External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-02-19 12:10:06 -03:30
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1193 from AlanCoding/no_sneaking_credential_in

Browse Source 
Validation clause for WFJT node to follow credential prompt rule
This commit is contained in:
Alan Rominger
2018-02-12 12:46:12 -05:00
committed by GitHub
parent 56d01cda6b 02ac139d5c
commit 0268d575f8
2 changed files with 14 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
awx/api/serializers.py
View File

@@ -3254,6 +3254,9 @@ class WorkflowJobTemplateNodeSerializer(LaunchConfigurationBaseSerializer):
cred = deprecated_fields['credential'] cred = deprecated_fields['credential']
attrs['credential'] = cred attrs['credential'] = cred
if cred is not None: if cred is not None:
if not ujt_obj.ask_credential_on_launch:
raise serializers.ValidationError({"credential": _(
"Related template is not configured to accept credentials on launch.")})
cred = Credential.objects.get(pk=cred) cred = Credential.objects.get(pk=cred)
view = self.context.get('view', None) view = self.context.get('view', None)
if (not view) or (not view.request) or (view.request.user not in cred.use_role): if (not view) or (not view.request) or (view.request.user not in cred.use_role):

16
awx/main/tests/functional/api/test_workflow_node.py
View File

@@ -108,14 +108,20 @@ class TestOldCredentialField:
TODO: remove tests when JT vault_credential / credential / other stuff TODO: remove tests when JT vault_credential / credential / other stuff
is removed is removed
''' '''
@pytest.fixture
def job_template_ask(self, job_template):
job_template.ask_credential_on_launch = True
job_template.save()
return job_template
def test_credential_accepted_create(self, workflow_job_template, post, admin_user, def test_credential_accepted_create(self, workflow_job_template, post, admin_user,
job_template, machine_credential): job_template_ask, machine_credential):
r = post( r = post(
reverse( reverse(
'api:workflow_job_template_workflow_nodes_list', 'api:workflow_job_template_workflow_nodes_list',
kwargs = {'pk': workflow_job_template.pk} kwargs = {'pk': workflow_job_template.pk}
), ),
data = {'credential': machine_credential.pk, 'unified_job_template': job_template.pk}, data = {'credential': machine_credential.pk, 'unified_job_template': job_template_ask.pk},
user = admin_user, user = admin_user,
expect = 201 expect = 201
) )
@@ -128,17 +134,17 @@ class TestOldCredentialField:
['read_role', 403] ['read_role', 403]
]) ])
def test_credential_rbac(self, role, code, workflow_job_template, post, rando, def test_credential_rbac(self, role, code, workflow_job_template, post, rando,
job_template, machine_credential): job_template_ask, machine_credential):
role_obj = getattr(machine_credential, role) role_obj = getattr(machine_credential, role)
role_obj.members.add(rando) role_obj.members.add(rando)
job_template.execute_role.members.add(rando) job_template_ask.execute_role.members.add(rando)
workflow_job_template.admin_role.members.add(rando) workflow_job_template.admin_role.members.add(rando)
post( post(
reverse( reverse(
'api:workflow_job_template_workflow_nodes_list', 'api:workflow_job_template_workflow_nodes_list',
kwargs = {'pk': workflow_job_template.pk} kwargs = {'pk': workflow_job_template.pk}
), ),
data = {'credential': machine_credential.pk, 'unified_job_template': job_template.pk}, data = {'credential': machine_credential.pk, 'unified_job_template': job_template_ask.pk},
user = rando, user = rando,
expect = code expect = code
) )