From 1e77f909a5a306d76254587bc8907f166426c158 Mon Sep 17 00:00:00 2001
From: Aaron Tan
Date: Mon, 7 Aug 2017 11:44:06 -0400
Subject: [PATCH] Force providing TACACSPLUS_SECRET when TACACSPLUS_HOST is set
---
 awx/main/tests/functional/api/test_settings.py | 15 +++++++++++++++
 awx/sso/conf.py | 4 ++--
 2 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/awx/main/tests/functional/api/test_settings.py b/awx/main/tests/functional/api/test_settings.py
index 7432101a40..f51b1f91f7 100644
--- a/awx/main/tests/functional/api/test_settings.py
+++ b/awx/main/tests/functional/api/test_settings.py
@@ -147,6 +147,21 @@ def test_radius_settings(get, put, patch, delete, admin, settings):
 assert settings.RADIUS_SECRET == ''
+@pytest.mark.django_db
+def test_tacacsplus_settings(get, put, patch, admin):
+ url = reverse('api:setting_singleton_detail', kwargs={'category_slug': 'tacacsplus'})
+ response = get(url, user=admin, expect=200)
+ put(url, user=admin, data=response.data, expect=200)
+ patch(url, user=admin, data={'TACACSPLUS_SECRET': 'mysecret'}, expect=200)
+ patch(url, user=admin, data={'TACACSPLUS_SECRET': ''}, expect=200)
+ patch(url, user=admin, data={'TACACSPLUS_HOST': 'localhost'}, expect=400)
+ patch(url, user=admin, data={'TACACSPLUS_SECRET': 'mysecret'}, expect=200)
+ patch(url, user=admin, data={'TACACSPLUS_HOST': 'localhost'}, expect=200)
+ patch(url, user=admin, data={'TACACSPLUS_HOST': '', 'TACACSPLUS_SECRET': ''}, expect=200)
+ patch(url, user=admin, data={'TACACSPLUS_HOST': 'localhost', 'TACACSPLUS_SECRET': ''}, expect=400)
+ patch(url, user=admin, data={'TACACSPLUS_HOST': 'localhost', 'TACACSPLUS_SECRET': 'mysecret'}, expect=200)
+
+
 @pytest.mark.django_db
 def test_ui_settings(get, put, patch, delete, admin):
 url = reverse('api:setting_singleton_detail', kwargs={'category_slug': 'ui'})
diff --git a/awx/sso/conf.py b/awx/sso/conf.py
index bccbdfd883..636b39daf0 100644
--- a/awx/sso/conf.py
+++ b/awx/sso/conf.py
@@ -1106,8 +1106,8 @@ def tacacs_validate(serializer, attrs):
 secret = serializer.instance.TACACSPLUS_SECRET
 if 'TACACSPLUS_SECRET' in attrs:
 secret = attrs['TACACSPLUS_SECRET']
- if bool(host) ^ bool(secret):
- errors.append('TACACSPLUS_HOST and TACACSPLUS_SECRET can only be both empty or both populated.')
+ if host and not secret:
+ errors.append('TACACSPLUS_SECRET is required when TACACSPLUS_HOST is provided.')
 if errors:
 raise serializers.ValidationError(_('\n'.join(errors)))
 return attrs
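Review bot: The new guard `if host and not secret:` counts any non-empty string as a secret, so a value made only of whitespace would let TACACSPLUS_HOST be enabled with what is in practice a blank shared key for the TACACS+ exchange. Unless the field definition (not visible in this hunk) already trims or rejects such input, consider `if host and not (secret or '').strip():`. The rule is now deliberately one-sided, so a short comment above the check, for example `# Secret without host is accepted; host without secret is rejected.`, would keep a later reader from restoring the symmetric XOR. tacacs_validate begins above the hunk, so how `host` is resolved is not shown here.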