feat: use token for websocket authentication

The cli expects to receive websocket-access-token, websocket-refresh-token, and websocket-token-address. It does not send the authentication header if above arguments are not provided, so it works with the old eda-server that does not authenticate incomming websocket connecitons. Linked AAP-17776: ansible-rulebook uses token for authentication
ansible · Dec 7, 2023 · c7494f9 · c7494f9
1 parent 8743f53
commit c7494f9
Show file tree

Hide file tree

Showing 5 changed files with 254 additions and 97 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,7 @@
 ### Added
 - ssl_verify option now also supports "true" or "false" values
 - Support for standalone boolean in conditions
+- Use token for websocket authentication
 
 ### Fixed
 

diff --git a/ansible_rulebook/app.py b/ansible_rulebook/app.py
@@ -67,9 +67,12 @@ async def run(parsed_args: argparse.Namespace) -> None:
     if parsed_args.worker and parsed_args.websocket_address and parsed_args.id:
         logger.info("Starting worker mode")
         startup_args = await request_workload(
-            parsed_args.id,
-            parsed_args.websocket_address,
-            parsed_args.websocket_ssl_verify,
+            activation_id=parsed_args.id,
+            websocket_address=parsed_args.websocket_address,
+            websocket_ssl_verify=parsed_args.websocket_ssl_verify,
+            websocket_token_address=parsed_args.websocket_token_address,
+            websocket_access_token=parsed_args.websocket_access_token,
+            websocket_refresh_token=parsed_args.websocket_refresh_token,
         )
         if not startup_args:
             logger.error("Error communicating with web socket server")
@@ -121,9 +124,12 @@ async def run(parsed_args: argparse.Namespace) -> None:
     if parsed_args.websocket_address:
         feedback_task = asyncio.create_task(
             send_event_log_to_websocket(
-                event_log,
-                parsed_args.websocket_address,
-                parsed_args.websocket_ssl_verify,
+                event_log=event_log,
+                websocket_address=parsed_args.websocket_address,
+                websocket_ssl_verify=parsed_args.websocket_ssl_verify,
+                websocket_token_address=parsed_args.websocket_token_address,
+                websocket_access_token=parsed_args.websocket_access_token,
+                websocket_refresh_token=parsed_args.websocket_refresh_token,
             )
         )
         tasks.append(feedback_task)

diff --git a/ansible_rulebook/cli.py b/ansible_rulebook/cli.py
@@ -105,6 +105,19 @@ def get_parser() -> argparse.ArgumentParser:
         "default to yes for wss connection.",
         default="yes",
     )
+    parser.add_argument(
+        "--websocket-access-token",
+        help="Token used to autheticate the websocket connection.",
+    )
+    parser.add_argument(
+        "--websocket-refresh-token",
+        help="Token used to renew a websocket access token.",
+    )
+    parser.add_argument(
+        "--websocket-token-address",
+        "--websocket-token-url",
+        help="Url to renew websocket access token.",
+    )
     parser.add_argument("--id", help="Identifier")
     parser.add_argument(
         "-w",