fix a bug in /api/v1/credential detection of Vault payloads

see: #6390

awx/api/serializers.py

@@ -2036,6 +2036,7 @@ class CredentialSerializer(BaseSerializer):
         return ret
 
     def to_internal_value(self, data):
+        # TODO: remove when API v1 is removed
         if 'credential_type' not in data:
             # If `credential_type` is not provided, assume the payload is a
             # v1 credential payload that specifies a `kind` and a flat list
@@ -2050,6 +2051,21 @@ class CredentialSerializer(BaseSerializer):
                 {'credential_type': credential_type}.items() +
                 super(CredentialSerializer, self).to_internal_value(data).items()
             )
+
+            # Make a set of the keys in the POST/PUT payload
+            # - Subtract real fields (name, organization, inputs)
+            # - Subtract virtual v1 fields defined on the determined credential
+            #   type (username, password, etc...)
+            # - Any leftovers are invalid for the determined credential type
+            valid_fields = set(super(CredentialSerializer, self).get_fields().keys())
+            valid_fields.update(V2CredentialFields().get_fields().keys())
+            valid_fields.update(['kind', 'cloud'])
+
+            for field in set(data.keys()) - valid_fields - set(credential_type.defined_fields):
+                if data.get(field):
+                    raise serializers.ValidationError(
+                        {"detail": _("'%s' is not a valid field for %s") % (field, credential_type.name)}
+                    )
             value.pop('kind', None)
             return value
         return super(CredentialSerializer, self).to_internal_value(data)