External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-03-19 09:57:33 -02:30
Code Issues Packages Projects Releases Wiki Activity

properly validate SSH key data for SCM, Net, GCE, and Azure Classic

Browse Source 
see: #6384
This commit is contained in:
Ryan Petrello
2017-05-31 14:16:26 -04:00
parent ea32c3f0a5
commit ea0f4ce59d
2 changed files with 18 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
awx/main/models/credential.py
View File

@@ -644,6 +644,7 @@ def scm(cls):
'id': 'ssh_key_data', 'id': 'ssh_key_data',
'label': 'SCM Private Key', 'label': 'SCM Private Key',
'type': 'string', 'type': 'string',
'format': 'ssh_private_key',
'secret': True, 'secret': True,
'multiline': True 'multiline': True
}, { }, {
@@ -694,6 +695,7 @@ def net(cls):
'id': 'ssh_key_data', 'id': 'ssh_key_data',
'label': 'SSH Private Key', 'label': 'SSH Private Key',
'type': 'string', 'type': 'string',
'format': 'ssh_private_key',
'secret': True, 'secret': True,
'multiline': True 'multiline': True
}, { }, {
@@ -871,6 +873,7 @@ def gce(cls):
'id': 'ssh_key_data', 'id': 'ssh_key_data',
'label': 'RSA Private Key', 'label': 'RSA Private Key',
'type': 'string', 'type': 'string',
'format': 'ssh_private_key',
'secret': True, 'secret': True,
'multiline': True 'multiline': True
}] }]
@@ -893,6 +896,7 @@ def azure(cls):
'id': 'ssh_key_data', 'id': 'ssh_key_data',
'label': 'Management Certificate', 'label': 'Management Certificate',
'type': 'string', 'type': 'string',
'format': 'ssh_private_key',
'secret': True, 'secret': True,
'multiline': True 'multiline': True
}] }]

