Add new settings for customizing Galaxy auth/authZ (#1561)

fixes: #1555

CHANGES/1555.feature

@@ -0,0 +1,2 @@
+Added settings ``ANSIBLE_AUTHENTICATION_CLASSES`` and ``ANSIBLE_PERMISSION_CLASSES`` to allow for
+customizing Galaxy authentication and authorization separate from Pulp APIs.

docs/settings.rst

@@ -67,7 +67,7 @@ ANSIBLE_URL_NAMESPACE
 ^^^^^^^^^^^^^^^^^^^^^
 
    The Django URL namespace to be used when generating URLs that are returned by the galaxy
-   APIs. Setting this allows for the galaxy APIs to redirect requests to django URLs in other apps.
+   APIs. Setting this allows for the Galaxy APIs to redirect requests to django URLs in other apps.
    This defaults to the pulp ansible URL router.
 
 
@@ -76,3 +76,19 @@ ANSIBLE_COLLECT_DOWNLOAD_LOG
 
    A flag to activate collecting download logs about collections consumed. You can dump the
    collected information using ``pulpcore-manager download-log``.
+
+
+ANSIBLE_AUTHENTICATION_CLASSES
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+   A list of authentication classes to be used to authenticate requests to the Galaxy API. Defaults
+   to ``REST_FRAMEWORK__DEFAULT_AUTHENTICATION_CLASSES``. See `authentication docs
+   <https://www.django-rest-framework.org/api-guide/authentication/#api-reference>`_ for more.
+
+
+ANSIBLE_PERMISSION_CLASSES
+^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+   A list of permission classes to be used to authorize requests to the Galaxy API. Defaults to
+   ``REST_FRAMEWORK__DEFAULT_PERMISSION_CLASSES``. See `authorization docs
+   <https://www.django-rest-framework.org/api-guide/permissions/#api-reference>`_ for more.

pulp_ansible/app/galaxy/mixins.py

@@ -1,3 +1,5 @@
+from django.conf import settings
+from django.utils.module_loading import import_string
 from pulpcore.plugin.tasking import dispatch
 
 from pulp_ansible.app.tasks.collections import import_collection
@@ -25,3 +27,20 @@ def get_deferred_context(self, request):
         if "file" in request.data:
             context["filename"] = request.data["file"].name
         return context
+
+
+def perform_import(value):
+    if isinstance(value, str):
+        return import_string(value)
+    elif isinstance(value, (tuple, list)):
+        return [perform_import(v) for v in value]
+    return value
+
+
+class GalaxyAuthMixin:
+    """
+    Provides the authentication and permission classes from settings.
+    """
+
+    authentication_classes = perform_import(settings.ANSIBLE_AUTHENTICATION_CLASSES)
+    permission_classes = perform_import(settings.ANSIBLE_PERMISSION_CLASSES)

pulp_ansible/app/galaxy/v3/views.py

@@ -71,7 +71,7 @@
     CollectionVersionUploadSerializer,
 )
 
-from pulp_ansible.app.galaxy.mixins import UploadGalaxyCollectionMixin
+from pulp_ansible.app.galaxy.mixins import UploadGalaxyCollectionMixin, GalaxyAuthMixin
 from pulp_ansible.app.galaxy.v3.pagination import LimitOffsetPagination
 from pulp_ansible.app.viewsets import (
     CollectionVersionFilter,
@@ -261,6 +261,7 @@ class Meta:
 
 
 class CollectionViewSet(
+    GalaxyAuthMixin,
     ExceptionHandlerMixin,
     AnsibleDistributionMixin,
     mixins.ListModelMixin,
@@ -508,6 +509,7 @@ def urlpattern(*args, **kwargs):
 
 
 class CollectionUploadViewSet(
+    GalaxyAuthMixin,
     ExceptionHandlerMixin,
     UploadGalaxyCollectionMixin,
     SingleArtifactContentUploadViewSet,
@@ -621,7 +623,7 @@ def create(self, request, path):
         return super().create(request, distro_base_path=path)
 
 
-class CollectionArtifactDownloadView(views.APIView, AnsibleDistributionMixin):
+class CollectionArtifactDownloadView(GalaxyAuthMixin, views.APIView, AnsibleDistributionMixin):
     """Collection download endpoint."""
 
     action = "download"
@@ -745,7 +747,7 @@ def get(self, request, *args, **kwargs):
     delete=extend_schema(responses={202: AsyncOperationResponseSerializer}),
 )
 class AnsibleNamespaceViewSet(
-    ExceptionHandlerMixin, AnsibleDistributionMixin, viewsets.ModelViewSet
+    GalaxyAuthMixin, ExceptionHandlerMixin, AnsibleDistributionMixin, viewsets.ModelViewSet
 ):
     serializer_class = AnsibleNamespaceMetadataSerializer
     lookup_field = "name"
@@ -866,6 +868,7 @@ def delete(self, request, *args, **kwargs):
 
 
 class CollectionVersionViewSet(
+    GalaxyAuthMixin,
     CollectionVersionRetrieveMixin,
     ExceptionHandlerMixin,
     AnsibleDistributionMixin,
@@ -1092,6 +1095,7 @@ def list(self, request, *args, **kwargs):
 
 
 class CollectionVersionDocsViewSet(
+    GalaxyAuthMixin,
     CollectionVersionRetrieveMixin,
     ExceptionHandlerMixin,
     AnsibleDistributionMixin,
@@ -1135,6 +1139,7 @@ def retrieve(self, request, *args, **kwargs):
 
 
 class CollectionImportViewSet(
+    GalaxyAuthMixin,
     ExceptionHandlerMixin,
     mixins.RetrieveModelMixin,
     viewsets.GenericViewSet,
@@ -1184,6 +1189,7 @@ def retrieve(self, request, *args, **kwargs):
 
 
 class RepoMetadataViewSet(
+    GalaxyAuthMixin,
     ExceptionHandlerMixin,
     AnsibleDistributionMixin,
     mixins.RetrieveModelMixin,
@@ -1328,7 +1334,7 @@ def update(self, request, *args, **kwargs):
     return GeneratedRedirectView.as_view(actions, url=url)
 
 
-class ClientConfigurationView(views.APIView, AnsibleDistributionMixin):
+class ClientConfigurationView(GalaxyAuthMixin, views.APIView, AnsibleDistributionMixin):
     """Return configurations for the ansible-galaxy client."""
 
     DEFAULT_ACCESS_POLICY = _PERMISSIVE_ACCESS_POLICY

pulp_ansible/app/galaxy/v3/viewsets.py

@@ -7,6 +7,7 @@
 from pulp_ansible.app.galaxy.v3.serializers import (
     CollectionVersionSearchListSerializer,
 )
+from pulp_ansible.app.galaxy.mixins import GalaxyAuthMixin
 
 from pulpcore.plugin.util import get_url
 
@@ -61,7 +62,7 @@
         ],
     )
 )
-class CollectionVersionSearchViewSet(viewsets.ModelViewSet):
+class CollectionVersionSearchViewSet(GalaxyAuthMixin, viewsets.ModelViewSet):
     """
     A viewset for cross-repo searches.
     """

pulp_ansible/app/settings.py

@@ -28,6 +28,8 @@
 ANSIBLE_URL_NAMESPACE = ""
 ANSIBLE_COLLECT_DOWNLOAD_LOG = False
 ANSIBLE_COLLECT_DOWNLOAD_COUNT = False
+ANSIBLE_AUTHENTICATION_CLASSES = settings.REST_FRAMEWORK["DEFAULT_AUTHENTICATION_CLASSES"]
+ANSIBLE_PERMISSION_CLASSES = settings.REST_FRAMEWORK["DEFAULT_PERMISSION_CLASSES"]
 
 DRF_ACCESS_POLICY = {
     "dynaconf_merge_unique": True,