fix a permissions bug for credentials specified at JT launch time

hat tip to @alancoding for spotting this one
2026-01-27 00:21:30 -03:30 · 2017-11-14 16:21:05 -05:00 · 2017-11-14 16:21:05 -05:00 · eb140d9e69
commit eb140d9e69
parent 5852c16ba6
3 changed files with 36 additions and 5 deletions
--- a/awx/api/views.py
+++ b/awx/api/views.py
@ -2797,10 +2797,14 @@ class JobTemplateLaunch(RetrieveAPIView):
            if request.user not in use_role:
                raise PermissionDenied()

-        for cred in prompted_fields.get('credentials', []):
-            new_credential = get_object_or_400(Credential, pk=cred)
-            if request.user not in new_credential.use_role:
-                raise PermissionDenied()
+        # For credentials that are _added_ via launch parameters, ensure the
+        # launching user has access
+        current_credentials = set(obj.credentials.values_list('id', flat=True))
+        for new_cred in Credential.objects.filter(id__in=prompted_fields.get('credentials', [])):
+            if new_cred.pk not in current_credentials and request.user not in new_cred.use_role:
+                raise PermissionDenied(_(
+                    "You do not have access to credential {}".format(new_cred.name)
+                ))

        new_job = obj.create_unified_job(**prompted_fields)
        result = new_job.signal_start(**passwords)
--- a/awx/main/tests/functional/api/test_deprecated_credential_assignment.py
+++ b/awx/main/tests/functional/api/test_deprecated_credential_assignment.py
@ -338,3 +338,30 @@ def test_extra_creds_prompted_at_launch(get, post, job_template, admin, net_cred
 def test_invalid_mixed_credentials_specification(get, post, job_template, admin, net_credential):
    url = reverse('api:job_template_launch', kwargs={'pk': job_template.pk})
    post(url, {'credentials': [net_credential.pk], 'extra_credentials': [net_credential.pk]}, admin, expect=400)
+
+
+@pytest.mark.django_db
+def test_rbac_default_credential_usage(get, post, job_template, alice, machine_credential):
+    job_template.credentials.add(machine_credential)
+    job_template.execute_role.members.add(alice)
+    job_template.save()
+
+    # alice can launch; she's not adding any _new_ credentials, and she has
+    # execute access to the JT
+    url = reverse('api:job_template_launch', kwargs={'pk': job_template.pk})
+    post(url, {'credential': machine_credential.pk}, alice, expect=201)
+
+    # make (copy) a _new_ SSH cred
+    new_cred = machine_credential
+    new_cred.pk = None
+    new_cred.save()
+
+    # alice is attempting to launch with a *different* SSH cred, but
+    # she does not have access to it, so she cannot launch
+    url = reverse('api:job_template_launch', kwargs={'pk': job_template.pk})
+    post(url, {'credential': new_cred.pk}, alice, expect=403)
+
+    # if alice has gains access to the credential, she *can* launch
+    new_cred.use_role.members.add(alice)
+    url = reverse('api:job_template_launch', kwargs={'pk': job_template.pk})
+    post(url, {'credential': new_cred.pk}, alice, expect=201)
--- a/awx/main/tests/functional/api/test_job_runtime_params.py
+++ b/awx/main/tests/functional/api/test_job_runtime_params.py
@ -237,7 +237,7 @@ def test_job_launch_fails_without_credential_access(job_template_prompts, runtim
    response = post(reverse('api:job_template_launch', kwargs={'pk':job_template.pk}),
                    dict(credentials=runtime_data['credentials']), rando, expect=403)

-    assert response.data['detail'] == u'You do not have permission to perform this action.'
+    assert response.data['detail'] == u'You do not have access to credential runtime-cred'


@pytest.mark.django_db