External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-02-24 06:26:00 -03:30
Code Issues Packages Projects Releases Wiki Activity

Prevent modifying peers on managed node

Browse Source 
Add validation to prevent any managed node
from modifying "peers" through the API

Peering from these nodes should be handled
by setting peers_from_control_nodes only.

Managed nodes are control nodes and
ingress hop nodes.

Signed-off-by: Seth Foster <fosterbseth@gmail.com>
This commit is contained in:
Seth Foster
2024-01-23 15:50:16 -05:00
committed by Seth Foster
parent b093c89a84
commit c333d0e82f
2 changed files with 6 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
awx/api/serializers.py
View File

@@ -5680,13 +5680,11 @@ class InstanceSerializer(BaseSerializer):
if not self.instance and not settings.IS_K8S: if not self.instance and not settings.IS_K8S:
raise serializers.ValidationError(_("Can only create instances on Kubernetes or OpenShift.")) raise serializers.ValidationError(_("Can only create instances on Kubernetes or OpenShift."))
node_type = get_field_from_model_or_attrs("node_type") managed = get_field_from_model_or_attrs("managed")
if node_type in [Instance.Types.CONTROL, Instance.Types.HYBRID]: if managed:
if check_peers_changed(): if check_peers_changed():
raise serializers.ValidationError( raise serializers.ValidationError(_("Setting peers manually for managed nodes is not allowed."))
_("Setting peers manually for control nodes is not allowed. Enable peers_from_control_nodes on the hop and execution nodes instead.")
)
if not settings.IS_K8S: if not settings.IS_K8S:
if check_peers_changed(): if check_peers_changed():

6
awx/main/tests/functional/api/test_instance_peers.py
View File

@@ -188,7 +188,7 @@ class TestPeers:
for control nodes, peers field should not be for control nodes, peers field should not be
modified directly via patch. modified directly via patch.
""" """
control = Instance.objects.create(hostname='abc', node_type=node_type) control = Instance.objects.create(hostname='abc', node_type=node_type, managed=True)
hop1 = Instance.objects.create(hostname='hop1', node_type='hop') hop1 = Instance.objects.create(hostname='hop1', node_type='hop')
hop1addr = ReceptorAddress.objects.create(instance=hop1, address='hop1', peers_from_control_nodes=True, canonical=True) hop1addr = ReceptorAddress.objects.create(instance=hop1, address='hop1', peers_from_control_nodes=True, canonical=True)
hop2 = Instance.objects.create(hostname='hop2', node_type='hop') hop2 = Instance.objects.create(hostname='hop2', node_type='hop')
@@ -200,7 +200,7 @@ class TestPeers:
user=admin_user, user=admin_user,
expect=400, # cannot add peers manually expect=400, # cannot add peers manually
) )
assert 'Setting peers manually for control nodes is not allowed.' in str(resp.data) assert 'Setting peers manually for managed nodes is not allowed.' in str(resp.data)
patch( patch(
url=reverse('api:instance_detail', kwargs={'pk': control.pk}), url=reverse('api:instance_detail', kwargs={'pk': control.pk}),
@@ -214,7 +214,7 @@ class TestPeers:
user=admin_user, user=admin_user,
expect=400, # cannot remove peers directly expect=400, # cannot remove peers directly
) )
assert 'Setting peers manually for control nodes is not allowed.' in str(resp.data) assert 'Setting peers manually for managed nodes is not allowed.' in str(resp.data)
patch( patch(
url=reverse('api:instance_detail', kwargs={'pk': control.pk}), url=reverse('api:instance_detail', kwargs={'pk': control.pk}),