feat: 38589 GitHub App Authentication (ansible#15807)

* feat: 38589 GitHub App Authentication

Allows both git@<personal-token> and x-access-token@<github-access-token> when authenticating using git.
This allows GitHub App tokens to work without interfering with existing authentication types.

---------

Co-authored-by: Jake Jackson <[email protected]>

Author: arrestle

awx/main/tests/unit/utils/test_common.py

@@ -240,15 +240,23 @@ def test_extract_ansible_vars():
         ('git', 'https://example.com/bar.git', 'user', 'pw', True, False, 'https://user:[email protected]/bar.git'),
         ('git', 'https://[email protected]/bar.git', False, 'something', True, False, 'https://example.com/bar.git'),
         # Special github/bitbucket cases
-        ('git', '[email protected]:ansible/awx.git', True, True, True, False, ValueError('Username must be "git" for SSH access to github.com.')),
+        (
+            'git',
+            '[email protected]:ansible/awx.git',
+            True,
+            True,
+            True,
+            False,
+            ValueError('Username must be "git" or "x-access-token" (for github app) for SSH access to github.com.'),
+        ),
         (
             'git',
             '[email protected]:does-not-exist/example.git',
             True,
             True,
             True,
             False,
-            ValueError('Username must be "git" for SSH access to bitbucket.org.'),
+            ValueError('Username must be "git" or "x-access-token" (for github app) for SSH access to bitbucket.org.'),
         ),
         (
             'git',
@@ -257,7 +265,7 @@ def test_extract_ansible_vars():
             True,
             True,
             False,
-            ValueError('Username must be "git" for SSH access to altssh.bitbucket.org.'),
+            ValueError('Username must be "git" or "x-access-token" (for github app) for SSH access to altssh.bitbucket.org.'),
         ),
         ('git', 'git:[email protected]:ansible/awx.git', True, True, True, False, 'git+ssh://[email protected]/ansible/awx.git'),
         # Disabling the special handling should not raise an error

awx/main/utils/common.py

@@ -329,12 +329,19 @@ def update_scm_url(scm_type, url, username=True, password=True, check_special_ca
 
     # Special handling for github/bitbucket SSH URLs.
     if check_special_cases:
-        special_git_hosts = ('github.com', 'bitbucket.org', 'altssh.bitbucket.org')
-        if scm_type == 'git' and parts.scheme.endswith('ssh') and parts.hostname in special_git_hosts and netloc_username != 'git':
-            raise ValueError(_('Username must be "git" for SSH access to %s.') % parts.hostname)
-        if scm_type == 'git' and parts.scheme.endswith('ssh') and parts.hostname in special_git_hosts and netloc_password:
-            # raise ValueError('Password not allowed for SSH access to %s.' % parts.hostname)
-            netloc_password = ''
+        special_hosts = ('github.com', 'bitbucket.org', 'altssh.bitbucket.org')
+        allowed_git_usernames = {'git', 'x-access-token'}
+
+        if scm_type == 'git' and parts.scheme.endswith('ssh'):
+            is_github_host = parts.hostname in special_hosts or parts.hostname.endswith('.github.com')
+            is_bitbucket_host = parts.hostname in special_hosts or parts.hostname.endswith('.bitbucket.com') or 'bitbucket' in parts.hostname
+
+            if is_github_host and netloc_username not in allowed_git_usernames:
+                raise ValueError(_('Username must be "git" or "x-access-token" (for github app) for SSH access to %s.') % parts.hostname)
+
+            if (is_github_host or is_bitbucket_host) and netloc_password:
+                # raise ValueError('Password not allowed for SSH access to %s.' % parts.hostname)
+                netloc_password = ''
 
     if netloc_username and parts.scheme != 'file' and scm_type not in ("insights", "archive"):
         netloc = u':'.join([urllib.parse.quote(x, safe='') for x in (netloc_username, netloc_password) if x])

requirements/requirements.in

@@ -1,3 +1,4 @@
+
 aiohttp>=3.9.4 # CVE-2024-30251
 ansi2html  # Used to format the stdout from jobs into html for display
 asciichartpy

requirements/requirements.txt

@@ -527,5 +527,4 @@ setuptools==70.3.0
     #   incremental
     #   setuptools-rust
     #   setuptools-scm
-    #   zope-interface
-
+    #   zope-interface

requirements/requirements_git.txt

@@ -3,4 +3,4 @@ git+https://github.com/ansible/system-certifi.git@devel#egg=certifi
 git+https://github.com/ansible/ansible-runner.git@devel#egg=ansible-runner
 django-ansible-base @ git+https://github.com/ansible/django-ansible-base@devel#egg=django-ansible-base[rest-filters,jwt_consumer,resource-registry,rbac,feature-flags]
 awx-plugins-core @ git+https://github.com/ansible/awx-plugins.git@devel#egg=awx-plugins-core
-awx_plugins.interfaces @ git+https://github.com/ansible/awx_plugins.interfaces.git
+awx_plugins.interfaces @ git+https://github.com/ansible/awx_plugins.interfaces.git