External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-05-09 10:27:37 -02:30
Code Issues Packages Projects Releases Wiki Activity

credential validation for execution envs to allow only registry credentials to be associated with them, also adding security precautions for authfile and password, also combined token & password into one term to align with Quay, and added handling to account for users not filling in credential data and add a has_inputs function to simplify checking if the host, username, and password are present in the credential

Browse Source
This commit is contained in:
Rebeccah
2021-03-26 10:27:08 -04:00
parent 7c57aebd46
commit e61d0c5cb7
3 changed files with 29 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
awx/api/serializers.py
View File

@@ -1412,6 +1412,11 @@ class ExecutionEnvironmentSerializer(BaseSerializer):
res['credential'] = self.reverse('api:credential_detail', kwargs={'pk': obj.credential.pk}) res['credential'] = self.reverse('api:credential_detail', kwargs={'pk': obj.credential.pk})
return res return res
def validate_credential(self, value):
if value and value.kind != 'registry':
raise serializers.ValidationError(_('Only Container Registry credentials can be associated with an Execution Environment'))
return value
def validate(self, attrs): def validate(self, attrs):
# prevent changing organization of ee. Unsetting (change to null) is allowed # prevent changing organization of ee. Unsetting (change to null) is allowed
if self.instance: if self.instance:

12
awx/main/models/credential/__init__.py
View File

@@ -295,6 +295,12 @@ class Credential(PasswordFieldsModel, CommonModelNameNotUnique, ResourceMixin):
return True return True
return field_name in self.inputs and self.inputs[field_name] not in ('', None) return field_name in self.inputs and self.inputs[field_name] not in ('', None)
def has_inputs(self, field_names=()):
for name in field_names:
if name not in self.inputs:
return False
return True
def _get_dynamic_input(self, field_name): def _get_dynamic_input(self, field_name):
for input_source in self.input_sources.all(): for input_source in self.input_sources.all():
if input_source.input_field_name == field_name: if input_source.input_field_name == field_name:
@@ -1096,11 +1102,11 @@ ManagedCredentialType(
'type': 'string', 'type': 'string',
}, },
{ {
'id': 'password/token', 'id': 'password',
'label': ugettext_noop('Password/Token'), 'label': ugettext_noop('Password'),
'type': 'string', 'type': 'string',
'secret': True, 'secret': True,
'help_text': ugettext_noop('A token to use to authenticate with. ' 'This should not be set if username/password are being used.'), 'help_text': ugettext_noop('A password or token used to authenticate with'),
}, },
], ],
'required': ['host'], 'required': ['host'],

24
awx/main/tasks.py
View File

@@ -852,15 +852,21 @@ class BaseTask(object):
} }
if instance.execution_environment.credential: if instance.execution_environment.credential:
with open('/tmp/auth.json', 'w') as authfile: cred = instance.execution_environment.credential
host = instance.execution_environment.credential.get_input('host') if cred.has_inputs(field_names=('host', 'username', 'password')):
username = instance.execution_environment.credential.get_input('username') path = self.build_private_data_dir(instance)
password = instance.execution_environment.credential.get_input('password') with open(path + '/auth.json', 'w') as authfile:
token = "{}:{}".format(username, password) host = cred.get_input('host')
auth_data = {'auths': {host: {'auth': b64encode(token.encode('ascii')).decode()}}} username = cred.get_input('username')
authfile.write(json.dumps(auth_data, indent=4)) password = cred.get_input('password')
authfile.close() token = "{}:{}".format(username, password)
params["container_options"].append(f'--authfile={authfile.name}') auth_data = {'auths': {host: {'auth': b64encode(token.encode('ascii')).decode()}}}
authfile.write(json.dumps(auth_data, indent=4))
authfile.close()
os.chmod(authfile.name, stat.S_IRUSR | stat.S_IWUSR | stat.S_IXUSR)
params["container_options"].append(f'--authfile={authfile.name}')
else:
logger.exception('Please recheck that your host, username, and password fields are all filled.')
pull = instance.execution_environment.pull pull = instance.execution_environment.pull
if pull: if pull: