disallow ask_at_runtime fields for custom credential types

2026-01-13 19:10:07 -03:30 · 2017-05-02 10:35:32 -04:00 · 2017-05-02 10:35:32 -04:00 · 61b3f7afb7
commit 61b3f7afb7
parent bc20fa24f3
2 changed files with 36 additions and 6 deletions
--- a/awx/api/serializers.py
+++ b/awx/api/serializers.py
@ -1823,6 +1823,13 @@ class CredentialTypeSerializer(BaseSerializer):
        fields = ('*', 'kind', 'name', 'managed_by_tower', 'inputs',
                  'injectors')

+    def validate(self, attrs):
+        fields = attrs.get('inputs', {}).get('fields', [])
+        for field in fields:
+            if field.get('ask_at_runtime', False):
+                raise serializers.ValidationError({"detail": _("'ask_at_runtime' is not supported for custom credentials.")})
+        return super(CredentialTypeSerializer, self).validate(attrs)
+

 # TODO: remove when API v1 is removed
@six.add_metaclass(BaseSerializerMetaclass)
--- a/awx/main/tests/functional/api/test_credential_type.py
+++ b/awx/main/tests/functional/api/test_credential_type.py
@ -110,8 +110,7 @@ def test_create_with_valid_inputs(get, post, admin):
                'id': 'api_token',
                'label': 'API Token',
                'type': 'string',
-                'secret': True,
-                'ask_at_runtime': True
+                'secret': True
            }]
        },
        'injectors': {}
@ -124,7 +123,6 @@ def test_create_with_valid_inputs(get, post, admin):
    assert len(fields) == 1
    assert fields[0]['id'] == 'api_token'
    assert fields[0]['label'] == 'API Token'
-    assert fields[0]['ask_at_runtime'] is True
    assert fields[0]['secret'] is True
    assert fields[0]['type'] == 'string'

@ -142,7 +140,8 @@ def test_create_with_invalid_inputs_xfail(post, admin):


@pytest.mark.django_db
-def test_create_with_valid_injectors(get, post, admin):
+def test_ask_at_runtime_xfail(get, post, admin):
+    # ask_at_runtime is only supported by the built-in SSH and Vault types
    response = post(reverse('api:credential_type_list'), {
        'kind': 'cloud',
        'name': 'MyCloud',
@ -161,6 +160,31 @@ def test_create_with_valid_injectors(get, post, admin):
            }
        }
    }, admin)
+    assert response.status_code == 400
+
+    response = get(reverse('api:credential_type_list'), admin)
+    assert response.data['count'] == 0
+
+
+@pytest.mark.django_db
+def test_create_with_valid_injectors(get, post, admin):
+    response = post(reverse('api:credential_type_list'), {
+        'kind': 'cloud',
+        'name': 'MyCloud',
+        'inputs': {
+            'fields': [{
+                'id': 'api_token',
+                'label': 'API Token',
+                'type': 'string',
+                'secret': True
+            }]
+        },
+        'injectors': {
+            'env': {
+                'ANSIBLE_MY_CLOUD_TOKEN': '{{api_token}}'
+            }
+        }
+    }, admin)
    assert response.status_code == 201

    response = get(reverse('api:credential_type_list'), admin)
@ -193,8 +217,7 @@ def test_create_with_undefined_template_variable_xfail(post, admin):
                'id': 'api_token',
                'label': 'API Token',
                'type': 'string',
-                'secret': True,
-                'ask_at_runtime': True
+                'secret': True
            }]
        },
        'injectors': {