26
awx/main/tests/functional/api/test_credential.py
View File

@@ -5,6 +5,8 @@ from awx.main.models.credential import Credential, CredentialType
from awx.main.utils.common import decrypt_field from awx.main.utils.common import decrypt_field
from awx.api.versioning import reverse from awx.api.versioning import reverse
EXAMPLE_PRIVATE_KEY = '-----BEGIN PRIVATE KEY-----\nxyz==\n-----END PRIVATE KEY-----'
@pytest.mark.django_db @pytest.mark.django_db
@pytest.mark.parametrize('kind, total', [ @pytest.mark.parametrize('kind, total', [
@@ -664,7 +666,7 @@ def test_inputs_cannot_contain_extra_fields(get, post, organization, admin, cred
'name': 'Best credential ever', 'name': 'Best credential ever',
'username': 'some_username', 'username': 'some_username',
'password': 'some_password', 'password': 'some_password',
'ssh_key_data': 'some_key_data', 'ssh_key_data': EXAMPLE_PRIVATE_KEY,
'ssh_key_unlock': 'some_key_unlock', 'ssh_key_unlock': 'some_key_unlock',
}], }],
['v2', { ['v2', {
@@ -673,7 +675,7 @@ def test_inputs_cannot_contain_extra_fields(get, post, organization, admin, cred
'inputs': { 'inputs': {
'username': 'some_username', 'username': 'some_username',
'password': 'some_password', 'password': 'some_password',
'ssh_key_data': 'some_key_data', 'ssh_key_data': EXAMPLE_PRIVATE_KEY,
'ssh_key_unlock': 'some_key_unlock', 'ssh_key_unlock': 'some_key_unlock',
} }
}] }]
@@ -693,7 +695,7 @@ def test_scm_create_ok(post, organization, admin, version, params):
cred = Credential.objects.all()[:1].get() cred = Credential.objects.all()[:1].get()
assert cred.inputs['username'] == 'some_username' assert cred.inputs['username'] == 'some_username'
assert decrypt_field(cred, 'password') == 'some_password' assert decrypt_field(cred, 'password') == 'some_password'
assert decrypt_field(cred, 'ssh_key_data') == 'some_key_data' assert decrypt_field(cred, 'ssh_key_data') == EXAMPLE_PRIVATE_KEY
assert decrypt_field(cred, 'ssh_key_unlock') == 'some_key_unlock' assert decrypt_field(cred, 'ssh_key_unlock') == 'some_key_unlock'
@@ -796,7 +798,7 @@ def test_vault_create_ok(post, organization, admin, version, params):
'name': 'Best credential ever', 'name': 'Best credential ever',
'username': 'some_username', 'username': 'some_username',
'password': 'some_password', 'password': 'some_password',
'ssh_key_data': 'some_key_data', 'ssh_key_data': EXAMPLE_PRIVATE_KEY,
'ssh_key_unlock': 'some_key_unlock', 'ssh_key_unlock': 'some_key_unlock',
'authorize': True, 'authorize': True,
'authorize_password': 'some_authorize_password', 'authorize_password': 'some_authorize_password',
@@ -807,7 +809,7 @@ def test_vault_create_ok(post, organization, admin, version, params):
'inputs': { 'inputs': {
'username': 'some_username', 'username': 'some_username',
'password': 'some_password', 'password': 'some_password',
'ssh_key_data': 'some_key_data', 'ssh_key_data': EXAMPLE_PRIVATE_KEY,
'ssh_key_unlock': 'some_key_unlock', 'ssh_key_unlock': 'some_key_unlock',
'authorize': True, 'authorize': True,
'authorize_password': 'some_authorize_password', 'authorize_password': 'some_authorize_password',
@@ -829,7 +831,7 @@ def test_net_create_ok(post, organization, admin, version, params):
cred = Credential.objects.all()[:1].get() cred = Credential.objects.all()[:1].get()
assert cred.inputs['username'] == 'some_username' assert cred.inputs['username'] == 'some_username'
assert decrypt_field(cred, 'password') == 'some_password' assert decrypt_field(cred, 'password') == 'some_password'
assert decrypt_field(cred, 'ssh_key_data') == 'some_key_data' assert decrypt_field(cred, 'ssh_key_data') == EXAMPLE_PRIVATE_KEY
assert decrypt_field(cred, 'ssh_key_unlock') == 'some_key_unlock' assert decrypt_field(cred, 'ssh_key_unlock') == 'some_key_unlock'
assert decrypt_field(cred, 'authorize_password') == 'some_authorize_password' assert decrypt_field(cred, 'authorize_password') == 'some_authorize_password'
assert cred.inputs['authorize'] is True assert cred.inputs['authorize'] is True
@@ -885,7 +887,7 @@ def test_cloudforms_create_ok(post, organization, admin, version, params):
'name': 'Best credential ever', 'name': 'Best credential ever',
'username': 'some_username', 'username': 'some_username',
'project': 'some_project', 'project': 'some_project',
'ssh_key_data': 'XYZ' 'ssh_key_data': EXAMPLE_PRIVATE_KEY,
}], }],
['v2', { ['v2', {
'credential_type': 1, 'credential_type': 1,
@@ -893,7 +895,7 @@ def test_cloudforms_create_ok(post, organization, admin, version, params):
'inputs': { 'inputs': {
'username': 'some_username', 'username': 'some_username',
'project': 'some_project', 'project': 'some_project',
'ssh_key_data': 'XYZ' 'ssh_key_data': EXAMPLE_PRIVATE_KEY,
} }
}] }]
]) ])
@@ -912,7 +914,7 @@ def test_gce_create_ok(post, organization, admin, version, params):
cred = Credential.objects.all()[:1].get() cred = Credential.objects.all()[:1].get()
assert cred.inputs['username'] == 'some_username' assert cred.inputs['username'] == 'some_username'
assert cred.inputs['project'] == 'some_project' assert cred.inputs['project'] == 'some_project'
assert decrypt_field(cred, 'ssh_key_data') == 'XYZ' assert decrypt_field(cred, 'ssh_key_data') == EXAMPLE_PRIVATE_KEY
# #
@@ -924,14 +926,14 @@ def test_gce_create_ok(post, organization, admin, version, params):
'kind': 'azure', 'kind': 'azure',
'name': 'Best credential ever', 'name': 'Best credential ever',
'username': 'some_username', 'username': 'some_username',
'ssh_key_data': 'XYZ' 'ssh_key_data': EXAMPLE_PRIVATE_KEY
}], }],
['v2', { ['v2', {
'credential_type': 1, 'credential_type': 1,
'name': 'Best credential ever', 'name': 'Best credential ever',
'inputs': { 'inputs': {
'username': 'some_username', 'username': 'some_username',
'ssh_key_data': 'XYZ' 'ssh_key_data': EXAMPLE_PRIVATE_KEY
} }
}] }]
]) ])
@@ -949,7 +951,7 @@ def test_azure_create_ok(post, organization, admin, version, params):
assert Credential.objects.count() == 1 assert Credential.objects.count() == 1
cred = Credential.objects.all()[:1].get() cred = Credential.objects.all()[:1].get()
assert cred.inputs['username'] == 'some_username' assert cred.inputs['username'] == 'some_username'
assert decrypt_field(cred, 'ssh_key_data') == 'XYZ' assert decrypt_field(cred, 'ssh_key_data') == EXAMPLE_PRIVATE_KEY
# #