From c333d0e82f2c1162cdc6b95bddcb4dfef309d341 Mon Sep 17 00:00:00 2001
From: Seth Foster
Date: Tue, 23 Jan 2024 15:50:16 -0500
Subject: [PATCH] Prevent modifying peers on managed node
Add validation to prevent any managed node from modifying "peers" through the API
Peering from these nodes should be handled by setting peers_from_control_nodes only. Managed nodes are control nodes and ingress hop nodes.
Signed-off-by: Seth Foster
---
 awx/api/serializers.py | 8 +++-----
 awx/main/tests/functional/api/test_instance_peers.py | 6 +++---
 2 files changed, 6 insertions(+), 8 deletions(-)
diff --git a/awx/api/serializers.py b/awx/api/serializers.py
index 43eac48bdf..c852e1b5a7 100644
--- a/awx/api/serializers.py
+++ b/awx/api/serializers.py
@@ -5680,13 +5680,11 @@ class InstanceSerializer(BaseSerializer):
 if not self.instance and not settings.IS_K8S:
 raise serializers.ValidationError(_("Can only create instances on Kubernetes or OpenShift."))
- node_type = get_field_from_model_or_attrs("node_type")
+ managed = get_field_from_model_or_attrs("managed")
- if node_type in [Instance.Types.CONTROL, Instance.Types.HYBRID]:
+ if managed:
 if check_peers_changed():
- raise serializers.ValidationError(
- _("Setting peers manually for control nodes is not allowed. Enable peers_from_control_nodes on the hop and execution nodes instead.")
- )
+ raise serializers.ValidationError(_("Setting peers manually for managed nodes is not allowed."))
 if not settings.IS_K8S:
 if check_peers_changed():
diff --git a/awx/main/tests/functional/api/test_instance_peers.py b/awx/main/tests/functional/api/test_instance_peers.py
index 6ba022a8d8..712a3902c0 100644
--- a/awx/main/tests/functional/api/test_instance_peers.py
+++ b/awx/main/tests/functional/api/test_instance_peers.py
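Review bot: In the awx/api/serializers.py hunk, the peers guard in InstanceSerializer now depends only on `managed`, so a control or hybrid instance whose `managed` flag is false is no longer rejected by this branch. The test in this same patch has to pass `managed=True` explicitly when creating the control node, which suggests the flag is not implied by `node_type` at creation time. Unless that invariant is enforced elsewhere, keeping both conditions would preserve the old protection: retain `node_type = get_field_from_model_or_attrs("node_type")` and use `if managed or node_type in [Instance.Types.CONTROL, Instance.Types.HYBRID]:`. It is also worth confirming that `managed` is read-only on this serializer, since get_field_from_model_or_attrs appears (by its name) to be able to take the value from request attrs rather than the stored instance. The enclosing method starts and ends outside the hunk.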
@@ -188,7 +188,7 @@ class TestPeers:
 for control nodes, peers field should not be modified directly via patch.
 """
- control = Instance.objects.create(hostname='abc', node_type=node_type)
+ control = Instance.objects.create(hostname='abc', node_type=node_type, managed=True)
 hop1 = Instance.objects.create(hostname='hop1', node_type='hop')
 hop1addr = ReceptorAddress.objects.create(instance=hop1, address='hop1', peers_from_control_nodes=True, canonical=True)
 hop2 = Instance.objects.create(hostname='hop2', node_type='hop')
@@ -200,7 +200,7 @@ class TestPeers:
 user=admin_user,
 expect=400, # cannot add peers manually
 )
- assert 'Setting peers manually for control nodes is not allowed.' in str(resp.data)
+ assert 'Setting peers manually for managed nodes is not allowed.' in str(resp.data)
 patch(
 url=reverse('api:instance_detail', kwargs={'pk': control.pk}),
@@ -214,7 +214,7 @@ class TestPeers:
 user=admin_user,
 expect=400, # cannot remove peers directly
 )
- assert 'Setting peers manually for control nodes is not allowed.' in str(resp.data)
+ assert 'Setting peers manually for managed nodes is not allowed.' in str(resp.data)
 patch(
 url=reverse('api:instance_detail', kwargs={'pk': control.pk}),
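Review bot: The first test hunk (@@ -188) only switches the existing control-node fixture to `managed=True`, so nothing exercises the two cases the serializer change actually introduces: a managed hop node being rejected, and an unmanaged node still being allowed to set peers. A sibling case built on `Instance.objects.create(hostname='ingress', node_type='hop', managed=True)` with `expect=400` would pin the first; the hostname there is a constructed sample. The docstring above the changed line still says "for control nodes" and should read "for managed nodes". The test function begins and ends outside the hunk, so its parametrization of `node_type` is not visible here.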