From b490ef2f204b2bef49cee7d90ee86813cb8e5dd2 Mon Sep 17 00:00:00 2001 From: PabloHiro Date: Mon, 11 Nov 2024 17:55:22 +0100 Subject: [PATCH] feat: remove collection support for oauth --- awx_collection/README.md | 12 +- awx_collection/TESTING.md | 8 +- awx_collection/meta/runtime.yml | 1 - awx_collection/plugins/doc_fragments/auth.py | 10 - .../plugins/doc_fragments/auth_plugin.py | 11 - .../plugins/lookup/controller_api.py | 2 +- awx_collection/plugins/module_utils/awxkit.py | 8 +- .../plugins/module_utils/controller_api.py | 138 +----------- awx_collection/plugins/modules/token.py | 208 ------------------ awx_collection/test/awx/test_completeness.py | 3 +- awx_collection/test/awx/test_organization.py | 3 - .../integration/targets/token/tasks/main.yml | 115 ---------- .../integration/targets/user/tasks/main.yml | 1 - .../tools/roles/generate/templates/module.j2 | 5 - .../template_galaxy/templates/README.md.j2 | 21 +- 15 files changed, 43 insertions(+), 503 deletions(-) delete mode 100644 awx_collection/plugins/modules/token.py delete mode 100644 awx_collection/tests/integration/targets/token/tasks/main.yml diff --git a/awx_collection/README.md b/awx_collection/README.md index b6dd3f3a8dc7..65b5a6fd52fb 100644 --- a/awx_collection/README.md +++ b/awx_collection/README.md @@ -35,13 +35,7 @@ Non-deprecated modules in this collection have no Python requirements, but may require the official [AWX CLI](https://pypi.org/project/awxkit/) in the future. The `DOCUMENTATION` for each module will report this. -You can specify authentication by a combination of either: - - - host, username, password - - host, OAuth2 token - -The OAuth2 token is the preferred method. You can obtain a token via the -``login`` command with the AWX CLI. +You can specify authentication by host, username, and password. These can be specified via (from highest to lowest precedence): @@ -57,7 +51,8 @@ Config file syntax looks like this: [general] host = https://localhost:8043 verify_ssl = true -oauth_token = LEdCpKVKc4znzffcpQL5vLG8oyeku6 +username = foo +password = bar ``` ## Release and Upgrade Notes @@ -68,6 +63,7 @@ Notable releases of the `awx.awx` collection: - 11.0.0 has no non-deprecated modules that depend on the deprecated `tower-cli` [PyPI](https://pypi.org/project/ansible-tower-cli/). - 19.2.1 large renaming purged "tower" names (like options and module names), adding redirects for old names - 21.11.0 "tower" modules deprecated and symlinks removed. + - 24.6.X "token" module has been removed as oauth is no longer supported, use basic auth instead - X.X.X added support of named URLs to all modules. Anywhere that previously accepted name or id can also support named URLs - 0.0.1-devel is the version you should see if installing from source, which is intended for development and expected to be unstable. diff --git a/awx_collection/TESTING.md b/awx_collection/TESTING.md index 71748769c38b..c89895f58bec 100644 --- a/awx_collection/TESTING.md +++ b/awx_collection/TESTING.md @@ -124,18 +124,18 @@ FAILED awx_collection/test/awx/test_module_utils.py::test_type_warning - SystemE make: *** [Makefile:382: test_collection] Error 1 ``` -In addition to running all of the tests, you can also specify specific tests to run. This is useful when developing a single module. In this example, we will run the tests for the `token` module: +In addition to running all of the tests, you can also specify specific tests to run. This is useful when developing a single module. In this example, we will run the tests for the `project` module: ``` -$ pytest awx_collection/test/awx/test_token.py +$ pytest awx_collection/test/awx/test_project.py ============================ test session starts ============================ platform darwin -- Python 3.7.0, pytest-3.6.0, py-1.8.1, pluggy-0.6.0 django: settings: awx.settings.development (from ini) rootdir: /Users/jowestco/junk/awx, inifile: pytest.ini plugins: xdist-1.27.0, timeout-1.3.4, pythonpath-0.7.3, mock-1.11.1, forked-1.1.3, django-3.9.0, cov-2.8.1 -collected 1 item +collected 1 item -awx_collection/test/awx/test_token.py . [100%] +awx_collection/test/awx/test_project.py . [100%] ========================= 1 passed in 1.72 seconds ========================= ``` diff --git a/awx_collection/meta/runtime.yml b/awx_collection/meta/runtime.yml index 7ffdbce161b8..912fa4dccb53 100644 --- a/awx_collection/meta/runtime.yml +++ b/awx_collection/meta/runtime.yml @@ -42,7 +42,6 @@ action_groups: - settings - subscriptions - team - - token - user - workflow_approval - workflow_job_template_node diff --git a/awx_collection/plugins/doc_fragments/auth.py b/awx_collection/plugins/doc_fragments/auth.py index 763fe94dcddf..f8241e1c7841 100644 --- a/awx_collection/plugins/doc_fragments/auth.py +++ b/awx_collection/plugins/doc_fragments/auth.py @@ -32,16 +32,6 @@ class ModuleDocFragment(object): - If value not set, will try environment variable C(CONTROLLER_PASSWORD) and then config files type: str aliases: [ tower_password ] - controller_oauthtoken: - description: - - The OAuth token to use. - - This value can be in one of two formats. - - A string which is the token itself. (i.e. bqV5txm97wqJqtkxlMkhQz0pKhRMMX) - - A dictionary structure as returned by the token module. - - If value not set, will try environment variable C(CONTROLLER_OAUTH_TOKEN) and then config files - type: raw - version_added: "3.7.0" - aliases: [ tower_oauthtoken ] validate_certs: description: - Whether to allow insecure connections to AWX. diff --git a/awx_collection/plugins/doc_fragments/auth_plugin.py b/awx_collection/plugins/doc_fragments/auth_plugin.py index b46eaf6bbf03..49118baf714f 100644 --- a/awx_collection/plugins/doc_fragments/auth_plugin.py +++ b/awx_collection/plugins/doc_fragments/auth_plugin.py @@ -43,17 +43,6 @@ class ModuleDocFragment(object): version: '4.0.0' why: Collection name change alternatives: 'CONTROLLER_PASSWORD' - oauth_token: - description: - - The OAuth token to use. - env: - - name: CONTROLLER_OAUTH_TOKEN - - name: TOWER_OAUTH_TOKEN - deprecated: - collection_name: 'awx.awx' - version: '4.0.0' - why: Collection name change - alternatives: 'CONTROLLER_OAUTH_TOKEN' verify_ssl: description: - Specify whether Ansible should verify the SSL certificate of the controller host. diff --git a/awx_collection/plugins/lookup/controller_api.py b/awx_collection/plugins/lookup/controller_api.py index 4d5d79cf9181..d1b213f12bfe 100644 --- a/awx_collection/plugins/lookup/controller_api.py +++ b/awx_collection/plugins/lookup/controller_api.py @@ -18,7 +18,7 @@ options: _terms: description: - - The endpoint to query, i.e. teams, users, tokens, job_templates, etc. + - The endpoint to query, i.e. teams, users, job_templates, etc. required: True query_params: description: diff --git a/awx_collection/plugins/module_utils/awxkit.py b/awx_collection/plugins/module_utils/awxkit.py index 770b0c7aee31..ad9c3a9cc48d 100644 --- a/awx_collection/plugins/module_utils/awxkit.py +++ b/awx_collection/plugins/module_utils/awxkit.py @@ -33,12 +33,8 @@ def __init__(self, argument_spec, **kwargs): def authenticate(self): try: - if self.oauth_token: - self.connection.login(None, None, token=self.oauth_token) - self.authenticated = True - elif self.username: - self.connection.login(username=self.username, password=self.password) - self.authenticated = True + self.connection.login(username=self.username, password=self.password) + self.authenticated = True except Exception: self.fail_json("Failed to authenticate") diff --git a/awx_collection/plugins/module_utils/controller_api.py b/awx_collection/plugins/module_utils/controller_api.py index c2681a49afe9..dfcc06a9e4be 100644 --- a/awx_collection/plugins/module_utils/controller_api.py +++ b/awx_collection/plugins/module_utils/controller_api.py @@ -6,7 +6,7 @@ from ansible.module_utils.urls import Request, SSLValidationError, ConnectionError from ansible.module_utils.parsing.convert_bool import boolean as strtobool from ansible.module_utils.six import PY2 -from ansible.module_utils.six import raise_from, string_types +from ansible.module_utils.six import raise_from from ansible.module_utils.six.moves import StringIO from ansible.module_utils.six.moves.urllib.error import HTTPError from ansible.module_utils.six.moves.http_cookiejar import CookieJar @@ -55,9 +55,6 @@ class ControllerModule(AnsibleModule): controller_password=dict(no_log=True, aliases=['tower_password'], required=False, fallback=(env_fallback, ['CONTROLLER_PASSWORD', 'TOWER_PASSWORD'])), validate_certs=dict(type='bool', aliases=['tower_verify_ssl'], required=False, fallback=(env_fallback, ['CONTROLLER_VERIFY_SSL', 