From c01c671642e2857f148c98200dfa33b2c958773c Mon Sep 17 00:00:00 2001 From: Jake McDermott Date: Thu, 17 Jan 2019 18:43:36 -0500 Subject: [PATCH] use credential input access methods in tasks.py --- awx/main/tasks.py | 110 ++++++++++++++++-------------- awx/main/tests/unit/test_tasks.py | 14 ++-- 2 files changed, 68 insertions(+), 56 deletions(-) diff --git a/awx/main/tasks.py b/awx/main/tasks.py index 61955b96ec..2967a4437d 100644 --- a/awx/main/tasks.py +++ b/awx/main/tasks.py @@ -54,7 +54,7 @@ from awx.main.queue import CallbackQueueDispatcher from awx.main.expect import run, isolated_manager from awx.main.dispatch.publish import task from awx.main.dispatch import get_local_queuename, reaper -from awx.main.utils import (get_ansible_version, get_ssh_version, decrypt_field, update_scm_url, +from awx.main.utils import (get_ansible_version, get_ssh_version, update_scm_url, check_proot_installed, build_proot_temp_dir, get_licenser, wrap_args_with_proot, OutputEventFilter, OutputVerboseFilter, ignore_inventory_computed_fields, ignore_inventory_group_removal, extract_ansible_vars, schedule_task_manager) @@ -1124,16 +1124,16 @@ class RunJob(BaseTask): for credential in job.credentials.all(): # If we were sent SSH credentials, decrypt them and send them # back (they will be written to a temporary file). - if credential.ssh_key_data not in (None, ''): - private_data['credentials'][credential] = decrypt_field(credential, 'ssh_key_data') or '' + if credential.has_input('ssh_key_data'): + private_data['credentials'][credential] = credential.get_input('ssh_key_data', default='') if credential.kind == 'openstack': - openstack_auth = dict(auth_url=credential.host, - username=credential.username, - password=decrypt_field(credential, "password"), - project_name=credential.project) - if credential.domain not in (None, ''): - openstack_auth['domain_name'] = credential.domain + openstack_auth = dict(auth_url=credential.get_input('host', default=''), + username=credential.get_input('username', default=''), + password=credential.get_input('password', default=''), + project_name=credential.get_input('project', default='')) + if credential.has_input('domain'): + openstack_auth['domain_name'] = credential.get_input('domain', default='') openstack_data = { 'clouds': { 'devstack': { @@ -1156,22 +1156,27 @@ class RunJob(BaseTask): for field in ('ssh_key_unlock', 'ssh_password', 'become_password'): value = kwargs.get( field, - decrypt_field(cred, 'password' if field == 'ssh_password' else field) + cred.get_input('password' if field == 'ssh_password' else field, default='') ) if value not in ('', 'ASK'): passwords[field] = value for cred in job.vault_credentials: field = 'vault_password' - if cred.inputs.get('vault_id'): - field = 'vault_password.{}'.format(cred.inputs['vault_id']) + vault_id = cred.get_input('vault_id', default=None) + if vault_id: + field = 'vault_password.{}'.format(vault_id) if field in passwords: raise RuntimeError( 'multiple vault credentials were specified with --vault-id {}@prompt'.format( - cred.inputs['vault_id'] + vault_id ) ) - value = kwargs.get(field, decrypt_field(cred, 'vault_password')) + + value = kwargs.get(field, None) + if value is None: + value = cred.get_input('vault_password', default='') + if value not in ('', 'ASK'): passwords[field] = value @@ -1181,10 +1186,10 @@ class RunJob(BaseTask): ''' if 'ssh_key_unlock' not in passwords: for cred in job.network_credentials: - if cred.inputs.get('ssh_key_unlock'): + if cred.has_input('ssh_key_unlock'): passwords['ssh_key_unlock'] = kwargs.get( 'ssh_key_unlock', - decrypt_field(cred, 'ssh_key_unlock') + cred.get_input('ssh_key_unlock', default='') ) break @@ -1240,17 +1245,17 @@ class RunJob(BaseTask): env['OS_CLIENT_CONFIG_FILE'] = cred_files.get(cloud_cred, '') for network_cred in job.network_credentials: - env['ANSIBLE_NET_USERNAME'] = network_cred.username - env['ANSIBLE_NET_PASSWORD'] = decrypt_field(network_cred, 'password') + env['ANSIBLE_NET_USERNAME'] = network_cred.get_input('username', default='') + env['ANSIBLE_NET_PASSWORD'] = network_cred.get_input('password', default='') ssh_keyfile = cred_files.get(network_cred, '') if ssh_keyfile: env['ANSIBLE_NET_SSH_KEYFILE'] = ssh_keyfile - authorize = network_cred.authorize + authorize = network_cred.get_input('authorize', default=False) env['ANSIBLE_NET_AUTHORIZE'] = six.text_type(int(authorize)) if authorize: - env['ANSIBLE_NET_AUTH_PASS'] = decrypt_field(network_cred, 'authorize_password') + env['ANSIBLE_NET_AUTH_PASS'] = network_cred.get_input('authorize_password', default='') return env @@ -1263,9 +1268,9 @@ class RunJob(BaseTask): ssh_username, become_username, become_method = '', '', '' if creds: - ssh_username = kwargs.get('username', creds.username) - become_method = kwargs.get('become_method', creds.become_method) - become_username = kwargs.get('become_username', creds.become_username) + ssh_username = kwargs.get('username', creds.get_input('username', default='')) + become_method = kwargs.get('become_method', creds.get_input('become_method', default='')) + become_username = kwargs.get('become_username', creds.get_input('become_username', default='')) else: become_method = None become_username = "" @@ -1490,8 +1495,8 @@ class RunProjectUpdate(BaseTask): private_data = {'credentials': {}} if project_update.credential: credential = project_update.credential - if credential.ssh_key_data not in (None, ''): - private_data['credentials'][credential] = decrypt_field(credential, 'ssh_key_data') + if credential.has_input('ssh_key_data'): + private_data['credentials'][credential] = credential.get_input('ssh_key_data', default='') return private_data def build_passwords(self, project_update, **kwargs): @@ -1502,9 +1507,9 @@ class RunProjectUpdate(BaseTask): passwords = super(RunProjectUpdate, self).build_passwords(project_update, **kwargs) if project_update.credential: - passwords['scm_key_unlock'] = decrypt_field(project_update.credential, 'ssh_key_unlock') - passwords['scm_username'] = project_update.credential.username - passwords['scm_password'] = decrypt_field(project_update.credential, 'password') + passwords['scm_key_unlock'] = project_update.credential.get_input('ssh_key_unlock', default='') + passwords['scm_username'] = project_update.credential.get_input('username', default='') + passwords['scm_password'] = project_update.credential.get_input('password', default='') return passwords def build_env(self, project_update, **kwargs): @@ -1828,12 +1833,13 @@ class RunInventoryUpdate(BaseTask): credential = inventory_update.get_cloud_credential() if inventory_update.source == 'openstack': - openstack_auth = dict(auth_url=credential.host, - username=credential.username, - password=decrypt_field(credential, "password"), - project_name=credential.project) - if credential.domain not in (None, ''): - openstack_auth['domain_name'] = credential.domain + openstack_auth = dict(auth_url=credential.get_input('host', default=''), + username=credential.get_input('username', default=''), + password=credential.get_input('password', default=''), + project_name=credential.get_input('project', default='')) + if credential.has_input('domain'): + openstack_auth['domain_name'] = credential.get_input('domain', default='') + private_state = inventory_update.source_vars_dict.get('private', True) # Retrieve cache path from inventory update vars if available, # otherwise create a temporary cache path only for this update. @@ -1909,9 +1915,9 @@ class RunInventoryUpdate(BaseTask): cp.add_section(section) cp.set('vmware', 'cache_max_age', '0') cp.set('vmware', 'validate_certs', str(settings.VMWARE_VALIDATE_CERTS)) - cp.set('vmware', 'username', credential.username) - cp.set('vmware', 'password', decrypt_field(credential, 'password')) - cp.set('vmware', 'server', credential.host) + cp.set('vmware', 'username', credential.get_input('username', default='')) + cp.set('vmware', 'password', credential.get_input('password', default='')) + cp.set('vmware', 'server', credential.get_input('host', default='')) vmware_opts = dict(inventory_update.source_vars_dict.items()) if inventory_update.instance_filters: @@ -1942,9 +1948,9 @@ class RunInventoryUpdate(BaseTask): cp.set(section, k, six.text_type(v)) if credential: - cp.set(section, 'url', credential.host) - cp.set(section, 'user', credential.username) - cp.set(section, 'password', decrypt_field(credential, 'password')) + cp.set(section, 'url', credential.get_input('host', default='')) + cp.set(section, 'user', credential.get_input('username', default='')) + cp.set(section, 'password', credential.get_input('password', default='')) section = 'ansible' cp.add_section(section) @@ -1963,9 +1969,9 @@ class RunInventoryUpdate(BaseTask): cp.add_section(section) if credential: - cp.set(section, 'url', credential.host) - cp.set(section, 'username', credential.username) - cp.set(section, 'password', decrypt_field(credential, 'password')) + cp.set(section, 'url', credential.get_input('host', default='')) + cp.set(section, 'username', credential.get_input('username', default='')) + cp.set(section, 'password', credential.get_input('password', default='')) cp.set(section, 'ssl_verify', "false") cloudforms_opts = dict(inventory_update.source_vars_dict.items()) @@ -2021,10 +2027,10 @@ class RunInventoryUpdate(BaseTask): credential = inventory_update.get_cloud_credential() if credential: for subkey in ('username', 'host', 'project', 'client', 'tenant', 'subscription'): - passwords['source_%s' % subkey] = getattr(credential, subkey) + passwords['source_%s' % subkey] = credential.get_input(subkey, default='') for passkey in ('password', 'ssh_key_data', 'security_token', 'secret'): k = 'source_%s' % passkey - passwords[k] = decrypt_field(credential, passkey) + passwords[k] = credential.get_input(passkey, default='') return passwords def build_env(self, inventory_update, **kwargs): @@ -2229,8 +2235,8 @@ class RunAdHocCommand(BaseTask): # back (they will be written to a temporary file). creds = ad_hoc_command.credential private_data = {'credentials': {}} - if creds and creds.ssh_key_data not in (None, ''): - private_data['credentials'][creds] = decrypt_field(creds, 'ssh_key_data') or '' + if creds and creds.has_input('ssh_key_data'): + private_data['credentials'][creds] = creds.get_input('ssh_key_data', default='') return private_data def build_passwords(self, ad_hoc_command, **kwargs): @@ -2243,9 +2249,9 @@ class RunAdHocCommand(BaseTask): if creds: for field in ('ssh_key_unlock', 'ssh_password', 'become_password'): if field == 'ssh_password': - value = kwargs.get(field, decrypt_field(creds, 'password')) + value = kwargs.get(field, creds.get_input('password', default='')) else: - value = kwargs.get(field, decrypt_field(creds, field)) + value = kwargs.get(field, creds.get_input(field, default='')) if value not in ('', 'ASK'): passwords[field] = value return passwords @@ -2282,9 +2288,9 @@ class RunAdHocCommand(BaseTask): creds = ad_hoc_command.credential ssh_username, become_username, become_method = '', '', '' if creds: - ssh_username = kwargs.get('username', creds.username) - become_method = kwargs.get('become_method', creds.become_method) - become_username = kwargs.get('become_username', creds.become_username) + ssh_username = kwargs.get('username', creds.get_input('username', default='')) + become_method = kwargs.get('become_method', creds.get_input('become_method', default='')) + become_username = kwargs.get('become_username', creds.get_input('become_username', default='')) else: become_method = None become_username = "" diff --git a/awx/main/tests/unit/test_tasks.py b/awx/main/tests/unit/test_tasks.py index d5256bf220..67f1d70096 100644 --- a/awx/main/tests/unit/test_tasks.py +++ b/awx/main/tests/unit/test_tasks.py @@ -108,13 +108,16 @@ def test_safe_env_returns_new_copy(): def test_openstack_client_config_generation(mocker): update = tasks.RunInventoryUpdate() - credential = mocker.Mock(**{ + credential_type = CredentialType.defaults['openstack']() + inputs = { 'host': 'https://keystone.openstack.example.org', 'username': 'demo', 'password': 'secrete', 'project': 'demo-project', 'domain': 'my-demo-domain', - }) + } + credential = Credential(pk=1, credential_type=credential_type, inputs=inputs) + cred_method = mocker.Mock(return_value=credential) inventory_update = mocker.Mock(**{ 'source': 'openstack', @@ -144,13 +147,16 @@ def test_openstack_client_config_generation(mocker): ]) def test_openstack_client_config_generation_with_private_source_vars(mocker, source, expected): update = tasks.RunInventoryUpdate() - credential = mocker.Mock(**{ + credential_type = CredentialType.defaults['openstack']() + inputs = { 'host': 'https://keystone.openstack.example.org', 'username': 'demo', 'password': 'secrete', 'project': 'demo-project', 'domain': None, - }) + } + credential = Credential(pk=1, credential_type=credential_type, inputs=inputs) + cred_method = mocker.Mock(return_value=credential) inventory_update = mocker.Mock(**{ 'source': 'openstack',