fixes #85 Preserve data types in galaxy-server.secret.yaml.j2

[Denney-tech]

SUMMARY

Should fix #85. Since we're injecting into a Python file, we don't necessarily want all values to become strings or other json types. Partially fixes #96 for group types.

ADDITIONAL INFORMATION

Tested on ansible 2.14.9, python 3.9.18, jinja 3.1.2, with ANSIBLE_JINJA2_NATIVE set to true and false.

pulp_settings:
  cors_origin_whitelist:
    - 'https://ansible-galaxy.apps.os4.contoso.com'
  auth_ldap_user_attr_map:
    email: mail
    first_name: givenName
    last_name: sn
  auth_ldap_user_flags_by_group:
    is_staff:
      - 'CN=Galaxy_Users,OU=contoso,OU=Groups,DC=contoso,DC=com'
    is_superuser:
      - 'CN=Galaxy_Admins,OU=contoso,OU=Groups,DC=contoso,DC=com'
  auth_ldap_cache_timeout: 3600
  analytics: false
  execution_environments: false
  legacy_roles: false
  api_root: /api/galaxy/pulp/
  token_server: 'https://ansible-galaxy.apps.os4.contoso.com/token/'
  enable_signing: 2
  galaxy_container_signing_server: '@none None'
  csrf_trusted_origins:
    - 'https://ansible-galaxy.apps.os4.contoso.com'
  allowed_import_paths:
    - /tmp
  content_origin: 'https://ansible-galaxy.apps.os4.contoso.com'
  galaxy_authentication_classes:
    - rest_framework.authentication.SessionAuthentication
    - rest_framework.authentication.TokenAuthentication
    - rest_framework.authentication.BasicAuthentication
  galaxy_deployment_mode: standalone
  galaxy_enable_unauthenticated_collection_access: true
  # attempt to escape quotes in code injection
  a_custom: |-
    "
    arbitrary_code_injection = test.snafu()
    "#
  galaxy_feature_flags:
    execution_environments: false
    ai_deny_index: true
    display_repositories: true
    legacy_roles: false
  galaxy_require_content_approval: true
  galaxy_enable_unauthenticated_collection_download: true
  auth_ldap_mirror_groups: true
  aws_s3_verify: false
  aws_s3_endpoitn_url: 'https://ansible-galaxy.apps.os4.contoso.com/pulp/content/'
  allowed_export_paths:
    - /tmp
  auth_ldap_group_type: NestedActiveDirectoryGroupType()
  ansible_api_hostname: 'https://ansible-galaxy.apps.os4.contoso.com'

Results before/after change.

1. More like pulp-operator # original PR output

 stringData:
   settings.py: |
-        CORS_ORIGIN_WHITELIST = ["https://ansible-galaxy.apps.os4.contoso.com"]
-        AUTH_LDAP_USER_ATTR_MAP = {"email": "mail", "first_name": "givenName", "last_name": "sn"}
-        AUTH_LDAP_USER_FLAGS_BY_GROUP = {"is_staff": ["CN=Galaxy_Users,OU=contoso,OU=Groups,DC=contoso,DC=com"], "is_superuser": ["CN=Galaxy_Admins,OU=contoso,OU=Groups,DC=contoso,DC=com"]}
+        CORS_ORIGIN_WHITELIST = ['https://ansible-galaxy.apps.os4.contoso.com']
+        AUTH_LDAP_USER_ATTR_MAP = {'email': 'mail', 'first_name': 'givenName', 'last_name': 'sn'}
+        AUTH_LDAP_USER_FLAGS_BY_GROUP = {'is_staff': ['CN=Galaxy_Users,OU=contoso,OU=Groups,DC=contoso,DC=com'], 'is_superuser': ['CN=Galaxy_Admins,OU=contoso,OU=Groups,DC=contoso,DC=com']}
         AUTH_LDAP_CACHE_TIMEOUT = 3600
         ANALYTICS = False
         EXECUTION_ENVIRONMENTS = False
@@ -17,20 +17,20 @@
         TOKEN_SERVER = "https://ansible-galaxy.apps.os4.contoso.com/token/"
         ENABLE_SIGNING = 2
         GALAXY_CONTAINER_SIGNING_SERVER = "@none None"
-        CSRF_TRUSTED_ORIGINS = ["https://ansible-galaxy.apps.os4.contoso.com"]
-        ALLOWED_IMPORT_PATHS = ["/tmp"]
+        CSRF_TRUSTED_ORIGINS = ['https://ansible-galaxy.apps.os4.contoso.com']
+        ALLOWED_IMPORT_PATHS = ['/tmp']
         CONTENT_ORIGIN = "https://ansible-galaxy.apps.os4.contoso.com"
-        GALAXY_AUTHENTICATION_CLASSES = ["rest_framework.authentication.SessionAuthentication", "rest_framework.authentication.TokenAuthentication", "rest_framework.authentication.BasicAuthentication"]
+        GALAXY_AUTHENTICATION_CLASSES = ['rest_framework.authentication.SessionAuthentication', 'rest_framework.authentication.TokenAuthentication', 'rest_framework.authentication.BasicAuthentication']
         GALAXY_DEPLOYMENT_MODE = "standalone"
         GALAXY_ENABLE_UNAUTHENTICATED_COLLECTION_ACCESS = True
         A_CUSTOM = "\"\narbitrary_code_injection = test.snafu()\n\"#"
-        GALAXY_FEATURE_FLAGS = {"execution_environments": false, "ai_deny_index": true, "display_repositories": true, "legacy_roles": false}
+        GALAXY_FEATURE_FLAGS = {'execution_environments': False, 'ai_deny_index': True, 'display_repositories': True, 'legacy_roles': False}
         GALAXY_REQUIRE_CONTENT_APPROVAL = True
         GALAXY_ENABLE_UNAUTHENTICATED_COLLECTION_DOWNLOAD = True
         AUTH_LDAP_MIRROR_GROUPS = True
         AWS_S3_VERIFY = False
         AWS_S3_ENDPOITN_URL = "https://ansible-galaxy.apps.os4.contoso.com/pulp/content/"
-        ALLOWED_EXPORT_PATHS = ["/tmp"]
-        AUTH_LDAP_GROUP_TYPE = "NestedActiveDirectoryGroupType()"
+        ALLOWED_EXPORT_PATHS = ['/tmp']
+        AUTH_LDAP_GROUP_TYPE = NestedActiveDirectoryGroupType()
         ANSIBLE_API_HOSTNAME = "https://ansible-galaxy.apps.os4.contoso.com"

