Merge branch 'devel' into max_recursion

Author: AlanCoding

.github/workflows/ci.yml

@@ -17,18 +17,23 @@ jobs:
           - env: check
             python-version: "3.11"
             sonar: false
+            junit-xml-upload: false
           - env: py39
             python-version: "3.9"
             sonar: false
+            junit-xml-upload: false
           - env: py310
             python-version: "3.10"
             sonar: false
+            junit-xml-upload: false
           - env: py311
             python-version: "3.11"
             sonar: true
+            junit-xml-upload: true
           - env: py311sqlite
             python-version: "3.11"
             sonar: false
+            junit-xml-upload: false
     steps:
       - uses: actions/checkout@v4
         with:
@@ -43,7 +48,7 @@ jobs:
           python-version: ${{ matrix.tests.python-version }}
 
       - name: Install tox
-        run: pip${{ matrix.tests.python-version }} install tox
+        run: pip${{ matrix.tests.python-version }} install tox tox-docker
 
       - name: Run tox
         run: |
@@ -55,7 +60,7 @@ jobs:
         run: sed -i '2i <!-- PR ${{ github.event.number }} -->' coverage.xml
 
       - name: Upload coverage as artifact
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v4
         if: matrix.tests.sonar
         with:
           name: coverage
@@ -67,3 +72,14 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+
+      - name: Upload jUnit XML test results
+        if: matrix.tests.junit-xml-upload && github.event_name == 'push' && github.repository == 'ansible/django-ansible-base' && github.ref_name == 'devel'
+        continue-on-error: true
+        run: >-
+          curl -v --user "${{ vars.PDE_ORG_RESULTS_AGGREGATOR_UPLOAD_USER }}:${{ secrets.PDE_ORG_RESULTS_UPLOAD_PASSWORD }}"
+          --form "[email protected]"
+          --form "component_name=django-ansible-base"
+          --form "git_commit_sha=${{ github.sha }}"
+          --form "git_repository_url=https://github.com/${{ github.repository }}"
+          "${{ vars.PDE_ORG_RESULTS_AGGREGATOR_UPLOAD_URL }}/api/results/upload/"

.github/workflows/release.yml

@@ -3,17 +3,15 @@ name: Release django-ansible-base
 
 env:
   LC_ALL: "C.UTF-8" # prevent ERROR: Ansible could not initialize the preferred locale: unsupported locale setting
+  PROJECT_NAME: django-ansible-base
 
 on:
   workflow_dispatch:
 
 jobs:
-  stage:
+  build:
     runs-on: ubuntu-latest
-    timeout-minutes: 90
-    permissions:
-      packages: write
-      contents: write
+    timeout-minutes: 2
     steps:
       - name: Checkout dab
         uses: actions/checkout@v4
@@ -24,12 +22,80 @@ jobs:
         run: echo py_version=`make PYTHON_VERSION` >> $GITHUB_ENV
 
       - name: Install python ${{ env.py_version }}
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         with:
           python-version: ${{ env.py_version }}
 
-      - name: Install python deeps
+      - name: Install python deps
         run: pip install -r requirements/requirements_dev.txt
 
-      - name: Create release
-        run: ansible-playbook tools/ansible/release.yml -i localhost -e github_token=${{ secrets.GITHUB_TOKEN }}
+      - name: Build the dists
+        run: >-
+          ansible-playbook
+          tools/ansible/release.yml
+          -i localhost
+          -e github_token=${{ secrets.GITHUB_TOKEN }}
+          -t build
+
+      - name: Store the distribution packages
+        uses: actions/upload-artifact@v4
+        with:
+          name: python-package-distributions
+          path: |
+            dist/*.tar.gz
+            dist/*.whl
+          retention-days: 90
+
+  publish-pypi:
+    name: Publish to PyPI
+    needs:
+      - build
+
+    runs-on: ubuntu-latest
+
+    timeout-minutes: 1
+
+    environment:
+      name: pypi
+      url: https://pypi.org/project/${{ env.PROJECT_NAME }}
+
+    permissions:
+      contents: read  # This job doesn't need to `git push` anything
+      id-token: write  # PyPI Trusted Publishing (OIDC)
+
+    steps:
+      - name: Download all the dists
+        uses: actions/download-artifact@v4
+        with:
+          name: python-package-distributions
+          path: dist/
+      - name: Publish dists to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+
+  post-release-repo-update:
+    name: Make a GitHub Release
+    needs:
+      - publish-pypi
+
+    runs-on: ubuntu-latest
+
+    timeout-minutes: 2
+
+    permissions:
+      packages: write
+      contents: write
+
+    steps:
+      - name: Download all the dists
+        uses: actions/download-artifact@v4
+        with:
+          name: python-package-distributions
+          path: dist/
+
+      - name: Create a GitHub Release uploading the dists
+        run: >-
+          ansible-playbook
+          tools/ansible/release.yml
+          -i localhost
+          -e github_token=${{ secrets.GITHUB_TOKEN }}
+          -t github

