Merge pull request #6305 from jangsutsr/6272_prevent_nested_encrypted_field_leak_in_activity_stream

Prevent nested encrypted field leak in activity stream
2026-02-25 15:06:02 -03:30 · 2017-05-24 09:55:29 -04:00
parent a15bc6d0f7 7f1f68ee28
commit b50820fa60
6 changed files with 119 additions and 30 deletions
--- a/awx/main/tests/functional/conftest.py
+++ b/awx/main/tests/functional/conftest.py
@@ -292,6 +292,15 @@ def notification_template(organization):
                                                                               headers={"Test": "Header"}))


+@pytest.fixture
+def notification_template_with_encrypt(organization):
+    return NotificationTemplate.objects.create(name='test-notification_template_with_encrypt',
+                                               organization=organization,
+                                               notification_type="slack",
+                                               notification_configuration=dict(channels=["Foo", "Bar"],
+                                                                               token="token"))
+
+
@pytest.fixture
 def notification(notification_template):
    return Notification.objects.create(notification_template=notification_template,
--- a/awx/main/tests/functional/utils/test_common.py
+++ b/awx/main/tests/functional/utils/test_common.py
@@ -0,0 +1,60 @@
+import pytest
+
+import copy
+import json
+
+from awx.main.utils.common import (
+    model_instance_diff,
+    model_to_dict,
+)
+
+
+@pytest.mark.django_db
+def test_model_to_dict_user(alice):
+    username = copy.copy(alice.username)
+    password = copy.copy(alice.password)
+    output_dict = model_to_dict(alice)
+    assert output_dict['username'] == username
+    assert output_dict['password'] == 'hidden'
+    assert alice.username == password
+    assert alice.password == password
+
+
+@pytest.mark.django_db
+def test_model_to_dict_credential(credential):
+    name = copy.copy(credential.name)
+    inputs = copy.copy(credential.inputs)
+    output_dict = model_to_dict(credential)
+    assert output_dict['name'] == name
+    assert output_dict['inputs'] == 'hidden'
+    assert credential.name == name
+    assert credential.inputs == inputs
+
+
+@pytest.mark.django_db
+def test_model_to_dict_notification_template(notification_template_with_encrypt):
+    old_configuration = copy.deepcopy(notification_template_with_encrypt.notification_configuration)
+    output_dict = model_to_dict(notification_template_with_encrypt)
+    new_configuration = json.loads(output_dict['notification_configuration'])
+    assert notification_template_with_encrypt.notification_configuration == old_configuration
+    assert new_configuration['token'] == '$encrypted$'
+    assert new_configuration['channels'] == old_configuration['channels']
+
+
+@pytest.mark.django_db
+def test_model_instance_diff(alice, bob):
+    alice_name = copy.copy(alice.username)
+    alice_pass = copy.copy(alice.password)
+    bob_name = copy.copy(bob.username)
+    bob_pass = copy.copy(bob.password)
+    output_dict = model_instance_diff(alice, bob)
+    assert alice_name == alice.username
+    assert alice_pass == alice.password
+    assert bob_name == bob.username
+    assert bob_pass == bob.password
+    assert output_dict['username'][0] == alice_name
+    assert output_dict['username'][1] == bob_name
+    assert output_dict['password'] == ('hidden', 'hidden')
+    assert hasattr(alice, 'is_superuser')
+    assert hasattr(bob, 'is_superuser')
+    assert 'is_superuser' not in output_dict