From 4197a9fd35f64db4d249feabfe2c930481c97c7a Mon Sep 17 00:00:00 2001
From: adamscmRH
Date: Fri, 27 Apr 2018 16:39:37 -0400
Subject: [PATCH] granularly prevent filtering oauth secrets

---
 awx/api/filters.py | 2 --
 awx/main/models/__init__.py | 6 ++++++
 awx/main/tests/unit/api/test_filters.py | 6 +++---
 3 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/awx/api/filters.py b/awx/api/filters.py
index c7425f5e75..81290c377b 100644
--- a/awx/api/filters.py
+++ b/awx/api/filters.py
@@ -121,8 +121,6 @@ def get_field_from_path(model, path):
 new_parts.append(name_alt)
 else:
 field = model._meta.get_field(name)
- if 'auth' in name or 'token' in name:
- raise PermissionDenied(_('Filtering on %s is not allowed.' % name))
 if isinstance(field, ForeignObjectRel) and getattr(field.field, '__prevent_search__', False):
 raise PermissionDenied(_('Filtering on %s is not allowed.' % name))
 elif getattr(field, '__prevent_search__', False):
diff --git a/awx/main/models/__init__.py b/awx/main/models/__init__.py
index 0bbbc08254..7764655419 100644
--- a/awx/main/models/__init__.py
+++ b/awx/main/models/__init__.py
@@ -169,3 +169,9 @@ activity_stream_registrar.connect(OAuth2AccessToken)
 # prevent API filtering on certain Django-supplied sensitive fields
 prevent_search(User._meta.get_field('password'))
+prevent_search(OAuth2AccessToken._meta.get_field('token'))
+prevent_search(RefreshToken._meta.get_field('token'))
+prevent_search(OAuth2Application._meta.get_field('client_secret'))
+prevent_search(OAuth2Application._meta.get_field('client_id'))
+prevent_search(Grant._meta.get_field('code'))
+
diff --git a/awx/main/tests/unit/api/test_filters.py b/awx/main/tests/unit/api/test_filters.py
index 1a70b9716c..cc53234e97 100644
--- a/awx/main/tests/unit/api/test_filters.py
+++ b/awx/main/tests/unit/api/test_filters.py
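Review bot: Removing the `if 'auth' in name or 'token' in name:` guard changes the lookup-path check from deny-by-heuristic to allow-by-default, so after this hunk a secret-bearing field is only protected if someone remembered to pass it to `prevent_search()`; a token/secret field added to any model later, or one that is simply never registered, becomes filterable without any error or warning. The surviving `__prevent_search__` checks inspect only the field reached at each `__`-separated step, so the registry has to be complete for every model a lookup can traverse through. I would at least document that contract where the old guard stood, e.g. `# secret-bearing fields are excluded from filtering only via prevent_search() in awx.main.models; register any new token/secret/code field there`, and back it with a test that walks the OAuth models' fields and asserts the expected ones carry `__prevent_search__` (see the test-file hunk). `get_field_from_path` starts and ends outside this hunk.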
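Review bot: The five new `prevent_search(...)` calls reference `RefreshToken`, `Grant` and `OAuth2Application`, and this hunk does not show those names being imported into `awx/main/models/__init__.py` (only `OAuth2AccessToken` and `User` appear in the context); if any of them is not in scope here the module raises `NameError` at import time, which is worth confirming. The existing comment `# prevent API filtering on certain Django-supplied sensitive fields` no longer matches the block, since these fields come from the OAuth provider models rather than Django itself; I would change it to `# prevent API filtering on sensitive fields supplied by Django and the OAuth provider (tokens, client secrets, grant codes)`. The final added line is an empty line at end of file, which flake8 reports as W391 and which can be dropped.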
@@ -10,6 +10,7 @@ from awx.main.models import (AdHocCommand, ActivityStream, WorkflowJob, WorkflowJobTemplate, WorkflowJobOptions, InventorySource, JobEvent)
+from awx.main.models.oauth import OAuth2Application
 from awx.main.models.jobs import JobOptions
 # Django
@@ -82,7 +83,6 @@ def test_filter_on_password_field(password_field, lookup_suffix):
 (User, 'password__icontains'),
 (User, 'settings__value__icontains'),
 (User, 'main_oauth2accesstoken__token__gt'),
- (User, 'main_oauth2application__name__gt'),
 (UnifiedJob, 'job_args__icontains'),
 (UnifiedJob, 'job_env__icontains'),
 (UnifiedJob, 'start_args__icontains'),
@@ -95,8 +95,8 @@ def test_filter_on_password_field(password_field, lookup_suffix):
 (JobTemplate, 'survey_spec__icontains'),
 (WorkflowJobTemplate, 'survey_spec__icontains'),
 (CustomInventoryScript, 'script__icontains'),
- (ActivityStream, 'o_auth2_access_token__gt'),
- (ActivityStream, 'o_auth2_application__gt')
+ (ActivityStream, 'o_auth2_application__client_secret__gt'),
+ (OAuth2Application, 'grant__code__gt')
 ])
 def test_filter_sensitive_fields_and_relations(model, query):
 field_lookup = FieldLookupBackend()
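Review bot: The parametrized list still only asserts denials, and the case `(User, 'main_oauth2application__name__gt')` was deleted rather than moved to a test of the now-allowed path, so the loosening this commit intends (filtering on an application's non-secret fields) has no coverage and could regress silently. Two of the five fields registered in `awx/main/models/__init__.py` also have no denial case here; `RefreshToken.token` and `OAuth2Application.client_id` are both unexercised, and I would add at least `(OAuth2Application, 'client_id__icontains'),` to the list, plus a `RefreshToken` entry once its import is available in this module. A short companion test that builds a `FieldLookupBackend()` and resolves `main_oauth2application__name__gt` on `User` without raising would pin the positive side. The `pytest.mark.parametrize` decorator these entries belong to begins before the hunk, and `test_filter_sensitive_fields_and_relations` continues past it.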