credential validation for execution envs to allow only registry credentials to be associated with them, also adding security precautions for authfile and password, also combined token & password into one term to align with Quay, and added handling to account for users not filling in credential data and add a has_inputs function to simplify checking if the host, username, and password are present in the credential

2026-05-12 20:07:37 -02:30 · 2021-03-26 10:27:08 -04:00
parent 7c57aebd46
commit e61d0c5cb7
3 changed files with 29 additions and 12 deletions
--- a/awx/main/tasks.py
+++ b/awx/main/tasks.py
@@ -852,15 +852,21 @@ class BaseTask(object):
        }

        if instance.execution_environment.credential:
-            with open('/tmp/auth.json', 'w') as authfile:
-                host = instance.execution_environment.credential.get_input('host')
-                username = instance.execution_environment.credential.get_input('username')
-                password = instance.execution_environment.credential.get_input('password')
-                token = "{}:{}".format(username, password)
-                auth_data = {'auths': {host: {'auth': b64encode(token.encode('ascii')).decode()}}}
-                authfile.write(json.dumps(auth_data, indent=4))
-            authfile.close()
-            params["container_options"].append(f'--authfile={authfile.name}')
+            cred = instance.execution_environment.credential
+            if cred.has_inputs(field_names=('host', 'username', 'password')):
+                path = self.build_private_data_dir(instance)
+                with open(path + '/auth.json', 'w') as authfile:
+                    host = cred.get_input('host')
+                    username = cred.get_input('username')
+                    password = cred.get_input('password')
+                    token = "{}:{}".format(username, password)
+                    auth_data = {'auths': {host: {'auth': b64encode(token.encode('ascii')).decode()}}}
+                    authfile.write(json.dumps(auth_data, indent=4))
+                authfile.close()
+                os.chmod(authfile.name, stat.S_IRUSR | stat.S_IWUSR | stat.S_IXUSR)
+                params["container_options"].append(f'--authfile={authfile.name}')
+            else:
+                logger.exception('Please recheck that your host, username, and password fields are all filled.')

        pull = instance.execution_environment.pull
        if pull: