From 63567fcc52f711a38d200af35516e6cc5cff0ff7 Mon Sep 17 00:00:00 2001
From: Rick Elrod <rick@elrod.me>
Date: Thu, 8 Sep 2022 02:13:41 -0500
Subject: [PATCH] [sig validation] better error for job template run (#12735)

When launching a job template, if the last project update failed due to
signature validation, show an error that actually says that.

Signed-off-by: Rick Elrod <rick@elrod.me>
---
 awx/api/serializers.py | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/awx/api/serializers.py b/awx/api/serializers.py
index acb3144d15..cea444243c 100644
--- a/awx/api/serializers.py
+++ b/awx/api/serializers.py
@@ -4197,6 +4197,15 @@ class JobLaunchSerializer(BaseSerializer):
         elif template.project.status in ('error', 'failed'):
             errors['playbook'] = _("Missing a revision to run due to failed project update.")
 
+            latest_update = template.project.project_updates.last()
+            if latest_update is not None and latest_update.failed:
+                failed_validation_tasks = latest_update.project_update_events.filter(
+                    event='runner_on_failed',
+                    play="Perform project signature/checksum verification",
+                )
+                if failed_validation_tasks:
+                    errors['playbook'] = _("Last project update failed due to signature validation failure.")
+
         # cannot run a playbook without an inventory
         if template.inventory and template.inventory.pending_deletion is True:
             errors['inventory'] = _("The inventory associated with this Job Template is being deleted.")