Closed
2 changes: 1 addition & 1 deletion src/aap_eda/settings/defaults.py
Expand Up @@ -193,7 +193,7 @@
# DJANGO ANSIBLE BASE RESOURCE API CLIENT
# --------------------------------------------------------

RESOURCE_SERVER__URL: Optional[str] = "https://localhost"
RESOURCE_SERVER__URL: Optional[str] = None

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== SyncCerts implementation (URL usage) =="
fd 'sync_certs.py$' --exec sed -n '1,260p' {}

echo
echo "== SyncCerts instantiations with context =="
rg -nP --type=py -C4 '\bSyncCerts\s*\('

echo
echo "== RESOURCE_SERVER URL guards with context =="
rg -nP --type=py -C3 'RESOURCE_SERVER\["URL"\]'

echo
echo "== URL composition sites that can fail on None =="
rg -nP --type=py -C3 'urljoin\s*\(\s*self\.gateway_url\s*,|f"\{settings\.RESOURCE_SERVER\["URL"\]'

Repository: ansible/eda-server

Length of output: 18410


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Finding gw_handler signal registration =="
rg -nP --type=py 'gw_handler|post_save.*EdaCredential' -B2 -A2

echo
echo "== All SyncCertificates instantiations in production code =="
rg -nP --type=py 'SyncCertificates\s*\(' --glob='!test*.py' --glob='!*/tests/*' -B3 -A1

echo
echo "== Checking RESOURCE_SERVER["URL"] guards in production =="
rg -nP --type=py 'if.*RESOURCE_SERVER\["URL"\]|RESOURCE_SERVER\["URL"\]\s*and' --glob='!test*.py' --glob='!*/tests/*' -B2 -A2

Repository: ansible/eda-server

Length of output: 7725


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Full gw_handler implementation =="
sed -n '286,320p' src/aap_eda/services/sync_certs.py

echo
echo "== event_stream.py instantiation context =="
sed -n '355,375p' src/aap_eda/api/views/event_stream.py

echo
echo "== Checking if RESOURCE_SERVER["URL"] is checked anywhere before signal handler calls =="
rg -nP --type=py 'if.*RESOURCE_SERVER' --glob='!test*.py' --glob='!*/tests/*' -B1 -A1

Repository: ansible/eda-server

Length of output: 2618


Both SyncCertificates call paths lack guards for None URL and will fail at runtime

With RESOURCE_SERVER__URL now defaulting to None, the signal handler in gw_handler() (line 302 of sync_certs.py) and the API view in event_stream.py (line 363) will both instantiate SyncCertificates without checking whether settings.RESOURCE_SERVER["URL"] is set. Line 42 assigns directly: self.gateway_url: str = settings.RESOURCE_SERVER["URL"], and later calls like urljoin(self.gateway_url, slug) (lines 125, 133, 227, 241) will raise TypeError when gateway_url is None.

Add a guard in both call sites to skip sync when settings.RESOURCE_SERVER.get("URL") is falsy, or add a check in SyncCertificates.__init__ to raise a clearer error.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@src/aap_eda/settings/defaults.py` at line 196, The signal handler gw_handler
and the event_stream API view instantiate SyncCertificates without guarding
against settings.RESOURCE_SERVER["URL"] being None; either add early guards in
those call sites to skip creating SyncCertificates when
settings.RESOURCE_SERVER.get("URL") is falsy (i.e., return/skip sync) or add a
defensive check in SyncCertificates.__init__ that validates
settings.RESOURCE_SERVER.get("URL") and raises a clear ValueError. Update
gw_handler (sync_certs.py) and the event_stream view (event_stream.py) to check
settings.RESOURCE_SERVER.get("URL") before calling SyncCertificates, or
implement the check inside SyncCertificates.__init__ (and adjust call sites to
handle the exception) so urljoin(self.gateway_url, ...) cannot receive None.

RESOURCE_SERVER__SECRET_KEY: Optional[str] = ""
RESOURCE_SERVER__VALIDATE_HTTPS: bool = False
RESOURCE_JWT_USER_ID: Optional[str] = None
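
Review bot: The new None default on RESOURCE_SERVER__URL carries no comment saying what an unset URL means, and the neighbouring RESOURCE_SERVER__SECRET_KEY still uses "" as its unset value, so two settings in the same block now signal "not configured" in different ways. Add a one-line comment above RESOURCE_SERVER__URL stating that None means no resource server is configured and that consumers must check for it, and either align RESOURCE_SERVER__SECRET_KEY with it or document why it differs. RESOURCE_SERVER__VALIDATE_HTTPS still defaults to False in the context lines, so a deployment that now has to set the URL explicitly should be pointed at that flag in the same comment.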
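
The two remedies named in the review comment above (a guard at the call site, or a check in the constructor), as an added example that is not code from this pull request or from eda-server. `CertSyncClient`, `validated_gateway_url`, `sync_if_configured`, the plain dict standing in for `settings.RESOURCE_SERVER`, and the sample slug and host are all hypothetical.

```python
from typing import Optional
from urllib.parse import urljoin, urlsplit

SAMPLE_SLUG = "api/v1/certs/"  # constructed slug, not a real project path


class ResourceServerNotConfigured(ValueError):
    """The resource server URL is unset or is not an absolute http(s) URL."""


def unguarded_endpoint(base: Optional[str], slug: str) -> str:
    # urljoin() does not reject an empty or None base: it returns the
    # relative part unchanged, so the caller gets a relative URL back
    # instead of an exception. The check therefore has to be explicit.
    return urljoin(base, slug)


def validated_gateway_url(resource_server: dict) -> str:
    """Fail fast with a clear error before any URL is composed."""
    url = resource_server.get("URL")
    if not url:
        raise ResourceServerNotConfigured("RESOURCE_SERVER URL is not set")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ResourceServerNotConfigured(f"not an absolute http(s) URL: {url!r}")
    return url


class CertSyncClient:
    """Hypothetical stand-in for a class that joins slugs onto the gateway URL."""

    def __init__(self, resource_server: dict) -> None:
        self.gateway_url: str = validated_gateway_url(resource_server)

    def endpoint(self, slug: str) -> str:
        return urljoin(self.gateway_url, slug)


def sync_if_configured(resource_server: dict, slug: str) -> Optional[str]:
    """Call-site guard: skip the sync (None) when no URL is configured."""
    if not resource_server.get("URL"):
        return None
    return CertSyncClient(resource_server).endpoint(slug)
```
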