External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-05-15 05:17:36 -02:30
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1527 from ryanpetrello/oauth2-filter

Browse Source 
restrict API filtering on oauth-related fields
This commit is contained in:
Ryan Petrello
2018-03-12 09:43:05 -04:00
committed by GitHub
parent dcab97f94f a61187e132
commit 6d43b8c4dd
2 changed files with 12 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
awx/api/filters.py
View File

@@ -131,6 +131,8 @@ class FieldLookupBackend(BaseFilterBackend):
new_parts.append(name_alt) new_parts.append(name_alt)
else: else:
field = model._meta.get_field(name) field = model._meta.get_field(name)
if 'auth' in name or 'token' in name:
raise PermissionDenied(_('Filtering on %s is not allowed.' % name))
if isinstance(field, ForeignObjectRel) and getattr(field.field, '__prevent_search__', False): if isinstance(field, ForeignObjectRel) and getattr(field.field, '__prevent_search__', False):
raise PermissionDenied(_('Filtering on %s is not allowed.' % name)) raise PermissionDenied(_('Filtering on %s is not allowed.' % name))
elif getattr(field, '__prevent_search__', False): elif getattr(field, '__prevent_search__', False):

16
awx/main/tests/unit/api/test_filters.py
View File

@@ -4,11 +4,11 @@ import pytest
from rest_framework.exceptions import PermissionDenied, ParseError from rest_framework.exceptions import PermissionDenied, ParseError
from awx.api.filters import FieldLookupBackend from awx.api.filters import FieldLookupBackend
from awx.main.models import (AdHocCommand, CustomInventoryScript, from awx.main.models import (AdHocCommand, ActivityStream,
Credential, Job, JobTemplate, SystemJob, CustomInventoryScript, Credential, Job,
UnifiedJob, User, WorkflowJob, JobTemplate, SystemJob, UnifiedJob, User,
WorkflowJobTemplate, WorkflowJobOptions, WorkflowJob, WorkflowJobTemplate,
InventorySource) WorkflowJobOptions, InventorySource)
from awx.main.models.jobs import JobOptions from awx.main.models.jobs import JobOptions
@@ -56,6 +56,8 @@ def test_filter_on_password_field(password_field, lookup_suffix):
@pytest.mark.parametrize('model, query', [ @pytest.mark.parametrize('model, query', [
(User, 'password__icontains'), (User, 'password__icontains'),
(User, 'settings__value__icontains'), (User, 'settings__value__icontains'),
(User, 'main_oauth2accesstoken__token__gt'),
(User, 'main_oauth2application__name__gt'),
(UnifiedJob, 'job_args__icontains'), (UnifiedJob, 'job_args__icontains'),
(UnifiedJob, 'job_env__icontains'), (UnifiedJob, 'job_env__icontains'),
(UnifiedJob, 'start_args__icontains'), (UnifiedJob, 'start_args__icontains'),
@@ -67,7 +69,9 @@ def test_filter_on_password_field(password_field, lookup_suffix):
(WorkflowJob, 'survey_passwords__icontains'), (WorkflowJob, 'survey_passwords__icontains'),
(JobTemplate, 'survey_spec__icontains'), (JobTemplate, 'survey_spec__icontains'),
(WorkflowJobTemplate, 'survey_spec__icontains'), (WorkflowJobTemplate, 'survey_spec__icontains'),
(CustomInventoryScript, 'script__icontains') (CustomInventoryScript, 'script__icontains'),
(ActivityStream, 'o_auth2_access_token__gt'),
(ActivityStream, 'o_auth2_application__gt')
]) ])
def test_filter_sensitive_fields_and_relations(model, query): def test_filter_sensitive_fields_and_relations(model, query):
field_lookup = FieldLookupBackend() field_lookup = FieldLookupBackend()