.upper() and attr.startswith('ANSIBLE_'):
if attr == attr.upper() and attr.startswith('ANSIBLE_') and not attr.startswith('ANSIBLE_BASE_'):
env[attr] = str(getattr(settings, attr))
# Also set environment variables configured in AWX_TASK_ENV setting.
for key, value in settings.AWX_TASK_ENV.items():
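Review bot: the new `not attr.startswith('ANSIBLE_BASE_')` guard deserves an inline comment and a test. The `ANSIBLE_BASE_*` names are django-ansible-base settings (see `ANSIBLE_BASE_CUSTOM_VIEW_PARENT` elsewhere in this commit), not ansible-core settings, so exporting them into the job subprocess environment both pollutes it and exposes internal service configuration to playbook content. A test that defines a dummy `ANSIBLE_BASE_FOO` setting and asserts it is absent from the `build_env()` result would pin that behaviour.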
Expand Up @@ -523,7 +523,12 @@
'social_core.pipeline.user.user_details',
'awx.sso.social_base_pipeline.prevent_inactive_login',
)
SOCIAL_AUTH_PIPELINE = _SOCIAL_AUTH_PIPELINE_BASE + ('awx.sso.social_pipeline.update_user_orgs', 'awx.sso.social_pipeline.update_user_teams')

SOCIAL_AUTH_PIPELINE = _SOCIAL_AUTH_PIPELINE_BASE + (
'awx.sso.social_pipeline.update_user_orgs',
'awx.sso.social_pipeline.update_user_teams',
'ansible_base.resource_registry.utils.service_backed_sso_pipeline.redirect_to_resource_server',
)

SOCIAL_AUTH_LOGIN_URL = '/'
SOCIAL_AUTH_LOGIN_REDIRECT_URL = '/sso/complete/'
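Review bot: the appended `redirect_to_resource_server` step is referenced by dotted path only; please add a comment stating which django-ansible-base version introduces `service_backed_sso_pipeline` and what the step does when no resource server is configured, and pin the dependency accordingly, otherwise social logins fail at import time on an older dependency. Ordering also matters here: it runs after `update_user_orgs` and `update_user_teams`, so a redirect that interrupts the pipeline would still leave local org and team membership already applied.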
Expand Down Expand Up @@ -1150,6 +1155,9 @@
# Use AWX base view, to give 401 on unauthenticated requests
ANSIBLE_BASE_CUSTOM_VIEW_PARENT = 'awx.api.generics.APIView'

# If we have a resource server defined, apply local changes to that server
RESOURCE_SERVER_SYNC_ENABLED = True

# Settings for the ansible_base RBAC system

# This has been moved to data migration code
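Review bot: `RESOURCE_SERVER_SYNC_ENABLED = True` as the shipped default means local changes are pushed outward whenever a resource server exists; the comment should state what happens when none is defined (no-op, or error on first write) and whether the setting is user-visible, and the administration docs changed in this commit should mention it alongside the other resource server settings.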
@@ -1,4 +1,4 @@
Through the AWX user interface, you can set up a simplified login through various authentication types: GitHub, Google, LDAP, RADIUS, and SAML. After you create and register your developer application with the appropriate service, you can set up authorizations for them.
Through the AWX user interface, you can set up a simplified login through various authentication types: GitHub, Google, LDAP, and RADIUS. After you create and register your developer application with the appropriate service, you can set up authorizations for them.

1. From the left navigation bar, click **Settings**.

Expand All @@ -9,10 +9,7 @@ Through the AWX user interface, you can set up a simplified login through variou
- :ref:`ag_auth_google_oauth2`
- :ref:`LDAP settings <ag_auth_ldap>`
- :ref:`ag_auth_radius`
- :ref:`ag_auth_saml`
- :ref:`ag_auth_tacacs`
- :ref:`ag_auth_oidc`


Different authentication types require you to enter different information. Be sure to include all the information as required.

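Review bot: the `ag_auth_saml` label is deleted together with the SAML section in ent_auth.rst, whose diff is not rendered here, so run the Sphinx build with warnings promoted to errors (or grep docs/docsite for `ag_auth_saml`) to confirm no remaining `:ref:` targets it; the references in this hunk, security.rst and social_auth.rst are covered, but known_issues.rst also referenced `ag_auth_saml_user_flags_attr_map`, which must go with it.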
467 changes: 1 addition & 466 deletions docs/docsite/rst/administration/ent_auth.rst

Large diffs are not rendered by default.

Expand Up @@ -82,7 +82,7 @@ Do not disable SELinux, and do not disable AWX’s existing multi-tenant contain
External account stores
^^^^^^^^^^^^^^^^^^^^^^^^^

Maintaining a full set of users just in AWX can be a time-consuming task in a large organization, prone to error. AWX supports connecting to external account sources via :ref:`LDAP <ag_auth_ldap>`, :ref:`SAML 2.0 <ag_auth_saml>`, and certain :ref:`OAuth providers <ag_social_auth>`. Using this eliminates a source of error when working with permissions.
Maintaining a full set of users just in AWX can be a time-consuming task in a large organization, prone to error. AWX supports connecting to external account sources via :ref:`LDAP <ag_auth_ldap>` and certain :ref:`OAuth providers <ag_social_auth>`. Using this eliminates a source of error when working with permissions.


.. _ag_security_django_password:
Expand Up @@ -11,12 +11,10 @@ Authentication methods help simplify logins for end users--offering single sign-

Account authentication can be configured in the AWX User Interface and saved to the PostgreSQL database. For instructions, refer to the :ref:`ag_configure_awx` section.

Account authentication in AWX can be configured to centrally use OAuth2, while enterprise-level account authentication can be configured for :ref:`Azure <ag_auth_azure>`, :ref:`RADIUS <ag_auth_radius>`, :ref:`SAML <ag_auth_saml>`, or even :ref:`LDAP <ag_auth_ldap>` as a source for authentication information. See :ref:`ag_ent_auth` for more detail.
Account authentication in AWX can be configured to centrally use OAuth2, while enterprise-level account authentication can be configured for :ref:`Azure <ag_auth_azure>`, :ref:`RADIUS <ag_auth_radius>`, or even :ref:`LDAP <ag_auth_ldap>` as a source for authentication information. See :ref:`ag_ent_auth` for more detail.

For websites, such as Microsoft Azure, Google or GitHub, that provide account information, account information is often implemented using the OAuth standard. OAuth is a secure authorization protocol which is commonly used in conjunction with account authentication to grant 3rd party applications a "session token" allowing them to make API calls to providers on the user’s behalf.

Security Assertion Markup Language (:ref:`SAML <ag_auth_saml>`) is an XML-based, open-standard data format for exchanging account authentication and authorization data between an identity provider and a service provider.

The :ref:`RADIUS <ag_auth_radius>` distributed client/server system allows you to secure networks against unauthorized access and can be implemented in network environments requiring high levels of security while maintaining network access for remote users.


Expand Down Expand Up @@ -341,7 +339,6 @@ Organization mappings may be specified separately for each account authenticatio
SOCIAL_AUTH_GITHUB_ORGANIZATION_MAP = {}
SOCIAL_AUTH_GITHUB_ORG_ORGANIZATION_MAP = {}
SOCIAL_AUTH_GITHUB_TEAM_ORGANIZATION_MAP = {}
SOCIAL_AUTH_SAML_ORGANIZATION_MAP = {}


Team mapping
Expand Down Expand Up @@ -387,7 +384,6 @@ Team mappings may be specified separately for each account authentication backen
SOCIAL_AUTH_GITHUB_TEAM_MAP = {}
SOCIAL_AUTH_GITHUB_ORG_TEAM_MAP = {}
SOCIAL_AUTH_GITHUB_TEAM_TEAM_MAP = {}
SOCIAL_AUTH_SAML_TEAM_MAP = {}

Uncomment the line below (i.e. set ``SOCIAL_AUTH_USER_FIELDS`` to an empty list) to prevent new user accounts from being created. Only users who have previously logged in to AWX using social or enterprise-level authentication or have a user account with a matching email address will be able to login.

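Review bot: the docs drop `SOCIAL_AUTH_SAML_ORGANIZATION_MAP` and `SOCIAL_AUTH_SAML_TEAM_MAP`, but nothing visible in this commit removes them from the settings registry or adds a data migration; confirm that stale values stored in the database are ignored after upgrade and say so in the release notes. The sentence following this hunk about `SOCIAL_AUTH_USER_FIELDS` still says "social or enterprise-level authentication", which remains accurate for the backends that stay.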
Expand Up @@ -27,7 +27,6 @@ Known Issues
pair: known issues; session limit
pair: known issues; Ansible Azure dependencies
pair: known issues; authentication (reactive user)
pair: known issues; SAML issues
pair: known issues; user cannot log in using authentication
pair: known issues; login problems with social authentication
pair: known issues; OAuth account recreation
Expand Down Expand Up @@ -111,20 +110,6 @@ Potential security issue using ``X_FORWARDED_FOR`` in ``REMOTE_HOST_HEADERS``
If placing AWX nodes behind some sort of proxy, this may pose a security issue. This approach assumes traffic is always flowing exclusively through your load balancer, and that traffic that circumvents the load balancer is suspect to ``X-Forwarded-For`` header spoofing.


Server error when accessing SAML metadata via hostname
=========================================================

When AWX is accessed via hostname only (e.g. https://my-little-awx), trying to read the SAML metadata from /sso/metadata/saml/ generates a ``sp_acs_url_invalid`` server error.

A configuration in which uses SAML when accessing AWX via hostname only instead of an FQDN, is not supported. Doing so will generate an error that is captured in the browser with full traceback information.


SAML authentication revokes admin role upon login
==================================================

Older versions of AWX, the SAML adapter did not evaluate the System Auditor or System Admin roles for a user logging in. Because of this, the login process would not change a user's system roles that were granted through the User Interface. The adapter now has a setting called **SAML User Flags Attribute Mapping** to grant users logging in these roles based on either SAML attributes or roles, and the adapter defaults to removing these roles if unspecified akin to the LDAP adapter. Refer to the :ref:`logic table <ag_auth_saml_user_flags_attr_map>` that shows the relationship between how the role, attribute, and attribute value settings are configured and whether or not a user will be granted the System Admin/Auditor roles.


Live events status indicators
===============================

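Review bot: dropping the two SAML known issues is correct once the backend is gone, but this release notes file gains no entry saying that SAML authentication has been removed; upgraders who rely on SAML will lose their login path, so a release note telling them to move users to another backend (LDAP, RADIUS, or an OAuth provider as listed in the docs changed here) before upgrading is needed. The `X_FORWARDED_FOR` entry above is unaffected.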

0 comments on commit 7ca549f