2. More like awx-operator # current PR output

 stringData:
   settings.py: |
-        CORS_ORIGIN_WHITELIST = ["https://ansible-galaxy.apps.os4.contoso.com"]
-        AUTH_LDAP_USER_ATTR_MAP = {"email": "mail", "first_name": "givenName", "last_name": "sn"}
-        AUTH_LDAP_USER_FLAGS_BY_GROUP = {"is_staff": ["CN=Galaxy_Users,OU=contoso,OU=Groups,DC=contoso,DC=com"], "is_superuser": ["CN=Galaxy_Admins,OU=contoso,OU=Groups,DC=contoso,DC=com"]}
+        CORS_ORIGIN_WHITELIST = ['https://ansible-galaxy.apps.os4.contoso.com']
+        AUTH_LDAP_USER_ATTR_MAP = {'email': 'mail', 'first_name': 'givenName', 'last_name': 'sn'}
+        AUTH_LDAP_USER_FLAGS_BY_GROUP = {'is_staff': ['CN=Galaxy_Users,OU=contoso,OU=Groups,DC=contoso,DC=com'], 'is_superuser': ['CN=Galaxy_Admins,OU=contoso,OU=Groups,DC=contoso,DC=com']}
         AUTH_LDAP_CACHE_TIMEOUT = 3600
         ANALYTICS = False
         EXECUTION_ENVIRONMENTS = False
         LEGACY_ROLES = False
-        API_ROOT = "/api/galaxy/pulp/"
-        TOKEN_SERVER = "https://ansible-galaxy.apps.os4.contoso.com/token/"
+        API_ROOT = /api/galaxy/pulp/
+        TOKEN_SERVER = https://ansible-galaxy.apps.os4.contoso.com/token/
         ENABLE_SIGNING = 2
-        GALAXY_CONTAINER_SIGNING_SERVER = "@none None"
-        CSRF_TRUSTED_ORIGINS = ["https://ansible-galaxy.apps.os4.contoso.com"]
-        ALLOWED_IMPORT_PATHS = ["/tmp"]
-        CONTENT_ORIGIN = "https://ansible-galaxy.apps.os4.contoso.com"
-        GALAXY_AUTHENTICATION_CLASSES = ["rest_framework.authentication.SessionAuthentication", "rest_framework.authentication.TokenAuthentication", "rest_framework.authentication.BasicAuthentication"]
-        GALAXY_DEPLOYMENT_MODE = "standalone"
+        GALAXY_CONTAINER_SIGNING_SERVER = @none None
+        CSRF_TRUSTED_ORIGINS = ['https://ansible-galaxy.apps.os4.contoso.com']
+        ALLOWED_IMPORT_PATHS = ['/tmp']
+        CONTENT_ORIGIN = https://ansible-galaxy.apps.os4.contoso.com
+        GALAXY_AUTHENTICATION_CLASSES = ['rest_framework.authentication.SessionAuthentication', 'rest_framework.authentication.TokenAuthentication', 'rest_framework.authentication.BasicAuthentication']
+        GALAXY_DEPLOYMENT_MODE = standalone
         GALAXY_ENABLE_UNAUTHENTICATED_COLLECTION_ACCESS = True
-        AUT_LDAP_USER_SEARCH = "LDAPSearch(\"OU=Users,DC=contoso,DC=com\",ldap.SCOPE_SUBTREE,\"(sAMAccountName=%(user)s)\",)"
-        B_CUSTOM = "none; from django_auth_ldap.config import *; #()"
-        A_CUSTOM = "\"\narbitrary_code_injection = test.snafu()\n\"#"
-        GALAXY_FEATURE_FLAGS = {"execution_environments": false, "ai_deny_index": true, "display_repositories": true, "legacy_roles": false}
+        AUT_LDAP_USER_SEARCH = LDAPSearch("OU=Users,DC=contoso,DC=com",ldap.SCOPE_SUBTREE,"(sAMAccountName=%(user)s)",)
+        B_CUSTOM = none; from django_auth_ldap.config import *; #()
+        A_CUSTOM = "
+arbitrary_code_injection = test.snafu()
+"#
+        GALAXY_FEATURE_FLAGS = {'execution_environments': False, 'ai_deny_index': True, 'display_repositories': True, 'legacy_roles': False}
         GALAXY_REQUIRE_CONTENT_APPROVAL = True
         GALAXY_ENABLE_UNAUTHENTICATED_COLLECTION_DOWNLOAD = True
         AUTH_LDAP_MIRROR_GROUPS = True
         AWS_S3_VERIFY = False
-        AWS_S3_ENDPOITN_URL = "https://ansible-galaxy.apps.os4.contoso.com/pulp/content/"
-        ALLOWED_EXPORT_PATHS = ["/tmp"]
-        AUTH_LDAP_GROUP_TYPE = "NestedActiveDirectoryGroupType()"
-        ANSIBLE_API_HOSTNAME = "https://ansible-galaxy.apps.os4.contoso.com"
+        AWS_S3_ENDPOITN_URL = https://ansible-galaxy.apps.os4.contoso.com/pulp/content/
+        ALLOWED_EXPORT_PATHS = ['/tmp']
+        AUTH_LDAP_GROUP_TYPE = NestedActiveDirectoryGroupType()
+        ANSIBLE_API_HOSTNAME = https://ansible-galaxy.apps.os4.contoso.com

