From 61b3f7afb7cc8d4af5b676239d1f5e32fed6e4e4 Mon Sep 17 00:00:00 2001
From: Ryan Petrello
Date: Tue, 2 May 2017 10:35:32 -0400
Subject: [PATCH] disallow `ask_at_runtime` fields for custom credential types
---
 awx/api/serializers.py | 7 ++++
 .../functional/api/test_credential_type.py | 35 +++++++++++++++----
 2 files changed, 36 insertions(+), 6 deletions(-)
diff --git a/awx/api/serializers.py b/awx/api/serializers.py
index 8d974ad41f..3cbc070bfe 100644
--- a/awx/api/serializers.py
+++ b/awx/api/serializers.py
@@ -1823,6 +1823,13 @@ class CredentialTypeSerializer(BaseSerializer):
 fields = ('*', 'kind', 'name', 'managed_by_tower', 'inputs', 'injectors')
+ def validate(self, attrs):
+ fields = attrs.get('inputs', {}).get('fields', [])
+ for field in fields:
+ if field.get('ask_at_runtime', False):
+ raise serializers.ValidationError({"detail": _("'ask_at_runtime' is not supported for custom credentials.")})
+ return super(CredentialTypeSerializer, self).validate(attrs)
+
 # TODO: remove when API v1 is removed
 @six.add_metaclass(BaseSerializerMetaclass)
diff --git a/awx/main/tests/functional/api/test_credential_type.py b/awx/main/tests/functional/api/test_credential_type.py
index aa40651edf..a0b18e966e 100644
--- a/awx/main/tests/functional/api/test_credential_type.py
+++ b/awx/main/tests/functional/api/test_credential_type.py
@@ -110,8 +110,7 @@ def test_create_with_valid_inputs(get, post, admin):
 'id': 'api_token',
 'label': 'API Token',
 'type': 'string',
- 'secret': True,
- 'ask_at_runtime': True
+ 'secret': True
 }]
 },
 'injectors': {}
@@ -124,7 +123,6 @@ def test_create_with_valid_inputs(get, post, admin):
 assert len(fields) == 1
 assert fields[0]['id'] == 'api_token'
 assert fields[0]['label'] == 'API Token'
- assert fields[0]['ask_at_runtime'] is True
 assert fields[0]['secret'] is True
 assert fields[0]['type'] == 'string'
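Review bot: In `CredentialTypeSerializer.validate` (awx/api/serializers.py) the new loop calls `.get` on `attrs['inputs']` and on every entry of `fields` before `super().validate(attrs)` runs, so it relies on shapes that nothing in this hunk has checked. If a client posts `inputs` as null or a list, or a `fields` entry that is not an object, this would presumably raise AttributeError and return HTTP 500 rather than 400. Whether an earlier field-level validator already rules that out is not visible here. I would make the scan type-tolerant and leave malformed shapes for the existing validation to reject, as sketched below. Keying the error on `inputs` instead of `detail` would also point API clients at the offending field.

```python
    def validate(self, attrs):
        inputs = attrs.get('inputs') or {}
        fields = inputs.get('fields') if isinstance(inputs, dict) else None
        if not isinstance(fields, list):
            # malformed shapes are not this check's job; leave them to the later validation
            fields = []
        for field in fields:
            if isinstance(field, dict) and field.get('ask_at_runtime', False):
                # … unchanged: raise serializers.ValidationError(...) …
        # … unchanged: return super(CredentialTypeSerializer, self).validate(attrs) …
```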
@@ -142,7 +140,8 @@ def test_create_with_invalid_inputs_xfail(post, admin):
 @pytest.mark.django_db
-def test_create_with_valid_injectors(get, post, admin):
+def test_ask_at_runtime_xfail(get, post, admin):
+ # ask_at_runtime is only supported by the built-in SSH and Vault types
 response = post(reverse('api:credential_type_list'), {
 'kind': 'cloud',
 'name': 'MyCloud',
@@ -161,6 +160,31 @@ def test_create_with_valid_injectors(get, post, admin):
 }
 }
 }, admin)
+ assert response.status_code == 400
+
+ response = get(reverse('api:credential_type_list'), admin)
+ assert response.data['count'] == 0
+
+
+@pytest.mark.django_db
+def test_create_with_valid_injectors(get, post, admin):
+ response = post(reverse('api:credential_type_list'), {
+ 'kind': 'cloud',
+ 'name': 'MyCloud',
+ 'inputs': {
+ 'fields': [{
+ 'id': 'api_token',
+ 'label': 'API Token',
+ 'type': 'string',
+ 'secret': True
+ }]
+ },
+ 'injectors': {
+ 'env': {
+ 'ANSIBLE_MY_CLOUD_TOKEN': '{{api_token}}'
+ }
+ }
+ }, admin)
 assert response.status_code == 201
 response = get(reverse('api:credential_type_list'), admin)
@@ -193,8 +217,7 @@ def test_create_with_undefined_template_variable_xfail(post, admin):
 'id': 'api_token',
 'label': 'API Token',
 'type': 'string',
- 'secret': True,
- 'ask_at_runtime': True
+ 'secret': True
 }]
 },
 'injectors': {
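Review bot: `test_ask_at_runtime_xfail` (the hunks at -142 and -161) asserts only `response.status_code == 400`, so it passes on any validation failure, not just the new `ask_at_runtime` rule. The request body lies between the two hunks and is not visible, so I cannot confirm it still sends `'ask_at_runtime': True`; it also carries an `injectors` block that could be rejected for its own reasons. Adding `assert 'ask_at_runtime' in str(response.data)` after the status check would tie the test to this rule. A second case that sends the flag via PUT or PATCH on an existing type would cover the update path, which presumably goes through the same `validate()`.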