more survey password encryption bug squashing

the nature of this latest bug is that the WorkflowJob has a *different* implementation of _accept_or_ignore_job_kwargs, and it wasn't performing encryption for extra vars provided at launch time; this change places the encryption mechanism in UJT.create_unified_job so that it works the same for _all_ UJTs see: https://github.com/ansible/ansible-tower/issues/7798 see: https://github.com/ansible/ansible-tower/issues/7046
2026-01-19 13:41:28 -03:30 · 2017-11-29 14:09:25 -05:00 · 2017-11-29 14:09:25 -05:00 · 68ada92f3b
commit 68ada92f3b
parent 91cc4689c9
2 changed files with 17 additions and 9 deletions
--- a/awx/main/models/jobs.py
+++ b/awx/main/models/jobs.py
@ -37,7 +37,6 @@ from awx.main.utils import (
    ignore_inventory_computed_fields,
    parse_yaml_or_json,
 )
-from awx.main.utils.encryption import encrypt_value
 from awx.main.fields import ImplicitRoleField
 from awx.main.models.mixins import ResourceMixin, SurveyJobTemplateMixin, SurveyJobMixin, TaskManagerJobMixin
 from awx.main.models.base import PERM_INVENTORY_SCAN
@ -386,7 +385,6 @@ class JobTemplate(UnifiedJobTemplate, JobOptions, SurveyJobTemplateMixin, Resour
        # Sort the runtime fields allowed and disallowed by job template
        ignored_fields = {}
        prompted_fields = {}
-        survey_password_variables = self.survey_password_variables()

        ask_for_vars_dict = self._ask_for_vars_dict()

@ -412,12 +410,6 @@ class JobTemplate(UnifiedJobTemplate, JobOptions, SurveyJobTemplateMixin, Resour
                    else:
                        ignored_fields[field] = kwargs[field]

-        for key in prompted_fields.get('extra_vars', {}):
-            if key in survey_password_variables:
-                prompted_fields['extra_vars'][key] = encrypt_value(
-                    prompted_fields['extra_vars'][key]
-                )
-
        return prompted_fields, ignored_fields

    def _extra_job_type_errors(self, data):
--- a/awx/main/models/unified_jobs.py
+++ b/awx/main/models/unified_jobs.py
@ -32,7 +32,7 @@ from awx.main.models.base import * # noqa
 from awx.main.models.schedules import Schedule
 from awx.main.models.mixins import ResourceMixin, TaskManagerUnifiedJobMixin
 from awx.main.utils import (
-    decrypt_field, _inventory_updates,
+    encrypt_value, decrypt_field, _inventory_updates,
    copy_model_by_class, copy_m2m_relationships,
    get_type_for_model, parse_yaml_or_json
 )
@ -336,6 +336,22 @@ class UnifiedJobTemplate(PolymorphicModel, CommonModelNameNotUnique, Notificatio
        '''
        Create a new unified job based on this unified job template.
        '''
+
+        # automatically encrypt survey fields
+        if hasattr(self, 'survey_spec') and getattr(self, 'survey_enabled', False):
+            password_list = self.survey_password_variables()
+            for key in kwargs.get('extra_vars', {}):
+                if key in password_list:
+                    if kwargs['extra_vars'][key] == '$encrypted$':
+                        # If we get into this block, it means there's probably
+                        # a bug in the way we substitute default survey
+                        # passwords; the value we anticipate here is plaintext
+                        # that needs to be encrypted
+                        raise NotImplementedError('extra_var encryption failed (unexpected $encrypted$ value)')
+                    kwargs['extra_vars'][key] = encrypt_value(
+                        kwargs['extra_vars'][key]
+                    )
+
        unified_job_class = self._get_unified_job_class()
        fields = self._get_unified_job_field_names()
        unified_job = copy_model_by_class(self, unified_job_class, fields, kwargs)