[Denney-tech]

Switched to Draft after second-guessing myself. For LDAP, there is a need to inject code like AUTH_LDAP_USER_SEARCH = LDAPSearch("OU=Users,DC=contoso,DC=com",ldap.SCOPE_SUBTREE,"(sAMAccountName=%(user)s)",), but my last commit which allows for this, makes me think I could inject arbitrary code.

e.g.

pulp_settings:
  b_custom: none; from django_auth_ldap.config import *; #()

becomes
B_CUSTOM = none; from django_auth_ldap.config import *; #() thanks to () matching the regex.

I'm not sure if this a real security concern, or what could be done better. I'm going to poke around AWX-Operator to see how those get injected since it "just works" for me over there.

[Denney-tech]

config.yaml.j2#L87-L89

Looks like they're not doing anything fancy, but they're only adding extra_settings to a much larger template.

@rooftopcellist Thoughts?

[kurokobo]

@Denney-tech
I believe these are the lines that you need. I think it's okay to add these lines to Galaxy Operator as well:

https://github.com/ansible/awx-operator/blob/413b7003a2c5f949b175e430456d4eb49c13a999/roles/installer/templates/configmaps/config.yaml.j2#L17-L18

[Denney-tech]

That is part of the solution, yes. There should also be an optional ldap secret that contains the bind password.

I'm going to bed soon, so I will look around more tomorrow.

[Denney-tech]

@rooftopcellist this should work exactly the same as awx-operator, and should close #85. I'm working on a new PR to address LDAP, and would like to discuss it a bit over on the forum.

[Denney-tech]

@rooftopcellist I've edited the original post with another diff output. The first diff is what the PR originally did, which more closely emulates the pulp-operator, and the second diff is the current state which emulates the awx-operator instead.

Personally I would like to lean towards the awx-operator, but either way we need to add documentation/examples that reflects how pulp_settings should be used with the galaxy-operator (at least until the parameter is removed/ignored).

[Denney-tech]

Muddied the water a bit in my fork, so I'm closing these PR's while I cleanup.