blacklist certain sensitive fields and relations as search arguments

see: #5465
see: #5478

awx/main/tests/unit/api/test_filters.py

@@ -2,7 +2,11 @@ import pytest
 
 from rest_framework.exceptions import PermissionDenied
 from awx.api.filters import FieldLookupBackend
-from awx.main.models import Credential, JobTemplate
+from awx.main.models import (AdHocCommand, AuthToken, CustomInventoryScript,
+                             Credential, Job, JobTemplate, SystemJob,
+                             UnifiedJob, User, WorkflowJob,
+                             WorkflowJobTemplate, WorkflowJobOptions)
+from awx.main.models.jobs import JobOptions
 
 
 @pytest.mark.parametrize(u"empty_value", [u'', ''])
@@ -38,3 +42,28 @@ def test_filter_on_related_password_field(password_field, lookup_suffix):
     with pytest.raises(PermissionDenied) as excinfo:
         field, new_lookup = field_lookup.get_field_from_lookup(JobTemplate, lookup)
     assert 'not allowed' in str(excinfo.value)
+
+
+@pytest.mark.parametrize('model, query', [
+    (AuthToken, 'request_hash__icontains'),
+    (User, 'password__icontains'),
+    (User, 'auth_tokens__key__icontains'),
+    (User, 'settings__value__icontains'),
+    (UnifiedJob, 'job_args__icontains'),
+    (UnifiedJob, 'job_env__icontains'),
+    (UnifiedJob, 'start_args__icontains'),
+    (AdHocCommand, 'extra_vars__icontains'),
+    (JobOptions, 'extra_vars__icontains'),
+    (SystemJob, 'extra_vars__icontains'),
+    (WorkflowJobOptions, 'extra_vars__icontains'),
+    (Job, 'survey_passwords__icontains'),
+    (WorkflowJob, 'survey_passwords__icontains'),
+    (JobTemplate, 'survey_spec__icontains'),
+    (WorkflowJobTemplate, 'survey_spec__icontains'),
+    (CustomInventoryScript, 'script__icontains')
+])
+def test_filter_sensitive_fields_and_relations(model, query):
+    field_lookup = FieldLookupBackend()
+    with pytest.raises(PermissionDenied) as excinfo:
+        field, new_lookup = field_lookup.get_field_from_lookup(model, query)
+    assert 'not allowed' in str(excinfo.value)