External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-05-20 07:17:40 -02:30
Code Issues Packages Projects Releases Wiki Activity

blacklist special env vars from being used in CredentialType injectors

Browse Source 
see: #5877
This commit is contained in:
Ryan Petrello
2017-04-20 12:44:14 -04:00
parent a36a53fe40
commit aff25c914e
2 changed files with 40 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
awx/main/models/credential.py
View File

@@ -457,6 +457,14 @@ class CredentialType(CommonModelNameNotUnique):
defaults = OrderedDict() defaults = OrderedDict()
ENV_BLACKLIST = set((
'VIRTUAL_ENV', 'PATH', 'PYTHONPATH', 'PROOT_TMP_DIR', 'JOB_ID',
'INVENTORY_ID', 'INVENTORY_SOURCE_ID', 'INVENTORY_UPDATE_ID',
'AD_HOC_COMMAND_ID', 'REST_API_URL', 'REST_API_TOKEN', 'TOWER_HOST',
'MAX_EVENT_RES', 'CALLBACK_QUEUE', 'CALLBACK_CONNECTION', 'CACHE',
'JOB_CALLBACK_DEBUG', 'INVENTORY_HOSTVARS', 'FACT_QUEUE',
))
class Meta: class Meta:
app_label = 'main' app_label = 'main'
ordering = ('kind', 'name') ordering = ('kind', 'name')
@@ -613,6 +621,8 @@ class CredentialType(CommonModelNameNotUnique):
namespace['tower'].filename = path namespace['tower'].filename = path
for env_var, tmpl in self.injectors.get('env', {}).items(): for env_var, tmpl in self.injectors.get('env', {}).items():
if env_var.startswith('ANSIBLE_') or env_var in self.ENV_BLACKLIST:
continue
env[env_var] = Template(tmpl).render(**namespace) env[env_var] = Template(tmpl).render(**namespace)
safe_env[env_var] = Template(tmpl).render(**safe_namespace) safe_env[env_var] = Template(tmpl).render(**safe_namespace)

30
awx/main/tests/unit/test_tasks.py
View File

@@ -619,6 +619,36 @@ class TestJobCredentials(TestJobExecution):
assert env['MY_CLOUD_API_TOKEN'] == 'ABC123' assert env['MY_CLOUD_API_TOKEN'] == 'ABC123'
def test_custom_environment_injectors_with_reserved_env_var(self):
some_cloud = CredentialType(
kind='cloud',
name='SomeCloud',
managed_by_tower=False,
inputs={
'fields': [{
'id': 'api_token',
'label': 'API Token',
'type': 'string'
}]
},
injectors={
'env': {
'JOB_ID': 'reserved'
}
}
)
self.instance.cloud_credential = Credential(
credential_type=some_cloud,
inputs = {'api_token': 'ABC123'}
)
self.task.run(self.pk)
assert self.task.run_pexpect.call_count == 1
call_args, _ = self.task.run_pexpect.call_args_list[0]
job, args, cwd, env, passwords, stdout = call_args
assert env['JOB_ID'] == str(self.instance.pk)
def test_custom_environment_injectors_with_secret_field(self): def test_custom_environment_injectors_with_secret_field(self):
some_cloud = CredentialType( some_cloud = CredentialType(
kind='cloud', kind='cloud',