Merge pull request #6232 from ryanpetrello/jt_promptable_extra_creds

add prompting for JT.extra_credentials

awx/main/tests/functional/api/test_job_runtime_params.py

@@ -329,6 +329,70 @@ def test_job_launch_JT_with_validation(machine_credential, deploy_jobtemplate):
     assert job_obj.credential.id == machine_credential.id
 
 
+@pytest.mark.django_db
+@pytest.mark.parametrize('pks, error_msg', [
+    ([1], 'must be network or cloud'),
+    ([999], 'object does not exist'),
+])
+def test_job_launch_JT_with_invalid_extra_credentials(machine_credential, deploy_jobtemplate, pks, error_msg):
+    deploy_jobtemplate.ask_extra_credentials_on_launch = True
+    deploy_jobtemplate.save()
+
+    kv = dict(extra_credentials=pks, credential=machine_credential.id)
+    serializer = JobLaunchSerializer(
+        instance=deploy_jobtemplate, data=kv,
+        context={'obj': deploy_jobtemplate, 'data': kv, 'passwords': {}})
+    validated = serializer.is_valid()
+    assert validated is False
+
+
+@pytest.mark.django_db
+def test_job_launch_JT_enforces_unique_extra_credential_kinds(machine_credential, credentialtype_aws, deploy_jobtemplate):
+    """
+    JT launching should require that extra_credentials have distinct CredentialTypes
+    """
+    pks = []
+    for i in range(2):
+        aws = Credential.objects.create(
+            name='cred-%d' % i,
+            credential_type=credentialtype_aws,
+            inputs={
+                'username': 'test_user',
+                'password': 'pas4word'
+            }
+        )
+        aws.save()
+        pks.append(aws.pk)
+
+    kv = dict(extra_credentials=pks, credential=machine_credential.id)
+    serializer = JobLaunchSerializer(
+        instance=deploy_jobtemplate, data=kv,
+        context={'obj': deploy_jobtemplate, 'data': kv, 'passwords': {}})
+    validated = serializer.is_valid()
+    assert validated is False
+
+
+@pytest.mark.django_db
+def test_job_launch_JT_with_extra_credentials(machine_credential, credential, net_credential, deploy_jobtemplate):
+    deploy_jobtemplate.ask_extra_credentials_on_launch = True
+    deploy_jobtemplate.save()
+
+    kv = dict(extra_credentials=[credential.pk, net_credential.pk], credential=machine_credential.id)
+    serializer = JobLaunchSerializer(
+        instance=deploy_jobtemplate, data=kv,
+        context={'obj': deploy_jobtemplate, 'data': kv, 'passwords': {}})
+    validated = serializer.is_valid()
+    assert validated
+
+    prompted_fields, ignored_fields = deploy_jobtemplate._accept_or_ignore_job_kwargs(**kv)
+    job_obj = deploy_jobtemplate.create_unified_job(**prompted_fields)
+
+    extra_creds = job_obj.extra_credentials.all()
+    assert len(extra_creds) == 2
+    assert credential in extra_creds
+    assert net_credential in extra_creds
+
+
 @pytest.mark.django_db
 @pytest.mark.job_runtime_vars
 def test_job_launch_unprompted_vars_with_survey(mocker, survey_spec_factory, job_template_prompts, post, admin_user):

awx/main/tests/functional/api/test_job_template.py

@@ -452,6 +452,145 @@ def test_scan_jt_surveys(inventory):
     assert "survey_enabled" in serializer.errors
 
