feat(add-ons): configure full URL for Fedora Messaging (#20196)

Providing host and SSL flag is not enough in some situations, so allow
to configure the full URL.

Author: nijel

docs/changes.rst

@@ -58,7 +58,7 @@ Weblate 2026.7
 
 .. rubric:: Compatibility
 
-* :ref:`addon-weblate.fedora_messaging.publish` topics now include category path segments, making categorized same-named components distinguishable.
+* :ref:`addon-weblate.fedora_messaging.publish` topics now include category path segments, and broker settings are stored as an AMQP URL with existing host and SSL settings migrated automatically.
 
 .. rubric:: Upgrading
 

docs/security/threat-model.rst

@@ -86,8 +86,8 @@ Scope and intended use
        :doc:`/admin/management`)
    * - Machine translation and outbound integrations
      - Machine translation, avatars, status reporting, telemetry, error
-       reporting, VCS hosts, CDN add-on
-     - Outbound HTTP(S), provider APIs, logs
+       reporting, VCS hosts, CDN add-on, Fedora Messaging add-on
+     - Outbound HTTP(S), AMQP(S), provider APIs, logs
      - In scope for Weblate's enforcement of configured access and network
        restrictions. Provider behavior is out of scope. *(documented)* (source: :doc:`/admin/config`, :doc:`/admin/addons`)
    * - Add-ons
@@ -245,7 +245,8 @@ What Weblate does to its host:
 
 * It opens outbound network connections for configured VCS, identity-provider,
   avatar, machine-translation, backup, status-reporting, telemetry,
-  error-reporting, and add-on features.
+  error-reporting, and add-on features such as outbound webhooks and Fedora
+  Messaging AMQP delivery.
   *(documented)* (source: :doc:`/admin/config`, :doc:`/admin/code-hosting`,
   :doc:`/admin/backup`)
 * It runs VCS and backup-related helper commands as part of repository and
@@ -318,8 +319,9 @@ Build-time and configuration variants
        *(documented)*
    * - Private-target restrictions and allowlists for outbound URLs
      - User-configurable outbound URL surfaces documented with private-target
-       restriction settings reject internal or non-public targets by default.
-       *(documented)* (source: :setting:`ASSET_RESTRICT_PRIVATE`,
+       restriction settings, including Fedora Messaging AMQP broker URLs,
+       reject internal or non-public targets by default. *(documented)*
+       (source: :setting:`ASSET_RESTRICT_PRIVATE`,
        :setting:`PROJECT_WEB_RESTRICT_PRIVATE`,
        :setting:`WEBHOOK_RESTRICT_PRIVATE`, :setting:`VCS_RESTRICT_PRIVATE`)
      - Allowlist settings and privileged configuration can intentionally expand
@@ -530,8 +532,9 @@ Security properties Weblate provides
      - Default private-target checks are enabled and no trusted allowlist
        exemption applies.
      - A user-configurable screenshot URL, remote HTML URL, project website or
-       repository browser URL, outbound webhook URL, or VCS URL reaches an
-       internal or non-public target despite default controls.
+       repository browser URL, outbound webhook URL, Fedora Messaging AMQP
+       broker URL, or VCS URL reaches an internal or non-public target despite
+       default controls.
      - Security-critical when it exposes internal services or metadata.
    * - Weblate records security-relevant account, permission, and project or
        component setting changes in audit logs or history. *(documented)*

