From b4d69cb5c71dab959d818a67e0db275f7c382958 Mon Sep 17 00:00:00 2001
From: Ryan Petrello <rpetrell@redhat.com>
Date: Fri, 4 Aug 2017 10:06:35 -0400
Subject: [PATCH] don't delete settings that are marked as `read_only`

---
 awx/conf/views.py                             |  2 ++
 .../tests/functional/api/test_settings.py     | 27 +++++++++++++++++++
 2 files changed, 29 insertions(+)

diff --git a/awx/conf/views.py b/awx/conf/views.py
index 70110453f5..54405f4477 100644
--- a/awx/conf/views.py
+++ b/awx/conf/views.py
@@ -148,6 +148,8 @@ class SettingSingletonDetail(RetrieveUpdateDestroyAPIView):
     def perform_destroy(self, instance):
         settings_change_list = []
         for setting in self.get_queryset().exclude(key='LICENSE'):
+            if settings_registry.get_setting_field(setting.key).read_only:
+                continue
             setting.delete()
             settings_change_list.append(setting.key)
         if settings_change_list and 'migrate_to_database_settings' not in sys.argv:
diff --git a/awx/main/tests/functional/api/test_settings.py b/awx/main/tests/functional/api/test_settings.py
index 1eed0100ab..7432101a40 100644
--- a/awx/main/tests/functional/api/test_settings.py
+++ b/awx/main/tests/functional/api/test_settings.py
@@ -5,6 +5,8 @@
 import pytest
 import os
 
+from django.conf import settings
+
 # Mock
 import mock
 
@@ -259,3 +261,28 @@ def test_isolated_job_setting_validation(get, patch, admin, setting_name):
 
     data = get(url, user=admin).data
     assert data[setting_name] != -1
+
+
+@pytest.mark.django_db
+@pytest.mark.parametrize('key, expected', [
+    ['AWX_ISOLATED_PRIVATE_KEY', '$encrypted$'],
+    ['AWX_ISOLATED_PUBLIC_KEY', 'secret'],
+])
+def test_isolated_keys_readonly(get, patch, delete, admin, key, expected):
+    Setting.objects.create(
+        key=key,
+        value='secret'
+    ).save()
+    assert getattr(settings, key) == 'secret'
+
+    url = reverse('api:setting_singleton_detail', kwargs={'category_slug': 'jobs'})
+    resp = get(url, user=admin)
+    assert resp.data[key] == expected
+
+    patch(url, user=admin, data={
+        key: 'new-secret'
+    })
+    assert getattr(settings, key) == 'secret'
+
+    delete(url, user=admin)
+    assert getattr(settings, key) == 'secret'