don't allow users to specify $encrypted$ for encrypted credential fields

this keyword only has value when you _update_ an existing credential
2026-05-13 04:17:36 -02:30 · 2020-07-01 15:53:09 -04:00
parent e3e69b4c6b
commit 1434e5812f
2 changed files with 24 additions and 0 deletions
--- a/awx/main/fields.py
+++ b/awx/main/fields.py
@@ -637,6 +637,14 @@ class CredentialInputField(JSONSchemaField):
            else:
                decrypted_values[k] = v

+        # don't allow secrets with $encrypted$ on new object creation
+        if not model_instance.pk:
+            for field in model_instance.credential_type.secret_fields:
+                if value.get(field) == '$encrypted$':
+                    raise serializers.ValidationError({
+                        self.name: [f'$encrypted$ is a reserved keyword, and cannot be used for {field}.']
+                    })
+
        super(JSONSchemaField, self).validate(decrypted_values, model_instance)
        errors = {}
        for error in Draft4Validator(