mirror of
https://github.com/ansible/awx.git
synced 2024-10-30 22:21:13 +03:00
don't allow users to specify $encrypted$ for encrypted credential fields
this keyword only has value when you _update_ an existing credential
This commit is contained in:
parent
e3e69b4c6b
commit
1434e5812f
@ -637,6 +637,14 @@ class CredentialInputField(JSONSchemaField):
|
||||
else:
|
||||
decrypted_values[k] = v
|
||||
|
||||
# don't allow secrets with $encrypted$ on new object creation
|
||||
if not model_instance.pk:
|
||||
for field in model_instance.credential_type.secret_fields:
|
||||
if value.get(field) == '$encrypted$':
|
||||
raise serializers.ValidationError({
|
||||
self.name: [f'$encrypted$ is a reserved keyword, and cannot be used for {field}.']
|
||||
})
|
||||
|
||||
super(JSONSchemaField, self).validate(decrypted_values, model_instance)
|
||||
errors = {}
|
||||
for error in Draft4Validator(
|
||||
|
@ -1153,6 +1153,22 @@ def test_cloud_credential_type_mutability(patch, organization, admin, credential
|
||||
assert response.status_code == 200
|
||||
|
||||
|
||||
@pytest.mark.django_db
|
||||
@pytest.mark.parametrize('field', ['password', 'ssh_key_data'])
|
||||
def test_secret_fields_cannot_be_special_encrypted_variable(post, organization, admin, credentialtype_ssh, field):
|
||||
params = {
|
||||
'name': 'Best credential ever',
|
||||
'credential_type': credentialtype_ssh.id,
|
||||
'inputs': {
|
||||
'username': 'joe',
|
||||
field: '$encrypted$',
|
||||
},
|
||||
'organization': organization.id,
|
||||
}
|
||||
response = post(reverse('api:credential_list'), params, admin, status=400)
|
||||
assert str(response.data['inputs'][0]) == f'$encrypted$ is a reserved keyword, and cannot be used for {field}.'
|
||||
|
||||
|
||||
@pytest.mark.django_db
|
||||
def test_ssh_unlock_needed(put, organization, admin, credentialtype_ssh):
|
||||
params = {
|
||||
|
Loading…
Reference in New Issue
Block a user