more survey password encryption bug squashing

the nature of this latest bug is that the WorkflowJob has a *different* implementation of _accept_or_ignore_job_kwargs, and it wasn't performing encryption for extra vars provided at launch time; this change places the encryption mechanism in UJT.create_unified_job so that it works the same for _all_ UJTs see: https://github.com/ansible/ansible-tower/issues/7798 see: https://github.com/ansible/ansible-tower/issues/7046
2026-05-22 08:17:39 -02:30 · 2017-11-29 14:09:25 -05:00
parent 91cc4689c9
commit 68ada92f3b
2 changed files with 17 additions and 9 deletions
--- a/awx/main/models/unified_jobs.py
+++ b/awx/main/models/unified_jobs.py
@@ -32,7 +32,7 @@ from awx.main.models.base import * # noqa
 from awx.main.models.schedules import Schedule
 from awx.main.models.mixins import ResourceMixin, TaskManagerUnifiedJobMixin
 from awx.main.utils import (
-    decrypt_field, _inventory_updates,
+    encrypt_value, decrypt_field, _inventory_updates,
    copy_model_by_class, copy_m2m_relationships,
    get_type_for_model, parse_yaml_or_json
 )
@@ -336,6 +336,22 @@ class UnifiedJobTemplate(PolymorphicModel, CommonModelNameNotUnique, Notificatio
        '''
        Create a new unified job based on this unified job template.
        '''
+
+        # automatically encrypt survey fields
+        if hasattr(self, 'survey_spec') and getattr(self, 'survey_enabled', False):
+            password_list = self.survey_password_variables()
+            for key in kwargs.get('extra_vars', {}):
+                if key in password_list:
+                    if kwargs['extra_vars'][key] == '$encrypted$':
+                        # If we get into this block, it means there's probably
+                        # a bug in the way we substitute default survey
+                        # passwords; the value we anticipate here is plaintext
+                        # that needs to be encrypted
+                        raise NotImplementedError('extra_var encryption failed (unexpected $encrypted$ value)')
+                    kwargs['extra_vars'][key] = encrypt_value(
+                        kwargs['extra_vars'][key]
+                    )
+
        unified_job_class = self._get_unified_job_class()
        fields = self._get_unified_job_field_names()
        unified_job = copy_model_by_class(self, unified_job_class, fields, kwargs)