.gitignore

@@ -19,6 +19,7 @@ __pycache__
 .coverage*
 coverage.xml
 coverage.json
+django-ansible-base-test-results.xml
 htmlcov
 *.tox
 venv/

ansible_base/authentication/authenticator_plugins/_radiusauth.py

@@ -39,6 +39,9 @@
 #Handle custom user models
 from django.contrib.auth import get_user_model
 from django.contrib.auth.models import Group
+
+logger = logging.getLogger('ansible_base.authentication.authenticator_plugins._radiusauth')
+
 User = get_user_model()
 
 DICTIONARY = u"""
@@ -149,23 +152,23 @@ def _perform_radius_auth(self, client, packet):
         try:
             reply = client.SendPacket(packet)
         except Timeout as e:
-            logging.error("RADIUS timeout occurred contacting %s:%s" % (
+            logger.error("RADIUS timeout occurred contacting %s:%s" % (
                 client.server, client.authport))
             return None
         except Exception as e:
-            logging.error("RADIUS error: %s" % e)
+            logger.error("RADIUS error: %s" % e)
             return None
 
         if reply.code == AccessReject:
-            logging.warning("RADIUS access rejected for user '%s'" % (
+            logger.warning("RADIUS access rejected for user '%s'" % (
                 packet['User-Name']))
             return None
         elif reply.code != AccessAccept:
-            logging.error("RADIUS access error for user '%s' (code %s)" % (
+            logger.error("RADIUS access error for user '%s' (code %s)" % (
                 packet['User-Name'], reply.code))
             return None
 
-        logging.info("RADIUS access granted for user '%s'" % (
+        logger.info("RADIUS access granted for user '%s'" % (
             packet['User-Name']))
 
         if "Class" not in reply.keys():
@@ -190,7 +193,7 @@ def _perform_radius_auth(self, client, packet):
                 elif role == "superuser":
                     is_superuser = True
                 else:
-                    logging.warning("RADIUS Attribute Class contains unknown role '%s'. Only roles 'staff' and 'superuser' are allowed" % cl)
+                    logger.warning("RADIUS Attribute Class contains unknown role '%s'. Only roles 'staff' and 'superuser' are allowed" % cl)
         return groups, is_staff, is_superuser
 
     def _radius_auth(self, server, username, password):
@@ -232,7 +235,7 @@ def get_user_groups(self, group_names):
         groups = Group.objects.filter(name__in=group_names)
         if len(groups) != len(group_names):
             local_group_names = [g.name for g in groups]
-            logging.warning("RADIUS reply contains %d user groups (%s), but only %d (%s) found" % (
+            logger.warning("RADIUS reply contains %d user groups (%s), but only %d (%s) found" % (
                 len(group_names), ", ".join(group_names), len(groups), ", ".join(local_group_names)))
         return groups
 

ansible_base/authentication/authenticator_plugins/base.py

@@ -1,5 +1,6 @@
 import logging
 
+from django.db import IntegrityError, transaction
 from django.utils.translation import gettext_lazy as _
 from rest_framework import serializers
 from rest_framework.fields import empty
@@ -134,3 +135,61 @@ def add_related_fields(self, request, authenticator):
 
