AAP-49910 - Delete legacy authenticator code (#780)

zkayyali812 · web-flow · commit b6ec2e8003a5 · 2025-08-11T13:56:30.000-04:00
## Description  - What is being changed? Remove code no longer needed, as the legacy authenticator is now removed. - Why is this change needed? Since the legacy authenticators have been removed, the related DAB code is no longer needed and can be removed - How does this change address the issue? This change addresses the issue by removing the now unnecessary code. [Jira](https://issues.redhat.com/browse/AAP-49910) ## Type of Change  - [ ] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected) - [ ] Documentation update - [ ] Test update - [x] Refactoring (no functional changes) - [ ] Development environment change - [ ] Configuration change ## Self-Review Checklist  - [x] I have performed a self-review of my code - [x] I have added relevant comments to complex code sections - [x] I have updated documentation where needed - [x] I have considered the security impact of these changes - [x] I have considered performance implications - [x] I have thought about error handling and edge cases - [x] I have tested the changes in my local environment ## Testing Instructions   ### Prerequisites  ### Steps to Test 1. Deploy this PR in aap-dev, validate all functionality works as expected 2. This change just removes unnecessary code, so no functionality should be impacted. 3. ### Expected Results  ## Additional Context ### Required Actions After this PR merges, we can merge in the following PR in quick succession - 1. [EDA-Server](ansible/eda-server#1371) ### Screenshots/Logs
diff --git a/ansible_base/resource_registry/rest_client.py b/ansible_base/resource_registry/rest_client.py
@@ -133,9 +133,6 @@ def _get_request_dict(self, data: ResourceRequestBody):
                     req_dict[k] = raw_dict[k]
         return req_dict
 
-    def validate_local_user(self, username: str, password: str):
-        return self._make_request("post", "validate-local-account/", {"username": username, "password": password})
-
     def get_service_metadata(self):
         return self._make_request("get", "metadata/")
 
diff --git a/ansible_base/resource_registry/urls.py b/ansible_base/resource_registry/urls.py
@@ -14,7 +14,6 @@
 
 service = [
     path('metadata/', views.ServiceMetadataView.as_view(), name="service-metadata"),
-    path('validate-local-account/', views.ValidateLocalUserView.as_view(), name="validate-local-account"),
     path('', include(service_router.urls)),
     path('', views.ServiceIndexRootView.as_view(), name='service-index-root'),
 ]
diff --git a/ansible_base/resource_registry/views.py b/ansible_base/resource_registry/views.py
@@ -2,15 +2,13 @@
 from collections import OrderedDict
 
 from django.conf import settings
-from django.contrib.auth import get_user_model
 from django.db.models import Q
 from django.http import HttpResponseNotFound
 from django.shortcuts import get_object_or_404
 from django.urls.exceptions import NoReverseMatch
 from rest_framework import permissions
 from rest_framework.decorators import action
 from rest_framework.pagination import PageNumberPagination
-from rest_framework.permissions import AllowAny
 from rest_framework.response import Response
 from rest_framework.viewsets import GenericViewSet, mixins
 
