AAP-47499 Use get_settings to get CSRF_TRUSTED_ORIGINS in ansible_base SessionAuthentication (#755)

BrennanPaciorek · TheRealHaoLiu · web-flow · commit 2c18ec80936f · 2025-07-08T17:35:23.000-04:00
## Description
- What is being changed? Modify
ansible_base.authentication.session.SessionAuthentication to temporarily
patch CSRF_TRUSTED_ORIGINS with the setting retrieved from
`ansible_base.lib.utils.settings.get_setting`
- Why is this change needed? To support dynamic definitions of the
CSRF_TRUSTED_ORIGIN setting, provided the correct
ANSIBLE_BASE_SETTINGS_FUNCTION
- How does this change address the issue? By having
SessionAuthentication temporarily patch CSRF_TRUSTED_ORIGINS for the
duration of csrf enforcement

## Type of Change
&lt;!-- Mandatory: Check one or more boxes that apply --&gt;
- [ ] Bug fix (non-breaking change which fixes an issue)
- [X] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing
functionality to not work as expected)
- [ ] Documentation update
- [X] Test update
- [ ] Refactoring (no functional changes)
- [ ] Development environment change
- [ ] Configuration change

## Self-Review Checklist
&lt;!-- These items help ensure quality - they complement our automated CI
checks --&gt;
- [ ] I have performed a self-review of my code
- [ ] I have added relevant comments to complex code sections
- [ ] I have updated documentation where needed
- [ ] I have considered the security impact of these changes
- [ ] I have considered performance implications
- [ ] I have thought about error handling and edge cases
- [ ] I have tested the changes in my local environment

## Testing Instructions

### Prerequisites
Run your django app with one worker for simplicity (we cannot guarantee
this in testing situations, so this is only for manual verification)

### Steps to Test
1. Modify your ANSIBLE_BASE_SETTINGS_FUNCTION to return a different
CSRF_TRUSTED_ORIGINS
2. Make a curl POST request, changing your `Origin` header to match an
element of your alternate CSRF_TRUSTED_ORIGINS

### Expected Results
- CSRF_TRUSTED_ORIGINS django setting remains unchanged
- CSRF origin checking does not fail

---------

Co-authored-by: Hao Liu &lt;44379968+TheRealHaoLiu@users.noreply.github.com&gt;
diff --git a/ansible_base/authentication/session.py b/ansible_base/authentication/session.py
@@ -1,10 +1,23 @@
 from rest_framework import authentication
 
+from ansible_base.lib.utils.settings import replace_trusted_origins
+
 
 class SessionAuthentication(authentication.SessionAuthentication):
     """
     This class allows us to fail with a 401 if the user is not authenticated.
+
+    Allows CSRF_TRUSTED_ORIGINS to be read dynamically using get_setting.
+    Reverting the value of CSRF_TRUSTED_ORIGINS afterwards.
     """
 
     def authenticate_header(self, request):
         return "Session"
+
+    @replace_trusted_origins
+    def enforce_csrf(self, request):
+        """
+        Enforce CSRF validation for session based authentication using
+        AnsibleBaseCsrfViewMiddleware instead of Django's CsrfViewMiddleware.
+        """
+        return super().enforce_csrf(request)
diff --git a/ansible_base/lib/utils/settings.py b/ansible_base/lib/utils/settings.py
@@ -49,6 +49,24 @@ def get_function_from_setting(setting_name: str) -> Any:
         return None
 
 
+def replace_trusted_origins(func):
+    """Decorator for patching the CSRF_TRUSTED_ORIGINS django setting using the potentially different value in get_setting for the duration of a
+    function call
+    """
+
+    def override_setting(*args, **kwargs):
+        csrf_trusted_origins = settings.CSRF_TRUSTED_ORIGINS
+        try:
+            # Temporarily patch the setting
+            settings.CSRF_TRUSTED_ORIGINS = get_setting("CSRF_TRUSTED_ORIGINS", csrf_trusted_origins)
+            return func(*args, **kwargs)
+        finally:
+            # Revert setting after this is done
+            settings.CSRF_TRUSTED_ORIGINS = csrf_trusted_origins
+
+    return override_setting
+
+
 def get_from_import(module_name, attr):
     "Thin wrapper around importlib.import_module, mostly exists so that we can safely mock this in tests"
     module = importlib.import_module(module_name, package=attr)
diff --git a/test_app/tests/authentication/test_middleware.py b/test_app/tests/authentication/test_middleware.py
@@ -1,7 +1,9 @@
 from django.conf import settings
 from social_core.exceptions import AuthException
 
-from ansible_base.authentication.middleware import SocialExceptionHandlerMiddleware
+from ansible_base.authentication.middleware import (
+    SocialExceptionHandlerMiddleware,
+)
 
 
 def test_social_exception_handler_mw():
