Merge pull request #6665 from ansible/fallback-test

Reencrypt during data migrations

awx/main/migrations/0039_v320_data_migrations.py

@@ -8,6 +8,7 @@ from django.db import migrations
 # AWX
 from awx.main.migrations import _inventory_source as invsrc
 from awx.main.migrations import _migration_utils as migration_utils
+from awx.main.migrations import _reencrypt
 
 
 class Migration(migrations.Migration):
@@ -22,4 +23,5 @@ class Migration(migrations.Migration):
         migrations.RunPython(invsrc.remove_rax_inventory_sources),
         migrations.RunPython(invsrc.remove_inventory_source_with_no_inventory_link),
         migrations.RunPython(invsrc.rename_inventory_sources),
+        migrations.RunPython(_reencrypt.replace_aesecb_fernet),
     ]

awx/main/migrations/0044_v320_reencrypt.py

@@ -1,16 +0,0 @@
-# -*- coding: utf-8 -*-
-from __future__ import unicode_literals
-
-from django.db import migrations
-from awx.main.migrations import _reencrypt
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('main', '0043_v320_instancegroups'),
-    ]
-
-    operations = [
-        migrations.RunPython(_reencrypt.replace_aesecb_fernet),
-    ]

awx/main/migrations/_reencrypt.py

@@ -1,6 +1,6 @@
+import logging
 from django.utils.translation import ugettext_lazy as _
 
-from awx.main import utils
 from awx.conf.migrations._reencrypt import (
     decrypt_field,
     should_decrypt_field,
@@ -13,7 +13,8 @@ from awx.main.notifications.pagerduty_backend import PagerDutyBackend
 from awx.main.notifications.hipchat_backend import HipChatBackend
 from awx.main.notifications.webhook_backend import WebhookBackend
 from awx.main.notifications.irc_backend import IrcBackend
-from awx.main.models.credential import Credential
+
+logger = logging.getLogger('awx.main.migrations')
 
 __all__ = ['replace_aesecb_fernet']
 
@@ -27,6 +28,10 @@ NOTIFICATION_TYPES = [('email', _('Email'), CustomEmailBackend),
                       ('irc', _('IRC'), IrcBackend)]
 
 
+PASSWORD_FIELDS = ('password', 'security_token', 'ssh_key_data', 'ssh_key_unlock',
+                   'become_password', 'vault_password', 'secret', 'authorize_password')
+
+
 def replace_aesecb_fernet(apps, schema_editor):
     _notification_templates(apps)
     _credentials(apps)
@@ -47,16 +52,16 @@ def _notification_templates(apps):
 
 
 def _credentials(apps):
-    # TODO: Try to not use the model directly imported from our
+    for credential in apps.get_model('main', 'Credential').objects.all():
-    # source (should use apps.get_model) to make the migration less britle.
+        for field_name in PASSWORD_FIELDS:
-    for credential in Credential.objects.all():
+            value = getattr(credential, field_name)
-        for field_name, value in credential.inputs.items():
             if should_decrypt_field(value):
                 value = decrypt_field(credential, field_name)
-                credential.inputs[field_name] = value
+                setattr(credential, field_name, value)
         credential.save()
 
 
+
 def _unified_jobs(apps):
     UnifiedJob = apps.get_model('main', 'UnifiedJob')
     for uj in UnifiedJob.objects.all():