Merge pull request #593 from ryanpetrello/fix-7796

fix another encrypted survey password bug

awx/main/models/jobs.py

@@ -400,19 +400,24 @@ class JobTemplate(UnifiedJobTemplate, JobOptions, SurveyJobTemplateMixin, Resour
                 else:
                     if field == 'extra_vars' and self.survey_enabled and self.survey_spec:
                         # Accept vars defined in the survey and no others
-                        survey_vars = [question['variable'] for question in self.survey_spec.get('spec', [])]
+                        survey_vars = [
+                            question['variable'] for question in self.survey_spec.get('spec', [])
+                        ]
                         extra_vars = parse_yaml_or_json(kwargs[field])
                         for key in extra_vars:
                             if key in survey_vars:
-                                if key in survey_password_variables:
-                                    prompted_fields[field][key] = encrypt_value(extra_vars[key])
-                                else:
-                                    prompted_fields[field][key] = extra_vars[key]
+                                prompted_fields[field][key] = extra_vars[key]
                             else:
                                 ignored_fields[field][key] = extra_vars[key]
                     else:
                         ignored_fields[field] = kwargs[field]
 
+        for key in prompted_fields.get('extra_vars', {}):
+            if key in survey_password_variables:
+                prompted_fields['extra_vars'][key] = encrypt_value(
+                    prompted_fields['extra_vars'][key]
+                )
+
         return prompted_fields, ignored_fields
 
     def _extra_job_type_errors(self, data):

awx/main/models/mixins.py

@@ -136,7 +136,7 @@ class SurveyJobTemplateMixin(models.Model):
         else:
             runtime_extra_vars = {}
 
-        # Overwrite with job template extra vars with survey default vars
+        # Overwrite job template extra vars with survey default vars
         if self.survey_enabled and 'spec' in self.survey_spec:
             for survey_element in self.survey_spec.get("spec", []):
                 default = survey_element.get('default')
@@ -145,7 +145,7 @@ class SurveyJobTemplateMixin(models.Model):
                 if survey_element.get('type') == 'password':
                     if variable_key in runtime_extra_vars and default:
                         kw_value = runtime_extra_vars[variable_key]
-                        if kw_value.startswith('$encrypted$') and kw_value != default:
+                        if kw_value == '$encrypted$' and kw_value != default:
                             runtime_extra_vars[variable_key] = default
 
                 if default is not None:

awx/main/tests/functional/api/test_survey_spec.py

@@ -93,13 +93,14 @@ def test_survey_spec_sucessful_creation(survey_spec_factory, job_template, post,
 
 @mock.patch('awx.api.views.feature_enabled', lambda feature: True)
 @pytest.mark.django_db
+@pytest.mark.parametrize('with_default', [True, False])
 @pytest.mark.parametrize('value, status', [
     ('SUPERSECRET', 201),
     (['some', 'invalid', 'list'], 400),
     ({'some-invalid': 'dict'}, 400),
     (False, 400)
 ])
-def test_survey_spec_passwords_are_encrypted_on_launch(job_template_factory, post, admin_user, value, status):
+def test_survey_spec_passwords_are_encrypted_on_launch(job_template_factory, post, admin_user, with_default, value, status):
     objects = job_template_factory('jt', organization='org1', project='prj',
                                    inventory='inv', credential='cred')
     job_template = objects.job_template
@@ -116,6 +117,8 @@ def test_survey_spec_passwords_are_encrypted_on_launch(job_template_factory, pos
         }],
         'name': 'my survey'
     }
+    if with_default:
+        input_data['spec'][0]['default'] = 'some-default'
     post(url=reverse('api:job_template_survey_spec', kwargs={'pk': job_template.id}),
          data=input_data, user=admin_user, expect=200)
     resp = post(reverse('api:job_template_launch', kwargs={'pk': job_template.pk}),