From d540bd805ae250b0060292db525cf2b7b43d6510 Mon Sep 17 00:00:00 2001
From: Matthias Dellweg <mdellweg@redhat.com>
Date: Thu, 30 Apr 2026 14:09:55 +0200
Subject: [PATCH 1/2] Update CI

---
 .github/workflows/scripts/before_script.sh | 4 ++++
 .github/workflows/scripts/script.sh        | 9 +++++++--
 .github/workflows/test.yml                 | 5 +++++
 3 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/scripts/before_script.sh b/.github/workflows/scripts/before_script.sh
index 4d1083e9ca..1c2557eadd 100755
--- a/.github/workflows/scripts/before_script.sh
+++ b/.github/workflows/scripts/before_script.sh
@@ -25,6 +25,10 @@ echo
 echo "# Pulp config:"
 tail -v -n +1 .ci/ansible/settings/settings.*
 
+echo
+echo "# Pulp CLI config"
+tail -v -n +1 "../pulp-cli/tests/cli.toml"
+
 echo
 echo "# Containerfile:"
 tail -v -n +1 .ci/ansible/Containerfile
diff --git a/.github/workflows/scripts/script.sh b/.github/workflows/scripts/script.sh
index e21bd830b8..f5cd920d35 100755
--- a/.github/workflows/scripts/script.sh
+++ b/.github/workflows/scripts/script.sh
@@ -170,8 +170,13 @@ export PULP_FIXTURES_URL="http://pulp-fixtures:8080"
 # some pulp-cli tests use the api root envvar
 export PULP_API_ROOT="$(EDITOR=cat pulp config edit 2>/dev/null | awk -F'"' '/api_root/{print $2; exit}')"
 pushd ../pulp-cli
-pip install -r test_requirements.txt
-pytest -v tests -m "pulpcore or pulp_file or pulp_certguard"
+if [[ -f "test_requirements.txt" ]]
+then
+  pip install -r test_requirements.txt
+  pytest -v tests -m "pulpcore or pulp_file or pulp_certguard"
+else
+  PULP_CA_BUNDLE="/usr/local/share/ca-certificates/pulp_webserver.crt" make livetest
+fi
 popd
 
 if [ -f "$POST_SCRIPT" ]; then
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index b7b626d888..833c98e4f8 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -42,6 +42,11 @@ jobs:
         with:
           python-version: "3.11"
 
+      - name: "Install uv"
+        uses: "astral-sh/setup-uv@v7"
+        with:
+          enable-cache: true
+
       - name: "Download plugin package"
         uses: "actions/download-artifact@v8"
         with:

From 3a219cb5e2028fa130b6c32318ad6ad1783d357d Mon Sep 17 00:00:00 2001
From: Matthias Dellweg <mdellweg@redhat.com>
Date: Fri, 24 Apr 2026 11:24:49 +0200
Subject: [PATCH 2/2] WIP

---
 .github/workflows/scripts/before_install.sh |  5 +++++
 ci_requirements.txt                         |  2 +-
 pulpcore/app/settings.py                    | 21 +++++++++++++++++++++
 pulpcore/app/urls.py                        |  3 +++
 pyproject.toml                              |  1 +
 5 files changed, 31 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/scripts/before_install.sh b/.github/workflows/scripts/before_install.sh
index 2d8d709cae..cde52b40d5 100755
--- a/.github/workflows/scripts/before_install.sh
+++ b/.github/workflows/scripts/before_install.sh
@@ -79,6 +79,11 @@ services:
     image: "docker.io/pulp/pulp-fixtures:latest"
     env:
       BASE_URL: "http://pulp-fixtures:8080"
+  - name: "saml2-idp"
+    image: "ghcr.io/pfrest/mock-saml2-idp:latest"
+    env:
+      SP_ENTITY_ID: "http://pulp"
+      SP_ACS_LOCATION: "http://pulp/saml/acs/"
 VARSYAML
 
 if [ "$TEST" = "s3" ]; then
diff --git a/ci_requirements.txt b/ci_requirements.txt
index 8b13789179..268d042d87 100644
--- a/ci_requirements.txt
+++ b/ci_requirements.txt
@@ -1 +1 @@
-
+pulpcore[saml2]
diff --git a/pulpcore/app/settings.py b/pulpcore/app/settings.py
index a4411f50ea..458a511fb2 100644
--- a/pulpcore/app/settings.py
+++ b/pulpcore/app/settings.py
@@ -160,6 +160,27 @@
     "pulpcore.backends.ObjectRolePermissionBackend",
 ]
 
+with suppress(ImportError):
+    # TODO Move this in a hook depending on SAML_CONFIG's existance or so.
+    import_module("djangosaml2")
+    INSTALLED_APPS.append("djangosaml2")
+    MIDDLEWARE.append("djangosaml2.middleware.SamlSessionMiddleware")
+    AUTHENTICATION_BACKENDS.append("djangosaml2.backends.Saml2Backend")
+    LOGIN_URL = "/saml2/login/"
+    SESSION_EXPIRE_AT_BROWSER_CLOSE = True
+    SAML_CONFIG = {
+        "entityid": "http://localhost:5001/sp.xml",
+        "entity_category": [],
+        "service": {},
+        "key_file": "/etc/pki/tls/private/pulp_webserver.key",
+        "cert_file": "/etc/pki/tls/certs/pulp_webserver.crt",
+        "xmlsec_binary": "/usr/bin/xmlsec1",
+        "metadata": {
+            "local": [BASE_DIR / "remote_metadata.xml"],
+        },
+        "debug": 1,
+    }
+
 ROOT_URLCONF = "pulpcore.app.urls"
 
 TEMPLATES = [
diff --git a/pulpcore/app/urls.py b/pulpcore/app/urls.py
index 4742339248..1402589cc9 100644
--- a/pulpcore/app/urls.py
+++ b/pulpcore/app/urls.py
@@ -245,6 +245,9 @@ class NoSchema(p.callback.cls):
         path("", include("social_django.urls", namespace=settings.SOCIAL_AUTH_URL_NAMESPACE))
     )
 
+if "djangosaml2" in settings.INSTALLED_APPS:
+    urlpatterns.append(path("saml2/", include("djangosaml2.urls")))
+
 #: The Pulp Platform v3 API router, which can be used to manually register ViewSets with the API.
 root_router = PulpDefaultRouter()
 
diff --git a/pyproject.toml b/pyproject.toml
index c1d1aac8f7..0bd106eb9d 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -73,6 +73,7 @@ s3 = ["django-storages[boto3]==1.14.6"]
 google = ["django-storages[google]==1.14.6"]
 azure = ["django-storages[azure]==1.14.6"]
 prometheus = ["django-prometheus"]
+saml2 = ["djangosaml2>=1.12.0,<1.13"]
 kafka = [
   # Pinned because project warns "things might (and will) break with every update"
   "cloudevents==1.11.0",