'TOWER_VERIFY_SSL'])), request_timeout=dict(type='float', required=False, fallback=(env_fallback, ['CONTROLLER_REQUEST_TIMEOUT'])), - controller_oauthtoken=dict( - type='raw', no_log=True, aliases=['tower_oauthtoken'], required=False, fallback=(env_fallback, ['CONTROLLER_OAUTH_TOKEN', 'TOWER_OAUTH_TOKEN']) - ), controller_config_file=dict(type='path', aliases=['tower_config_file'], required=False, default=None), ) # Associations of these types are ordered and have special consideration in the modified associations function @@ -68,15 +65,12 @@ class ControllerModule(AnsibleModule): 'password': 'controller_password', 'verify_ssl': 'validate_certs', 'request_timeout': 'request_timeout', - 'oauth_token': 'controller_oauthtoken', } host = '127.0.0.1' username = None password = None verify_ssl = True request_timeout = 10 - oauth_token = None - oauth_token_id = None authenticated = False config_name = 'tower_cli.cfg' version_checked = False @@ -111,20 +105,6 @@ def __init__(self, argument_spec=None, direct_params=None, error_callback=None, if direct_value is not None: setattr(self, short_param, direct_value) - # Perform magic depending on whether controller_oauthtoken is a string or a dict - if self.params.get('controller_oauthtoken'): - token_param = self.params.get('controller_oauthtoken') - if isinstance(token_param, dict): - if 'token' in token_param: - self.oauth_token = self.params.get('controller_oauthtoken')['token'] - else: - self.fail_json(msg="The provided dict in controller_oauthtoken did not properly contain the token entry") - elif isinstance(token_param, string_types): - self.oauth_token = self.params.get('controller_oauthtoken') - else: - error_msg = "The provided controller_oauthtoken type was not valid ({0}). Valid options are str or dict.".format(type(token_param).__name__) - self.fail_json(msg=error_msg) - # Perform some basic validation if not re.match('^https{0,1}://', self.host): self.host = "https://{0}".format(self.host) @@ -312,9 +292,6 @@ class ControllerAPIModule(ControllerModule): IDENTITY_FIELDS = {'users': 'username', 'workflow_job_template_nodes': 'identifier', 'instances': 'hostname'} ENCRYPTED_STRING = "$encrypted$" - # which app was used to create the oauth_token - oauth_token_app_key = None - def __init__(self, argument_spec, direct_params=None, error_callback=None, warn_callback=None, **kwargs): kwargs['supports_check_mode'] = True @@ -498,15 +475,12 @@ def make_request(self, method, endpoint, *args, **kwargs): # Extract the headers, this will be used in a couple of places headers = kwargs.get('headers', {}) - # Authenticate to AWX (if we don't have a token and if not already done so) - if not self.oauth_token and not self.authenticated: - # This method will set a cookie in the cookie jar for us and also an oauth_token when possible + # Authenticate to AWX (if not already done so) + if not self.authenticated: + # This method will set a cookie in the cookie jar for us self.authenticate(**kwargs) - if self.oauth_token: - # If we have a oauth token, we just use a bearer header - headers['Authorization'] = 'Bearer {0}'.format(self.oauth_token) - elif self.username and self.password: - headers['Authorization'] = self._get_basic_authorization_header() + + headers['Authorization'] = self._get_basic_authorization_header() if method in ['POST', 'PUT', 'PATCH']: headers.setdefault('Content-Type', 'application/json') @@ -665,71 +639,11 @@ def _authenticate_with_basic_auth(self): }, ) - def _authenticate_create_token(self, app_key=None): - # in case of failure and to give a chance to authenticate via other means, should not raise exceptions - # but only warnings - if self.username and self.password: - login_data = { - "description": "Automation Platform Controller Module Token", - "application": None, - "scope": "write", - } - - api_token_url = self.build_url("tokens", app_key=app_key).geturl() - try: - response = self.session.open( - 'POST', - api_token_url, - validate_certs=self.verify_ssl, - timeout=self.request_timeout, - follow_redirects=True, - data=dumps(login_data), - headers={ - "Content-Type": "application/json", - "Authorization": self._get_basic_authorization_header(), - }, - ) - - except Exception as exp: - self.warn("url: {0} - Failed to get token: {1}".format(api_token_url, exp)) - return - - token_response = None - try: - token_response = response.read() - response_json = loads(token_response) - self.oauth_token_id = response_json['id'] - self.oauth_token = response_json['token'] - # set the