From 13366c1e75ee367de2a6f8985ca37bfd26f88f55 Mon Sep 17 00:00:00 2001
From: Ryan Petrello <rpetrell@redhat.com>
Date: Tue, 26 Feb 2019 17:45:26 -0500
Subject: [PATCH] Encrypt machine.ssh_public_key_data (in case users paste in
 signed data)

---
 awx/main/models/credential/__init__.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/awx/main/models/credential/__init__.py b/awx/main/models/credential/__init__.py
index f8597ba4dc..11578b397d 100644
--- a/awx/main/models/credential/__init__.py
+++ b/awx/main/models/credential/__init__.py
@@ -824,6 +824,7 @@ ManagedCredentialType(
             'label': ugettext_noop('Signed SSH Certificate'),
             'type': 'string',
             'multiline': True,
+            'secret': True,
         }, {
             'id': 'ssh_key_unlock',
             'label': ugettext_noop('Private Key Passphrase'),
@@ -1360,8 +1361,11 @@ class CredentialInputSource(PrimordialModel):
                 backend_kwargs[field_name] = value
 
         backend_kwargs.update(self.metadata)
+        raw = self.target_credential.inputs.get(self.input_field_name)
+        if self.input_field_name in self.target_credential.credential_type.secret_fields:
+            raw = decrypt_field(self.target_credential, self.input_field_name)
         return backend(
-            self.target_credential.inputs.get(self.input_field_name),
+            raw,
             **backend_kwargs
         )