AAP-39645 Allow non-admin admin (#716)

bhavenst · Bryan Havenstein · web-flow · commit 95e8ccf3d184 · 2025-04-24T13:45:57.000-04:00
## Description

Fixes issues blocking a user not named "admin" from being the admin
user. The issue in this case was creation of the db authenticator via
"aap-gateway-manage authenticators --initialize" was hard coded to the
user "admin" but this PR allows it to be created by the system user or
by no user if there is no "admin" user or system user defined.

## Type of Change
- [x] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing
functionality to not work as expected)
- [ ] Documentation update
- [ ] Test update
- [ ] Refactoring (no functional changes)
- [ ] Development environment change
- [ ] Configuration change

## Self-Review Checklist
- [x] I have performed a self-review of my code
- [x] I have added relevant comments to complex code sections
- [ ] I have updated documentation where needed
- [ ] I have considered the security impact of these changes
- [ ] I have considered performance implications
- [ ] I have thought about error handling and edge cases
- [x] I have tested the changes in my local environment

## Testing Instructions
### Prerequisites

### Steps to Test
1. Start gateway (with PR for AAP-39645 + this PR) after modifying
gateway_admin_username in container-startup.yml to something other than
admin.
2. See that everything works OK (there were errors in the log and didn't
start before). Log in as the specified user and see they have system
administrator role.
3. It's not really possible to unset SYSTEM_USER for gateway or for
test_app, both are not happy without one. This situation could be tested
with awx (since apparently it does not use a system user) but that is a
challenge to set up. Unit tests cover this scenario.

### Expected Results
See above.

## Additional Context
N/A

### Required Actions
- [ ] Requires documentation updates
- [ ] Requires downstream repository changes
- [ ] Requires infrastructure/deployment changes
- [ ] Requires coordination with other teams
- [ ] Blocked by PR/MR: #XXX

### Screenshots/Logs
N/A

---------

Co-authored-by: Bryan Havenstein &lt;bhavenst@redhat.com&gt;
diff --git a/ansible_base/authentication/management/commands/authenticators.py b/ansible_base/authentication/management/commands/authenticators.py
@@ -9,17 +9,18 @@
 from django.core.management.base import BaseCommand, CommandError
 from django.utils.translation import gettext_lazy as _
 
-from ansible_base.authentication.models import Authenticator, AuthenticatorUser
+from ansible_base.authentication.models import Authenticator
+from ansible_base.lib.utils.models import get_system_user
 
 
 class Command(BaseCommand):
     help = "Initialize service configuration with an admin user and a local authenticator"
 
     def add_arguments(self, parser):
-        parser.add_argument("--list", action="store_true", help="list the authenticators", required=False)
+        parser.add_argument("--list", action="store_true", help="List the authenticators", required=False)
         parser.add_argument("--initialize", action="store_true", help="Initialize an admin user and local db authenticator", required=False)
-        parser.add_argument("--enable", type=int, help="Initialize an admin user and local db authenticator", required=False)
-        parser.add_argument("--disable", type=int, help="Initialize an admin user and local db authenticator", required=False)
+        parser.add_argument("--enable", type=int, help="Enable the authenticator with provided ID", required=False)
+        parser.add_argument("--disable", type=int, help="Disable the authenticator with provided ID", required=False)
 
     def handle(self, *args, **options):
         took_action = False
@@ -30,17 +31,20 @@ def handle(self, *args, **options):
             for id, state in [(options['enable'], True), (options['disable'], False)]:
                 if not id:
                     continue
-                try:
-                    authenticator = Authenticator.objects.get(id=id)
-                except Authenticator.DoesNotExist:
-                    raise CommandError(_("Authenticator %(id)s does not exist") % {"id": id})
-                if authenticator.enabled is not state:
-                    authenticator.enabled = state
-                    authenticator.save()
+                self._update_authenticator(id, state)
             took_action = True
         if options["list"] or not took_action:
             self.list_authenticators()
 
+    def _update_authenticator(self, id: int, state: bool):
+        try:
+            authenticator = Authenticator.objects.get(id=id)
+        except Authenticator.DoesNotExist:
+            raise CommandError(_("Authenticator %(id)s does not exist") % {"id": id})
+        if authenticator.enabled is not state:
+            authenticator.enabled = state
+            authenticator.save()
+
     def list_authenticators(self):
         authenticators = []
         headers = ["ID", "Enabled", "Name", "Order"]
@@ -58,26 +62,34 @@ def list_authenticators(self):
         self.stdout.write('')
 
     def initialize_authenticators(self):
-        admin_user = get_user_model().objects.filter(username="admin").first()
-        if not admin_user:
-            raise CommandError("Admin user with username 'admin' not defined.")
+        if Authenticator.objects.filter(type="ansible_base.authentication.authenticator_plugins.local").exists():
+            self.stdout.write("Local authenticator already exists, skipping")
+            return
 
