Skip to content

Restore oauth_token backward compatibility for collection token auth#16500

Merged
TheRealHaoLiu merged 3 commits into
ansible:develfrom
TheRealHaoLiu:token-auth-46-compat
Jun 12, 2026
Merged

Restore oauth_token backward compatibility for collection token auth#16500
TheRealHaoLiu merged 3 commits into
ansible:develfrom
TheRealHaoLiu:token-auth-46-compat

Conversation

@TheRealHaoLiu

@TheRealHaoLiu TheRealHaoLiu commented Jun 12, 2026
edited by coderabbitai Bot
Loading

Copy link
Copy Markdown
Member
SUMMARY

Follow-up to #16498. The aap_token rename restored module-level token auth, but two interfaces from earlier collection releases remained broken:

  1. Lookup/inventory plugin option oauth_token — earlier collection releases declared an option literally named oauth_token (its only spelling) in the auth_plugin doc fragment, used by the controller_api lookup (query(..., oauth_token=...)) and the controller inventory plugin (oauth_token: key in inventory YAML). The renamed option only carried the controller_oauthtoken/tower_oauthtoken aliases, so existing lookup/inventory usage failed with an invalid-option error. oauth_token is now an alias of aap_token in the doc fragment.

  2. Legacy oauth_token key in tower_cli.cfg-style config filesshort_params previously mapped the oauth_token ini key under [general]; after the rename it was silently ignored, quietly degrading auth (the same failure mode Make aap_token functional for collection token auth #16498 fixed). load_config() now also reads the legacy oauth_token key and maps it to aap_token, with the new aap_token key winning when both are present. aap_token remains the canonical attribute consumed by _parse_aap_token() and the Bearer-header logic.

Note on scope: oauth_token is also added to the aap_token aliases in AUTH_ARGSPEC (and documented in the module auth doc fragment). Unlike the two items above this is not a restoration — modules historically used controller_oauthtoken/tower_oauthtoken (both already aliased) — it just keeps the module and plugin option surfaces consistent. Happy to drop that hunk if reviewers prefer the strictly-compat scope.

Also makes the test helper compatible with ansible-core 2.21+, which requires a serialization profile alongside _ANSIBLE_ARGS — without this, the tests added in #16498 fail on 2.21.

No changelog fragment: awx_collection/changelogs/ does not exist on devel.

ISSUE TYPE
  • Bug, Docs Fix or other nominal change
COMPONENT NAME
  • Collection
AWX VERSION

devel

ADDITIONAL INFORMATION

Behavior verified against the pre-rename collection sources (awx_collection/plugins/doc_fragments/auth_plugin.py declared oauth_token; module_utils/controller_api.py had 'oauth_token': 'controller_oauthtoken' in short_params with config_name = 'tower_cli.cfg').

Tested with pytest awx_collection/test/awx/test_token_auth.py in the awx_devel image (ansible-core 2.21.0): 10 passed — the 6 pre-existing canonical aap_token cases (string and dict inputs) plus 4 new/extended compat cases (oauth_token alias on modules and lookup, legacy config-file key, aap_token precedence over the legacy key).

🤖 Generated with Claude Code

Summary by CodeRabbit

  • New Features

    • Recognizes the legacy token name "oauth_token" as an alias for the current authentication token and maps legacy entries to the current parameter for backward compatibility.

  • Documentation

    • Updated docs to list "oauth_token" alongside existing token aliases.

  • Tests

    • Expanded tests covering legacy alias handling, config-file compatibility, and precedence when both legacy and current tokens are present.

@github-actions github-actions Bot added the component:awx_collection issues related to the collection for controlling AWX label Jun 12, 2026
@coderabbitai

coderabbitai Bot commented Jun 12, 2026
edited
Loading

Copy link
Copy Markdown

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 71a0fede-c267-42f4-95ce-db9e51dec9ef

📥 Commits

Reviewing files that changed from the base of the PR and between ae8cd3c and 7207bcb.

📒 Files selected for processing (4)
  • awx_collection/plugins/doc_fragments/auth.py
  • awx_collection/plugins/doc_fragments/auth_plugin.py
  • awx_collection/plugins/module_utils/controller_api.py
  • awx_collection/test/awx/test_token_auth.py
✅ Files skipped from review due to trivial changes (2)
  • awx_collection/plugins/doc_fragments/auth.py
  • awx_collection/plugins/doc_fragments/auth_plugin.py
📝 Walkthrough

Walkthrough

Adds legacy oauth_token as an alias for aap_token: documentation and AUTH_ARGSPEC updated, INI config parsing reads oauth_token and maps it to aap_token when needed, and tests added/extended to validate option mapping and config-file precedence.

Changes

OAuth Token Backward Compatibility

Layer / File(s) Summary
Documentation and Argument Spec
awx_collection/plugins/doc_fragments/auth_plugin.py, awx_collection/plugins/doc_fragments/auth.py, awx_collection/plugins/module_utils/controller_api.py		 Documentation fragments and ControllerModule AUTH_ARGSPEC declare oauth_token as a legacy alias alongside controller_oauthtoken and tower_oauthtoken.
Config File Backward Compatibility
awx_collection/plugins/module_utils/controller_api.py		 INI config parsing reads the legacy oauth_token key; backward-compatibility logic maps oauth_tokenaap_token when aap_token is absent; aap_token takes precedence if both are present.
Test Harness and Coverage
awx_collection/test/awx/test_token_auth.py		 Test harness conditionally patches legacy ANSIBLE profile; legacy-alias tests now include oauth_token; new tests verify option mapping and config-file precedence rules.

