fix a variety of bugs that break vault pass injection for playbook runs

see: #6924
2026-03-01 16:58:46 -03:30 · 2017-07-07 12:19:31 -04:00
parent 463ef9d4b0
commit 3c2fe5e6db
4 changed files with 56 additions and 15 deletions
--- a/awx/main/tests/functional/api/test_job_runtime_params.py
+++ b/awx/main/tests/functional/api/test_job_runtime_params.py
@@ -315,6 +315,22 @@ def test_job_launch_JT_enforces_unique_extra_credential_kinds(machine_credential
    assert validated is False


+@pytest.mark.django_db
+def test_job_launch_JT_with_default_vault_credential(machine_credential, vault_credential, deploy_jobtemplate):
+    deploy_jobtemplate.credential = machine_credential
+    deploy_jobtemplate.vault_credential = vault_credential
+    serializer = JobLaunchSerializer(
+        instance=deploy_jobtemplate, data={},
+        context={'obj': deploy_jobtemplate, 'data': {}, 'passwords': {}})
+    validated = serializer.is_valid()
+    assert validated
+
+    prompted_fields, ignored_fields = deploy_jobtemplate._accept_or_ignore_job_kwargs(**{})
+    job_obj = deploy_jobtemplate.create_unified_job(**prompted_fields)
+
+    assert job_obj.vault_credential.pk == vault_credential.pk
+
+
@pytest.mark.django_db
 def test_job_launch_JT_with_extra_credentials(machine_credential, credential, net_credential, deploy_jobtemplate):
    deploy_jobtemplate.ask_credential_on_launch = True
--- a/awx/main/tests/unit/test_tasks.py
+++ b/awx/main/tests/unit/test_tasks.py
@@ -4,6 +4,7 @@ from functools import partial
 import ConfigParser
 import json
 import os
+import re
 import shutil
 import tempfile

@@ -404,7 +405,6 @@ class TestJobCredentials(TestJobExecution):
            dict(field='password', password_name='ssh_password', expected_flag='--ask-pass'),
            dict(field='ssh_key_unlock', password_name='ssh_key_unlock', expected_flag=None),
            dict(field='become_password', password_name='become_password', expected_flag='--ask-become-pass'),
-            dict(field='vault_password', password_name='vault_password', expected_flag='--ask-vault-pass'),
        ]
    }

@@ -428,6 +428,26 @@ class TestJobCredentials(TestJobExecution):
        if expected_flag:
            assert expected_flag in ' '.join(args)

+    def test_vault_password(self):
+        vault = CredentialType.defaults['vault']()
+        credential = Credential(
+            pk=1,
+            credential_type=vault,
+            inputs={'vault_password': 'vault-me'}
+        )
+        credential.inputs['vault_password'] = encrypt_field(credential, 'vault_password')
+        self.instance.vault_credential = credential
+        self.task.run(self.pk)
+
+        assert self.run_pexpect.call_count == 1
+        call_args, call_kwargs = self.run_pexpect.call_args_list[0]
+        args, cwd, env, stdout = call_args
+
+        assert call_kwargs.get('expect_passwords')[
+            re.compile(r'Vault password:\s*?$', re.M)
+        ] == 'vault-me'
+        assert '--ask-vault-pass' in ' '.join(args)
+
    def test_ssh_key_with_agent(self):
        ssh = CredentialType.defaults['ssh']()
        credential = Credential(