migrate existing survey passwords to be encrypted

see: https://github.com/ansible/ansible-tower/issues/7046
2026-05-05 07:51:51 -05:00 · 2017-09-29 11:41:39 -04:00
parent 4be4e3db7f
commit f26bdb3e96
3 changed files with 109 additions and 1 deletions
--- a/awx/main/tests/functional/test_reencrypt_migration.py
+++ b/awx/main/tests/functional/test_reencrypt_migration.py
@@ -10,6 +10,8 @@ from django.apps import apps

 from awx.main.models import (
    UnifiedJob,
+    Job,
+    JobTemplate,
    NotificationTemplate,
    Credential,
 )
@@ -20,9 +22,10 @@ from awx.main.migrations._reencrypt import (
    _notification_templates,
    _credentials,
    _unified_jobs,
+    _encrypt_survey_passwords
 )

-from awx.main.utils import decrypt_field
+from awx.main.utils import decrypt_field, get_encryption_key, decrypt_value


@pytest.mark.django_db
@@ -93,3 +96,54 @@ def test_unified_job_migration(old_enc, new_enc, value):
    # Exception if the encryption type of AESCBC is not properly skipped, ensures
    # our `startswith` calls don't have typos
    _unified_jobs(apps)
+
+
+@pytest.mark.django_db
+def test_survey_default_password_encryption(job_template_factory):
+    jt = job_template_factory('jt', organization='org1', project='prj',
+                              inventory='inv', credential='cred').job_template
+    jt.survey_enabled = True
+    jt.survey_spec = {
+        'description': 'A survey',
+        'spec': [{
+            'index': 0,
+            'question_name': 'What is your password?',
+            'required': True,
+            'variable': 'secret_value',
+            'default': 'SUPERSECRET',
+            'type': 'password'
+        }],
+        'name': 'my survey'
+    }
+    jt.save()
+
+    _encrypt_survey_passwords(Job, JobTemplate)
+    spec = JobTemplate.objects.get(pk=jt.pk).survey_spec['spec']
+    assert decrypt_value(get_encryption_key('value', pk=None), spec[0]['default']) == 'SUPERSECRET'
+
+
+@pytest.mark.django_db
+def test_job_survey_vars_encryption(job_template_factory):
+    jt = job_template_factory('jt', organization='org1', project='prj',
+                              inventory='inv', credential='cred').job_template
+    jt.survey_enabled = True
+    jt.survey_spec = {
+        'description': 'A survey',
+        'spec': [{
+            'index': 0,
+            'question_name': 'What is your password?',
+            'required': True,
+            'variable': 'secret_value',
+            'default': '',
+            'type': 'password'
+        }],
+        'name': 'my survey'
+    }
+    jt.save()
+    job = jt.create_unified_job()
+    job.extra_vars = json.dumps({'secret_value': 'SUPERSECRET'})
+    job.save()
+
+    _encrypt_survey_passwords(Job, JobTemplate)
+    job = Job.objects.get(pk=job.pk)
+    assert json.loads(job.decrypted_extra_vars()) == {'secret_value': 'SUPERSECRET'}