fix: do not include secret values in the credentials test endpoint and add a guard to make sure credentials are testable

2026-04-23 18:55:24 -02:30 · 2026-04-23 16:34:35 +02:00
parent 55ad29ac68
commit 9c72db39e7
2 changed files with 15 additions and 4 deletions
--- a/awx/api/views/init.py
+++ b/awx/api/views/init.py
@@ -1720,12 +1720,10 @@ class OIDCCredentialTestMixin:
        return {'details': {'sent_jwt_payload': self._decode_jwt_payload_for_display(jwt_token)}}

    def _call_backend_with_error_handling(self, plugin, backend_kwargs, response_body):
-        """Call credential backend and handle errors, adding secret_value to response if OIDC details present."""
+        """Call credential backend and handle errors."""
        try:
            with set_environ(**settings.AWX_TASK_ENV):
-                secret_value = plugin.backend(**backend_kwargs)
-                if 'details' in response_body:
-                    response_body['details']['secret_value'] = secret_value
+                plugin.backend(**backend_kwargs)
                return Response(response_body, status=status.HTTP_202_ACCEPTED)
        except requests.exceptions.HTTPError as exc:
            message = self._extract_http_error_message(exc)
@@ -1791,6 +1789,8 @@ class CredentialExternalTest(OIDCCredentialTestMixin, SubDetailAPIView):
        It does not support standard credential types such as Machine, SCM, and Cloud."""})
    def post(self, request, *args, **kwargs):
        obj = self.get_object()
+        if obj.credential_type.kind != 'external':
+            raise ParseError(_('Credential is not testable.'))
        backend_kwargs = {}
        for field_name, value in obj.inputs.items():
            backend_kwargs[field_name] = obj.get_input(field_name)
@@ -1858,6 +1858,8 @@ class CredentialTypeExternalTest(OIDCCredentialTestMixin, SubDetailAPIView):
    @extend_schema_if_available(extensions={"x-ai-description": "Test a complete set of input values for an external credential"})
    def post(self, request, *args, **kwargs):
        obj = self.get_object()
+        if obj.kind != 'external':
+            raise ParseError(_('Credential type is not testable.'))
        backend_kwargs = request.data.get('inputs', {})
        backend_kwargs.update(request.data.get('metadata', {}))

--- a/awx/main/tests/functional/api/test_oidc_credential_test.py
+++ b/awx/main/tests/functional/api/test_oidc_credential_test.py
@@ -257,3 +257,12 @@ def test_credential_type_test_success_returns_jwt_payload(mock_flag, post, admin
    assert response.status_code == 202
    assert 'details' in response.data
    assert 'sent_jwt_payload' in response.data['details']
+
+
+@pytest.mark.django_db
+def test_credential_external_test_returns_400_for_non_external_credential(post, admin, credential):
+    # credential fixture creates a non-external credential (e.g. SSH/vault kind)
+    url = reverse('api:credential_external_test', kwargs={'pk': credential.pk})
+    response = post(url, {'metadata': {}}, admin)
+    assert response.status_code == 400
+    assert 'not testable' in response.data.get('detail', '').lower()