allow creation at /api/v2/credential_input_sources

2026-01-15 03:40:42 -03:30 · 2019-02-27 14:51:48 -05:00 · 2019-02-27 14:51:48 -05:00 · b911f8bf77
commit b911f8bf77
parent e727909a61
4 changed files with 45 additions and 6 deletions
--- a/awx/api/views/init.py
+++ b/awx/api/views/init.py
@ -1453,7 +1453,7 @@ class CredentialInputSourceDetail(RetrieveUpdateDestroyAPIView):
    serializer_class = serializers.CredentialInputSourceSerializer


-class CredentialInputSourceList(ListAPIView):
+class CredentialInputSourceList(ListCreateAPIView):

    view_name = _("Credential Input Sources")

--- a/awx/api/views/root.py
+++ b/awx/api/views/root.py
@ -101,6 +101,7 @@ class ApiVersionRootView(APIView):
        data['credentials'] = reverse('api:credential_list', request=request)
        if get_request_version(request) > 1:
            data['credential_types'] = reverse('api:credential_type_list', request=request)
+            data['credential_input_sources'] = reverse('api:credential_input_source_list', request=request)
            data['applications'] = reverse('api:o_auth2_application_list', request=request)
            data['tokens'] = reverse('api:o_auth2_token_list', request=request)
        data['inventory'] = reverse('api:inventory_list', request=request)
--- a/awx/main/models/credential/init.py
+++ b/awx/main/models/credential/init.py
@ -1343,8 +1343,13 @@ class CredentialInputSource(PrimordialModel):
        return self.source_credential

    def clean_input_field_name(self):
-        if self.input_field_name not in self.target_credential.credential_type.defined_fields:
-            raise ValidationError(_('Input field must be defined on target credential.'))
+        defined_fields = self.target_credential.credential_type.defined_fields
+        if self.input_field_name not in defined_fields:
+            raise ValidationError(_(
+                'Input field must be defined on target credential (options are {}).'.format(
+                    ', '.join(sorted(defined_fields))
+                )
+            ))
        return self.input_field_name

    def save(self, *args, **kwargs):
--- a/awx/main/tests/functional/api/test_credential_input_sources.py
+++ b/awx/main/tests/functional/api/test_credential_input_sources.py
@ -77,16 +77,18 @@ def test_associate_credential_input_source_with_invalid_metadata(get, post, admi


@pytest.mark.django_db
-def test_cannot_create_from_list(get, post, admin, vault_credential, external_credential):
+def test_create_from_list(get, post, admin, vault_credential, external_credential):
    params = {
        'source_credential': external_credential.pk,
        'target_credential': vault_credential.pk,
        'input_field_name': 'vault_password',
+        'metadata': {'key': 'some_example_key'},
    }
    assert post(reverse(
        'api:credential_input_source_list',
        kwargs={'version': 'v2'}
-    ), params, admin).status_code == 405
+    ), params, admin).status_code == 201
+    assert CredentialInputSource.objects.count() == 1


@pytest.mark.django_db
@ -207,6 +209,37 @@ def test_input_source_detail_rbac(get, post, patch, delete, admin, alice,
    assert CredentialInputSource.objects.count() == 0


+@pytest.mark.django_db
+def test_input_source_create_rbac(get, post, patch, delete, alice,
+                                  vault_credential, external_credential,
+                                  other_external_credential):
+    sublist_url = reverse(
+        'api:credential_input_source_list',
+        kwargs={'version': 'v2'}
+    )
+    params = {
+        'target_credential': vault_credential.pk,
+        'source_credential': external_credential.pk,
+        'input_field_name': 'vault_password',
+        'metadata': {'key': 'some_key'},
+    }
+
+    # alice can't create the inv source because she has access to neither credential
+    response = post(sublist_url, params, alice)
+    assert response.status_code == 403
+
+    # alice still can't because she can't use the source credential
+    vault_credential.admin_role.members.add(alice)
+    response = post(sublist_url, params, alice)
+    assert response.status_code == 403
+
+    # alice can create an input source if she has permissions on both credentials
+    external_credential.use_role.members.add(alice)
+    response = post(sublist_url, params, alice)
+    assert response.status_code == 201
+    assert CredentialInputSource.objects.count() == 1
+
+
@pytest.mark.django_db
 def test_input_source_rbac_swap_target_credential(get, post, put, patch, admin, alice,
                                                  machine_credential, vault_credential,
@ -278,7 +311,7 @@ def test_create_credential_input_source_with_undefined_input_returns_400(post, a
    }
    response = post(sublist_url, params, admin)
    assert response.status_code == 400
-    assert response.data['input_field_name'] == ['Input field must be defined on target credential.']
+    assert response.data['input_field_name'] == ['Input field must be defined on target credential (options are vault_id, vault_password).']


@pytest.mark.django_db