fix a bug in ssh key unlock validation

see: #6553
2026-04-17 05:21:49 -05:00 · 2017-06-12 10:28:38 -04:00
parent 66c9139660
commit 240d629128
2 changed files with 140 additions and 0 deletions
--- a/awx/main/fields.py
+++ b/awx/main/fields.py
@@ -409,6 +409,8 @@ def format_ssh_private_key(value):
    # These end in a unicode-encoded final character that gets double
    # escaped due to being in a Python 2 bytestring, and that causes
    # Python's key parsing to barf. Detect this issue and correct it.
+    if value == '$encrypted$':
+        return value
    if r'\u003d' in value:
        value = value.replace(r'\u003d', '=')
    try:
@@ -505,6 +507,19 @@ class CredentialInputField(JSONSchemaField):
                model_instance.credential_type.managed_by_tower is True and
                'ssh_key_unlock' in model_instance.credential_type.defined_fields
        ):
+
+            # in order to properly test the necessity of `ssh_key_unlock`, we
+            # need to know the real value of `ssh_key_data`; for a payload like:
+            # {
+            #   'ssh_key_data': '$encrypted$',
+            #   'ssh_key_unlock': 'do-you-need-me?',
+            # }
+            # ...we have to fetch the actual key value from the database
+            if model_instance.pk and model_instance.ssh_key_data == '$encrypted$':
+                model_instance.ssh_key_data = model_instance.__class__.objects.get(
+                    pk=model_instance.pk
+                ).ssh_key_data
+
            if model_instance.has_encrypted_ssh_key_data and not value.get('ssh_key_unlock'):
                errors['ssh_key_unlock'] = [_('must be set when SSH key is encrypted.')]
            if not model_instance.has_encrypted_ssh_key_data and value.get('ssh_key_unlock'):