Commit Graph

62 Commits

Author SHA1 Message Date
Jake McDermott
63fd546f44 Let cred admins and users test credential plugins 2019-12-03 13:36:18 -05:00
Ryan Petrello
d30d51d72c fix a bug that prevents launch-time passphrases w/ cred plugins
with the advent of credential plugins there's no way for us to *actually
know* the RSA key value at the time the credential is _created_, because
the order of operations is:

1.  Create the credential with a specified passphrase
2.  Associate a new dynamic inventory source pointed at some third party
    provider (hashi, cyberark, etc...)

this commit removes the code that warns you about an extraneous
passphrase (if you don't specify a private key)

additionally, the code for determining whether or not a credential
_requires_ a password/phrase at launch time has been updated to test
private key validity based on the *actual* value from the third party
provider

see: https://github.com/ansible/awx/issues/4791
2019-09-26 17:14:25 -04:00
Ryan Petrello
4e6b0e1580 clean up old v2 versioning in API tests 2019-08-22 15:14:06 -04:00
Rebeccah Hunter
017274e2aa Removed extraneous warning when using garbage credentials for ssh_key_data
added in logic to check if there was an existing error before checking form field entry for ssh_key_unlock, also added a test to ensure that garbage data entered would not trigger the error message for both the incorrect ssh_key_data and the incorrect ssh_key_unlock, rather just the incorrect ssh_key_data
2019-08-21 17:01:51 -04:00
Ryan Petrello
6da445f7c0 remove /api/v1 and deprecated credential fields 2019-06-06 12:23:00 -04:00
Ryan Petrello
e560dccd36 require a valid netloc for Credential Type inputs w/ format=url 2019-05-02 14:49:02 -04:00
Jake McDermott
84b21620b2 raise url string parsing error as validation error 2019-05-01 09:17:52 -04:00
Jake McDermott
9737ab620c require url scheme for credential type url inputs
This adds a url formatting type for credential input string fields
The validator for this formatting type will throw an error if the
provided url string doesn't have a url schema.
2019-04-30 13:41:07 -04:00
Ryan Petrello
42f4956a7f enforce required credential fields at job start time rather than on save
this is necessary for credential plugins support so that you can (in two
requests):

1.  Save a Credential with _no_ input values defined
2.  Create/associate one (or more) CredentialInputSource records to the
    new Credential
2019-04-02 11:21:29 -04:00
Ryan Petrello
b1a33869dc convey OpenStack verify_ssl defaults in the CredentialType schema 2019-02-20 09:02:48 -05:00
Ryan Petrello
f223df303f convert py2 -> py3 2019-01-15 14:09:01 -05:00
AlanCoding
9c4d89f512 use the m2m field for inventory source creds 2018-02-20 12:34:56 -05:00
Matthew Jones
8505783350 Merge remote-tracking branch 'tower/release_3.2.3' into devel
* tower/release_3.2.3:
  fix unicode bugs with log statements
  use --export option for ansible-inventory
  add support for new "BECOME" prompt in Ansible 2.5+ for adhoc commands
  enforce strings for secret password inputs on Credentials
  fix a bug for "users should be able to change type of unused credential"
  fix xss vulnerabilities - on host recent jobs popover - on schedule name tooltip
  fix a bug when testing UDP-based logging configuration
  bump templates form credential_types page limit
  Wait for Slack RTM API websocket connection to be established
  don't process artifacts from custom `set_stat` calls asynchronously
  don't overwrite env['ANSIBLE_LIBRARY'] when fact caching is enabled
  only allow facts to cache in the proper file system location
  replace our memcached-based fact cache implementation with local files
  add support for new "BECOME" prompt in Ansible 2.5+
  fix a bug in inventory generation for isolated nodes
  properly handle unicode for isolated job buffers
2018-02-20 12:22:25 -05:00
Ryan Petrello
72715df751 fix a bug for "users should be able to change type of unused credential"
see: https://github.com/ansible/ansible-tower/issues/7516
related: https://github.com/ansible/tower/pull/441
2018-02-08 15:44:14 -05:00
Ryan Petrello
ea4cd99003 fix a few tests caused by fallout between 3.2.2 bugs and 3.3 multicred 2017-12-13 14:02:25 -05:00
Ryan Petrello
26845642f0 fix a bug which caused v1 cred backwards-compat to apply to v2 requests
see: https://github.com/ansible/ansible-tower/issues/7793
2017-11-28 13:05:13 -05:00
Ryan Petrello
f4a252a331 add new credential types in a more stable way in migrations
instead of writing individual migrations for new built-in credential
types, this change makes the "setup_tower_managed_defaults" function
idempotent so that it only adds the credential types you're missing
2017-10-10 14:38:45 -04:00
Ryan Petrello
c8f4320b58 allow the credential type to be changed for unused credentials
see: https://github.com/ansible/ansible-tower/issues/7607
2017-10-10 14:38:43 -04:00
Chris Meyers
a08a158672 remove azure 2017-09-18 10:35:32 -04:00
Aaron Tan
276bed2d0b Disallow changing credential_type of an existing credential 2017-08-31 11:25:01 -04:00
Ryan Petrello
54d6c4ebfd Merge pull request #304 from ryanpetrello/required-cred-fields
mark a variety of credential fields as required
2017-08-18 17:02:24 -04:00
Ryan Petrello
90b5d98e5c add required fields for network credentials
see: https://github.com/ansible/ansible-tower/issues/7466
2017-08-18 16:18:04 -04:00
Ryan Petrello
438d41c986 make vault_password required for Vault credentials
see: https://github.com/ansible/ansible-tower/issues/7468
2017-08-18 14:10:19 -04:00
Ryan Petrello
5e15f9e04e add validation errors for certain dependent credential fields
see: https://github.com/ansible/ansible-tower/issues/7323
see: https://github.com/ansible/ansible-tower/issues/7293
see: https://github.com/ansible/ansible-tower/issues/7289
see: https://github.com/ansible/ansible-tower/issues/7292
2017-07-28 16:07:37 -04:00
Ryan Petrello
a640d6afec improve sanitation of empty credential values to match API v1 behavior
This is mostly backwards compatibility to avoid surprises: in 3.1.x
if you submit a field value with `null` or an empty string to
a CharField, it's treated as an empty string (and SSH key validation
is skipped).  For boolean field values (`net.authorize`), `null` and
empty string are coerced to `False`.

