shaba/awx
1
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2024-11-02 01:21:21 +03:00
Code Releases Activity

Merge pull request #1613 from rooftopcellist/update_oauth2_filter

Browse Source 
granularly prevent filtering oauth secrets
This commit is contained in:
Christian Adams 2018-04-30 12:11:24 -04:00 committed by GitHub
commit dab766239f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 9 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
awx/api/filters.py
View File

@ -121,8 +121,6 @@ def get_field_from_path(model, path):
new_parts.append(name_alt)
else:
field = model._meta.get_field(name)
if 'auth' in name or 'token' in name:
raise PermissionDenied(_('Filtering on %s is not allowed.' % name))
if isinstance(field, ForeignObjectRel) and getattr(field.field, '__prevent_search__', False):
raise PermissionDenied(_('Filtering on %s is not allowed.' % name))
elif getattr(field, '__prevent_search__', False):

6
awx/main/models/__init__.py
View File

@ -169,3 +169,9 @@ activity_stream_registrar.connect(OAuth2AccessToken)
# prevent API filtering on certain Django-supplied sensitive fields
prevent_search(User._meta.get_field('password'))
prevent_search(OAuth2AccessToken._meta.get_field('token'))
prevent_search(RefreshToken._meta.get_field('token'))
prevent_search(OAuth2Application._meta.get_field('client_secret'))
prevent_search(OAuth2Application._meta.get_field('client_id'))
prevent_search(Grant._meta.get_field('code'))

6
awx/main/tests/unit/api/test_filters.py
View File

@ -10,6 +10,7 @@ from awx.main.models import (AdHocCommand, ActivityStream,
WorkflowJob, WorkflowJobTemplate,
WorkflowJobOptions, InventorySource,
JobEvent)
from awx.main.models.oauth import OAuth2Application
from awx.main.models.jobs import JobOptions
# Django
@ -82,7 +83,6 @@ def test_filter_on_password_field(password_field, lookup_suffix):
(User, 'password__icontains'),
(User, 'settings__value__icontains'),
(User, 'main_oauth2accesstoken__token__gt'),
(User, 'main_oauth2application__name__gt'),
(UnifiedJob, 'job_args__icontains'),
(UnifiedJob, 'job_env__icontains'),
(UnifiedJob, 'start_args__icontains'),
@ -95,8 +95,8 @@ def test_filter_on_password_field(password_field, lookup_suffix):
(JobTemplate, 'survey_spec__icontains'),
(WorkflowJobTemplate, 'survey_spec__icontains'),
(CustomInventoryScript, 'script__icontains'),
(ActivityStream, 'o_auth2_access_token__gt'),
(ActivityStream, 'o_auth2_application__gt')
(ActivityStream, 'o_auth2_application__client_secret__gt'),
(OAuth2Application, 'grant__code__gt')
])
def test_filter_sensitive_fields_and_relations(model, query):
field_lookup = FieldLookupBackend()