From f5aed745037f150423250a7af7f300c2d54c00d0 Mon Sep 17 00:00:00 2001 From: chris meyers Date: Thu, 9 Aug 2018 12:06:46 -0400 Subject: [PATCH 1/6] fill in network ssh password protected keys --- awx/main/tasks.py | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/awx/main/tasks.py b/awx/main/tasks.py index 28c11b13a2..8a3c7e8416 100644 --- a/awx/main/tasks.py +++ b/awx/main/tasks.py @@ -1119,6 +1119,18 @@ class RunJob(BaseTask): if value not in ('', 'ASK'): passwords[field] = value + ''' + Only 1 value can be provided for a unique prompt string. Prefer ssh + key unlock over network key unlock. + ''' + if 'ssh_key_unlock' not in passwords: + for cred in job.network_credentials: + if cred.inputs.get('ssh_key_unlock'): + passwords['ssh_key_unlock'] = kwargs.get( + 'ssh_key_unlock', + decrypt_field(cred, 'ssh_key_unlock') + ) + return passwords def build_env(self, job, **kwargs): From 3c2b18a9650b2536394cc6524eb7a31c6cb61912 Mon Sep 17 00:00:00 2001 From: chris meyers Date: Thu, 9 Aug 2018 12:40:33 -0400 Subject: [PATCH 2/6] add pexpect test for net cred --- awx/main/tests/unit/test_tasks.py | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/awx/main/tests/unit/test_tasks.py b/awx/main/tests/unit/test_tasks.py index 9ab613ae1a..e3e538bb3f 100644 --- a/awx/main/tests/unit/test_tasks.py +++ b/awx/main/tests/unit/test_tasks.py 
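Review bot: In the awx/main/tasks.py hunk of PATCH 1/6, `decrypt_field(cred, 'ssh_key_unlock')` is passed as the default argument of `kwargs.get(...)`, so it is evaluated on every call and the stored passphrase is decrypted even when the caller already supplied `ssh_key_unlock`. Decrypting only on demand avoids that: `passwords['ssh_key_unlock'] = kwargs['ssh_key_unlock'] if 'ssh_key_unlock' in kwargs else decrypt_field(cred, 'ssh_key_unlock')`. The truthiness test `cred.inputs.get('ssh_key_unlock')` also lets a stored `'ASK'` through, while the context lines above filter `''` and `'ASK'` before storing a value; whether `decrypt_field` tolerates that sentinel is not visible here, so the same `not in ('', 'ASK')` filter looks worth applying to the result. The bare `'''` block is an expression statement rather than a comment and would read better as `#` lines. The enclosing method starts outside the hunk.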
@@ -765,6 +765,22 @@ class TestJobCredentials(TestJobExecution): if expected_flag: assert expected_flag in ' '.join(args) + def test_net_password(self): + net = CredentialType.defaults['net']() + credential = Credential( + pk=1, + credential_type=net, + inputs = {'username': 'bob', 'ssh_key_unlock': 'secret'} + ) + credential.inputs['ssh_key_unlock'] = encrypt_field(credential, 'ssh_key_unlock') + self.instance.credentials.add(credential) + self.task.run(self.pk) + + assert self.run_pexpect.call_count == 1 + call_args, call_kwargs = self.run_pexpect.call_args_list[0] + + assert 'secret' in call_kwargs.get('expect_passwords').values() + def test_vault_password(self): vault = CredentialType.defaults['vault']() credential = Credential( From bc2b2214a88187e54d2cf019e6592ec86bbcc87f Mon Sep 17 00:00:00 2001 From: chris meyers Date: Thu, 9 Aug 2018 12:51:40 -0400 Subject: [PATCH 3/6] add test for ssh over network ssh key password preference --- awx/main/tests/unit/test_tasks.py | 30 ++++++++++++++++++++++++++++-- 1 file changed, 28 insertions(+), 2 deletions(-) diff --git a/awx/main/tests/unit/test_tasks.py b/awx/main/tests/unit/test_tasks.py index e3e538bb3f..2962197e9c 100644 --- a/awx/main/tests/unit/test_tasks.py +++ b/awx/main/tests/unit/test_tasks.py @@ -765,12 +765,12 @@ class TestJobCredentials(TestJobExecution): if expected_flag: assert expected_flag in ' '.join(args) - def test_net_password(self): + def test_net_ssh_key_unlock(self): net = CredentialType.defaults['net']() credential = Credential( pk=1, credential_type=net, - inputs = {'username': 'bob', 'ssh_key_unlock': 'secret'} + inputs = {'ssh_key_unlock': 'secret'} ) credential.inputs['ssh_key_unlock'] = encrypt_field(credential, 'ssh_key_unlock') self.instance.credentials.add(credential) 
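Review bot: The last assertion of `test_net_password` (PATCH 2/6) only checks that `'secret'` appears somewhere in `expect_passwords.values()`, so it would still pass if the passphrase were bound to the wrong prompt pattern. Asserting on the key/value pair would pin the behaviour the tasks.py change adds; the prompt key is not visible in this hunk and has to be taken from the task code. Indexing with `call_kwargs['expect_passwords']` instead of `call_kwargs.get('expect_passwords')` would also make a missing argument fail as a clear KeyError rather than an AttributeError on `None`. The same loose check recurs in `test_prefer_ssh_over_net_ssh_key_unlock` (PATCH 3/6) and `test_net_first_ssh_key_unlock_wins` (PATCH 5/6).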
@@ -781,6 +781,32 @@ class TestJobCredentials(TestJobExecution): assert 'secret' in call_kwargs.get('expect_passwords').values() + def test_prefer_ssh_over_net_ssh_key_unlock(self): + net = CredentialType.defaults['net']() + net_credential = Credential( + pk=1, + credential_type=net, + inputs = {'ssh_key_unlock': 'net_secret'} + ) + net_credential.inputs['ssh_key_unlock'] = encrypt_field(net_credential, 'ssh_key_unlock') + + ssh = CredentialType.defaults['ssh']() + ssh_credential = Credential( + pk=1, + credential_type=ssh, + inputs = {'ssh_key_unlock': 'ssh_secret'} + ) + ssh_credential.inputs['ssh_key_unlock'] = encrypt_field(ssh_credential, 'ssh_key_unlock') + + self.instance.credentials.add(net_credential) + self.instance.credentials.add(ssh_credential) + self.task.run(self.pk) + + assert self.run_pexpect.call_count == 1 + call_args, call_kwargs = self.run_pexpect.call_args_list[0] + + assert 'ssh_secret' in call_kwargs.get('expect_passwords').values() + def test_vault_password(self): vault = CredentialType.defaults['vault']() credential = Credential( From 3960a72c8a92f116fff7f089b62316ac628f6c38 Mon Sep 17 00:00:00 2001 From: chris meyers Date: Thu, 9 Aug 2018 13:25:15 -0400 Subject: [PATCH 4/6] first net password-protected ssh key wins --- awx/main/tasks.py | 1 + 1 file changed, 1 insertion(+) diff --git a/awx/main/tasks.py b/awx/main/tasks.py index 8a3c7e8416..3690c52f45 100644 --- a/awx/main/tasks.py +++ b/awx/main/tasks.py @@ -1130,6 +1130,7 @@ class RunJob(BaseTask): 'ssh_key_unlock', decrypt_field(cred, 'ssh_key_unlock') ) + break return passwords From 45f2fe7f90b58f01316601c46549dafa3792af15 Mon Sep 17 00:00:00 2001 From: chris meyers Date: Thu, 9 Aug 2018 13:32:42 -0400 Subject: [PATCH 5/6] add test for first net cred ssh password protected wins --- awx/main/tests/unit/test_tasks.py | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) 
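Review bot: `test_prefer_ssh_over_net_ssh_key_unlock` (PATCH 3/6, second hunk) shows that `'ssh_secret'` is passed but not that the network passphrase is withheld, which is the half of the precedence rule that matters when the two credentials protect different keys. Adding `assert 'net_secret' not in call_kwargs['expect_passwords'].values()` after the existing assertion would cover it. `test_net_first_ssh_key_unlock_wins` in PATCH 5/6 has the same gap for `'secret1'` and `'secret2'`.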
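Review bot: With the `break` added in PATCH 4/6, the passphrase that is offered depends on the iteration order of `job.network_credentials`, and nothing in the hunk shows that order to be stable. If it is an unordered collection or queryset, two runs of the same job could answer the key prompt with different passphrases. Iterating in a defined order would make the choice reproducible, for example `for cred in sorted(job.network_credentials, key=lambda c: c.pk):`, assuming `pk` is always set on these objects. The comment block above the loop still says only that ssh is preferred over network; it could add `# The first network credential that has a passphrase wins.` The enclosing method lies outside the hunk.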
diff --git a/awx/main/tests/unit/test_tasks.py b/awx/main/tests/unit/test_tasks.py index 2962197e9c..05cfce132e 100644 --- a/awx/main/tests/unit/test_tasks.py +++ b/awx/main/tests/unit/test_tasks.py @@ -781,6 +781,23 @@ class TestJobCredentials(TestJobExecution): assert 'secret' in call_kwargs.get('expect_passwords').values() + def test_net_first_ssh_key_unlock_wins(self): + for i in range(3): + net = CredentialType.defaults['net']() + credential = Credential( + pk=1, + credential_type=net, + inputs = {'ssh_key_unlock': 'secret{}'.format(i)} + ) + credential.inputs['ssh_key_unlock'] = encrypt_field(credential, 'ssh_key_unlock') + self.instance.credentials.add(credential) + self.task.run(self.pk) + + assert self.run_pexpect.call_count == 1 + call_args, call_kwargs = self.run_pexpect.call_args_list[0] + + assert 'secret0' in call_kwargs.get('expect_passwords').values() + def test_prefer_ssh_over_net_ssh_key_unlock(self): net = CredentialType.defaults['net']() net_credential = Credential( From c7c9620f032c4630ff88a8973b618a99433925b9 Mon Sep 17 00:00:00 2001 From: chris meyers Date: Thu, 9 Aug 2018 15:44:59 -0400 Subject: [PATCH 6/6] vary the pk --- awx/main/tests/unit/test_tasks.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/awx/main/tests/unit/test_tasks.py b/awx/main/tests/unit/test_tasks.py index 05cfce132e..ffdc79a505 100644 --- a/awx/main/tests/unit/test_tasks.py +++ b/awx/main/tests/unit/test_tasks.py @@ -785,7 +785,7 @@ class TestJobCredentials(TestJobExecution): for i in range(3): net = CredentialType.defaults['net']() credential = Credential( - pk=1, + pk=i, credential_type=net, inputs = {'ssh_key_unlock': 'secret{}'.format(i)} ) @@ -809,7 +809,7 @@ class TestJobCredentials(TestJobExecution): ssh = CredentialType.defaults['ssh']() ssh_credential = Credential( - pk=1, + pk=2, credential_type=ssh, inputs = {'ssh_key_unlock': 'ssh_secret'} )