This repository has been archived by the owner on Aug 12, 2021. It is now read-only.

Rebase (#3)
* Correctly parse sumologic url paths
 - Sumologic includes a token with a '==' at the end of its host path.
   This adds rsyslog conf parsing tests and does not escape equals
   signs.

* allow org admins to remove labels

* Fix misc. linter errors due to the flake8-3.8.1 release
 - [Ref] https://flake8.pycqa.org/en/latest/release-notes/

* properly write rsyslog configuration as 0640

see: https://github.com/ansible/tower/issues/4383

* Bump foreman collection to 0.8.1

* New release includes:
  'add host_filters and want_ansible_ssh_host like script used to have'

* foreman: use group_prefix for all groups

* awx's "compatibility layer" for the foreman plugin had the
  group_prefix hard-coded to 'foreman_'

* delete and re-add host when ip address changes

* The websocket backplane interconnect is done via ip address for
Kubernetes and OpenShift. On init run_wsbroadcast reads all Instances
from the DB and makes a decision to use the ip address or the hostname
based, with preference given to the ip address if defined. For
Kubernetes and OpenShift the nodes can load the Instance before the
ip_address is set. This would cause the connection to be tried by
hostname rather than ip address. This changeset ensures that an ip
address set after an Instance record is created will be detected and
used.

* track stats by hostname not remote host/ip

* broadcast websockets have stats tracked (i.e. connection status,
number of messages total, messages per minute, etc). Previous to this
change, stats were tracked by ip address, if it was defined on the
instance, XOR hostname. This changeset tracks stats by hostname.

* don't block on log aggregator socket.send() calls

see: https://github.com/ansible/tower/issues/4391

* Send content-type with mattermost notifications, fixes ansible#7264

* Make all_parents_must_converge settable when creating node

When targeting, ../workflow_job_templates/id#/workflow_nodes/ endpoint,
user could not set all_parents_must_converge to true.

3.7.1 backport for awx issue ansible#7063

* disable reports option for foreman

* Allow use of fallback instance_ids

* update VMWARE_INSTANCE_ID_VAR

* Favor instanceUuid
* .. but fall back to instanceuuid if necessary

* Add queue / instance group registration to heartbeat for k8s installs

There is some history here.

ansible#7190 <- This PR was an attempt at fixing a
bug notting ran into where some jobs on k8s installs would get stuck in Waiting
forever.

The PR mentioned above introduced a bug where there are no instance groups on a
fresh k8s-based install. This is because this process currently happens in the
launch scripts, before the database is up.

With this patch, queue / instance group registration happens in the heartbeat,
right after auto-registering the instance.

* wrap --instance-id-var in quotes

* revert EC2_INSTANCE_ID_VAR

* UI translation strings for release_3.7.1 branch

* fix a regression in how job host summaries are generated

this change fixes a bug introduced in the optimization at ansible#7352

1. Create inventory with multiple hosts
2. Run a playbook with a limit to match only one host
3. Run job, verify that it only acts on the one host
4. Go to inventory host list and see that all the hosts have last_job updated to point to the job that only acted on one host.

* [DO NOT PORT to AWX] Pin dev requirements (ansible#4413)

* add backwards support for ssl_verify in foreman

* plugin changed option name from
  ssl_verify to validate_cert

* UI translation strings for release_3.7.1 branch for es and nl

* Added the ability to set the broadcast_websocket_secret variable.
This is necessary if you would like to rerun the playbook.

Signed-off-by: JoelKle <34544090+JoelKle@users.noreply.github.com>

* Fixed a bug where the redis.conf first would be stored with mod 0600
and in the next task changed to 0666.
This broke the ability to rerun the playbook.

Signed-off-by: JoelKle <34544090+JoelKle@users.noreply.github.com>

* Reintroduce label filtering

Labels are visible if you have a role on the org they are in, or
on a job template they're attached to.

* use jinja2.sandbox for credential type injectors

* Don't follow redirects in credential plugins

* Reduce error detail in webhook notification

* Reduce error detail in credential lookups

* prevent unsafe jinja from being saved in the first place for cred types

see: https://github.com/ansible/tower-security/issues/21

* add tests for clarified label permissions

* Include instance_id in host edit request

* fixed broken UI links

* remove the usage of create_temporary_fifo from credential plugins

this resolves an issue that causes an endless hang with Cyberark AIM
lookups when a certificate *and* key are specified

the underlying issue here is that we can't rely on the underlying Python
ssl implementation to *only* read from the fifo that stores the pem data
*only once*; in reality, we need to just use *actual* tempfiles for
stability purposes

see: ansible#6986
see: urllib3/urllib3#1880

* Upgrade community.vmware for better error surfacing

* Change Dockerfile to copy custom venv

* update the named URL code to properly return 404 vs 403

* Force worker processes to have a different signal handler from the parent

Situations have come up where the 5+ minute kill signal for
run_task_manager is emitted to the worker process running it, but
since the worker improperly inherited the AWXConsumerBase().stop()
handler a deadlock ultimately was triggered on the database
connection.

* properly report 30x errors on credential plugin tests

* pin pytest-forked to fix broken unit tests

* properly obfuscate connection errors for credential lookup failure

* Cache downloaded roles & collections

Populate the cache the first time the job is run for a revision
that needs them, and for future runs for that revision just
copy it into the private directory.

Delete the cache on project deletion.

Invalidate the cache on a new project revision

Also download roles/collections during the sync job

Since we're writing into a per-revision cache, we can do this easily now.

Don't try and install content if there aren't any requirements expecting it

Adjust pathing to the proper location.

Force install if doing a manual sync.

Requirements may be unversioned.

Remove the cache when delete-on-update is set

Integrate content caching with existing task logic

Revert the --force flags

use the update id as metric for role caching

Shift the movement of cache to job folder from rsync task to python

Only install roles and collections if needed

Deal with roles and collections for jobs without sync
Skip local copy if roles or collections turned off

update docs for content caching

Design pivot - use empty cache dir to indicate lack of content

Do not cache content if we did not install content

Test changes to allay concerns about reliability of local_path

Do not blow away cache for SCM inventory updates

Remove project update vars no longer used

Remove job pre-creation of content folders

code style edit, always use cache_id as property in tasks

Fix log message

* Avoid using long name of option not in 2.8

* Use quotations when marking strings for translation

* Add settings framework

* Hide license route based on install and add useConfig hook

* ARM image build support

* upgrade `chromedriver` for ARM support
* upgrade `pynacl` to fix `libsodium` build issue on ARM
* remove unnecessary i686-specific `libstdc++.so.6` package
* install `kubectl` and `tini` from upstream binaries for ARM support
* use upstream `postgres` and `alpine` docker images for `postgresql` helm chart

Fixes ansible#7051

* Fix garbage being printed when exporting as YAML - related ansible#7795

This resolves issue ansible#7795, by passing the `encoding` keyword argument
only when the code is run on a Python 2 interpreter.

related ansible#7795.

* Adds delete functionality to user tokens list

* Removes Inventory Script screens, routes, stubs etc.

* remove vNNN from example migration files

* Create marginally more realistic event data with firehose

* Fix rbac on Add button on User Access/Team Roles lists

* mark PRIMARY_GALAXY_USERNAME and PRIMARY_GALAXY_PASSWORD as deprecated

* Handle form submission errors that may be deeply nested in the return object

* Updated import/export names for consistency

* Adding RuntimeError which is returned from a connection error in awx/main/dispatch/control.py

* Fix isolated dev env

* begin a 14.0.0 changelog

* Bump version to 14.0.0

* Make 'inputs' idempotent in credentials module, add test to check this works

* Add execution environment metadata to AWX collection

* Remove showExpandCollapse prop from the DataListToolbar calls

Remove showExpandCollapse prop from the DataListToolbar calls. This is
not an expected prop to be passed to this component.

Inside DataListToolbar.

```
  const showExpandCollapse = onCompact && onExpand;
```

In order to use this feature, `onCompact` and `onExpand` props should
be passed.

...

* Add advanced search to UI

* Updates to support advanced search changes:
- make set type and lookup prefixes/suffixes on searchColumns explicitly defined
- send possible search keys from options requests on (most) lists

* fix duplicate variable and key using array index issues

* Add AdvancedSearch propTypes and defaultProps

* Move Search to hooks and excise PF Dropdown in favor of Select

* fix merge conflicts and failing test

* fix AddResourceRole sort column

* add selectors for cypress tests

* add back in searchable keys props to user token list

* make sortColumnKey error message more clear

* update searchablekeys prop names for project lookup

* make name default searchColumn for ProjectJobTemplatesList.  also add helpful error message to tell you this is the issue

* update rest of lookups to use correct searchableKeys props

* delete inadvertently added back InventoryScriptLookup file

* fix busted flake8 CI

* Fix early return in assign related method

This change fixes an erroneous early return in a private method that was
preventing more than one type of related object from being correctly
assigned to the parent object, and therefore imported.

Also, a minor spelling mistake was corrected.

* Export Workflow Job Template Node Labels

This change adds related Labels to the Workflow Job Template document that is
exported by the AWX CLI.

Previously, exporting and then importing Workflow Job Templates would
not retain their related Labels.

* Update websockets.md

Add documentation for websocket backplane secret key exchange logic.

* Update websockets.md

spelling

* Add feature to add instance group

Add feature to add instance group.

See: ansible#7744

* Refactor organization look to use useRequest hook

* Add smart inventory add form and host filter lookup

* Add smart inventory edit form

* Decode host filter chip values and fix boolean search filter chip bug

* Upgrade gitpython to pick up bug fix

* Revert updater changes to Ansible requirements

* Allow YAML as a CLI import format

This changeset allows the import of YAML formatted resources. The CLI
user can indicate which format to use with the `-f, --format` option.
The CLI help text has been amended to reflect the new feature.

The AWX CLI `export` subcommand offers the option of formatting the output
as YAML or JSON, so it makes sense that the `import` subcommand reflects
this.

A simple test is also provided. In order to ease the task of testing
commands that import resources by reading the stdin, the CLI has been
extended to allow specifying an alternative file descriptor for stdin,
similarly to stdout and stderr.

* update to a newer python-ldap to address a bug

see: ansible#7868

* minor cleanup up CLI import -f yaml support

* Change regex to match what is in source

* Add feature to edit instance group

Add feature to edit instance group.

See: ansible#7767

* start notification template list

* flushing out notification template detail

* flush out template detail

* more template details; add template delete button

* add notification status indicator

* send test notifications

* add notification list tests

* add ObjectDetails for HTTP Headers display

* changelog updates for recent additions

* workaround import/dependency bug in tests

* Add smart inventory host list view

* Remove undefined prop from SelectedList call

Remove undefined prop from `SelectedList` call.

* kebabify additional controls when advanced search is displayed

* change name of hook to be useKebabifiedMenu

* add onShowAdvancedSearch callback test

* remove unnecessary selectors from kebabification test

* Add changelog preparing for awx.awx 14.1.0 bug fix

* Update websockets.md

Add more details about backplane websocket functionality.

* Update websockets.md

* Add custom host toggle tooltip for smart inventory hosts

* update existing relatedSearchKey requests to new convention and fix UJT searchKeys

* Adds User Token Details page

* Utilizes UserDateDetail, Capitalizes Scope value, fixes spelling errors

* Support workflow prompting on launch

* Run prettier

* Pin pytest-xdist

* make event stdout encoding more resilient to UTF-16 surrogate pairs

see: https://en.wikipedia.org/wiki/Universal_Character_Set_characters#Surrogates

* Use organization api to create users

This ensures that the user will be related to the chosen organization
when it is created.

* Embolden user organization name

* add a deprecation warning for mercurial project syncs

see: ansible#7932

* adds fix to allow look up to fetch data

* clean up old authtoken support

just use Bearer tokens - those are the only type of tokens we support

* fix a bug that prevents the explicit removal of instances from groups

* Update awx/ui_next/src/components/Lookup/CredentialLookup.jsx

Co-authored-by: Jake McDermott <yo@jakemcdermott.me>

* Adds workflow detail tab to workflow results

* Adding import/export awx kit features

Changed library structure

Original TowerModule becomes TowerLegacyModule

TowerModule from tower_api becomes TowerAPIModule

A real base TowerModule is created in tower_module.py

A new TowerAWXKitModule is created in tower_awxkit

TowerAWXKitModule and TowerAPIModule are child classes of TowerModule

* Adding integration tests and example in import

* Fix python3 Zuul error with awxkit

* Fixing truthy linting issues

* Removed default: '' and updated [] to '' per specification

* Another linting issue

* Expanding examples

* Fixing linting issues

* Fixing ansible pep8 issues

* Fixing validate-module errors

* Fixing exit_module -> exit_json

* Fix linter whitespace error

* Trying to gobble up logs in case there are errors

* Fixing oauth token login and making module respect token over username/password

* Fixing sanity error

* Updating to remove auth_type since it's no longer required

* Trying to make AWXKIT tests not run on python2

* Use a patternfly CSS variable instead of red

Use a patternfly CSS variable instead of red.

See: https://pf4.patternfly.org/documentation/overview/global-css-variables

* changelog for arm64 builds

* more changelog updates

* Add list of jobs for instance groups

Add list of jobs for instance groups.

See: ansible#7930

* Add type column to users list

Add type column to users list. Also, update `UserListItem` to be a
functional component.

See: ansible#5684

* update newly useRequested lists to get advanced searchableKeys

* add searchable keys support for AssociateModal and SelectResourceStep lists

* Adds support for toggling approval notifications on orgs and wfjts

* Add label to show isolated group

Add label to show isolated group.

See: https://tower-mockups.testing.ansible.com/patternfly/instance-groups/instance-groups/

* Only disable single notification row when toggling, not all rows

Co-authored-by: Ryan Petrello <rpetrell@redhat.com>
Co-authored-by: Christian Adams <chadams@redhat.com>
Co-authored-by: beeankha <beeankha@gmail.com>
Co-authored-by: Christian Adams <rooftopcellist@gmail.com>
Co-authored-by: Jim Ladd <jladd@redhat.com>
Co-authored-by: chris meyers <chris.meyers.fsu@gmail.com>
Co-authored-by: Chris Meyers <chrismeyersfsu@users.noreply.github.com>
Co-authored-by: Florian Apolloner <apollo13@users.noreply.github.com>
Co-authored-by: Seth Foster <fosterbseth@gmail.com>
Co-authored-by: Jake McDermott <yo@jakemcdermott.me>
Co-authored-by: AlanCoding <arominge@redhat.com>
Co-authored-by: Shane McDonald <me@shanemcd.com>
Co-authored-by: ansible-translation-bot <ansible-translation-bot@gmail.com>
Co-authored-by: JoelKle <34544090+JoelKle@users.noreply.github.com>
Co-authored-by: Bill Nottingham <notting@splat.cc>
Co-authored-by: Graham Mainwaring <graham@mhn.org>
Co-authored-by: Gabe Muniz <gmuniz@redhat.com>
Co-authored-by: Stefan Jakobs <sjakobs@anexia-it.com>
Co-authored-by: Jeff Bradberry <jeff.bradberry@gmail.com>
Co-authored-by: Marliana Lara <mlara@redhat.com>
Co-authored-by: Andrew Gaffney <andrew@agaffney.org>
Co-authored-by: Rigel Di Scala <rdiscala@redhat.com>
Co-authored-by: softwarefactory-project-zuul[bot] <33884098+softwarefactory-project-zuul[bot]@users.noreply.github.com>
Co-authored-by: Alex Corey <alex.swansboro@gmail.com>
Co-authored-by: mabashian <mabashia@redhat.com>
Co-authored-by: John Westcott IV <john.westcott.iv@redhat.com>
Co-authored-by: beeankha <bstohrer@redhat.com>
Co-authored-by: nixocio <nixocio@gmail.com>
Co-authored-by: John Mitchell <jmitchel@Johns-MacBook-Pro-46.local>
Co-authored-by: John Mitchell <jmitchel@ovpn-114-250.rdu2.redhat.com>
Co-authored-by: Keith Grant <keithjgrant@redhat.com>
Co-authored-by: John Mitchell <jmitchel@ovpn-113-13.rdu2.redhat.com>
Co-authored-by: Alex Corey <acorey@redhat.com>
Co-authored-by: John Mitchell <jmitchel@ovpn-117-206.rdu2.redhat.com>
1 parent def79de commit fcc190d
Showing 437 changed files with 11,311 additions and 2,360 deletions.
40 changes: 39 additions & 1 deletion CHANGELOG.md
Expand Up @@ -2,6 +2,44 @@

This is a list of high-level changes for each release of AWX. A full list of commits can be found at `https://github.com/ansible/awx/releases/tag/<version>`.

## 14.1.0 (TBD)
- AWX images can now be built on ARM64 - https://github.com/ansible/awx/pull/7607
- Deprecated official support for Mercurial-based project updates - https://github.com/ansible/awx/issues/7932
- Added resource import/export support to the official AWX collection - https://github.com/ansible/awx/issues/7329
- Added the ability to import YAML-based resources (instead of just JSON) when using the AWX CLI - https://github.com/ansible/awx/pull/7808
- Updated the AWX CLI to export labels associated with Workflow Job Templates - https://github.com/ansible/awx/pull/7847
- Updated to the latest python-ldap to address a bug - https://github.com/ansible/awx/issues/7868
- Upgraded git-python to fix a bug that caused workflows to sometimes fail - https://github.com/ansible/awx/issues/6119
- Fixed a bug in the AWX CLI that prevented Workflow nodes from importing properly - https://github.com/ansible/awx/issues/7793
- Fixed a bug in the awx.awx collection release process that templated the wrong version - https://github.com/ansible/awx/issues/7870
- Fixed a bug that caused errors rendering stdout that contained UTF-16 surrogate pairs - https://github.com/ansible/awx/pull/7918

## 14.0.0 (Aug 6, 2020)
- As part of our commitment to inclusivity in open source, we recently took some time to audit AWX's source code and user interface and replace certain terminology with more inclusive language. Strictly speaking, this isn't a bug or a feature, but we think it's important and worth calling attention to:
* https://github.com/ansible/awx/commit/78229f58715fbfbf88177e54031f532543b57acc
* https://www.redhat.com/en/blog/making-open-source-more-inclusive-eradicating-problematic-language
- Installing roles and collections via requirements.yml as part of Project Updates now requires at least Ansible 2.9 - https://github.com/ansible/awx/issues/7769
- Deprecated the use of the `PRIMARY_GALAXY_USERNAME` and `PRIMARY_GALAXY_PASSWORD` settings. We recommend using tokens to access Galaxy or Automation Hub.
- Added local caching for downloaded roles and collections so they are not re-downloaded on nodes where they are up to date with the project - https://github.com/ansible/awx/issues/5518
- Added the ability to associate K8S/OpenShift credentials to Job Template for playbook interaction with the `community.kubernetes` collection - https://github.com/ansible/awx/issues/5735
- Added the ability to include HTML in the Custom Login Info presented on the login page - https://github.com/ansible/awx/issues/7600
- Fixed https://access.redhat.com/security/cve/cve-2020-14327 - Server-side request forgery on credentials
- Fixed https://access.redhat.com/security/cve/cve-2020-14328 - Server-side request forgery on webhooks
- Fixed https://access.redhat.com/security/cve/cve-2020-14329 - Sensitive data exposure on labels
- Fixed https://access.redhat.com/security/cve/cve-2020-14337 - Named URLs allow for testing the presence or absence of objects
- Fixed a number of bugs in the user interface related to an upgrade of jQuery:
* https://github.com/ansible/awx/issues/7530
* https://github.com/ansible/awx/issues/7546
* https://github.com/ansible/awx/issues/7534
* https://github.com/ansible/awx/issues/7606
- Fixed a bug that caused the `-f yaml` flag of the AWX CLI to not print properly formatted YAML - https://github.com/ansible/awx/issues/7795
- Fixed a bug in the installer that caused errors when `docker_registry_password` was set - https://github.com/ansible/awx/issues/7695
- Fixed a permissions error that prevented certain users from starting AWX services - https://github.com/ansible/awx/issues/7545
- Fixed a bug that allows superusers to run unsafe Jinja code when defining custom Credential Types - https://github.com/ansible/awx/pull/7584/
- Fixed a bug that prevented users from creating (or editing) custom Credential Types containing boolean fields - https://github.com/ansible/awx/issues/7483
- Fixed a bug that prevented users with postgres usernames containing uppercase letters from restoring backups succesfully - https://github.com/ansible/awx/pull/7519
- Fixed a bug which allowed the creation (in the Tower API) of Groups and Hosts with the same name - https://github.com/ansible/awx/issues/4680

## 13.0.0 (Jun 23, 2020)
- Added import and export commands to the official AWX CLI, replacing send and receive from the old tower-cli (https://github.com/ansible/awx/pull/6125).
- Removed scripts as a means of running inventory updates of built-in types (https://github.com/ansible/awx/pull/6911)
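Review bot: in the new 14.0.0 section, the entry "Fixed a bug that allows superusers to run unsafe Jinja code when defining custom Credential Types" is a security fix but sits among the ordinary bug fixes, several lines below the four CVE entries. Move it next to the CVE lines so that anyone scanning the changelog for security-relevant changes sees it, and put it in the past tense ("allowed"). In the same section, "succesfully" should be "successfully".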
Expand All @@ -15,7 +53,7 @@ This is a list of high-level changes for each release of AWX. A full list of com
- Moved to a single container image build instead of separate awx_web and awx_task images. The container image is just `awx` (https://github.com/ansible/awx/pull/7228)
- Official AWX container image builds now use a two-stage container build process that notably reduces the size of our published images (https://github.com/ansible/awx/pull/7017)
- Removed support for HipChat notifications ([EoL announcement](https://www.atlassian.com/partnerships/slack/faq#faq-98b17ca3-247f-423b-9a78-70a91681eff0)); all previously-created HipChat notification templates will be deleted due to this removal.
- Fixed a bug which broke AWX installations with oc version 4.3 (https://github.com/ansible/awx/pull/6948/files)
- Fixed a bug which broke AWX installations with oc version 4.3 (https://github.com/ansible/awx/pull/6948/)
- Fixed a performance issue that caused notable delay of stdout processing for playbooks run against large numbers of hosts (https://github.com/ansible/awx/issues/6991)
- Fixed a bug that caused CyberArk AIM credential plugin looks to hang forever in some environments (https://github.com/ansible/awx/issues/6986)
- Fixed a bug that caused ANY/ALL converage settings not to properly save when editing approval nodes in the UI (https://github.com/ansible/awx/issues/6998)
2 changes: 1 addition & 1 deletion Makefile
Expand Up @@ -369,7 +369,7 @@ test:
PYTHONDONTWRITEBYTECODE=1 py.test -p no:cacheprovider -n auto $(TEST_DIRS)
cmp VERSION awxkit/VERSION || "VERSION and awxkit/VERSION *must* match"
cd awxkit && $(VENV_BASE)/awx/bin/tox -re py3
awx-manage check_migrations --dry-run --check -n 'vNNN_missing_migration_file'
awx-manage check_migrations --dry-run --check -n 'missing_migration_file'

COLLECTION_TEST_DIRS ?= awx_collection/test/awx
COLLECTION_TEST_TARGET ?=
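Review bot: in the `test` target, the context line `cmp VERSION awxkit/VERSION || "VERSION and awxkit/VERSION *must* match"` runs the quoted string as a command when `cmp` fails, so the intended message is never printed as a message; the shell reports a command-not-found error instead. While this target is being touched, consider `|| (echo "VERSION and awxkit/VERSION *must* match"; exit 1)`. The `-n` rename itself is consistent with the commit message item about removing vNNN from example migration files.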
2 changes: 1 addition & 1 deletion VERSION
@@ -1 +1 @@
13.0.0
14.0.0
24 changes: 24 additions & 0 deletions awx/api/generics.py
Expand Up @@ -51,6 +51,7 @@
StubLicense
)
from awx.main.utils.db import get_all_field_names
from awx.main.views import ApiErrorView
from awx.api.serializers import ResourceAccessListElementSerializer, CopySerializer, UserSerializer
from awx.api.versioning import URLPathVersioning
from awx.api.metadata import SublistAttachDetatchMetadata, Metadata
Expand Down Expand Up @@ -188,6 +189,29 @@ def finalize_response(self, request, response, *args, **kwargs):
'''
Log warning for 400 requests. Add header with elapsed time.
'''

#
# If the URL was rewritten, and we get a 404, we should entirely
# replace the view in the request context with an ApiErrorView()
# Without this change, there will be subtle differences in the BrowseableAPIRenderer
#
# These differences could provide contextual clues which would allow
# anonymous users to determine if usernames were valid or not
# (e.g., if an anonymous user visited `/api/v2/users/valid/`, and got a 404,
# but also saw that the page heading said "User Detail", they might notice
# that's a difference in behavior from a request to `/api/v2/users/not-valid/`, which
# would show a page header of "Not Found"). Changing the view here
# guarantees that the rendered response will look exactly like the response
# when you visit a URL that has no matching URL paths in `awx.api.urls`.
#
if response.status_code == 404 and 'awx.named_url_rewritten' in request.environ:
self.headers.pop('Allow', None)
response = super(APIView, self).finalize_response(request, response, *args, **kwargs)
view = ApiErrorView()
setattr(view, 'request', request)
response.renderer_context['view'] = view
return response

if response.status_code >= 400:
status_msg = "status %s received by user %s attempting to access %s from %s" % \
(response.status_code, request.user, request.path, request.META.get('REMOTE_ADDR', None))
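Review bot: the new 404 branch in `finalize_response` returns before the `if response.status_code >= 400:` block, so a request that hits a rewritten named URL and gets a 404 is no longer written to the warning log. Those are the requests that name enumeration would generate, so they are the ones worth keeping in the log. If the rest of the method is also where the elapsed-time header from the docstring is set, these responses will lack a header that other responses carry, which is itself a distinguishing signal. Suggest swapping the view in `renderer_context` and then falling through to the common path instead of returning early. Minor: `setattr(view, 'request', request)` can be written `view.request = request`.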
18 changes: 18 additions & 0 deletions awx/api/renderers.py
Expand Up @@ -7,6 +7,24 @@
# Django REST Framework
from rest_framework import renderers
from rest_framework.request import override_method
from rest_framework.utils import encoders


class SurrogateEncoder(encoders.JSONEncoder):

def encode(self, obj):
ret = super(SurrogateEncoder, self).encode(obj)
try:
ret.encode()
except UnicodeEncodeError as e:
if 'surrogates not allowed' in e.reason:
ret = ret.encode('utf-8', 'replace').decode()
return ret


class DefaultJSONRenderer(renderers.JSONRenderer):

encoder_class = SurrogateEncoder


class BrowsableAPIRenderer(renderers.BrowsableAPIRenderer):
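Review bot: in `SurrogateEncoder.encode`, the test `'surrogates not allowed' in e.reason` ties the behaviour to the interpreter's error text; for any other `UnicodeEncodeError` the exception is swallowed and the un-encodable string is returned unchanged, to fail later somewhere less obvious. Either drop the reason check and always fall back to `ret.encode('utf-8', 'replace').decode()`, or re-raise when the reason does not match. Note also that `ret.encode()` encodes every rendered payload a second time purely as a check, and that the class has no docstring saying that lone surrogates are replaced with `?` in the output; both deserve a comment.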
35 changes: 31 additions & 4 deletions awx/api/views/__init__.py
Expand Up @@ -14,6 +14,8 @@
from base64 import b64encode
from collections import OrderedDict

from urllib3.exceptions import ConnectTimeoutError


# Django
from django.conf import settings
Expand Down Expand Up @@ -171,6 +173,15 @@ def api_exception_handler(exc, context):
exc = ParseError(exc.args[0])
if isinstance(context['view'], UnifiedJobStdout):
context['view'].renderer_classes = [renderers.BrowsableAPIRenderer, JSONRenderer]
if isinstance(exc, APIException):
req = context['request']._request
if 'awx.named_url_rewritten' in req.environ and not str(getattr(exc, 'status_code', 0)).startswith('2'):
# if the URL was rewritten, and it's not a 2xx level status code,
# revert the request.path to its original value to avoid leaking
# any context about the existance of resources
req.path = req.environ['awx.named_url_rewritten']
if exc.status_code == 403:
exc = NotFound(detail=_('Not found.'))
return exception_handler(exc, context)


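Review bot: in `api_exception_handler`, the new block reads the status two different ways: `str(getattr(exc, 'status_code', 0)).startswith('2')` and, a few lines later, a bare `exc.status_code == 403`. Inside `isinstance(exc, APIException)` the attribute is always present, so a numeric test such as `not 200 <= exc.status_code < 300` is clearer than a string-prefix check. For the stated goal of not leaking whether a resource exists, only 403 is mapped to `NotFound` here; please confirm, ideally with a test, that no other non-2xx status on a rewritten named URL can still distinguish an existing object from a missing one. The comment has a typo: "existance" should be "existence".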
Expand Down Expand Up @@ -1397,10 +1408,18 @@ def post(self, request, *args, **kwargs):
obj.credential_type.plugin.backend(**backend_kwargs)
return Response({}, status=status.HTTP_202_ACCEPTED)
except requests.exceptions.HTTPError as exc:
message = 'HTTP {}\n{}'.format(exc.response.status_code, exc.response.text)
message = 'HTTP {}'.format(exc.response.status_code)
return Response({'inputs': message}, status=status.HTTP_400_BAD_REQUEST)
except Exception as exc:
return Response({'inputs': str(exc)}, status=status.HTTP_400_BAD_REQUEST)
message = exc.__class__.__name__
args = getattr(exc, 'args', [])
for a in args:
if isinstance(
getattr(a, 'reason', None),
ConnectTimeoutError
):
message = str(a.reason)
return Response({'inputs': message}, status=status.HTTP_400_BAD_REQUEST)


class CredentialInputSourceDetail(RetrieveUpdateDestroyAPIView):
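Review bot: the generic `except Exception` branch now returns only `exc.__class__.__name__`, and nothing in the hunk logs the original exception, so an operator debugging a failed credential test has no server-side record of what went wrong. Add a `logger.exception(...)` call (or equivalent) before building the response, so the detail stays in the logs and out of the API reply. Also, `message = str(a.reason)` passes the `ConnectTimeoutError` text through verbatim; check that this string carries nothing beyond the host the user already supplied, and `break` out of the loop once a match is found.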
Expand Down Expand Up @@ -1449,10 +1468,18 @@ def post(self, request, *args, **kwargs):
obj.plugin.backend(**backend_kwargs)
return Response({}, status=status.HTTP_202_ACCEPTED)
except requests.exceptions.HTTPError as exc:
message = 'HTTP {}\n{}'.format(exc.response.status_code, exc.response.text)
message = 'HTTP {}'.format(exc.response.status_code)
return Response({'inputs': message}, status=status.HTTP_400_BAD_REQUEST)
except Exception as exc:
return Response({'inputs': str(exc)}, status=status.HTTP_400_BAD_REQUEST)
message = exc.__class__.__name__
args = getattr(exc, 'args', [])
for a in args:
if isinstance(
getattr(a, 'reason', None),
ConnectTimeoutError
):
message = str(a.reason)
return Response({'inputs': message}, status=status.HTTP_400_BAD_REQUEST)


class HostRelatedSearchMixin(object):
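Review bot: this `except` block is a line-for-line copy of the one added to the other `post()` earlier in the file (same `'HTTP {}'` message, same `ConnectTimeoutError` loop). Two copies of error-redaction logic tend to drift, and a later fix applied to only one of them would reopen the disclosure on the other endpoint. Move the logic into one helper that both views call, and cover it with a test asserting that the response body never contains `exc.response.text`.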
7 changes: 5 additions & 2 deletions awx/main/access.py
Expand Up @@ -2479,13 +2479,16 @@ def can_delete(self, obj):

class LabelAccess(BaseAccess):
'''
I can see/use a Label if I have permission to associated organization
I can see/use a Label if I have permission to associated organization, or to a JT that the label is on
'''
model = Label
prefetch_related = ('modified_by', 'created_by', 'organization',)

def filtered_queryset(self):
return self.model.objects.all()
return self.model.objects.filter(
Q(organization__in=Organization.accessible_pk_qs(self.user, 'read_role')) |
Q(unifiedjobtemplate_labels__in=UnifiedJobTemplate.accessible_pk_qs(self.user, 'read_role'))
)

@check_superuser
def can_add(self, data):
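Review bot: `filtered_queryset` now ORs an organization filter with a filter across the `unifiedjobtemplate_labels` relation, and the query has no `.distinct()`. A label attached to several job templates the user can read can come back once per matching template, which shows up as duplicate rows and wrong counts in list views. Append `.distinct()`, and add a test for a user who has a role on a job template but none on the label's organization, plus the negative case (no role on either), since that is the exposure this change closes.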
6 changes: 4 additions & 2 deletions awx/main/conf.py
Expand Up @@ -458,7 +458,8 @@ def _load_default_license_from_file():
required=False,
allow_blank=True,
label=_('Primary Galaxy Server Username'),
help_text=_('For using a galaxy server at higher precedence than the public Ansible Galaxy. '
help_text=_('(This setting is deprecated and will be removed in a future release) '
'For using a galaxy server at higher precedence than the public Ansible Galaxy. '
'The username to use for basic authentication against the Galaxy instance, '
'this is mutually exclusive with PRIMARY_GALAXY_TOKEN.'),
category=_('Jobs'),
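Review bot: the deprecation sentence in the username `help_text` names neither a replacement nor the release in which the setting goes away. The text already mentions PRIMARY_GALAXY_TOKEN as mutually exclusive; say whether that is the path users should migrate to.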
Expand All @@ -472,7 +473,8 @@ def _load_default_license_from_file():
required=False,
allow_blank=True,
label=_('Primary Galaxy Server Password'),
help_text=_('For using a galaxy server at higher precedence than the public Ansible Galaxy. '
help_text=_('(This setting is deprecated and will be removed in a future release) '
'For using a galaxy server at higher precedence than the public Ansible Galaxy. '
'The password to use for basic authentication against the Galaxy instance, '
'this is mutually exclusive with PRIMARY_GALAXY_TOKEN.'),
category=_('Jobs'),
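Review bot: for the password setting the deprecation is announced only in `help_text`, which someone who set the value through the API or a settings file may never read. Consider also logging a warning when the setting is non-empty, so existing deployments learn of the removal before it happens.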
5 changes: 3 additions & 2 deletions awx/main/credential_plugins/aim.py
@@ -1,4 +1,4 @@
from .plugin import CredentialPlugin, CertFiles
from .plugin import CredentialPlugin, CertFiles, raise_for_status

from urllib.parse import quote, urlencode, urljoin

Expand Down Expand Up @@ -82,8 +82,9 @@ def aim_backend(**kwargs):
timeout=30,
cert=cert,
verify=verify,
allow_redirects=False,
)
res.raise_for_status()
raise_for_status(res)
return res.json()['Content']


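Review bot: `allow_redirects=False` in the `aim_backend` request has no comment saying why, and it is the kind of argument a later cleanup removes. A one-line comment that this call presents the client certificate (`cert=cert`) and must not follow a `Location` header to another host would protect it, as would a test that a 302 response raises instead of reaching `res.json()['Content']`.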
10 changes: 6 additions & 4 deletions awx/main/credential_plugins/conjur.py
@@ -1,4 +1,4 @@
from .plugin import CredentialPlugin, CertFiles
from .plugin import CredentialPlugin, CertFiles, raise_for_status

import base64
from urllib.parse import urljoin, quote
Expand Down Expand Up @@ -58,7 +58,8 @@ def conjur_backend(**kwargs):

auth_kwargs = {
'headers': {'Content-Type': 'text/plain'},
'data': api_key
'data': api_key,
'allow_redirects': False,
}

with CertFiles(cacert) as cert:
Expand All @@ -68,11 +69,12 @@ def conjur_backend(**kwargs):
urljoin(url, '/'.join(['authn', account, username, 'authenticate'])),
**auth_kwargs
)
resp.raise_for_status()
raise_for_status(resp)
token = base64.b64encode(resp.content).decode('utf-8')

lookup_kwargs = {
'headers': {'Authorization': 'Token token="{}"'.format(token)},
'allow_redirects': False,
}

# https://www.conjur.org/api.html#secrets-retrieve-a-secret-get
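Review bot: `'allow_redirects': False` is repeated by hand in `auth_kwargs` and `lookup_kwargs`, so the next request added to `conjur_backend` can omit it without anyone noticing. Build both dicts from one shared base, or route the calls through a small helper that always sets it, since these requests carry the API key and the `Authorization: Token` header.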
Expand All @@ -88,7 +90,7 @@ def conjur_backend(**kwargs):
with CertFiles(cacert) as cert:
lookup_kwargs['verify'] = cert
resp = requests.get(path, timeout=30, **lookup_kwargs)
resp.raise_for_status()
raise_for_status(resp)
return resp.text


16 changes: 11 additions & 5 deletions awx/main/credential_plugins/hashivault.py
Expand Up @@ -3,7 +3,7 @@
import pathlib
from urllib.parse import urljoin

from .plugin import CredentialPlugin, CertFiles
from .plugin import CredentialPlugin, CertFiles, raise_for_status

import requests
from django.utils.translation import ugettext_lazy as _
Expand Down Expand Up @@ -145,7 +145,10 @@ def kv_backend(**kwargs):
cacert = kwargs.get('cacert', None)
api_version = kwargs['api_version']

request_kwargs = {'timeout': 30}
request_kwargs = {
'timeout': 30,
'allow_redirects': False,
}

sess = requests.Session()
sess.headers['Authorization'] = 'Bearer {}'.format(token)
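Review bot: with `'allow_redirects': False` in the `kv_backend` `request_kwargs` and the `raise_for_status` helper rejecting 3xx, a Vault URL that answers with a redirect now fails where it was previously followed. That is a behaviour change for existing credentials; call it out in the release notes and make sure the resulting error tells the user the server redirected, since the `Authorization: Bearer` header on the session is the reason following it is unsafe.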
Expand Down Expand Up @@ -175,7 +178,7 @@ def kv_backend(**kwargs):
with CertFiles(cacert) as cert:
request_kwargs['verify'] = cert
response = sess.get(request_url, **request_kwargs)
response.raise_for_status()
raise_for_status(response)

json = response.json()
if api_version == 'v2':
Expand All @@ -198,7 +201,10 @@ def ssh_backend(**kwargs):
role = kwargs['role']
cacert = kwargs.get('cacert', None)

request_kwargs = {'timeout': 30}
request_kwargs = {
'timeout': 30,
'allow_redirects': False,
}

request_kwargs['json'] = {'public_key': kwargs['public_key']}
if kwargs.get('valid_principals'):
Expand All @@ -215,7 +221,7 @@ def ssh_backend(**kwargs):
request_kwargs['verify'] = cert
resp = sess.post(request_url, **request_kwargs)

resp.raise_for_status()
raise_for_status(resp)
return resp.json()['data']['signed_key']


10 changes: 10 additions & 0 deletions awx/main/credential_plugins/plugin.py
Expand Up @@ -3,9 +3,19 @@

from collections import namedtuple

from requests.exceptions import HTTPError

CredentialPlugin = namedtuple('CredentialPlugin', ['name', 'inputs', 'backend'])


def raise_for_status(resp):
resp.raise_for_status()
if resp.status_code >= 300:
exc = HTTPError()
setattr(exc, 'response', resp)
raise exc


class CertFiles():
"""
A context manager used for writing a certificate and (optional) key
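Review bot: in `raise_for_status`, the 3xx path raises a bare `HTTPError()` with no message, so `str(exc)` is empty and a caller learns the status only through `exc.response`. Pass a message and the response to the constructor, for example `HTTPError('unexpected redirect: HTTP {}'.format(resp.status_code), response=resp)`, instead of using `setattr`. The helper also needs a docstring explaining that `resp.raise_for_status()` only covers 4xx and 5xx and that this wrapper adds the `>= 300` check; sharing the method's name makes that easy to miss.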
3 changes: 3 additions & 0 deletions awx/main/management/commands/remove_from_queue.py
Expand Up @@ -32,4 +32,7 @@ def handle(self, *arg, **options):
sys.exit(1)
i = i.first()
ig.instances.remove(i)
if i.hostname in ig.policy_instance_list:
ig.policy_instance_list.remove(i.hostname)
ig.save()
print("Instance removed from instance group")
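Review bot: `ig.policy_instance_list.remove(i.hostname)` drops only the first occurrence, so a hostname listed twice stays in the policy list after this command. Filter the list instead (`[h for h in ig.policy_instance_list if h != i.hostname]`), and add a short comment on why the hostname has to leave `policy_instance_list` as well as `ig.instances`.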

0 comments on commit fcc190d
