1
0
mirror of https://github.com/ansible/awx.git synced 2024-10-30 22:21:13 +03:00

don't allow users to specify $encrypted$ for encrypted credential fields

this keyword only has value when you _update_ an existing credential
This commit is contained in:
Ryan Petrello 2020-07-01 15:53:09 -04:00
parent e3e69b4c6b
commit 1434e5812f
No known key found for this signature in database
GPG Key ID: F2AA5F2122351777
2 changed files with 24 additions and 0 deletions

View File

@ -637,6 +637,14 @@ class CredentialInputField(JSONSchemaField):
else:
decrypted_values[k] = v
# don't allow secrets with $encrypted$ on new object creation
if not model_instance.pk:
for field in model_instance.credential_type.secret_fields:
if value.get(field) == '$encrypted$':
raise serializers.ValidationError({
self.name: [f'$encrypted$ is a reserved keyword, and cannot be used for {field}.']
})
super(JSONSchemaField, self).validate(decrypted_values, model_instance)
errors = {}
for error in Draft4Validator(

View File

@ -1153,6 +1153,22 @@ def test_cloud_credential_type_mutability(patch, organization, admin, credential
assert response.status_code == 200
@pytest.mark.django_db
@pytest.mark.parametrize('field', ['password', 'ssh_key_data'])
def test_secret_fields_cannot_be_special_encrypted_variable(post, organization, admin, credentialtype_ssh, field):
params = {
'name': 'Best credential ever',
'credential_type': credentialtype_ssh.id,
'inputs': {
'username': 'joe',
field: '$encrypted$',
},
'organization': organization.id,
}
response = post(reverse('api:credential_list'), params, admin, status=400)
assert str(response.data['inputs'][0]) == f'$encrypted$ is a reserved keyword, and cannot be used for {field}.'
@pytest.mark.django_db
def test_ssh_unlock_needed(put, organization, admin, credentialtype_ssh):
params = {