Remove FEATURE_POLICY_AS_CODE_ENABLED flag (ansible#16006)

* remove FEATURE_POLICY_AS_CODE_ENABLED flag

* rename to OpaQueryPathMixin

* add OpaQueryPath docs to awx collection

* bypass test for awx collection

Author: jerabekjiri

awx/api/serializers.py

@@ -46,9 +46,6 @@
 from ansible_base.rbac.models import RoleEvaluation, ObjectRole
 from ansible_base.rbac import permission_registry
 
-# django-flags
-from flags.state import flag_enabled
-
 # AWX
 from awx.main.access import get_user_capabilities
 from awx.main.constants import ACTIVE_STATES, org_role_to_permission
@@ -737,13 +734,10 @@ class EmptySerializer(serializers.Serializer):
     pass
 
 
-class OpaQueryPathEnabledMixin(serializers.Serializer):
+class OpaQueryPathMixin(serializers.Serializer):
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
 
-        if not flag_enabled("FEATURE_POLICY_AS_CODE_ENABLED") and 'opa_query_path' in self.fields:
-            self.fields.pop('opa_query_path')
-
     def validate_opa_query_path(self, value):
         # Decode the URL and re-encode it
         decoded_value = urllib.parse.unquote(value)
@@ -755,7 +749,7 @@ def validate_opa_query_path(self, value):
         return value
 
 
-class UnifiedJobTemplateSerializer(BaseSerializer, OpaQueryPathEnabledMixin):
+class UnifiedJobTemplateSerializer(BaseSerializer, OpaQueryPathMixin):
     # As a base serializer, the capabilities prefetch is not used directly,
     # instead they are derived from the Workflow Job Template Serializer and the Job Template Serializer, respectively.
     capabilities_prefetch = []
@@ -1188,7 +1182,7 @@ class Meta:
         fields = ('*', '-is_system_auditor')
 
 
-class OrganizationSerializer(BaseSerializer, OpaQueryPathEnabledMixin):
+class OrganizationSerializer(BaseSerializer, OpaQueryPathMixin):
     show_capabilities = ['edit', 'delete']
 
     class Meta:
@@ -1547,7 +1541,7 @@ def get_summary_fields(self, obj):
         return res
 
 
-class InventorySerializer(LabelsListMixin, BaseSerializerWithVariables, OpaQueryPathEnabledMixin):
+class InventorySerializer(LabelsListMixin, BaseSerializerWithVariables, OpaQueryPathMixin):
     show_capabilities = ['edit', 'delete', 'adhoc', 'copy']
     capabilities_prefetch = ['admin', 'adhoc', {'copy': 'organization.inventory_admin'}]
 

awx/main/conf.py

@@ -4,7 +4,6 @@
 # Django
 from django.core.checks import Error
 from django.utils.translation import gettext_lazy as _
-from django.conf import settings
 
 # Django REST Framework
 from rest_framework import serializers
@@ -975,123 +974,122 @@ def csrf_trusted_origins_validate(serializer, attrs):
 register_validate('system', csrf_trusted_origins_validate)
 