@@ -19,8 +17,7 @@
 from ansible_base.lib.utils.views.permissions import try_add_oauth2_scope_permission
 from ansible_base.resource_registry.models import Resource, ResourceType, service_id
 from ansible_base.resource_registry.registry import get_registry
-from ansible_base.resource_registry.serializers import ResourceListSerializer, ResourceSerializer, ResourceTypeSerializer, UserAuthenticationSerializer
-from ansible_base.resource_registry.utils.auth_code import get_user_auth_code
+from ansible_base.resource_registry.serializers import ResourceListSerializer, ResourceSerializer, ResourceTypeSerializer
 from ansible_base.rest_filters.rest_framework.field_lookup_backend import FieldLookupBackend
 from ansible_base.rest_filters.rest_framework.order_backend import OrderByBackend
 from ansible_base.rest_filters.rest_framework.type_filter_backend import TypeFilterBackend
@@ -193,43 +190,3 @@ def get(self, request, format=None):
             except NoReverseMatch:
                 logger.info('DAB RBAC service-index views were not included, so not linked')
         return Response(data)
-
-
-class ValidateLocalUserView(AnsibleBaseDjangoAppApiView):
-    """
-    Validate a user's username and password.
-    """
-
-    custom_action_label = "validate-local-user"
-
-    permission_classes = [AllowAny]
-
-    def post(self, request, **kwargs):
-        serializer = UserAuthenticationSerializer(data=request.data)
-        serializer.is_valid(raise_exception=True)
-
-        # Ensure the users exists before authenticating
-        PREFIX = getattr(settings, "RENAMED_USERNAME_PREFIX", "")
-        viable_usernames = [serializer.validated_data["username"], PREFIX + serializer.validated_data["username"]]
-        if not get_user_model().objects.filter(username__in=viable_usernames).exists():
-            logger.debug(f"User {serializer.validated_data['username']} does not exist, not validating authentication")
-            return Response(status=401)
-
-        api_config = get_registry().api_config
-        user = api_config.authenticate_local_user(serializer.validated_data["username"], serializer.validated_data["password"])
-
-        if not user:
-            return Response(status=401)
-
-        try:
-            auth_code = get_user_auth_code(user)
-        except AttributeError:
-            logger.exception(f"Cannot generate auth code for user {user}")
-            auth_code = None
-
-        response = {
-            "ansible_id": Resource.get_resource_for_object(user).ansible_id,
-            "auth_code": auth_code,
-        }
-
-        return Response(data=response)
diff --git a/docs/apps/oauth2_provider.md b/docs/apps/oauth2_provider.md
@@ -171,7 +171,6 @@ settings logic:
 
 ```python
 ANSIBLE_BASE_OAUTH2_PROVIDER_PERMISSIONS_CHECK_IGNORED_VIEWS = [
-    'ansible_base.resource_registry.views.ValidateLocalUserView',
     'test_app.views.SomeOtherViewSet',
 ]
 ```
diff --git a/test_app/tests/oauth2_provider/checks/test_permissions_check.py b/test_app/tests/oauth2_provider/checks/test_permissions_check.py
@@ -16,7 +16,6 @@
 from ansible_base.authentication.views.ui_auth import UIAuth
 from ansible_base.lib.utils.views.urls import get_api_view_functions
 from ansible_base.oauth2_provider.checks.permisssions_check import oauth2_permission_scope_check, view_in_app_configs
-from ansible_base.resource_registry.views import ValidateLocalUserView
 from test_app import views
 
 urlpatterns = [
@@ -32,8 +31,6 @@
     path('/docs/', SpectacularSwaggerView.as_view()),
     # Fully permissive APIView (via empty permission classes)
     path('/ui-auth/', UIAuth.as_view()),
-    # Fully permissive APIView (via AllowAny)
-    path('/validate-users-view/', ValidateLocalUserView.as_view()),
     # Non-ApiView view
     path('/non-api-view/', SAMLMetadataView.as_view()),
 ]
@@ -109,11 +106,6 @@ def test_check_function(
                 id="ansible_base.oauth2_provider.D03",
                 obj=SpectacularSwaggerView,
             ),
-            Debug(
-                "View object is fully permissive, OAuth2ScopePermission is not required",
-                obj=ValidateLocalUserView,
-                id="ansible_base.oauth2_provider.D04",
-            ),
             Debug(
                 "View object is fully permissive, OAuth2ScopePermission is not required",
                 obj=UIAuth,
diff --git a/test_app/tests/resource_registry/test_resources_api_rest_client.py b/test_app/tests/resource_registry/test_resources_api_rest_client.py
@@ -1,14 +1,12 @@
 import uuid
 