see: #7216
see: #7218
2017-07-21 11:25:56 -04:00
Ryan Petrello
0b6c43dac0 allow access to insights credentials in /api/v1/
see: #6978
2017-07-17 10:14:29 -04:00
Ryan Petrello
28f44c3ab0 filter Insights credentials from /api/v1/credentials/
see: #6978
see: #6088
2017-07-11 13:55:43 -04:00
Ryan Petrello
12982d6ef6 Merge pull request #6541 from wwitzel3/issue-826
Re-Encrypt all of our existing encrypted fields.
2017-06-13 09:42:56 -04:00
Ryan Petrello
240d629128 fix a bug in ssh key unlock validation
see: #6553
2017-06-12 10:28:38 -04:00
Wayne Witzel III
b5d61c3c53 Relocate encryption helpers, update settings, tests, and imports 2017-06-12 09:54:12 -04:00
Ryan Petrello
28ad576c90 properly validate ssh_key_unlock for Net and SCM credentials
see: #6460
2017-06-09 10:43:04 -04:00
Ryan Petrello
ea0f4ce59d properly validate SSH key data for SCM, Net, GCE, and Azure Classic
see: #6384
2017-06-09 10:39:07 -04:00
Ryan Petrello
a04f666319 Merge pull request #6468 from ryanpetrello/fix-6464
add a boolean `authorize` field for the Network Credential Type
2017-06-09 09:47:39 -04:00
Ryan Petrello
1f41e002a6 Merge pull request #6399 from ryanpetrello/fix-6390
fix a bug in POST /api/v1/credential detection of Vault payloads
2017-06-08 15:40:26 -04:00
Ryan Petrello
ad9fda9a06 add a boolean authorize field for the Network Credential Type
see: #6464
2017-06-06 11:13:10 -04:00
Ryan Petrello
fd4b86349c fix a 500 error in /api/v1/credentials/ backwards compat
see: #6414
2017-06-01 11:26:18 -04:00
Ryan Petrello
71dda544ab fix a bug in /api/v1/credential detection of Vault payloads
see: #6390
2017-06-01 10:18:43 -04:00
Ryan Petrello
e0a629db58 improve error formatting for jsonschema failures on Credential.inputs
this provides error messages keyed by input fields, so that instead of
e.g.,

{
    'inputs': ['Invalid certificate or key: u'XYZ']
}

...you get:

{
    'inputs': {
        'ssh_key_data': ['Invalid certificate or key: u'XYZ']
    }
}

Includes /api/v1/ compatibility for error message format.  Requests to
/api/v1/ will get:

{'ssh_key_data': ['Invalid certificate or key: u'XYZ']}
2017-06-01 09:48:42 -04:00
Aaron Tan
cfb633e8a6 Dependency Updates
* Dynamic Inventory Source
Template against ansible 2.3 dynamic inventory sources.
The major change is removal of `rax.py`. Most upstream scripts except
`foreman.py` have quite trivial coding style changes, or minor functional
extensions that do not affect Tower inventory update runs.
`foreman.py`, on the other hand, went through quite a major refactoring,
but functionalities stay the same.

Major python dependency updates include apache-libcloud (1.3.0 -->
2.0.0), boto (2.45.0 --> 2.46.1) and shade (1.19.0 --> 1.20.0). Minor
python dependency updates include indirect updates via `pip-compile`,
which are determined by base dependencies.

