Merge pull request #2810 from rooftopcellist/hide_app_client_secret

hide client_secret from API

awx/api/serializers.py

@@ -44,7 +44,7 @@ from awx.main.constants import (
     SCHEDULEABLE_PROVIDERS,
     ANSI_SGR_PATTERN,
     ACTIVE_STATES,
-    TOKEN_CENSOR,
+    CENSOR_VALUE,
     CHOICES_PRIVILEGE_ESCALATION_METHODS,
 )
 from awx.main.models import * # noqa
@@ -1021,7 +1021,7 @@ class BaseOAuth2TokenSerializer(BaseSerializer):
             if request.method == 'POST':
                 return obj.token
             else:
-                return TOKEN_CENSOR
+                return CENSOR_VALUE
         except ObjectDoesNotExist:
             return ''
             
@@ -1033,7 +1033,7 @@ class BaseOAuth2TokenSerializer(BaseSerializer):
             elif request.method == 'POST':
                 return getattr(obj.refresh_token, 'token', '')
             else:
-                return TOKEN_CENSOR
+                return CENSOR_VALUE
         except ObjectDoesNotExist:
             return None
 
@@ -1181,6 +1181,9 @@ class OAuth2ApplicationSerializer(BaseSerializer):
         
     def to_representation(self, obj):
         ret = super(OAuth2ApplicationSerializer, self).to_representation(obj)
+        request = self.context.get('request', None)
+        if request.method != 'POST' and obj.client_type == 'confidential':
+            ret['client_secret'] = CENSOR_VALUE
         if obj.client_type == 'public':
             ret.pop('client_secret', None)
         return ret
@@ -1201,7 +1204,7 @@ class OAuth2ApplicationSerializer(BaseSerializer):
         return obj.updated
 
     def _summary_field_tokens(self, obj):
-        token_list = [{'id': x.pk, 'token': TOKEN_CENSOR, 'scope': x.scope} for x in obj.oauth2accesstoken_set.all()[:10]]
+        token_list = [{'id': x.pk, 'token': CENSOR_VALUE, 'scope': x.scope} for x in obj.oauth2accesstoken_set.all()[:10]]
         if has_model_field_prefetched(obj, 'oauth2accesstoken_set'):
             token_count = len(obj.oauth2accesstoken_set.all())
         else:

awx/api/views.py

@@ -1601,6 +1601,10 @@ class OAuth2ApplicationDetail(RetrieveUpdateDestroyAPIView):
     serializer_class = OAuth2ApplicationSerializer
     swagger_topic = 'Authentication'
 
+    def update_raw_data(self, data):
+        data.pop('client_secret', None)
+        return super(OAuth2ApplicationDetail, self).update_raw_data(data)
+
 
 class ApplicationOAuth2TokenList(SubListCreateAPIView):
 

awx/main/constants.py

@@ -28,4 +28,4 @@ STANDARD_INVENTORY_UPDATE_ENV = {
 }
 CAN_CANCEL = ('new', 'pending', 'waiting', 'running')
 ACTIVE_STATES = CAN_CANCEL
-TOKEN_CENSOR = '************'
+CENSOR_VALUE = '************'

awx/main/signals.py

@@ -33,7 +33,7 @@ import six
 # AWX
 from awx.main.models import * # noqa
 from awx.api.serializers import * # noqa
-from awx.main.constants import TOKEN_CENSOR
+from awx.main.constants import CENSOR_VALUE
 from awx.main.utils import model_instance_diff, model_to_dict, camelcase_to_underscore, get_current_apps
 from awx.main.utils import ignore_inventory_computed_fields, ignore_inventory_group_removal, _inventory_updates
 from awx.main.tasks import update_inventory_computed_fields
@@ -428,7 +428,7 @@ def activity_stream_create(sender, instance, created, **kwargs):
             if 'extra_vars' in changes:
                 changes['extra_vars'] = instance.display_extra_vars()
         if type(instance) == OAuth2AccessToken:
-            changes['token'] = TOKEN_CENSOR
+            changes['token'] = CENSOR_VALUE
         activity_entry = get_activity_stream_class()(
             operation='create',
             object1=object1,
@@ -495,7 +495,7 @@ def activity_stream_delete(sender, instance, **kwargs):
     changes = model_to_dict(instance)
     object1 = camelcase_to_underscore(instance.__class__.__name__)
     if type(instance) == OAuth2AccessToken:
-        changes['token'] = TOKEN_CENSOR
+        changes['token'] = CENSOR_VALUE
     activity_entry = get_activity_stream_class()(
         operation='delete',
         changes=json.dumps(changes),