Tags: ansible/django-ansible-base
AAP-67028 Move scope_registry to DAB (#964)

[AAP-67028](https://issues.redhat.com/browse/AAP-67028)

## Description

- What is being changed? Moved `SCOPE_REGISTRY` to `ansible_base/lib/workload_identity/__init__.py`
- Why is this change needed? Consolidates OAuth2/OIDC infrastructure in DAB following consistent architectural patterns. Keeps all workload identity infrastructure (base classes, scope definitions, scope registry) in one module

## Type of Change

- [x] Refactoring (no functional changes)

## Self-Review Checklist

- [x] I have performed a self-review of my code
- [x] I have added relevant comments to complex code sections
- [x] I have updated documentation where needed
- [x] I have considered the security impact of these changes
- [x] I have considered performance implications
- [x] I have thought about error handling and edge cases
- [x] I have tested the changes in my local environment

## Testing Instructions

Run unit tests in workload identity E2E testing see [AAP-67028](https://issues.redhat.com/browse/AAP-67028) description

## Summary by CodeRabbit

* **New Features**
  * Workload identity scope registry is now publicly available for integrations and external use.
* **Tests**
  * Added validation tests for scope registry functionality.

[AAP-43413] FEATURE_OIDC_WORKLOAD_IDENTITY_ENABLED feature flag and OIDC endpoints (#915)

Support in DAB for a new feature flag `FEATURE_OIDC_WORKLOAD_IDENTITY_ENABLED` disabled by default. View under `/o/` updated to display `/o/.well-known/jwks.json` and `/o/.well-known/openid-configuration` when the feature flag is enabled.

Make python 3.12 default (#892)

## Description

- Based on https://github.com/ansible/django-ansible-base/tree/python-3.12-devel
- Make Python 3.12 default
- Keep only python 3.11 and 3.12

## Type of Change

- [ ] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [x] Breaking change (fix or feature that would cause existing functionality to not work as expected)
- [ ] Documentation update
- [x] Test update
- [ ] Refactoring (no functional changes)
- [x] Development environment change
- [x] Configuration change

### Required Actions

- [ ] Requires documentation updates
- [ ] Requires downstream repository changes
- [ ] Requires infrastructure/deployment changes
- [ ] Requires coordination with other teams
- [ ] Blocked by PR/MR: #XXX

---------

Co-authored-by: Tomas Z <[email protected]>

AAP-45875 Include feature flags definitions in package manifest

Adds recursive-include directive for `ansible_base/feature_flags/definitions` to ensure feature flag definition files are included when the package is built and distributed.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>
Signed-off-by: Fabricio Aguiar <[email protected]>
rh-pre-commit.version: 2.3.2
rh-pre-commit.check-secrets: ENABLED

AAP-58110 Update django version for CVE (#881) CVE-2025-64459 requires update of django to 4.2.26+ (or 5.2.8+ or 5.1.14+) due to an SQL injection vulnerability

[AAP-53405] Expand how AzureAd searches for the USERNAME_FIELD (#838)

- Enhanced get_user_details method to search for USERNAME_FIELD across:
  * Original response data
  * ID token data (via user_data() method)
  * Standard user info from super().get_user_details()
- Added comprehensive error handling with logging when USERNAME_FIELD not found
- Improved data merging logic with proper precedence handling
- Added deepcopy to ensure original response data immutability
- Added comprehensive parameterized unit tests covering:
  * 5 different USERNAME_FIELD configurations
  * 3 error handling scenarios with missing fields
  * 4 token processing combinations (access_token, id_token, both, none)
  * 3 data merging behavior scenarios
  * 3 data immutability test cases
- Total test coverage: 23 parameterized test scenarios

## Description

- What is being changed? The AzureAD will look in more places for the specified field to use for username. Additionally updated some of the help text.
- Why is this change needed? It's a bit confusing for admins.
- How does this change address the issue? It overlays a bunch of possible sources and then checks in the results of all of them.

## Type of Change

- [ ] Bug fix (non-breaking change which fixes an issue)
- [X] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
- [ ] Documentation update
- [ ] Test update
- [ ] Refactoring (no functional changes)
- [ ] Development environment change
- [ ] Configuration change

## Self-Review Checklist

- [X] I have performed a self-review of my code
- [X] I have added relevant comments to complex code sections
- [X] I have updated documentation where needed
- [X] I have considered the security impact of these changes
- [X] I have considered performance implications
- [X] I have thought about error handling and edge cases
- [X] I have tested the changes in my local environment

## Testing Instructions

### Steps to Test

1. Create an Azure AD authenticator leaving the Username field blank.
2. Log in as an AD user, note your username, log out.
3. Log in as admin, delete the user you logged in as in step 2.
4. Alter the Azure AD authenticator to use a different field for the username (like email).
5. Log out as admin.
6. Log in as the AD user; your email should now be your username.

## Additional Context

### Required Actions

- [ ] Requires documentation updates
- [ ] Requires downstream repository changes
- [ ] Requires infrastructure/deployment changes
- [ ] Requires coordination with other teams
- [ ] Blocked by PR/MR: #XXX

Co-authored-by: Claude (Anthropic) <[email protected]>

AAP-49910 - Delete legacy authenticator code (#780)

## Description

- What is being changed? Remove code no longer needed, as the legacy authenticator is now removed.
- Why is this change needed? Since the legacy authenticators have been removed, the related DAB code is no longer needed and can be removed
- How does this change address the issue? This change addresses the issue by removing the now unnecessary code.

[Jira](https://issues.redhat.com/browse/AAP-49910)

## Type of Change

- [ ] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
- [ ] Documentation update
- [ ] Test update
- [x] Refactoring (no functional changes)
- [ ] Development environment change
- [ ] Configuration change

## Self-Review Checklist

- [x] I have performed a self-review of my code
- [x] I have added relevant comments to complex code sections
- [x] I have updated documentation where needed
- [x] I have considered the security impact of these changes
- [x] I have considered performance implications
- [x] I have thought about error handling and edge cases
- [x] I have tested the changes in my local environment

## Testing Instructions

### Steps to Test

1. Deploy this PR in aap-dev, validate all functionality works as expected
2. This change just removes unnecessary code, so no functionality should be impacted.

## Additional Context

### Required Actions

After this PR merges, we can merge in the following PR in quick succession -

1. [EDA-Server](ansible/eda-server#1371)

[AAP-50642] memoize pem private key to avoid openssl slowdown (#791)

For 2.6, we've moved to RHEL9 for the base container, which has OpenSSL 3.2 in it. Apparently, it is a known issue that the RSA key validation is more secure and more slow in this version vs. OpenSSL 1 that RHEL8 uses. We were loading and validating the same JWT private key on every request, at a cost of ~38 ms, vs. previously this took ~3 ms.

We noticed this slowdown in the benchmarks, and after a deep dive/profiling we found this was the difference, and memoizing the validated private key saves us from this broad slowdown.

See https://issues.redhat.com/browse/AAP-50642 for more details

[pyca/cryptography#7236 (comment)](pyca/cryptography#7236 (comment)) <--- report that details OpenSSL 3 slowdown