Merge branch 'devel' into root_logger

Author: AlanCoding

.github/workflows/release.yml

@@ -7,13 +7,13 @@ env:
 on:
   workflow_dispatch:
 
+env:
+  PROJECT_NAME: django-ansible-base
+
 jobs:
-  stage:
+  build:
     runs-on: ubuntu-latest
-    timeout-minutes: 90
-    permissions:
-      packages: write
-      contents: write
+    timeout-minutes: 2
     steps:
       - name: Checkout dab
         uses: actions/checkout@v4
@@ -24,12 +24,80 @@ jobs:
         run: echo py_version=`make PYTHON_VERSION` >> $GITHUB_ENV
 
       - name: Install python ${{ env.py_version }}
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         with:
           python-version: ${{ env.py_version }}
 
-      - name: Install python deeps
+      - name: Install python deps
         run: pip install -r requirements/requirements_dev.txt
 
-      - name: Create release
-        run: ansible-playbook tools/ansible/release.yml -i localhost -e github_token=${{ secrets.GITHUB_TOKEN }}
+      - name: Build the dists
+        run: >-
+          ansible-playbook
+          tools/ansible/release.yml
+          -i localhost
+          -e github_token=${{ secrets.GITHUB_TOKEN }}
+          -t build
+
+      - name: Store the distribution packages
+        uses: actions/upload-artifact@v4
+        with:
+          name: python-package-distributions
+          path: |
+            dist/*.tar.gz
+            dist/*.whl
+          retention-days: 90
+
+  publish-pypi:
+    name: Publish to PyPI
+    needs:
+      - build
+
+    runs-on: ubuntu-latest
+
+    timeout-minutes: 1
+
+    environment:
+      name: pypi
+      url: https://pypi.org/project/${{ env.PROJECT_NAME }}
+
+    permissions:
+      contents: read  # This job doesn't need to `git push` anything
+      id-token: write  # PyPI Trusted Publishing (OIDC)
+
+    steps:
+      - name: Download all the dists
+        uses: actions/download-artifact@v4
+        with:
+          name: python-package-distributions
+          path: dist/
+      - name: Publish dists to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+
+  post-release-repo-update:
+    name: Make a GitHub Release
+    needs:
+      - publish-pypi
+
+    runs-on: ubuntu-latest
+
+    timeout-minutes: 2
+
+    permissions:
+      packages: write
+      contents: write
+
+    steps:
+      - name: Download all the dists
+        uses: actions/download-artifact@v4
+        with:
+          name: python-package-distributions
+          path: dist/
+
+      - name: Create a GitHub Release uploading the dists
+        run: >-
+          ansible-playbook
+          tools/ansible/release.yml
+          -i localhost
+          -e github_token=${{ secrets.GITHUB_TOKEN }}
+          -t github

ansible_base/authentication/authenticator_plugins/google_oauth2.py

@@ -7,7 +7,7 @@
 from ansible_base.authentication.social_auth import SocialAuthMixin, SocialAuthValidateCallbackMixin
 from ansible_base.lib.serializers.fields import BooleanField, CharField, ChoiceField, ListField, URLField
 
-logger = logging.getLogger('ansible_base.authentication.authenticator_plugins.oidc')
+logger = logging.getLogger('ansible_base.authentication.authenticator_plugins.google_oauth2')
 
 
 class GoogleOAuth2Configuration(BaseAuthenticatorConfiguration):

ansible_base/jwt_consumer/common/util.py

@@ -42,9 +42,15 @@ def validate_x_trusted_proxy_header(header_value: str, ignore_cache=False) -> bo
         logger.warning("Failed to validate x-trusted-proxy-header, malformed, expected value to contain a -")
         return False
 
+    try:
+        signature_bytes = bytes.fromhex(signature)
+    except ValueError:
+        logger.warning("Failed to validate x-trusted-proxy-header, malformed, expected signature to well-formed base64")
+        return False
+
     try:
         public_key.verify(
-            bytes.fromhex(signature),
+            signature_bytes,
             bytes(f'{_SHARED_SECRET}-{timestamp}', 'utf-8'),
             padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH),
             hashes.SHA256(),

ansible_base/lib/cache/fallback_cache.py

@@ -9,13 +9,21 @@
 from django.core import cache as django_cache
 from django.core.cache.backends.base import BaseCache
 
+from ansible_base.lib.utils.settings import get_setting
+
 logger = logging.getLogger('ansible_base.cache.fallback_cache')
 
 DEFAULT_TIMEOUT = None
 PRIMARY_CACHE = 'primary'
 FALLBACK_CACHE = 'fallback'
 
-_temp_file = Path().joinpath(tempfile.gettempdir(), 'gw_primary_cache_failed')
+_temp_path = get_setting('ANSIBLE_BASE_FALLBACK_CACHE_FILE_PATH', tempfile.gettempdir())
+_temp_file = Path().joinpath(_temp_path, 'gw_primary_cache_failed')
+
+
+def create_temp_file():
+    _temp_file.touch()
+    _temp_file.chmod(mode=0o660)
 
 
 class DABCacheWithFallback(BaseCache):
@@ -77,7 +85,7 @@ def _op_with_fallback(self, operation, *args, **kwargs):
                     time.sleep(random.uniform(10, 100) / 100.0)
                     if not _temp_file.exists():
                         logger.error("Primary cache unavailable, switching to fallback cache.")
-                    _temp_file.touch()
+                    create_temp_file()
                 response = getattr(self._fallback_cache, operation)(*args, **kwargs)
 
         return response

ansible_base/resource_registry/apps.py

@@ -103,7 +103,7 @@ def proxies_of_model(cls):
 def _should_reverse_sync():
     enabled = getattr(settings, 'RESOURCE_SERVER_SYNC_ENABLED', False)
     if enabled and (not resource_server_defined()):
-        logger.error("RESOURCE_SERVER is not configured. Reverse sync will not be enabled.")
+        logger.debug("RESOURCE_SERVER is not configured. Reverse sync will not be enabled.")
         enabled = False
     if enabled and resource_server_defined() and ('SECRET_KEY' not in settings.RESOURCE_SERVER or not settings.RESOURCE_SERVER['SECRET_KEY']):
         logger.error("RESOURCE_SERVER['SECRET_KEY'] is not configured. Reverse sync will not be enabled.")