docs/snippets/addons-autogenerated.rst

@@ -433,22 +433,20 @@ Fedora Messaging
 .. versionadded:: 5.15
 
 :Add-on ID: ``weblate.fedora_messaging.publish``
-:Configuration: +------------------+-----------------------------+-------------------------------------------------------------------------------------------------+
-                | ``amqp_host``    | AMQP broker host            | The AMQP broker to connect to.                                                                  |
-                +------------------+-----------------------------+-------------------------------------------------------------------------------------------------+
-                | ``amqp_ssl``     | Use SSL for AMQP connection |                                                                                                 |
-                +------------------+-----------------------------+-------------------------------------------------------------------------------------------------+
-                | ``ca_cert``      | CA certificates             | Bundle of PEM encoded CA certificates used to validate the certificate presented by the server. |
-                +------------------+-----------------------------+-------------------------------------------------------------------------------------------------+
-                | ``client_key``   | Client SSL key              | PEM encoded client private SSL key.                                                             |
-                +------------------+-----------------------------+-------------------------------------------------------------------------------------------------+
-                | ``client_cert``  | Client SSL certificates     | PEM encoded client SSL certificate.                                                             |
-                +------------------+-----------------------------+-------------------------------------------------------------------------------------------------+
-                | ``event_filter`` | Change events to trigger    | Choose which change events should trigger this add-on.                                          |
-                |                  |                             | :ref:`addon-choice-event_filter`                                                                |
-                +------------------+-----------------------------+-------------------------------------------------------------------------------------------------+
-                | ``events``       | Selected change events      | :ref:`addon-choice-events`                                                                      |
-                +------------------+-----------------------------+-------------------------------------------------------------------------------------------------+
+:Configuration: +------------------+--------------------------+-------------------------------------------------------------------------------------------------+
+                | ``amqp_url``     | AMQP broker URL          | The AMQP broker URL to connect to.                                                              |
+                +------------------+--------------------------+-------------------------------------------------------------------------------------------------+
+                | ``ca_cert``      | CA certificates          | Bundle of PEM encoded CA certificates used to validate the certificate presented by the server. |
+                +------------------+--------------------------+-------------------------------------------------------------------------------------------------+
+                | ``client_key``   | Client SSL key           | PEM encoded client private SSL key.                                                             |
+                +------------------+--------------------------+-------------------------------------------------------------------------------------------------+
+                | ``client_cert``  | Client SSL certificates  | PEM encoded client SSL certificate.                                                             |
+                +------------------+--------------------------+-------------------------------------------------------------------------------------------------+
+                | ``event_filter`` | Change events to trigger | Choose which change events should trigger this add-on.                                          |
+                |                  |                          | :ref:`addon-choice-event_filter`                                                                |
+                +------------------+--------------------------+-------------------------------------------------------------------------------------------------+
+                | ``events``       | Selected change events   | :ref:`addon-choice-events`                                                                      |
+                +------------------+--------------------------+-------------------------------------------------------------------------------------------------+
 
 :Triggers: :ref:`addon-event-event-change`
 

weblate/addons/fedora_messaging.py

@@ -68,8 +68,7 @@ def change_event(
 
         # Apply configuration
         self.configure_fedora_messaging(
-            amqp_host=config["amqp_host"],
-            amqp_ssl=config.get("amqp_ssl", False),
+            amqp_url=config["amqp_url"],
             ca_cert=config.get("ca_cert"),
             client_key=config.get("client_key"),
             client_cert=config.get("client_cert"),
@@ -149,17 +148,13 @@ def get_change_headers(change: Change) -> dict[str, str]:
     @staticmethod
     def configure_fedora_messaging(
         *,
-        amqp_host: str,
-        amqp_ssl: bool,
+        amqp_url: str,
         ca_cert: str | None,
         client_key: str | None,
         client_cert: str | None,
         force_update: bool = False,
     ) -> None:
         """Configure Fedora Messaging."""
-        # Build AMQP URL, the parameters might be configurable
-        amqp_url = f"{'amqps' if amqp_ssl else 'amqp'}://{amqp_host}?connection_attempts=3&retry_delay=5"
-
         # Hash certificates to detect configuration changes
         cert_hash = siphash(
             "Fedora Messaging", f"CA:{ca_cert},KEY:{client_key},CERT:{client_cert}"

weblate/addons/forms.py

@@ -6,6 +6,7 @@
 
 from pathlib import Path
 from typing import TYPE_CHECKING, Any, ClassVar, cast
+from urllib.parse import urlparse
 
 import regex
 from crispy_forms.helper import FormHelper
@@ -43,7 +44,7 @@
 from weblate.utils.regex import compile_regex, regex_match, regex_sub
 from weblate.utils.render import validate_render, validate_render_translation
 from weblate.utils.validators import (
-    DomainOrIPValidator,
+    validate_fedora_messaging_url,
     validate_filename,
     validate_re,
     validate_re_nonempty,
@@ -1616,14 +1617,10 @@ class WebhooksAddonForm(BaseWebhooksAddonForm):
 