app that received the token create request, this is needed when removing the token at logout - self.oauth_token_app_key = app_key - except Exception as exp: - self.warn( - "url: {0} - Failed to extract token information from login response: {1}, response: {2}".format( - api_token_url, exp, token_response, - ) - ) - return - - return None - def authenticate(self, **kwargs): - # As a temporary solution for version 4.6 try to get a token by using basic authentication from: - # /api/gateway/v1/tokens/ when app_key is gateway - # /api/v2/tokens/ when app_key is None and _COLLECTION_TYPE = "awx" - # /api/controller/v2/tokens/ when app_key is None and _COLLECTION_TYPE != "awx" - for app_key in ["gateway", None]: - # to give a chance to authenticate via basic authentication in case of failure, - # _authenticate_create_token, should not raise exception but only warnings, - self._authenticate_create_token(app_key=app_key) - if self.oauth_token: - break - - if not self.oauth_token: - # if not having an oauth_token and when collection_type is awx try to login with basic authentication - try: - self._authenticate_with_basic_auth() - except Exception as exp: - self.fail_json(msg='Failed to get user info: {0}'.format(exp)) + try: + self._authenticate_with_basic_auth() + except Exception as exp: + self.fail_json(msg='Failed to get user info: {0}'.format(exp)) self.authenticated = True @@ -1080,37 +994,7 @@ def create_or_update_if_needed( ) def logout(self): - if self.authenticated and self.oauth_token_id: - # Attempt to delete our current token from /api/v2/tokens/ - # Post to the tokens endpoint with baisc auth to try and get a token - api_token_url = self.build_url( - "tokens/{0}/".format(self.oauth_token_id), - app_key=self.oauth_token_app_key, - ).geturl() - - try: - self.session.open( - 'DELETE', - api_token_url, - validate_certs=self.verify_ssl, - timeout=self.request_timeout, - follow_redirects=True, - headers={ - "Authorization": self._get_basic_authorization_header(), - } - ) - self.oauth_token_id = None - self.oauth_token = None - self.authenticated = False - except HTTPError as he: - try: - resp = he.read() - except Exception as e: - resp = 'unknown {0}'.format(e) - self.warn('Failed to release token: {0}, response: {1}'.format(he, resp)) - except (Exception) as e: - # Sanity check: Did the server send back some kind of internal error? - self.warn('Failed to release token {0}: {1}'.format(self.oauth_token_id, e)) + self.authenticated = False def is_job_done(self, job_status): if job_status in ['new', 'pending', 'waiting', 'running']: diff --git a/awx_collection/plugins/modules/token.py b/awx_collection/plugins/modules/token.py deleted file mode 100644 index b6e13cd02c39..000000000000 --- a/awx_collection/plugins/modules/token.py +++ /dev/null @@ -1,208 +0,0 @@ -#!/usr/bin/python -# coding: utf-8 -*- - - -# (c) 2020, John Westcott IV -# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) - -from __future__ import absolute_import, division, print_function - -__metaclass__ = type - - -ANSIBLE_METADATA = {'metadata_version': '1.1', 'status': ['preview'], 'supported_by': 'community'} - -DOCUMENTATION = ''' ---- -module: token -author: "John Westcott IV (@john-westcott-iv)" -version_added: "2.3.0" -short_description: create, update, or destroy Automation Platform Controller tokens. -description: - - Create or destroy Automation Platform Controller tokens. See - U(https://www.ansible.com/tower) for an overview. - - In addition, the module sets an Ansible fact which can be passed into other - controller modules as the parameter controller_oauthtoken. See examples for usage. - - Because of the sensitive nature of tokens, the created token value is only available once - through the Ansible fact. (See RETURN for details) - - Due to the nature of tokens this module is not idempotent. A second will - with the same parameters will create a new token. - - If you are creating a temporary token for use with modules you should delete the token - when you are done with it. See the example for how to do it. -options: - description: - description: - - Optional description of this access token. - required: False - type: str - application: - description: - - The application name, ID, or named URL tied to this token. - required: False - type: str - scope: - description: - - Allowed scopes, further restricts user's