     def validate(self, serializer, data):
         return data
+
+    def move_authenticator_user_to(self, new_user, old_authenticator_user):
+        """
+        new_user: django User instance. User that we're moving this account to.
+        old_authenticator_user: AuthenticatorUser instance from this authenticator that is being removed.
+        """
+        exclude_fields = (
+            "social_auth",
+            "authenticator_users",
+            "groups",
+            "has_roles",
+            # We're ignoring role assignments for two reasons: 1. this isn't safe to copy right now, as it
+            # could break the caching layer, 2. roles are intented to come from the authenticator via an
+            # authenticator map, so when a user is move to a new authenticator, they're old roles should
+            # be removed.
+            "role_assignments",
+            "logentry",
+        )
+
+        old_user = old_authenticator_user.user
+
+        # Delete the old authenticator user
+        old_authenticator_user.delete()
+
+        if new_user.pk == old_user.pk:
+            return
+
+        # Copy all of the relationships from the old user to the new one
+        for field in new_user._meta.get_fields():
+            if field.many_to_many is True or field.one_to_many is True:
+                name = field.name
+                if name in exclude_fields:
+                    continue
+                if not hasattr(old_user, name) or not hasattr(new_user, name):
+                    continue
+                for x in getattr(old_user, name).all():
+                    # The only case where this might fail is if the relationship has a uniqueness
+                    # contraint on the user. In this case, all we can do is skip.
+                    try:
+                        # This atomic block is here to prevent a failure that is best described by
+                        # this stack overflow: https://stackoverflow.com/questions/21458387
+                        with transaction.atomic():
+                            getattr(new_user, name).add(x)
+                    except IntegrityError as e:
+                        logger.warning(f"Could not add {name} to {new_user.username}. Error: {e}")
+                        continue
+
+        return old_user
+
+    def get_alternative_uid(self, **kwargs):
+        """
+        This method can be used to provide an alternative UID for the user in case we need to match
+        UIDs across different authenticators (as is the case for auto_migrate_users_to). It receives
+        the kwargs from the social auth pipeline (https://python-social-auth.readthedocs.io/en/latest/pipeline.html).
+
+        For a good example of this method in action, check out the keycloak authenticator.
+        """
+        return None

ansible_base/authentication/authenticator_plugins/google_oauth2.py

@@ -7,7 +7,7 @@
 from ansible_base.authentication.social_auth import SocialAuthMixin, SocialAuthValidateCallbackMixin
 from ansible_base.lib.serializers.fields import BooleanField, CharField, ChoiceField, ListField, URLField
 
-logger = logging.getLogger('ansible_base.authentication.authenticator_plugins.oidc')
+logger = logging.getLogger('ansible_base.authentication.authenticator_plugins.google_oauth2')
 
 
 class GoogleOAuth2Configuration(BaseAuthenticatorConfiguration):

ansible_base/authentication/authenticator_plugins/keycloak.py

@@ -58,3 +58,6 @@ def extra_data(self, user, backend, response, *args, **kwargs):
 
     def get_user_groups(self, extra_groups=[]):
         return extra_groups
+
+    def get_alternative_uid(self, **kwargs):
+        return kwargs.get("response", {}).get("sub", None)

ansible_base/authentication/authenticator_plugins/ldap.py

@@ -374,7 +374,8 @@ def authenticate(self, request, username=None, password=None, **kwargs) -> (obje
         # Ensure USER_SEARCH and GROUP_SEARCH are converted into a search object
         for field, search_must_have_user in [('GROUP_SEARCH', False), ('USER_SEARCH', True)]:
             data = getattr(self.settings, field, None)
-            if data is None:
+            # Ignore None or empty (e.g., [])
+            if not data:
                 setattr(self.settings, field, None)
             elif not isinstance(data, config.LDAPSearch):
                 try:

ansible_base/authentication/authenticator_plugins/oidc.py

@@ -270,3 +270,12 @@ def user_data(self, access_token, *args, **kwargs):
                 logger.error(_(f"Unable to decode user info response JWT: {e}"))
                 return None
         return user_data.json()
+
+    def get_alternative_uid(self, **kwargs):
+        preferred_username = kwargs.get("response", {}).get("preferred_username", None)
+        uid = kwargs.get("uid", None)
+
+        if preferred_username != uid:
+            return preferred_username
+
+        return None

ansible_base/authentication/authenticator_plugins/saml.py

@@ -301,6 +301,13 @@ def extra_data(self, user, backend, response, *args, **kwargs):
     def get_user_groups(self, extra_groups=[]):
         return extra_groups
 
+    def get_alternative_uid(self, **kwargs):
+        if uid := kwargs.get("uid", None):
+            if ":" in uid:
+                return uid.split(":", maxsplit=1)[1]
+
+        return None
+
 
 class SAMLMetadataView(View):
     def get(self, request, pk=None, format=None):