Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add gateway support to awxkit #15576

Merged
merged 3 commits into from
Oct 16, 2024
Merged

Add gateway support to awxkit #15576

merged 3 commits into from
Oct 16, 2024

Conversation

gravesm
Copy link
Member

@gravesm gravesm commented Oct 7, 2024

SUMMARY

This updates awxkit to add support for gateway when fetching oauth tokens, which is used during the login subcommand. awxkit will first try fetching a token from gateway and if that fails, fallback to existing behavior. This change is backwards compatible.

ISSUE TYPE
  • New or Enhanced Feature
COMPONENT NAME
  • CLI
AWX VERSION
ADDITIONAL INFORMATION

@AlanCoding AlanCoding self-requested a review October 8, 2024 14:48
@webknjaz
Copy link
Member

webknjaz commented Oct 8, 2024

@gravesm Codecov reports only 20.07% of your patched lines being hit: https://app.codecov.io/gh/ansible/awx/pull/15576?flags[0]=pytest. Could you look into increasing the test coverage there?

@AlanCoding
Copy link
Member

I think I've gotten to a code problem now.

export CONTROLLER_HOST=https://localhost/
export AWXKIT_API_BASE_PATH=/api/controller/
export AWXKIT_GATEWAY_BASE_PATH=/api/gateway/
export CONTROLLER_USERNAME=admin
export CONTROLLER_VERIFY_SSL=false

then run

$ CONTROLLER_PASSWORD=admin awx login -v
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): localhost:443
DEBUG:urllib3.connectionpool:https://localhost:443 "GET /api/controller/ HTTP/1.1" 200 256
DEBUG:awxkit.api.client:"GET https://localhost/api/controller/" elapsed: 0:00:00.039733
DEBUG:awxkit.api.registry:Retrieved <class 'awxkit.api.pages.api.ApiV2'> by url: /api/controller/v2/
DEBUG:urllib3.connectionpool:https://localhost:443 "GET /api/controller/v2/ HTTP/1.1" 200 2767
DEBUG:awxkit.api.client:"GET https://localhost/api/controller/v2/" elapsed: 0:00:00.033291
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): localhost:443
DEBUG:urllib3.connectionpool:https://localhost:443 "POST /api/gateway/v1/users/admin/personal_tokens/ HTTP/1.1" 405 41
DEBUG:awxkit.api.client:"POST https://localhost/api/gateway/v1/users/admin/personal_tokens/" elapsed: 0:00:00.132728
usage: awx login [-h] [--description TEXT] [--conf.client_id TEXT] [--conf.client_secret TEXT]
                 [--conf.scope {read,write}] [--conf.host https://example.awx.org] [--conf.token TEXT]
                 [--conf.username TEXT] [--conf.password TEXT] [-k]

options:
  -h, --help            show this help message and exit

OAuth2.0 Options:
  --description TEXT    description of the generated OAuth2.0 token
  --conf.client_id TEXT
  --conf.client_secret TEXT
  --conf.scope {read,write}

authentication:
  --conf.host https://example.awx.org
  --conf.token TEXT     an OAuth2.0 token (get one by using `awx login`)
  --conf.username TEXT
  --conf.password TEXT
  -k, --conf.insecure   Allow insecure server connections when using SSL
Error retrieving an OAuth2.0 token (<class 'awxkit.exceptions.MethodNotAllowed'>).

This tries to do what is intended. But then it hits a server error on:

DEBUG:awxkit.api.client:"POST https://localhost/api/gateway/v1/users/admin/personal_tokens/" elapsed: 0:00:00.132728

The server error is handled badly, both on the Gateway side and on the client side.

But this does seem to get us to a high-level problem with the current approach. You can look up a user by its username or ansible_id, which can be had from the controller server. However, none of this can be done unauthenticated, which is the whole point here.

It doesn't look like there is any support for accessing /v1/users/admin/personal_tokens/, and that will require some novel solution involving API changes.

AlanCoding
AlanCoding requested changes Oct 8, 2024
View reviewed changes
Copy link
Member

@AlanCoding AlanCoding left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Doesn't work because of API incompatibility, information to move forward should be sufficiently established

@AlanCoding
Copy link
Member

https://github.com/ansible/django-ansible-base/blob/b96e64fc293f975f03f411e86ed469c6bd9af509/test_app/tests/oauth2_provider/views/test_token.py#L122-L146

This test seems to give the expected steps for the DAB OAuth2 provider for the "login" flow, where you are unauthenticated, have a username/password, and wish to get a token. ping @relrod @john-westcott-iv

    data = {
        "grant_type": "password",
        "username": "user",
        "password": "password",
        "scope": "read",
    }
    resp = unauthenticated_api_client.post(
        url,
        data=urlencode(data),
        content_type='application/x-www-form-urlencoded',
        headers={'Authorization': 'Basic ' + base64.b64encode(f"{app.client_id}:{secret}".encode()).decode()},
    )

This is done to a url which is /api/v1/tokens/, unlike the AWX case where it used the personal_tokens sublist.

@gravesm gravesm force-pushed the gateway-support-awxkit branch 2 times, most recently from 9783c54 to e33d9ea Compare October 15, 2024 13:30
webknjaz
webknjaz reviewed Oct 15, 2024
View reviewed changes
awxkit/test/api/pages/test_base.py Outdated Show resolved Hide resolved
awxkit/test/api/pages/test_base.py Outdated Show resolved Hide resolved
awxkit/test/api/pages/test_base.py Outdated Show resolved Hide resolved
awxkit/test/api/pages/test_base.py Outdated Show resolved Hide resolved
awxkit/test/api/pages/test_base.py Outdated Show resolved Hide resolved
awxkit/test/api/pages/test_base.py Outdated Show resolved Hide resolved
awxkit/awxkit/api/pages/base.py Outdated Show resolved Hide resolved
AlanCoding
AlanCoding approved these changes Oct 15, 2024
View reviewed changes
Copy link
Member

@AlanCoding AlanCoding left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should still follow up with an issue about that server error

@gravesm
Add gateway support to awxkit
ae02cf7 
This updates awxkit to add support for gateway when fetching oauth
tokens, which is used during the `login` subcommand. awxkit will first
try fetching a token from gateway and if that fails, fallback to
existing behavior. This change is backwards compatible.

Signed-off-by: Mike Graves <mgraves@redhat.com>
@gravesm
Address review feedback
5b10955 
This:
  * adds coverage for the get_oauth2_token() method
  * changes AuthUrls to a TypedDict
  * changes the url used for personal token access in gateway
@gravesm
Address review feedback
c83af85 
This is just minor stylistic changes.
@sonarcloud SonarCloud
Copy link

sonarcloud bot commented Oct 16, 2024

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

@AlanCoding AlanCoding merged commit 764dcbf into ansible:devel Oct 16, 2024
23 of 25 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@webknjaz webknjaz webknjaz approved these changes

@AlanCoding AlanCoding AlanCoding approved these changes

@hakbailey hakbailey hakbailey approved these changes

Assignees
No one assigned
Labels
component:cli
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@gravesm @webknjaz @AlanCoding @hakbailey