permissions. Must be a simple space-separated string with allowed scopes ['read', 'write']. - required: False - type: str - choices: ["read", "write"] - existing_token: - description: The data structure produced from token in create mode to be used with state absent. - type: dict - existing_token_id: - description: A token ID (number) which can be used to delete an arbitrary token with state absent. - type: str - state: - description: - - Desired state of the resource. - choices: ["present", "absent"] - default: "present" - type: str -extends_documentation_fragment: awx.awx.auth -''' - -EXAMPLES = ''' -- block: - - name: Create a new token using an existing token - token: - description: '{{ token_description }}' - scope: "write" - state: present - controller_oauthtoken: "{{ my_existing_token }}" - - - name: Delete this token - token: - existing_token: "{{ controller_token }}" - state: absent - - - name: Create a new token using username/password - token: - description: '{{ token_description }}' - scope: "write" - state: present - controller_username: "{{ my_username }}" - controller_password: "{{ my_password }}" - - - name: Use our new token to make another call - job_list: - controller_oauthtoken: "{{ controller_token }}" - - always: - - name: Delete our Token with the token we created - token: - existing_token: "{{ controller_token }}" - state: absent - when: token is defined - -- name: Delete a token by its id - token: - existing_token_id: 4 - state: absent -''' - -RETURN = ''' -controller_token: - type: dict - description: An Ansible Fact variable representing a token object which can be used for auth in subsequent modules. See examples for usage. - contains: - token: - description: The token that was generated. This token can never be accessed again, make sure this value is noted before it is lost. - type: str - id: - description: The numeric ID of the token created - type: str - returned: on successful create -''' - -from ..module_utils.controller_api import ControllerAPIModule - - -def return_token(module, last_response): - # A token is special because you can never get the actual token ID back from the API. - # So the default module return would give you an ID but then the token would forever be masked on you. - # This method will return the entire token object we got back so that a user has access to the token - - module.json_output['ansible_facts'] = { - 'controller_token': last_response, - 'tower_token': last_response, - } - module.exit_json(**module.json_output) - - -def main(): - # Any additional arguments that are not fields of the item can be added here - argument_spec = dict( - description=dict(), - application=dict(), - scope=dict(choices=['read', 'write']), - existing_token=dict(type='dict', no_log=False), - existing_token_id=dict(), - state=dict(choices=['present', 'absent'], default='present'), - ) - - # Create a module for ourselves - module = ControllerAPIModule( - argument_spec=argument_spec, - mutually_exclusive=[ - ('existing_token', 'existing_token_id'), - ], - # If we are state absent make sure one of existing_token or existing_token_id are present - required_if=[ - [ - 'state', - 'absent', - ('existing_token', 'existing_token_id'), - True, - ], - ], - ) - - # Extract our parameters - description = module.params.get('description') - application = module.params.get('application') - scope = module.params.get('scope') - existing_token = module.params.get('existing_token') - existing_token_id = module.params.get('existing_token_id') - state = module.params.get('state') - - if state == 'absent': - if not existing_token: - existing_token = module.get_one( - 'tokens', - **{ - 'data': { - 'id': existing_token_id, - } - } - ) - - # If the state was absent we can let the module delete it if needed, the module will handle exiting from this - module.delete_if_needed(existing_token) - - # Attempt to look up the related items the user specified (these will fail the module if not found) - application_id = None - if application: - application_id = module.resolve_name_to_id('applications', application) - - # Create the data that gets sent for create and update - new_fields = {} - if description is not None: - new_fields['description'] = description - if application is not None: - new_fields['application'] = application_id - if scope is not None: - new_fields['scope'] = scope - - # If the state