From 48a0038f53462548a1b64b7f9b1fbe532a11f10a Mon Sep 17 00:00:00 2001
From: chris meyers
Date: Thu, 9 Aug 2018 12:06:46 -0400
Subject: [PATCH 1/6] fill in network ssh password protected keys
---
 awx/main/tasks.py | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/awx/main/tasks.py b/awx/main/tasks.py
index 0a3fe95a442a..b68858e6b228 100644
--- a/awx/main/tasks.py
+++ b/awx/main/tasks.py
@@ -1153,6 +1153,18 @@ def build_passwords(self, job, **kwargs):
 if value not in ('', 'ASK'):
 passwords[field] = value
+ '''
+ Only 1 value can be provided for a unique prompt string. Prefer ssh
+ key unlock over network key unlock.
+ '''
+ if 'ssh_key_unlock' not in passwords:
+ for cred in job.network_credentials:
+ if cred.inputs.get('ssh_key_unlock'):
+ passwords['ssh_key_unlock'] = kwargs.get(
+ 'ssh_key_unlock',
+ decrypt_field(cred, 'ssh_key_unlock')
+ )
+
 return passwords
 def build_env(self, job, **kwargs):
From 9a199b99ace041bca6268d63195fc89b8d41123b Mon Sep 17 00:00:00 2001
From: chris meyers
Date: Thu, 9 Aug 2018 12:40:33 -0400
Subject: [PATCH 2/6] add pexpect test for net cred
---
 awx/main/tests/unit/test_tasks.py | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/awx/main/tests/unit/test_tasks.py b/awx/main/tests/unit/test_tasks.py
index 830c3577fd68..c9270bc2c169 100644
--- a/awx/main/tests/unit/test_tasks.py
+++ b/awx/main/tests/unit/test_tasks.py
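Review bot: In `build_passwords` (awx/main/tasks.py) the new network-credential branch tests `cred.inputs.get('ssh_key_unlock')` only for truthiness, while the context line just above it refuses to store `''` or `'ASK'`. If a network credential holds the `'ASK'` placeholder and no `ssh_key_unlock` kwarg is passed, the placeholder goes to `decrypt_field` and whatever that returns is stored as the key passphrase; how `decrypt_field` treats an unencrypted value is not visible in this hunk. Because the decrypt call is the default argument of `kwargs.get`, it also runs when the kwarg is supplied, so the stored secret is decrypted without being needed. I would compute `value = kwargs['ssh_key_unlock'] if 'ssh_key_unlock' in kwargs else decrypt_field(cred, 'ssh_key_unlock')` and store it only under `if value not in ('', 'ASK'):`. The function starts above this hunk.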
@@ -772,6 +772,22 @@ def test_ssh_passwords(self, field, password_name, expected_flag):
 if expected_flag:
 assert expected_flag in ' '.join(args)
+ def test_net_password(self):
+ net = CredentialType.defaults['net']()
+ credential = Credential(
+ pk=1,
+ credential_type=net,
+ inputs = {'username': 'bob', 'ssh_key_unlock': 'secret'}
+ )
+ credential.inputs['ssh_key_unlock'] = encrypt_field(credential, 'ssh_key_unlock')
+ self.instance.credentials.add(credential)
+ self.task.run(self.pk)
+
+ assert self.run_pexpect.call_count == 1
+ call_args, call_kwargs = self.run_pexpect.call_args_list[0]
+
+ assert 'secret' in call_kwargs.get('expect_passwords').values()
+
 def test_vault_password(self):
 vault = CredentialType.defaults['vault']()
 credential = Credential(
From 8d440acb0f1474072fd1c876b5170980789d22b9 Mon Sep 17 00:00:00 2001
From: chris meyers
Date: Thu, 9 Aug 2018 12:51:40 -0400
Subject: [PATCH 3/6] add test for ssh over network ssh key password preference
---
 awx/main/tests/unit/test_tasks.py | 30 ++++++++++++++++++++++++++++--
 1 file changed, 28 insertions(+), 2 deletions(-)
diff --git a/awx/main/tests/unit/test_tasks.py b/awx/main/tests/unit/test_tasks.py
index c9270bc2c169..235a38d2714d 100644
--- a/awx/main/tests/unit/test_tasks.py
+++ b/awx/main/tests/unit/test_tasks.py
@@ -772,12 +772,12 @@ def test_ssh_passwords(self, field, password_name, expected_flag):
 if expected_flag:
 assert expected_flag in ' '.join(args)
- def test_net_password(self):
+ def test_net_ssh_key_unlock(self):
 net = CredentialType.defaults['net']()
 credential = Credential(
 pk=1,
 credential_type=net,
- inputs = {'username': 'bob', 'ssh_key_unlock': 'secret'}
+ inputs = {'ssh_key_unlock': 'secret'}
 )
 credential.inputs['ssh_key_unlock'] = encrypt_field(credential, 'ssh_key_unlock')
 self.instance.credentials.add(credential)
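Review bot: `test_net_password` covers only a stored passphrase; nothing exercises the `''` and `'ASK'` values that the older branch of `build_passwords` filters out, nor the `ssh_key_unlock` kwarg override that the new branch reads. A companion test built with `inputs = {'ssh_key_unlock': 'ASK'}` and ending in `assert 'ASK' not in call_kwargs.get('expect_passwords').values()` would pin that a placeholder is never sent in answer to a passphrase prompt. Whether this task fixture can be run with a placeholder value is not visible in the hunk, so the setup may need adjusting.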
@@ -788,6 +788,32 @@ def test_net_password(self):
 assert 'secret' in call_kwargs.get('expect_passwords').values()
+ def test_prefer_ssh_over_net_ssh_key_unlock(self):
+ net = CredentialType.defaults['net']()
+ net_credential = Credential(
+ pk=1,
+ credential_type=net,
+ inputs = {'ssh_key_unlock': 'net_secret'}
+ )
+ net_credential.inputs['ssh_key_unlock'] = encrypt_field(net_credential, 'ssh_key_unlock')
+
+ ssh = CredentialType.defaults['ssh']()
+ ssh_credential = Credential(
+ pk=1,
+ credential_type=ssh,
+ inputs = {'ssh_key_unlock': 'ssh_secret'}
+ )
+ ssh_credential.inputs['ssh_key_unlock'] = encrypt_field(ssh_credential, 'ssh_key_unlock')
+
+ self.instance.credentials.add(net_credential)
+ self.instance.credentials.add(ssh_credential)
+ self.task.run(self.pk)
+
+ assert self.run_pexpect.call_count == 1
+ call_args, call_kwargs = self.run_pexpect.call_args_list[0]
+
+ assert 'ssh_secret' in call_kwargs.get('expect_passwords').values()
+
 def test_vault_password(self):
 vault = CredentialType.defaults['vault']()
 credential = Credential(
From 2f49dc774aef6b6d65c7c554fa90a3c432d43ffc Mon Sep 17 00:00:00 2001
From: chris meyers
Date: Thu, 9 Aug 2018 13:25:15 -0400
Subject: [PATCH 4/6] first net password-protected ssh key wins
---
 awx/main/tasks.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/awx/main/tasks.py b/awx/main/tasks.py
index b68858e6b228..6dd14cce49a2 100644
--- a/awx/main/tasks.py
+++ b/awx/main/tasks.py
@@ -1164,6 +1164,7 @@ def build_passwords(self, job, **kwargs):
 'ssh_key_unlock',
 decrypt_field(cred, 'ssh_key_unlock')
 )
+ break
 return passwords
From 40d6c763b3774fe1d7efe6e86a9c2ac116c4e8d5 Mon Sep 17 00:00:00 2001
From: chris meyers
Date: Thu, 9 Aug 2018 13:32:42 -0400
Subject: [PATCH 5/6] add test for first net cred ssh password protected wins
---
 awx/main/tests/unit/test_tasks.py | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
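Review bot: `test_prefer_ssh_over_net_ssh_key_unlock` asserts that `'ssh_secret'` is present but never that `'net_secret'` is absent, so it would still pass if both passphrases ended up in `expect_passwords` under different prompts. Adding `assert 'net_secret' not in call_kwargs.get('expect_passwords').values()` after the existing assertion makes the preference itself the thing under test, and also guards against a second passphrase being offered to a prompt it was not meant for.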
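Review bot: With the added `break` in `build_passwords` (awx/main/tasks.py), which passphrase is used depends on the iteration order of `job.network_credentials`, and nothing in the hunk fixes that order. If that attribute yields credentials in an unspecified order (its definition is not visible here), the passphrase answered to the key-unlock prompt can differ between runs of the same job. Either iterate deterministically, for example `for cred in sorted(job.network_credentials, key=lambda c: c.pk):`, or state the rule beside the loop with a comment such as `# first network credential with a passphrase wins; order is that of job.network_credentials`. The loop and the function both begin above this hunk.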
diff --git a/awx/main/tests/unit/test_tasks.py b/awx/main/tests/unit/test_tasks.py
index 235a38d2714d..2961ee6cfcbd 100644
--- a/awx/main/tests/unit/test_tasks.py
+++ b/awx/main/tests/unit/test_tasks.py
@@ -788,6 +788,23 @@ def test_net_ssh_key_unlock(self):
 assert 'secret' in call_kwargs.get('expect_passwords').values()
+ def test_net_first_ssh_key_unlock_wins(self):
+ for i in range(3):
+ net = CredentialType.defaults['net']()
+ credential = Credential(
+ pk=1,
+ credential_type=net,
+ inputs = {'ssh_key_unlock': 'secret{}'.format(i)}
+ )
+ credential.inputs['ssh_key_unlock'] = encrypt_field(credential, 'ssh_key_unlock')
+ self.instance.credentials.add(credential)
+ self.task.run(self.pk)
+
+ assert self.run_pexpect.call_count == 1
+ call_args, call_kwargs = self.run_pexpect.call_args_list[0]
+
+ assert 'secret0' in call_kwargs.get('expect_passwords').values()
+
 def test_prefer_ssh_over_net_ssh_key_unlock(self):
 net = CredentialType.defaults['net']()
 net_credential = Credential(
From 5bfe9bf228873f7909386ca295cc73ed60175419 Mon Sep 17 00:00:00 2001
From: chris meyers
Date: Thu, 9 Aug 2018 15:44:59 -0400
Subject: [PATCH 6/6] vary the pk
---
 awx/main/tests/unit/test_tasks.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/awx/main/tests/unit/test_tasks.py b/awx/main/tests/unit/test_tasks.py
index 2961ee6cfcbd..91e3c3505d05 100644
--- a/awx/main/tests/unit/test_tasks.py
+++ b/awx/main/tests/unit/test_tasks.py
@@ -792,7 +792,7 @@ def test_net_first_ssh_key_unlock_wins(self):
 for i in range(3):
 net = CredentialType.defaults['net']()
 credential = Credential(
- pk=1,
+ pk=i,
 credential_type=net,
 inputs = {'ssh_key_unlock': 'secret{}'.format(i)}
 )
@@ -816,7 +816,7 @@ def test_prefer_ssh_over_net_ssh_key_unlock(self):
 ssh = CredentialType.defaults['ssh']()
 ssh_credential = Credential(
- pk=1,
+ pk=2,
 credential_type=ssh,
 inputs = {'ssh_key_unlock': 'ssh_secret'}
 )