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main change: restoring oauth_token backward compatibility for the collection's token authentication.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands and usage tips.

coderabbitai[bot]
coderabbitai Bot reviewed Jun 12, 2026
View reviewed changes

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
awx_collection/plugins/module_utils/controller_api.py (1)

301-302: 💤 Low value

Consider using starred unpacking for list concatenation.

The current concatenation works correctly, but starred unpacking is more idiomatic in modern Python.

♻️ Optional refactor 
-                    for honorred_setting in list(self.short_params) + ['oauth_token']:
+                    for honorred_setting in [*self.short_params, 'oauth_token']:
🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@awx_collection/plugins/module_utils/controller_api.py` around lines 301 -
302, Replace the list concatenation in the for loop with starred unpacking:
change the iteration from for honorred_setting in list(self.short_params) +
['oauth_token'] to for honorred_setting in [*self.short_params, 'oauth_token']
so it uses idiomatic unpacking of self.short_params plus the 'oauth_token'
element.
🤖 Prompt for all review comments with AI agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@awx_collection/plugins/module_utils/controller_api.py`:
- Around line 301-302: Replace the list concatenation in the for loop with
starred unpacking: change the iteration from for honorred_setting in
list(self.short_params) + ['oauth_token'] to for honorred_setting in
[*self.short_params, 'oauth_token'] so it uses idiomatic unpacking of
self.short_params plus the 'oauth_token' element.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 93d9b2bd-136f-4008-8987-fd91c732a89a

📥 Commits

Reviewing files that changed from the base of the PR and between c8981e3 and b9412a7.

📒 Files selected for processing (3)
  • awx_collection/plugins/doc_fragments/auth_plugin.py
  • awx_collection/plugins/module_utils/controller_api.py
  • awx_collection/test/awx/test_token_auth.py

chrismeyersfsu
chrismeyersfsu requested changes Jun 12, 2026
View reviewed changes
Comment thread awx_collection/test/awx/test_token_auth.py Outdated
Comment thread awx_collection/test/awx/test_token_auth.py Outdated
Comment thread awx_collection/plugins/module_utils/controller_api.py Outdated
@TheRealHaoLiu TheRealHaoLiu force-pushed the token-auth-46-compat branch from 0f960eb to 2af94c7 Compare June 12, 2026 17:43
@TheRealHaoLiu TheRealHaoLiu changed the title Restore oauth_token 4.6.0 compatibility for collection token auth Restore oauth_token backward compatibility for collection token auth Jun 12, 2026
@TheRealHaoLiu TheRealHaoLiu enabled auto-merge (squash) June 12, 2026 17:54
TheRealHaoLiu and others added 3 commits June 12, 2026 14:13
@TheRealHaoLiu @claude
Restore oauth_token backward compatibility for collection token auth
1ddb123 
The aap_token rename (c8981e3) restored module-level token auth but
left two interfaces from earlier collection releases broken:

- The lookup (controller_api) and inventory (controller) plugins
  previously declared an oauth_token option. Add oauth_token as an
  alias of aap_token in the auth_plugin doc fragment and in
  AUTH_ARGSPEC so query(..., oauth_token=...) and inventory YAML keys
  keep working.

- tower_cli.cfg-style config files used an oauth_token key under
  [general]; it was silently ignored after the rename, quietly
  degrading auth. load_config() now also reads the legacy oauth_token
  key and maps it to aap_token, with the new aap_token key winning when
  both are present. aap_token remains the canonical attribute used by
  _parse_aap_token() and the Bearer header logic.

Also make the test helper compatible with ansible-core 2.21+, which
requires a serialization profile alongside _ANSIBLE_ARGS, and extend
the tests to cover the oauth_token alias and legacy config file key.

No changelog fragment added: awx_collection has no changelogs/
directory on devel.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Signed-off-by: Hao Liu <44379968+TheRealHaoLiu@users.noreply.github.com>
@TheRealHaoLiu @claude
Document oauth_token alias in module auth doc fragment
d3f2cd4 
The oauth_token alias was added to aap_token in AUTH_ARGSPEC but not to
the module doc fragment, failing the validate-modules sanity check
(undocumented argument alias).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Signed-off-by: Hao Liu <44379968+TheRealHaoLiu@users.noreply.github.com>
@TheRealHaoLiu @claude
Generalize version references in compat comments
7207bcb 
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Signed-off-by: Hao Liu <44379968+TheRealHaoLiu@users.noreply.github.com>
@TheRealHaoLiu TheRealHaoLiu force-pushed the token-auth-46-compat branch from ae8cd3c to 7207bcb Compare June 12, 2026 18:14
@TheRealHaoLiu TheRealHaoLiu merged commit 849f5f7 into ansible:devel Jun 12, 2026
19 checks passed
@TheRealHaoLiu TheRealHaoLiu deleted the token-auth-46-compat branch June 12, 2026 18:34
@sonarqubecloud

sonarqubecloud Bot commented Jun 12, 2026

Copy link
Copy Markdown

Quality Gate Failed Quality Gate failed

Failed conditions
68.8% Coverage on New Code (required ≥ 80%)

See analysis details on SonarQube Cloud

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

@chrismeyersfsu chrismeyersfsu chrismeyersfsu approved these changes

@AlanCoding AlanCoding AlanCoding approved these changes

Assignees

No one assigned

Labels

component:awx_collection issues related to the collection for controlling AWX

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@TheRealHaoLiu @chrismeyersfsu @AlanCoding