was present and we can let the module build or update the existing item, this will return on its own - module.create_or_update_if_needed( - None, - new_fields, - endpoint='tokens', - item_type='token', - associations={}, - on_create=return_token, - ) - - -if __name__ == '__main__': - main() diff --git a/awx_collection/test/awx/test_completeness.py b/awx_collection/test/awx/test_completeness.py index 42d013df6cbb..e4d804afdba2 100644 --- a/awx_collection/test/awx/test_completeness.py +++ b/awx_collection/test/awx/test_completeness.py @@ -22,6 +22,7 @@ # THINK HARD ABOUT DOING THIS no_module_for_endpoint = [ 'constructed_inventory', # This is a view for inventory with kind=constructed + 'token', # Usage of OAuth tokens is deprecated ] # Some modules work on the related fields of an endpoint. These modules will not have an auto-associated endpoint @@ -61,8 +62,6 @@ no_api_parameter_ok = { # The wait is for whether or not to wait for a project update on change 'project': ['wait', 'interval', 'update_project'], - # Existing_token and id are for working with an existing tokens - 'token': ['existing_token', 'existing_token_id'], # /survey spec is now how we handle associations # We take an organization here to help with the lookups only 'job_template': ['survey_spec', 'organization'], diff --git a/awx_collection/test/awx/test_organization.py b/awx_collection/test/awx/test_organization.py index e6b3cc5e2dac..a38ca3dbe108 100644 --- a/awx_collection/test/awx/test_organization.py +++ b/awx_collection/test/awx/test_organization.py @@ -20,7 +20,6 @@ def test_create_organization(run_module, admin_user): 'controller_username': None, 'controller_password': None, 'validate_certs': None, - 'controller_oauthtoken': None, 'controller_config_file': None, } @@ -53,7 +52,6 @@ def test_galaxy_credential_order(run_module, admin_user): 'controller_username': None, 'controller_password': None, 'validate_certs': None, - 'controller_oauthtoken': None, 'controller_config_file': None, 'galaxy_credentials': cred_ids, } @@ -78,7 +76,6 @@ def test_galaxy_credential_order(run_module, admin_user): 'controller_username': None, 'controller_password': None, 'validate_certs': None, - 'controller_oauthtoken': None, 'controller_config_file': None, 'galaxy_credentials': cred_ids, } diff --git a/awx_collection/tests/integration/targets/token/tasks/main.yml b/awx_collection/tests/integration/targets/token/tasks/main.yml deleted file mode 100644 index 9cd4972a931c..000000000000 --- a/awx_collection/tests/integration/targets/token/tasks/main.yml +++ /dev/null @@ -1,115 +0,0 @@ ---- -- name: Generate a test ID - set_fact: - test_id: "{{ lookup('password', '/dev/null chars=ascii_letters length=16') }}" - when: test_id is not defined - -- name: Generate names - set_fact: - token_description: "AWX-Collection-tests-token-description-{{ test_id }}" - -- name: Try to use a token as a dict which is missing the token parameter - job_list: - controller_oauthtoken: - not_token: "This has no token entry" - register: results - ignore_errors: true - -- assert: - that: - - results is failed - - '"The provided dict in controller_oauthtoken did not properly contain the token entry" == results.msg' - -- name: Try to use a token as a list - job_list: - controller_oauthtoken: - - dummy_token - register: results - ignore_errors: true - -- assert: - that: - - results is failed - - '"The provided controller_oauthtoken type was not valid (list). Valid options are str or dict." == results.msg' - -- name: Try to delete a token with no existing_token or existing_token_id - token: - state: absent - register: results - ignore_errors: true - -- assert: - that: - - results is failed - # We don't assert a message here because it's handled by ansible - -- name: Try to delete a token with both existing_token or existing_token_id - token: - existing_token: - id: 1234 - existing_token_id: 1234 - state: absent - register: results - ignore_errors: true - -- assert: - that: - - results is failed - # We don't assert a message here because it's handled by ansible - - -- block: - - name: Create a Token - token: - description: '{{ token_description }}' - scope: "write" - state: present - register: new_token - - - name: Validate our token works by token - job_list: - controller_oauthtoken: "{{ controller_token.token }}" - register: job_list - - - name: Validate our token works by object - job_list: - controller_oauthtoken: "{{ controller_token }}" - register: job_list - - always: - - name: Delete our Token with our own token - token: - existing_token: "{{ controller_token }}" - controller_oauthtoken: "{{ controller_token }}" - state: absent - when: controller_token is defined - register: results - - - assert: - that: - - results is changed or results is skipped - -- block: - - name: Create a second token - token: - description: '{{ token_description }}' - scope: "write" - state: present - register: results - - - assert: - that: - - results is changed - - always: - - name: Delete the second Token with our own token - token: - existing_token_id: "{{ controller_token['id'] }}" - controller_oauthtoken: "{{ controller_token }}" - state: absent - when: controller_token is defined - register: results - - - assert: - that: - - results is changed or resuslts is skipped diff --git a/awx_collection/tests/integration/targets/user/tasks/main.yml b/awx_collection/tests/integration/targets/user/tasks/main.yml index a3fae666b0e9..2d88bb199ab5 100644 --- a/awx_collection/tests/integration/targets/user/tasks/main.yml +++ b/awx_collection/tests/integration/targets/user/tasks/main.yml @@ -220,7 +220,6 @@ user: controller_username: "{{ username }}-orgadmin" controller_password: "{{ username }}-orgadmin" - controller_oauthtoken: false # Hack for CI where we use oauth in config file username: "{{ username }}" first_name: Joe password: "{{ 65535 | random | to_uuid }}" diff --git a/awx_collection/tools/roles/generate/templates/module.j2 b/awx_collection/tools/roles/generate/templates/module.j2 index 57e6bc4c7799..6efe6340e952 100644 --- a/awx_collection/tools/roles/generate/templates/module.j2 +++ b/awx_collection/tools/roles/generate/templates/module.j2 @@ -82,11 +82,6 @@ options: choices: ["present", "absent"] default: "present" type: str - controller_oauthtoken: - description: - - The OAuth token to use. - required: False - type: str extends_documentation_fragment: awx.awx.auth ''' diff --git a/awx_collection/tools/roles/template_galaxy/templates/README.md.j2 b/awx_collection/tools/roles/template_galaxy/templates/README.md.j2 index 8ffe9d33dffb..3674038ec9cd 100644 --- a/awx_collection/tools/roles/template_galaxy/templates/README.md.j2 +++ b/awx_collection/tools/roles/template_galaxy/templates/README.md.j2 @@ -37,11 +37,28 @@ This collection should be installed from [Content Hub](https://cloud.redhat.com/ ## Running Non-deprecated modules in this collection have no Python requirements, but -may require the AWX CLI +may require the official [AWX CLI](https://pypi.org/project/awxkit/) in the future. The `DOCUMENTATION` for each module will report this. You can specify authentication by host, username, and password. +These can be specified via (from highest to lowest precedence): + + - direct module parameters + - environment variables (most useful when running against localhost) + - a config file path specified by the `tower_config_file` parameter + - a config file at `~/.tower_cli.cfg` + - a config file at `/etc/tower/tower_cli.cfg` + +Config file syntax looks like this: + +``` +[general] +host = https://localhost:8043 +verify_ssl = true +username = foo +password = bar +``` ## Release and Upgrade Notes @@ -52,12 +69,14 @@ Notable releases of the `{{ collection_namespace }}.{{ collection_package }}` co - 11.0.0 has no non-deprecated modules that depend on the deprecated `tower-cli` [PyPI](https://pypi.org/project/ansible-tower-cli/). - 19.2.1 large renaming purged "tower" names (like options and module names), adding redirects for old names - 21.11.0 "tower" modules deprecated and symlinks removed. + - 25.0.0 "token" module has been removed as oauth is no longer supported, use basic auth instead - X.X.X added support of named URLs to all modules. Anywhere that previously accepted name or id can also support named URLs - 0.0.1-devel is the version you should see if installing from source, which is intended for development and expected to be unstable. {% else %} - 3.7.0 initial release - 4.0.0 ansible.tower renamed to ansible.controller - tower_ prefix is dropped from the module names, e.g. tower_inventory becomes inventory + - 4.7.0 "token" module has been removed as oauth is no longer supported, use basic auth instead {% endif %} The following notes are changes that may require changes to playbooks: