Merge pull request #1613 from rooftopcellist/update_oauth2_filter
granularly prevent filtering oauth secrets
commit
dab766239f
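--- a/PATH-NOT-SHOWN-1
+++ b/PATH-NOT-SHOWN-1
@@ -121,8 +121,6 @@ def get_field_from_path(model, path):
 new_parts.append(name_alt)
 else:
 field = model._meta.get_field(name)
-if 'auth' in name or 'token' in name:
-raise PermissionDenied(_('Filtering on %s is not allowed.' % name))
 if isinstance(field, ForeignObjectRel) and getattr(field.field, '__prevent_search__', False):
 raise PermissionDenied(_('Filtering on %s is not allowed.' % name))
 elif getattr(field, '__prevent_search__', False):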
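Review bot: Removing the `'auth' in name or 'token' in name` substring test turns filterability into a per-field opt-out: any sensitive field or relation that does not carry `__prevent_search__` is now accepted by get_field_from_path, whereas the old check also caught name-matching fields on models nobody had registered. That is the intended granularity, but the guarantee now rests entirely on the prevent_search() registration list, and nothing in this function says so; I would add, above the remaining `isinstance(field, ForeignObjectRel)` check, `# sensitive fields/relations opt out of filtering via prevent_search(); there is no name-based catch-all any more`. A unit test that walks the fields of the OAuth models and asserts the secret-bearing ones carry `__prevent_search__` would keep that list from silently drifting as models change. get_field_from_path starts and ends outside the hunk.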
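--- a/PATH-NOT-SHOWN-2
+++ b/PATH-NOT-SHOWN-2
@@ -169,3 +169,9 @@ activity_stream_registrar.connect(OAuth2AccessToken)
 
 # prevent API filtering on certain Django-supplied sensitive fields
 prevent_search(User._meta.get_field('password'))
+prevent_search(OAuth2AccessToken._meta.get_field('token'))
+prevent_search(RefreshToken._meta.get_field('token'))
+prevent_search(OAuth2Application._meta.get_field('client_secret'))
+prevent_search(OAuth2Application._meta.get_field('client_id'))
+prevent_search(Grant._meta.get_field('code'))
+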
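Review bot: The header comment above the five new prevent_search() calls still reads "certain Django-supplied sensitive fields", which no longer describes the block now that OAuth token, client-credential and grant-code fields are registered here; I would change it to `# prevent API filtering on sensitive fields: Django's password hash, OAuth access/refresh tokens, client credentials and authorization codes`. Including `client_id` next to the secrets deserves a one-line reason as well, since a reader may otherwise treat it as an accidental entry. `RefreshToken` and `Grant` are not imported in this hunk; presumably they are brought in earlier in the module, which is outside what is shown. Because a field is protected only if it is listed here, a secret-bearing field added to these models later needs a matching line, and that constraint is worth stating in the comment.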
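--- a/PATH-NOT-SHOWN-3
+++ b/PATH-NOT-SHOWN-3
@@ -10,6 +10,7 @@ from awx.main.models import (AdHocCommand, ActivityStream,
 WorkflowJob, WorkflowJobTemplate,
 WorkflowJobOptions, InventorySource,
 JobEvent)
+from awx.main.models.oauth import OAuth2Application
 from awx.main.models.jobs import JobOptions
 
 # Django
@@ -82,7 +83,6 @@ def test_filter_on_password_field(password_field, lookup_suffix):
 (User, 'password__icontains'),
 (User, 'settings__value__icontains'),
 (User, 'main_oauth2accesstoken__token__gt'),
-(User, 'main_oauth2application__name__gt'),
 (UnifiedJob, 'job_args__icontains'),
 (UnifiedJob, 'job_env__icontains'),
 (UnifiedJob, 'start_args__icontains'),
@@ -95,8 +95,8 @@ def test_filter_on_password_field(password_field, lookup_suffix):
 (JobTemplate, 'survey_spec__icontains'),
 (WorkflowJobTemplate, 'survey_spec__icontains'),
 (CustomInventoryScript, 'script__icontains'),
-(ActivityStream, 'o_auth2_access_token__gt'),
-(ActivityStream, 'o_auth2_application__gt')
+(ActivityStream, 'o_auth2_application__client_secret__gt'),
+(OAuth2Application, 'grant__code__gt')
 ])
 def test_filter_sensitive_fields_and_relations(model, query):
 field_lookup = FieldLookupBackend()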
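Review bot: The parametrize list now covers `client_secret` (through ActivityStream) and `Grant.code` (through OAuth2Application), but nothing exercises the other two fields this change protects, `RefreshToken.token` and `OAuth2Application.client_id`; I would add `(OAuth2Application, 'client_id__gt')` and one lookup that traverses to a refresh token's `token` field, using whatever reverse relation name the model actually exposes. Dropping `(User, 'main_oauth2application__name__gt')` records that `name` is now filterable only by omission; a positive case asserting that this lookup no longer raises PermissionDenied would pin the intended relaxation rather than leave it implicit. The body of test_filter_sensitive_fields_and_relations continues outside the hunk.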