 
 class FedoraMessagingAddonForm(ChangeBaseAddonForm):
-    amqp_host = forms.CharField(
-        label=gettext_lazy("AMQP broker host"),
-        help_text=gettext_lazy("The AMQP broker to connect to."),
-        validators=[DomainOrIPValidator()],
-    )
-    amqp_ssl = forms.BooleanField(
-        label=gettext_lazy("Use SSL for AMQP connection"),
-        required=False,
+    amqp_url = forms.CharField(
+        label=gettext_lazy("AMQP broker URL"),
+        help_text=gettext_lazy("The AMQP broker URL to connect to."),
+        validators=[validate_fedora_messaging_url],
     )
     ca_cert = forms.CharField(
         widget=forms.Textarea(),
@@ -1648,8 +1645,7 @@ class FedoraMessagingAddonForm(ChangeBaseAddonForm):
     )
 
     field_order = [  # ruff: ignore[mutable-class-default]
-        "amqp_host",
-        "amqp_ssl",
+        "amqp_url",
         "ca_cert",
         "client_key",
         "client_cert",
@@ -1663,17 +1659,17 @@ def clean(self) -> None:
             FedoraMessagingAddon,
         )
 
-        amqp_ssl = self.cleaned_data.get("amqp_ssl")
-        if amqp_ssl is not None:
-            if amqp_ssl:
+        amqp_url = self.cleaned_data.get("amqp_url")
+        if amqp_url:
+            if urlparse(amqp_url).scheme == "amqps":
                 if (
                     not self.cleaned_data.get("ca_cert")
                     or not self.cleaned_data.get("client_key")
                     or not self.cleaned_data.get("client_cert")
                 ):
                     raise forms.ValidationError(
                         {
-                            "amqp_ssl": gettext(
+                            "amqp_url": gettext(
                                 "The SSL certificates have to be provided for SSL connection."
                             )
                         }
@@ -1686,17 +1682,16 @@ def clean(self) -> None:
             ):
                 raise forms.ValidationError(
                     {
-                        "amqp_ssl": gettext(
+                        "amqp_url": gettext(
                             "The SSL certificates are not used without a SSL connection."
                         )
                     }
                 )
 
-        if amqp_host := self.cleaned_data.get("amqp_host"):
+        if amqp_url:
             try:
                 FedoraMessagingAddon.configure_fedora_messaging(
-                    amqp_host=amqp_host,
-                    amqp_ssl=self.cleaned_data.get("amqp_ssl", False),
+                    amqp_url=amqp_url,
                     ca_cert=self.cleaned_data.get("ca_cert"),
                     client_key=self.cleaned_data.get("client_key"),
                     client_cert=self.cleaned_data.get("client_cert"),

weblate/addons/migrations/0021_migrate_fedora_messaging_amqp_url.py

@@ -0,0 +1,44 @@
+# Copyright © Michal Čihař <michal@weblate.org>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+from django.db import migrations
+
+FEDORA_MESSAGING_ADDON = "weblate.fedora_messaging.publish"
+
+
+def migrate_fedora_messaging_amqp_url(apps, _schema_editor) -> None:
+    Addon = apps.get_model("addons", "Addon")
+
+    for addon in Addon.objects.filter(name=FEDORA_MESSAGING_ADDON):
+        configuration = dict(addon.configuration or {})
+        original = configuration.copy()
+
+        if "amqp_url" not in configuration:
+            amqp_host = configuration.get("amqp_host")
+            if amqp_host:
+                amqp_scheme = "amqps" if configuration.get("amqp_ssl") else "amqp"
+                configuration["amqp_url"] = (
+                    f"{amqp_scheme}://{amqp_host}?connection_attempts=3&retry_delay=5"
+                )
+
+        configuration.pop("amqp_host", None)
+        configuration.pop("amqp_ssl", None)
+
+        if configuration != original:
+            Addon.objects.filter(pk=addon.pk).update(configuration=configuration)
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("addons", "0020_remove_obsolete_cleanup_tasks"),
+    ]
+
+    operations = [
+        migrations.RunPython(
+            migrate_fedora_messaging_amqp_url,
+            migrations.RunPython.noop,
+        ),
+    ]