 
-if settings.FEATURE_POLICY_AS_CODE_ENABLED:  # Unable to use flag_enabled due to AppRegistryNotReady error
-    register(
-        'OPA_HOST',
-        field_class=fields.CharField,
-        label=_('OPA server hostname'),
-        default='',
-        help_text=_('The hostname used to connect to the OPA server. If empty, policy enforcement will be disabled.'),
-        category=('PolicyAsCode'),
-        category_slug='policyascode',
-        allow_blank=True,
-    )
-
-    register(
-        'OPA_PORT',
-        field_class=fields.IntegerField,
-        label=_('OPA server port'),
-        default=8181,
-        help_text=_('The port used to connect to the OPA server. Defaults to 8181.'),
-        category=('PolicyAsCode'),
-        category_slug='policyascode',
-    )
-
-    register(
-        'OPA_SSL',
-        field_class=fields.BooleanField,
-        label=_('Use SSL for OPA connection'),
-        default=False,
-        help_text=_('Enable or disable the use of SSL to connect to the OPA server. Defaults to false.'),
-        category=('PolicyAsCode'),
-        category_slug='policyascode',
-    )
-
-    register(
-        'OPA_AUTH_TYPE',
-        field_class=fields.ChoiceField,
-        label=_('OPA authentication type'),
-        choices=[OPA_AUTH_TYPES.NONE, OPA_AUTH_TYPES.TOKEN, OPA_AUTH_TYPES.CERTIFICATE],
-        default=OPA_AUTH_TYPES.NONE,
-        help_text=_('The authentication type that will be used to connect to the OPA server: "None", "Token", or "Certificate".'),
-        category=('PolicyAsCode'),
-        category_slug='policyascode',
-    )
-
-    register(
-        'OPA_AUTH_TOKEN',
-        field_class=fields.CharField,
-        label=_('OPA authentication token'),
-        default='',
-        help_text=_(
-            'The token for authentication to the OPA server. Required when OPA_AUTH_TYPE is "Token". If an authorization header is defined in OPA_AUTH_CUSTOM_HEADERS, it will be overridden by OPA_AUTH_TOKEN.'
-        ),
-        category=('PolicyAsCode'),
-        category_slug='policyascode',
-        allow_blank=True,
-        encrypted=True,
-    )
-
-    register(
-        'OPA_AUTH_CLIENT_CERT',
-        field_class=fields.CharField,
-        label=_('OPA client certificate content'),
-        default='',
-        help_text=_('The content of the client certificate file for mTLS authentication to the OPA server. Required when OPA_AUTH_TYPE is "Certificate".'),
-        category=('PolicyAsCode'),
-        category_slug='policyascode',
-        allow_blank=True,
-    )
-
-    register(
-        'OPA_AUTH_CLIENT_KEY',
-        field_class=fields.CharField,
-        label=_('OPA client key content'),
-        default='',
-        help_text=_('The content of the client key for mTLS authentication to the OPA server. Required when OPA_AUTH_TYPE is "Certificate".'),
-        category=('PolicyAsCode'),
-        category_slug='policyascode',
-        allow_blank=True,
-        encrypted=True,
-    )
-
-    register(
-        'OPA_AUTH_CA_CERT',
-        field_class=fields.CharField,
-        label=_('OPA CA certificate content'),
-        default='',
-        help_text=_('The content of the CA certificate for mTLS authentication to the OPA server. Required when OPA_AUTH_TYPE is "Certificate".'),
-        category=('PolicyAsCode'),
-        category_slug='policyascode',
-        allow_blank=True,
-    )
-
-    register(
-        'OPA_AUTH_CUSTOM_HEADERS',
-        field_class=fields.DictField,
-        label=_('OPA custom authentication headers'),
-        default={},
-        help_text=_('Optional custom headers included in requests to the OPA server. Defaults to empty dictionary ({}).'),
-        category=('PolicyAsCode'),
-        category_slug='policyascode',
-    )
-
-    register(
-        'OPA_REQUEST_TIMEOUT',
-        field_class=fields.FloatField,
-        label=_('OPA request timeout'),
-        default=1.5,
-        help_text=_('The number of seconds after which the connection to the OPA server will time out. Defaults to 1.5 seconds.'),
-        category=('PolicyAsCode'),
-        category_slug='policyascode',
-    )
-
-    register(
-        'OPA_REQUEST_RETRIES',
-        field_class=fields.IntegerField,
-        label=_('OPA request retry count'),
-        default=2,
-        help_text=_('The number of retry attempts for connecting to the OPA server. Default is 2.'),
-        category=('PolicyAsCode'),
-        category_slug='policyascode',
-    )
+register(
+    'OPA_HOST',
+    field_class=fields.CharField,
+    label=_('OPA server hostname'),
+    default='',
+    help_text=_('The hostname used to connect to the OPA server. If empty, policy enforcement will be disabled.'),
+    category=('PolicyAsCode'),
+    category_slug='policyascode',
+    allow_blank=True,
+)
+
+register(
+    'OPA_PORT',
+    field_class=fields.IntegerField,
+    label=_('OPA server port'),
+    default=8181,
+    help_text=_('The port used to connect to the OPA server. Defaults to 8181.'),
+    category=('PolicyAsCode'),
+    category_slug='policyascode',
+)
+
+register(
+    'OPA_SSL',
+    field_class=fields.BooleanField,
+    label=_('Use SSL for OPA connection'),
+    default=False,
+    help_text=_('Enable or disable the use of SSL to connect to the OPA server. Defaults to false.'),
+    category=('PolicyAsCode'),
+    category_slug='policyascode',
+)
+
+register(
+    'OPA_AUTH_TYPE',
+    field_class=fields.ChoiceField,
+    label=_('OPA authentication type'),
+    choices=[OPA_AUTH_TYPES.NONE, OPA_AUTH_TYPES.TOKEN, OPA_AUTH_TYPES.CERTIFICATE],
+    default=OPA_AUTH_TYPES.NONE,
+    help_text=_('The authentication type that will be used to connect to the OPA server: "None", "Token", or "Certificate".'),
+    category=('PolicyAsCode'),
+    category_slug='policyascode',
+)
+
+register(
+    'OPA_AUTH_TOKEN',
+    field_class=fields.CharField,
+    label=_('OPA authentication token'),
+    default='',
+    help_text=_(
+        'The token for authentication to the OPA server. Required when OPA_AUTH_TYPE is "Token". If an authorization header is defined in OPA_AUTH_CUSTOM_HEADERS, it will be overridden by OPA_AUTH_TOKEN.'
+    ),
+    category=('PolicyAsCode'),
+    category_slug='policyascode',
+    allow_blank=True,
+    encrypted=True,
+)
+
+register(
+    'OPA_AUTH_CLIENT_CERT',
+    field_class=fields.CharField,
+    label=_('OPA client certificate content'),
+    default='',
+    help_text=_('The content of the client certificate file for mTLS authentication to the OPA server. Required when OPA_AUTH_TYPE is "Certificate".'),
+    category=('PolicyAsCode'),
+    category_slug='policyascode',
+    allow_blank=True,
+)
+
+register(
+    'OPA_AUTH_CLIENT_KEY',
+    field_class=fields.CharField,
+    label=_('OPA client key content'),
+    default='',
+    help_text=_('The content of the client key for mTLS authentication to the OPA server. Required when OPA_AUTH_TYPE is "Certificate".'),
+    category=('PolicyAsCode'),
+    category_slug='policyascode',
+    allow_blank=True,
+    encrypted=True,
+)
+
+register(
+    'OPA_AUTH_CA_CERT',
+    field_class=fields.CharField,
+    label=_('OPA CA certificate content'),
+    default='',
+    help_text=_('The content of the CA certificate for mTLS authentication to the OPA server. Required when OPA_AUTH_TYPE is "Certificate".'),
+    category=('PolicyAsCode'),
+    category_slug='policyascode',
+    allow_blank=True,
+)
+
+register(
+    'OPA_AUTH_CUSTOM_HEADERS',
+    field_class=fields.DictField,
+    label=_('OPA custom authentication headers'),
+    default={},
+    help_text=_('Optional custom headers included in requests to the OPA server. Defaults to empty dictionary ({}).'),
+    category=('PolicyAsCode'),
+    category_slug='policyascode',
+)
+
+register(
+    'OPA_REQUEST_TIMEOUT',
+    field_class=fields.FloatField,
+    label=_('OPA request timeout'),
+    default=1.5,
+    help_text=_('The number of seconds after which the connection to the OPA server will time out. Defaults to 1.5 seconds.'),
+    category=('PolicyAsCode'),
+    category_slug='policyascode',
+)
+
+register(
+    'OPA_REQUEST_RETRIES',
+    field_class=fields.IntegerField,
+    label=_('OPA request retry count'),
+    default=2,
+    help_text=_('The number of retry attempts for connecting to the OPA server. Default is 2.'),
+    category=('PolicyAsCode'),
+    category_slug='policyascode',
+)