Some minor `task.py` extensions:
 - `.ini` file for ec2 has one more field `stack_filter=False`, which
   reveals changes in `ec2.py`.
 - `.ini` file for cloudforms will catch these four options from
   `source_vars_dict` of inventory update: `'version', 'purge_actions',
   'clean_group_keys', 'nest_tags'`. These four options have always been
   available in `cloudforms.py` but `cloudforms.ini.example` has not
   mentioned them until the latest version. For consistency with upstream
   docs, we should make these fields available for tower user to customize.
 - YAML file of openstack will catch ansible options `use_hostnames`,
   `expand_hostvars` and `fail_on_errors` from `source_vars_dict` of
   inventory update as a response to issue #6075.

* Remove Rackspace support
Support for Rackspace as both a dynamic inventory source and a cloud
credential is fully removed. Data migrations have been added to support
arbitrary credential types feature and delete rackspace inventory
sources.

Note also requirement `jsonschema` has been moved from
`requirements.txt` to `requirements.in` as a primary dependency to
reflect its usage in `/main/fields.py`.

Connected issue: #6080.

* `pexpect` major update
`pexpect` stands at the very core of our task system and underwent a
major update from 3.1 to 4.2.1. Although verified during devel, please
still be mindful of any suspicious issues on celery side even after this
PR gets merged.

* Miscellaneous
 - requests now explicitly declared in `requirements.in` at version 2.11.1
   in response to upstream issue
 - celery: 3.1.17 -> 3.1.25
 - django-extensions: 1.7.4 -> 1.7.8
 - django-polymorphic: 0.7.2 -> 1.2
 - django-split-settings: 0.2.2 -> 0.2.5
 - django-taggit: 0.21.3 -> 0.22.1
 - irc: 15.0.4 -> 15.1.1
 - pygerduty: 0.35.1 -> 0.35.2
 - pyOpenSSL: 16.2.0 -> 17.0.0
 - python-saml: 2.2.0 -> 2.2.1
 - redbaron: 0.6.2 -> 0.6.3
 - slackclient: 1.0.2 -> 1.0.5
 - tacacs_plus: 0.1 -> 0.2
 - xmltodict: 0.10.2 -> 0.11.0
 - pip: 8.1.2 -> 9.0.1
 - setuptools: 23.0.0 -> 35.0.2
 - (requirements_ansible.in only)kombu: 3.0.35 -> 3.0.37
2017-05-08 12:03:02 -04:00
Ryan Petrello
a1fa9243bc split machine CredentialType into two distinct (ssh and vault) kinds 2017-05-02 10:26:37 -04:00
Ryan Petrello
83dc4f6757 for /api/v1/ requests, filter out v2 (custom) credentials
see: #5877
2017-04-24 15:21:30 -04:00
Ryan Petrello
ba259e0ad4 Introduce a new CredentialTemplate model
Credentials now have a required CredentialType, which defines inputs
(i.e., username, password) and injectors (i.e., assign the username to
SOME_ENV_VARIABLE at job runtime)

This commit only implements the model changes necessary to support the
new inputs model, and includes code for the credential serializer that
allows backwards-compatible support for /api/v1/credentials/; tasks.py
still needs to be updated to actually respect CredentialType injectors.

This change *will* break the UI for credentials (because it needs to be
updated to use the new v2 endpoint).

see: #5877
see: #5876
see: #5805
2017-04-21 15:42:26 -04:00
Ryan Petrello
95ea370e5e add API versioning for /api/v2/ 2017-03-30 15:11:12 -04:00
Ryan Petrello
f4d4c43d94 prohibit order_by= for sensitive fields
see: #5526
2017-03-10 08:49:59 -05:00
AlanCoding
81cb57be4f remove tests pertaining to credential org related field 2016-12-05 16:17:58 -05:00
Aaron Tan
9e4655419e Fix flake8 E302 errors. 2016-11-15 20:59:39 -05:00
Alan Rominger
43e399df81 Merge pull request #3370 from ansible/AlanCoding-patch-3
test_credential bug fixes
2016-09-13 09:56:43 -04:00
Alan Rominger
5e626cfe2e test_credential bug fixes
Credential detail view was looked up with the organization's primary key. Works fine when the database arbitrarily gives them both pk=1 in an isolated test, but not a great thing to depend on.
2016-08-29 15:54:45 -04:00
AlanCoding
23024c8fad Make sure org admins can see credential after migration, comment updates on related tests
add clause in test to verify automatic setting of org of new team credential
2016-08-24 11:36:07 -04:00
Akita Noek
9c5c09169e Made it so the credential organization field can't be changed
This makes it so the credential organization field can't be changed
through the API (unless the user is a super user). This brings us into
alignment with the original intent.
2016-08-16 15:32:29 -04:00