-import jwt
 import pytest
 from requests.exceptions import HTTPError
 
 from ansible_base.authentication.models import AuthenticatorUser
 from ansible_base.rbac import permission_registry
 from ansible_base.rbac.models import RoleDefinition
 from ansible_base.resource_registry.models import Resource, service_id
-from ansible_base.resource_registry.resource_server import get_resource_server_config
 from ansible_base.resource_registry.rest_client import ResourceAPIClient, ResourceRequestBody
 from test_app.models import Inventory
 
@@ -300,22 +298,6 @@ def test_additional_data_write(resource_client, partial):
     assert {perm.api_slug for perm in rd.permissions.all()} == {'aap.view_inventory'}
 
 
-@pytest.mark.django_db
-def test_validate_local_user(resource_client, admin_user, member_rd):
-    resp = resource_client.validate_local_user(username=admin_user.username, password="password")
-
-    assert resp.status_code == 200
-    json = resp.json()
-    json["ansible_id"] == str(admin_user.resource.ansible_id)
-
-    config = get_resource_server_config()
-    jwt_decoded = jwt.decode(json["auth_code"], config["SECRET_KEY"], config["JWT_ALGORITHM"])
-    assert jwt_decoded['username'] == admin_user.username
-
-    resp = resource_client.validate_local_user(username=admin_user.username, password="fake password")
-    assert resp.status_code == 401
-
-
 @pytest.mark.django_db
 def test_list_user_assignments(resource_client, org_admin_rd, user, organization):
     """Test listing user role assignments."""
diff --git a/test_app/tests/resource_registry/test_views.py b/test_app/tests/resource_registry/test_views.py
@@ -3,35 +3,6 @@
 from ansible_base.lib.utils.response import get_relative_url
 
 
-def test_validate_local_user(unauthenticated_api_client, admin_user, local_authenticator, settings_override_mutable, settings):
-    url = get_relative_url('validate-local-account')
-    data = {
-        "username": admin_user.username,
-        "password": "password",
-    }
-    response = unauthenticated_api_client.post(url, data=data)
-    assert response.status_code == 200
-    assert 'ansible_id' in response.data
-    assert response.data['auth_code'] is not None
-
-    # If we're missing RESOURCE_SERVER, we can't generate an auth code, so return null instead.
-    with settings_override_mutable('RESOURCE_SERVER'):
-        delattr(settings, 'RESOURCE_SERVER')
-
-        response = unauthenticated_api_client.post(url, data=data)
-        assert response.status_code == 200
-        assert 'ansible_id' in response.data
-        assert response.data['auth_code'] is None
-
-    # Should return 401 for non-existent user
-    data = {
-        "username": "fakeuser",
-        "password": "doesnotexist",
-    }
-    response = unauthenticated_api_client.post(url, data=data)
-    assert response.status_code == 401
-
-
 def get_users_manifest(client, data=None, expect=200):
     if data is None:
         data = {}

Original file line number	Diff line number	Diff line change
`@@ -14,7 +14,6 @@`
`14`	`14`
`15`	`15`	`service = [`
`16`	`16`	`path('metadata/', views.ServiceMetadataView.as_view(), name="service-metadata"),`
`17`		`- path('validate-local-account/', views.ValidateLocalUserView.as_view(), name="validate-local-account"),`
`18`	`17`	`path('', include(service_router.urls)),`
`19`	`18`	`path('', views.ServiceIndexRootView.as_view(), name='service-index-root'),`
`20`	`19`	`]`
Original file line number	Diff line number	Diff line change
`@@ -171,7 +171,6 @@ settings logic:`
`171`	`171`
`172`	`172`	```python
`173`	`173`	`ANSIBLE_BASE_OAUTH2_PROVIDER_PERMISSIONS_CHECK_IGNORED_VIEWS = [`
`174`		`- 'ansible_base.resource_registry.views.ValidateLocalUserView',`
`175`	`174`	`'test_app.views.SomeOtherViewSet',`
`176`	`175`	`]`
`177`	`176`	```