 
+@pytest.mark.django_db
+def test_launch_with_extra_credentials(get, post, organization_factory,
+                                       job_template_factory, machine_credential,
+                                       credential, net_credential):
+    objs = organization_factory("org", superusers=['admin'])
+    jt = job_template_factory("jt", organization=objs.organization,
+                              inventory='test_inv', project='test_proj').job_template
+    jt.ask_extra_credentials_on_launch = True
+    jt.save()
+
+    resp = post(
+        reverse('api:job_template_launch', kwargs={'pk': jt.pk}),
+        dict(
+            credential=machine_credential.pk,
+            extra_credentials=[credential.pk, net_credential.pk]
+        ),
+        objs.superusers.admin, expect=201
+    )
+    job_pk = resp.data.get('id')
+
+    resp = get(reverse('api:job_extra_credentials_list', kwargs={'pk': job_pk}), objs.superusers.admin)
+    assert resp.data.get('count') == 2
+
+    resp = get(reverse('api:job_template_extra_credentials_list', kwargs={'pk': jt.pk}), objs.superusers.admin)
+    assert resp.data.get('count') == 0
+
+
+@pytest.mark.django_db
+def test_launch_with_extra_credentials_no_allowed(get, post, organization_factory,
+                                                  job_template_factory, machine_credential,
+                                                  credential, net_credential):
+    objs = organization_factory("org", superusers=['admin'])
+    jt = job_template_factory("jt", organization=objs.organization,
+                              inventory='test_inv', project='test_proj').job_template
+    jt.ask_extra_credentials_on_launch = False
+    jt.save()
+
+    resp = post(
+        reverse('api:job_template_launch', kwargs={'pk': jt.pk}),
+        dict(
+            credential=machine_credential.pk,
+            extra_credentials=[credential.pk, net_credential.pk]
+        ),
+        objs.superusers.admin, expect=201
+    )
+    assert 'extra_credentials' in resp.data['ignored_fields'].keys()
+    job_pk = resp.data.get('id')
+
+    resp = get(reverse('api:job_extra_credentials_list', kwargs={'pk': job_pk}), objs.superusers.admin)
+    assert resp.data.get('count') == 0
+
+
+@pytest.mark.django_db
+def test_launch_with_extra_credentials_from_jt(get, post, organization_factory,
+                                               job_template_factory, machine_credential,
+                                               credential, net_credential):
+    objs = organization_factory("org", superusers=['admin'])
+    jt = job_template_factory("jt", organization=objs.organization,
+                              inventory='test_inv', project='test_proj').job_template
+    jt.ask_extra_credentials_on_launch = True
+    jt.extra_credentials.add(credential)
+    jt.extra_credentials.add(net_credential)
+    jt.save()
+
+    resp = post(
+        reverse('api:job_template_launch', kwargs={'pk': jt.pk}),
+        dict(
+            credential=machine_credential.pk
+        ),
+        objs.superusers.admin, expect=201
+    )
+    job_pk = resp.data.get('id')
+
+    resp = get(reverse('api:job_extra_credentials_list', kwargs={'pk': job_pk}), objs.superusers.admin)
+    assert resp.data.get('count') == 2
+
+    resp = get(reverse('api:job_template_extra_credentials_list', kwargs={'pk': jt.pk}), objs.superusers.admin)
+    assert resp.data.get('count') == 2
+
+
+@pytest.mark.django_db
+def test_launch_with_empty_extra_credentials(get, post, organization_factory,
+                                             job_template_factory, machine_credential,
+                                             credential, net_credential):
+    objs = organization_factory("org", superusers=['admin'])
+    jt = job_template_factory("jt", organization=objs.organization,
+                              inventory='test_inv', project='test_proj').job_template
+    jt.ask_extra_credentials_on_launch = True
+    jt.extra_credentials.add(credential)
+    jt.extra_credentials.add(net_credential)
+    jt.save()
+
+    resp = post(
+        reverse('api:job_template_launch', kwargs={'pk': jt.pk}),
+        dict(
+            credential=machine_credential.pk,
+            extra_credentials=[],
+        ),
+        objs.superusers.admin, expect=201
+    )
+    job_pk = resp.data.get('id')
+
+    resp = get(reverse('api:job_extra_credentials_list', kwargs={'pk': job_pk}), objs.superusers.admin)
+    assert resp.data.get('count') == 0
+
+    resp = get(reverse('api:job_template_extra_credentials_list', kwargs={'pk': jt.pk}), objs.superusers.admin)
+    assert resp.data.get('count') == 2
+
+
+@pytest.mark.django_db
+def test_v1_launch_with_extra_credentials(get, post, organization_factory,
+                                          job_template_factory, machine_credential,
+                                          credential, net_credential):
+    # launch requests to `/api/v1/job_templates/N/launch/` should ignore
+    # `extra_credentials`, as they're only supported in v2 of the API.
+    objs = organization_factory("org", superusers=['admin'])
+    jt = job_template_factory("jt", organization=objs.organization,
+                              inventory='test_inv', project='test_proj').job_template
+    jt.ask_extra_credentials_on_launch = True
+    jt.save()
+
+    resp = post(
+        reverse('api:job_template_launch', kwargs={'pk': jt.pk, 'version': 'v1'}),
+        dict(
+            credential=machine_credential.pk,
+            extra_credentials=[credential.pk, net_credential.pk]
+        ),
+        objs.superusers.admin, expect=201
+    )
+    job_pk = resp.data.get('id')
+    assert resp.data.get('ignored_fields').keys() == ['extra_credentials']
+
+    resp = get(reverse('api:job_extra_credentials_list', kwargs={'pk': job_pk}), objs.superusers.admin)
+    assert resp.data.get('count') == 0
+
+    resp = get(reverse('api:job_template_extra_credentials_list', kwargs={'pk': jt.pk}), objs.superusers.admin)
+    assert resp.data.get('count') == 0
+
+
 @pytest.mark.django_db
 def test_jt_without_project(inventory):
     data = dict(name="Test", job_type="run",

awx/main/tests/functional/models/test_job_options.py

@@ -45,16 +45,3 @@ def test_clean_credential_with_custom_types(credentialtype_aws, credentialtype_n
     job_template.extra_credentials.add(aws)
     job_template.extra_credentials.add(net)
     job_template.full_clean()
-
-
-@pytest.mark.django_db
-def test_clean_credential_with_custom_types_xfail(credentialtype_ssh, job_template):
-    ssh = Credential(
-        name='SSH Credential',
-        credential_type=credentialtype_ssh
-    )
-    ssh.save()
-
-    with pytest.raises(ValidationError):
-        job_template.extra_credentials.add(ssh)
-        job_template.full_clean()