Missing error handler in ApiV2AttachView

[cjeanner]

Please confirm the following

• I agree to follow this project's code of conduct.
• I have checked the current issues for duplicates.
• I understand that AWX is open source software provided for free and that I might not receive a timely response.
• I am NOT reporting a (potential) security vulnerability. (These should be emailed to [email protected] instead.)

Bug Summary

Hello,

When trying to attach a subscription using cURL, the API returns a 500 error due to a missing check (see bellow).

After some digging, it seems the culprit is nested in awx/api/views/root.py in ApiV2AttachView method, especially this block:

if pool_id and user and pw:
  data = request.data.copy()
  try:
    with set_environ(**settings.AWX_TASK_ENV):
    validated = get_licenser().validate_rh(user, pw)
[...]
for sub in validated:
  if sub['pool_id'] == pool_id:
    sub['valid_key'] = True
    settings.LICENSE = sub
    return Response(sub)

I'd expect to get an proper handling in case either user or pw aren't properly set (the code is looking into the ENV for that, maybe it should check if we didn't nudge it in the settings mapping instead? That's another story)

Adding a else block with proper error raising would ensure we're not facing that 500 error while, maybe, providing the needed bits to ensure user and password are properly set in order to get the subscription?

Cheers,

C.

Reported error from the controller-web logs:

2024-12-11 14:40:21,480 ERROR    [4fc068319bcf44d69dff4b0b184895b2] django.request Internal Server Error: /api/controller/v2/config/attach/
Traceback (most recent call last):
File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/django/core/handlers/exception.py", line 55, in inner
response = get_response(request)
^^^^^^^^^^^^^^^^^^^^^
File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/django/core/handlers/base.py", line 197, in _get_response
response = wrapped_callback(request, *callback_args, **callback_kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib64/python3.11/contextlib.py", line 81, in inner
return func(*args, **kwds)
^^^^^^^^^^^^^^^^^^^
File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/django/views/decorators/csrf.py", line 56, in wrapper_view
return view_func(*args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/django/views/generic/base.py", line 104, in view
return self.dispatch(request, *args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/awx/api/generics.py", line 373, in dispatch
return super(APIView, self).dispatch(request, *args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/rest_framework/views.py", line 509, in dispatch                                                                                 response = self.handle_exception(exc)
^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/rest_framework/views.py", line 469, in handle_exception                                                                         self.raise_uncaught_exception(exc)
File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/rest_framework/views.py", line 480, in raise_uncaught_exception
raise exc
File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/rest_framework/views.py", line 506, in dispatch                                                                                 response = handler(request, *args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/awx/api/views/root.py", line 259, in post                                                                                       for sub in validated:
^^^^^^^^^
UnboundLocalError: cannot access local variable 'validated' where it is not associated with a value

AWX version

stable-2.5

Select the relevant components

• UI
• UI (tech preview)
• API
• Docs
• Collection
• CLI
• Other

Installation method

kubernetes

Modifications

no

Ansible version

No response

Operating system

No response

Web browser

No response

Steps to reproduce

1. Deploy AAP Controller
2. Create an Automation Platform (either via the UI, or via CRs)
3. Try to attach a subscription using the API instead of the UI:

export AWXKIT_API_BASE_PATH='/api/controller/'
POOL_ID=<my pool ID>
PASSWORD=$(oc -n aap get secret infra-gitops-admin-password -o jsonpath='{.data.password}' | base64 -d)
TOKEN=$(awx login --conf.host https://infra-gitops-aap.apps-crc.testing --conf.username admin --conf.password $PASSWORD -k | jq -r '.token')
awx --conf.host https://infra-gitops-aap.apps-crc.testing --conf.token ${TOKEN} -k settings modify REDHAT_USERNAME 'rhsm_username'
awx --conf.host https://infra-gitops-aap.apps-crc.testing --conf.token ${TOKEN} -k settings modify REDHAT_PASSWORD 'rhsm_password'
curl -XPOST -H "Authorization: Bearer ${TOKEN}" -k \
https://infra-gitops-aap.apps-crc.testing${AWXKIT_API_BASE_PATH}/v2/config/attach/ --json '{"pool_id": "'${POOL_ID}'"}'

Expected results

It should either properly find the credentials, or at least fails with a proper error, not a generic 500 due to uncaught condition

Actual results

It fails with a 500 error, meaning we have to get logs and find out the actually issue by comparing the code.

Additional information

I've deployed a single replicas onto a CRC (OpenShift Local) instance to do some testings.

[cjeanner]

Small addition:

• as said, I'm setting REDHAT_USERNAME and REDHAT_PASSWORD beforehand using awx settings modify
• apparently the endpoint is looking for another setting name: SUBSCRIPTIONS_USERNAME and SUBSCRIPTIONS_PASSWORD

If I set those two, it seems to work. Thing is, I saw mention of "migrating" one name to the other:

conf/migrations/_subscriptions.py:    _migrate_setting(apps, 'REDHAT_USERNAME', 'SUBSCRIPTIONS_USERNAME', encrypted=False)
conf/migrations/_subscriptions.py:    _migrate_setting(apps, 'REDHAT_PASSWORD', 'SUBSCRIPTIONS_PASSWORD', encrypted=True)

Maybe there's a need to raise a deprecation warning whenever we set the REDHAT_* parameters?