awx/main/tasks/policy.py

@@ -8,7 +8,6 @@
 
 from django.conf import settings
 from django.utils.translation import gettext_lazy as _
-from flags.state import flag_enabled
 from opa_client import OpaClient
 from opa_client.base import BaseClient
 from requests import HTTPError
@@ -364,9 +363,6 @@ def opa_client(headers=None):
 
 def evaluate_policy(instance):
     # Policy evaluation for Policy as Code feature
-    if not flag_enabled("FEATURE_POLICY_AS_CODE_ENABLED"):
-        return
-
     if not settings.OPA_HOST:
         return
 

awx/main/tests/functional/test_policy.py

@@ -36,11 +36,9 @@ def _parse_exception_message(exception: PolicyEvaluationError):
 
 
 @pytest.fixture(autouse=True)
-def enable_flag():
+def setup_opa_settings():
     with override_settings(
         OPA_HOST='opa.example.com',
-        FLAGS={"FEATURE_POLICY_AS_CODE_ENABLED": [("boolean", True)]},
-        FLAG_SOURCES=('flags.sources.SettingsFlagsSource',),
     ):
         yield
 

awx/settings/defaults.py

@@ -1092,10 +1092,6 @@
 # Older records will be cleaned up
 INDIRECT_HOST_AUDIT_RECORD_MAX_AGE_DAYS = 7
 
-
-# setting for Policy as Code feature
-FEATURE_POLICY_AS_CODE_ENABLED = False
-
 OPA_HOST = ''  # The hostname used to connect to the OPA server. If empty, policy enforcement will be disabled.
 OPA_PORT = 8181  # The port used to connect to the OPA server. Defaults to 8181.
 OPA_SSL = False  # Enable or disable the use of SSL to connect to the OPA server. Defaults to false.
@@ -1113,7 +1109,6 @@
 FLAG_SOURCES = ('flags.sources.SettingsFlagsSource',)
 FLAGS = {
     'FEATURE_INDIRECT_NODE_COUNTING_ENABLED': [{'condition': 'boolean', 'value': False}],
-    'FEATURE_POLICY_AS_CODE_ENABLED': [{'condition': 'boolean', 'value': False}],
     'FEATURE_DISPATCHERD_ENABLED': [{'condition': 'boolean', 'value': False}],
 }
 

awx_collection/test/awx/test_completeness.py

@@ -93,6 +93,9 @@
 needs_param_development = {
     'host': ['instance_id'],
     'workflow_approval': ['description', 'execution_environment'],
+    'inventory': ['opa_query_path'],
+    'job_template': ['opa_query_path'],
+    'organization': ['opa_query_path'],
 }
 # -----------------------------------------------------------------------------------------------------------