-        existing_authenticator = Authenticator.objects.filter(type="ansible_base.authentication.authenticator_plugins.local").first()
-        if not existing_authenticator:
-            existing_authenticator = Authenticator.objects.create(
-                name='Local Database Authenticator',
-                enabled=True,
-                create_objects=True,
-                configuration={},
-                created_by=admin_user,
-                modified_by=admin_user,
-                remove_users=False,
-                type='ansible_base.authentication.authenticator_plugins.local',
-            )
-            self.stdout.write("Created default local authenticator")
+        # First try to get the system user
+        system_user = get_system_user()
+        admin_user = None
+        try:
+            admin_user = get_user_model().objects.filter(username="admin").first()
+        except get_user_model().DoesNotExist:
+            pass
+        creator = None
+        if system_user is not None:
+            creator = system_user
+        elif admin_user is not None:
+            creator = admin_user
+        else:
+            creator = None
+            self.stderr.write("Neither system user nor admin user were defined, local authenticator will be created without created_by set")
 
-            AuthenticatorUser.objects.get_or_create(
-                uid=admin_user.username,
-                user=admin_user,
-                provider=existing_authenticator,
-            )
+        Authenticator.objects.create(
+            name='Local Database Authenticator',
+            enabled=True,
+            create_objects=True,
+            configuration={},
+            created_by=creator,
+            modified_by=creator,
+            remove_users=False,
+            type='ansible_base.authentication.authenticator_plugins.local',
+        )
+        self.stdout.write("Created default local authenticator")
diff --git a/test_app/tests/authentication/management/test_authenticators.py b/test_app/tests/authentication/management/test_authenticators.py
@@ -3,6 +3,7 @@
 
 import pytest
 from django.core.management import CommandError, call_command
+from django.test.utils import override_settings
 
 from ansible_base.authentication.models import Authenticator, AuthenticatorUser
 
@@ -77,27 +78,49 @@ def test_authenticators_cli_list_without_tabulate(command_args, local_authentica
         assert order.strip() == str(authenticator.order)
 
 
-def test_authenticators_cli_initialize(django_user_model):
+@pytest.mark.parametrize(
+    "system_user_exists,admin_user_exists,log_location,expected_log_entry,expected_authenticator_creator",
+    [
+        (True, True, "stdout", "Created default local authenticator", "_system"),
+        (True, False, "stdout", "Created default local authenticator", "_system"),
+        (False, True, "stdout", "Created default local authenticator", "admin"),
+        (False, False, "stderr", "Neither system user nor admin user were defined", None),
+    ],
+)
+def test_authenticators_cli_initialize(
+    django_user_model, system_user_exists, admin_user_exists, log_location, expected_log_entry, expected_authenticator_creator
+):
     """
-    Calling with --initialize will create:
-    - An authenticator if there is an admin user
+    Tests the different options for --initialize on authenticators.
     """
     out = StringIO()
     err = StringIO()
 
     # Sanity check:
     assert django_user_model.objects.count() == 0
 
-    with pytest.raises(CommandError) as e:
+    # Optionally create admin user
+    if admin_user_exists:
+        django_user_model.objects.create(username="admin")
+
+    # Set system user
+    system_username = "_system" if system_user_exists else None
+    with override_settings(SYSTEM_USERNAME=system_username):
         call_command('authenticators', "--initialize", stdout=out, stderr=err)
-    assert "Admin user with username 'admin' not defined." in str(e.value)
 
-    django_user_model.objects.create(username="admin")
-    call_command('authenticators', "--initialize", stdout=out, stderr=err)
-    assert "Created default local authenticator" in out.getvalue()
+        if log_location == "stdout":
+            assert expected_log_entry in out.getvalue()
+        else:
+            assert expected_log_entry in err.getvalue()
 
+        assert Authenticator.objects.count() == 1
+        if admin_user_exists or system_user_exists:
+            assert Authenticator.objects.first().created_by.username == expected_authenticator_creator
+        else:
+            assert Authenticator.objects.first().created_by is None
 
-def test_authenticators_cli_initialize_pre_existing(django_user_model, local_authenticator, admin_user):
+
+def test_authenticators_cli_initialize_pre_existing(django_user_model, local_authenticator, admin_user, unauthenticated_api_client):
     """
     What if we already have an admin user?
 
@@ -121,12 +144,17 @@ def test_authenticators_cli_initialize_pre_existing(django_user_model, local_aut
     # Nothing should have changed
     assert existing_user == new_user
     assert existing_user.date_joined == new_user.date_joined
-    assert out.getvalue() == ""
+    assert "Local authenticator already exists, skipping" in out.getvalue()
     assert err.getvalue() == ""
 
     # No AuthenticatorUser should get created in this case
     assert AuthenticatorUser.objects.count() == 0
 
+    # Log in to auto-create AuthenticatorUser
+    unauthenticated_api_client.login(username="admin", password="password")
+    assert AuthenticatorUser.objects.count() == 1
+    assert AuthenticatorUser.objects.first().user == admin_user
+
 
 @pytest.mark.parametrize(
     "start_state, flag, end_state, exp_out, exp_err",
