Omit placeholder vars with survey password defaults

WFJT nodes & schedules (launch configs) will accept POST/PATCH/PUT with variables in extra_data that have $encrypted$ for their value if a valid survey default exists. In this case, the variable is simply removed from the extra_data. This is done so that it does not affect pre-existing value substitution for $encrypted$ values from the config itself
2024-10-27 17:55:10 +03:00 · 2018-02-12 09:31:52 -05:00 · 2018-02-12 09:31:52 -05:00 · 58a94be428
commit 58a94be428
parent 605a2c7e01
3 changed files with 38 additions and 4 deletions
--- a/awx/api/serializers.py
+++ b/awx/api/serializers.py
@ -3150,19 +3150,27 @@ class LaunchConfigurationBaseSerializer(BaseSerializer):
        elif self.instance:
            ujt = self.instance.unified_job_template

-        # Insert survey_passwords to track redacted variables
+        # Replace $encrypted$ submissions with db value if exists
+        # build additional field survey_passwords to track redacted variables
        if 'extra_data' in attrs:
            extra_data = parse_yaml_or_json(attrs.get('extra_data', {}))
            if hasattr(ujt, 'survey_password_variables'):
+                # Prepare additional field survey_passwords for save
                password_dict = {}
                for key in ujt.survey_password_variables():
                    if key in extra_data:
                        password_dict[key] = REPLACE_STR
                if not self.instance or password_dict != self.instance.survey_passwords:
-                    attrs['survey_passwords'] = password_dict
+                    attrs['survey_passwords'] = password_dict.copy()
+                # Force dict type (cannot preserve YAML formatting if passwords are involved)
                if not isinstance(attrs['extra_data'], dict):
                    attrs['extra_data'] = parse_yaml_or_json(attrs['extra_data'])
+                # Encrypt the extra_data for save, only current password vars in JT survey
                encrypt_dict(attrs['extra_data'], password_dict.keys())
+                # For any raw $encrypted$ string, either
+                # - replace with existing DB value
+                # - raise a validation error
+                # - remove key from extra_data if survey default is present
                if self.instance:
                    db_extra_data = parse_yaml_or_json(self.instance.extra_data)
                else:
@ -3170,8 +3178,13 @@ class LaunchConfigurationBaseSerializer(BaseSerializer):
                for key in password_dict.keys():
                    if attrs['extra_data'].get(key, None) == REPLACE_STR:
                        if key not in db_extra_data:
-                            raise serializers.ValidationError(
-                                _('Provided variable {} has no database value to replace with.').format(key))
+                            element = ujt.pivot_spec(ujt.survey_spec)[key]
+                            if 'default' in element and element['default']:
+                                attrs['survey_passwords'].pop(key, None)
+                                attrs['extra_data'].pop(key, None)
+                            else:
+                                raise serializers.ValidationError(
+                                    {"extra_data": _('Provided variable {} has no database value to replace with.').format(key)})
                        else:
                            attrs['extra_data'][key] = db_extra_data[key]

--- a/awx/main/tests/unit/api/serializers/test_workflow_serializers.py
+++ b/awx/main/tests/unit/api/serializers/test_workflow_serializers.py
@ -215,6 +215,24 @@ class TestWorkflowJobTemplateNodeSerializerSurveyPasswords():
        assert 'var1' in attrs['survey_passwords']
        assert attrs['extra_data']['var1'] == '$encrypted$foooooo'

+    def test_accept_password_default(self, jt, mocker):
+        '''
+        If user provides "$encrypted$" without a corresponding DB value for the
+        node, but survey question has a default, then variables are accepted
+        with that particular var omitted so on launch time the default takes effect
+        '''
+        serializer = WorkflowJobTemplateNodeSerializer()
+        wfjt = WorkflowJobTemplate(name='fake-wfjt')
+        jt.survey_spec['spec'][0]['default'] = '$encrypted$bar'
+        attrs = serializer.validate({
+            'unified_job_template': jt,
+            'workflow_job_template': wfjt,
+            'extra_data': {'var1': '$encrypted$'}
+        })
+        assert 'survey_passwords' in attrs
+        assert attrs['survey_passwords'] == {}
+        assert attrs['extra_data'] == {}
+

@mock.patch('awx.api.serializers.WorkflowJobTemplateNodeSerializer.get_related', lambda x,y: {})
 class TestWorkflowJobNodeSerializerGetRelated():
--- a/docs/prompting.md
+++ b/docs/prompting.md
@ -240,6 +240,9 @@ of what happened.
 - survey password durability
   - schedule has survey password answers from WFJT survey
   - WFJT node has answers to different password questions from JT survey
+   - Saving with "$encrypted$" value will either
+     - become a no-op, removing the key if a valid question default exists
+     - replace with the database value if question was previously answered
   - final job it spawns has both answers encrypted
 - POST to associate credential to WFJT node
   - requires admin to WFJT and execute to JT