From 1425021106b01a0332dc8a54d8ef16424e101544 Mon Sep 17 00:00:00 2001 From: Ryan Petrello Date: Tue, 28 Nov 2017 16:52:47 -0500 Subject: [PATCH] fix another encrypted survey password bug properly encrypt extra_vars that overlap with survey passwords when `ask_variables_on_launch=true` see: https://github.com/ansible/ansible-tower/issues/7796 --- awx/main/models/jobs.py | 15 ++++++++++----- awx/main/models/mixins.py | 4 ++-- awx/main/tests/functional/api/test_survey_spec.py | 5 ++++- 3 files changed, 16 insertions(+), 8 deletions(-) diff --git a/awx/main/models/jobs.py b/awx/main/models/jobs.py index 249c051f20..6108085e72 100644 --- a/awx/main/models/jobs.py +++ b/awx/main/models/jobs.py @@ -400,19 +400,24 @@ class JobTemplate(UnifiedJobTemplate, JobOptions, SurveyJobTemplateMixin, Resour else: if field == 'extra_vars' and self.survey_enabled and self.survey_spec: # Accept vars defined in the survey and no others - survey_vars = [question['variable'] for question in self.survey_spec.get('spec', [])] + survey_vars = [ + question['variable'] for question in self.survey_spec.get('spec', []) + ] extra_vars = parse_yaml_or_json(kwargs[field]) for key in extra_vars: if key in survey_vars: - if key in survey_password_variables: - prompted_fields[field][key] = encrypt_value(extra_vars[key]) - else: - prompted_fields[field][key] = extra_vars[key] + prompted_fields[field][key] = extra_vars[key] else: ignored_fields[field][key] = extra_vars[key] else: ignored_fields[field] = kwargs[field] + for key in prompted_fields.get('extra_vars', {}): + if key in survey_password_variables: + prompted_fields['extra_vars'][key] = encrypt_value( + prompted_fields['extra_vars'][key] + ) + return prompted_fields, ignored_fields def _extra_job_type_errors(self, data): diff --git a/awx/main/models/mixins.py b/awx/main/models/mixins.py index 563619a101..ba01ad8ce6 100644 --- a/awx/main/models/mixins.py +++ b/awx/main/models/mixins.py 
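Review bot: The new post-loop in the jobs.py hunk indexes `prompted_fields['extra_vars']` as a dict, yet the survey branch just above it has to call `parse_yaml_or_json(kwargs[field])` first, which suggests the value can arrive as an unparsed YAML/JSON string. If the prompt-on-launch branch (outside this hunk) stores `kwargs[field]` as received, a string payload would be iterated character by character, so a survey password inside it would either stay unencrypted or the item assignment would raise on a `str`. Parsing once before the loop would close that gap, for example `if 'extra_vars' in prompted_fields:` followed by `prompted_fields['extra_vars'] = parse_yaml_or_json(prompted_fields['extra_vars'])`. The enclosing method starts above the hunk, so how `survey_password_variables` and the prompt-on-launch value are set cannot be confirmed from here.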
@@ -136,7 +136,7 @@ class SurveyJobTemplateMixin(models.Model): else: runtime_extra_vars = {} - # Overwrite with job template extra vars with survey default vars + # Overwrite job template extra vars with survey default vars if self.survey_enabled and 'spec' in self.survey_spec: for survey_element in self.survey_spec.get("spec", []): default = survey_element.get('default') @@ -145,7 +145,7 @@ class SurveyJobTemplateMixin(models.Model): if survey_element.get('type') == 'password': if variable_key in runtime_extra_vars and default: kw_value = runtime_extra_vars[variable_key] - if kw_value.startswith('$encrypted$') and kw_value != default: + if kw_value == '$encrypted$' and kw_value != default: runtime_extra_vars[variable_key] = default if default is not None: diff --git a/awx/main/tests/functional/api/test_survey_spec.py b/awx/main/tests/functional/api/test_survey_spec.py index 0b9a16cea1..81ce167656 100644 --- a/awx/main/tests/functional/api/test_survey_spec.py +++ b/awx/main/tests/functional/api/test_survey_spec.py @@ -93,13 +93,14 @@ def test_survey_spec_sucessful_creation(survey_spec_factory, job_template, post, @mock.patch('awx.api.views.feature_enabled', lambda feature: True) @pytest.mark.django_db +@pytest.mark.parametrize('with_default', [True, False]) @pytest.mark.parametrize('value, status', [ ('SUPERSECRET', 201), (['some', 'invalid', 'list'], 400), ({'some-invalid': 'dict'}, 400), (False, 400) ]) -def test_survey_spec_passwords_are_encrypted_on_launch(job_template_factory, post, admin_user, value, status): +def test_survey_spec_passwords_are_encrypted_on_launch(job_template_factory, post, admin_user, with_default, value, status): objects = job_template_factory('jt', organization='org1', project='prj', inventory='inv', credential='cred') job_template = objects.job_template 
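Review bot: In the second mixins.py hunk the exact-match test `kw_value == '$encrypted$'` needs a comment explaining why a prefix match is wrong here, since the bare string is the placeholder for "keep the stored default" while values encrypted at launch appear to carry the same prefix and must not be replaced by the default. Something like `# bare '$encrypted$' is the placeholder; launch-time encrypted values share the prefix and must be kept` would do. Separately, when a password question has no default, the `and default` guard leaves a submitted literal `$encrypted$` in `runtime_extra_vars`, so the placeholder itself would be passed on as the password unless it is rejected elsewhere; that is worth checking in the launch validation, which is not visible in this hunk. The surrounding method begins and ends outside the hunk.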
@@ -116,6 +117,8 @@ def test_survey_spec_passwords_are_encrypted_on_launch(job_template_factory, pos }], 'name': 'my survey' } + if with_default: + input_data['spec'][0]['default'] = 'some-default' post(url=reverse('api:job_template_survey_spec', kwargs={'pk': job_template.id}), data=input_data, user=admin_user, expect=200) resp = post(reverse('api:job_template_launch', kwargs={'pk': job_template.pk}),