class Credential(PasswordFieldsModel, CommonModelNameNotUnique, ResourceMixin):
"""
A credential contains information about how to talk to a remote resource
Usually this is a SSH key location, and possibly an unlock password.
If used with sudo, a sudo password should be set if required.
"""
class Meta:
app_label = 'main'
ordering = ('name',)
unique_together = ('organization', 'name', 'credential_type')
PASSWORD_FIELDS = ['inputs']
FIELDS_TO_PRESERVE_AT_COPY = ['input_sources']
credential_type = models.ForeignKey(
'CredentialType',
related_name='credentials',
null=False,
on_delete=models.CASCADE,
help_text=_('Specify the type of credential you want to create. Refer ' 'to the Ansible Tower documentation for details on each type.'),
)
managed_by_tower = models.BooleanField(default=False, editable=False)
organization = models.ForeignKey(
'Organization',
null=True,
default=None,
blank=True,
on_delete=models.CASCADE,
related_name='credentials',
)
inputs = CredentialInputField(
blank=True, default=dict, help_text=_('Enter inputs using either JSON or YAML syntax. ' 'Refer to the Ansible Tower documentation for example syntax.')
)
admin_role = ImplicitRoleField(
parent_role=[
'singleton:' + ROLE_SINGLETON_SYSTEM_ADMINISTRATOR,
'organization.credential_admin_role',
],
)
use_role = ImplicitRoleField(
parent_role=[
'admin_role',
]
)
read_role = ImplicitRoleField(
parent_role=[
'singleton:' + ROLE_SINGLETON_SYSTEM_AUDITOR,
'organization.auditor_role',
'use_role',
'admin_role',
]
)
@property
def kind(self):
return self.credential_type.namespace
@property
def cloud(self):
return self.credential_type.kind == 'cloud'
@property
def kubernetes(self):
return self.credential_type.kind == 'kubernetes'
def get_absolute_url(self, request=None):
return reverse('api:credential_detail', kwargs={'pk': self.pk}, request=request)
#
# TODO: the SSH-related properties below are largely used for validation
# and for determining passwords necessary for job/ad-hoc launch
#
# These are SSH-specific; should we move them elsewhere?
#
@property
def needs_ssh_password(self):
return self.credential_type.kind == 'ssh' and self.inputs.get('password') == 'ASK'
@property
def has_encrypted_ssh_key_data(self):
try:
ssh_key_data = self.get_input('ssh_key_data')
except AttributeError:
return False
try:
pem_objects = validate_ssh_private_key(ssh_key_data)
for pem_object in pem_objects:
if pem_object.get('key_enc', False):
return True
except ValidationError:
pass
return False
@property
def needs_ssh_key_unlock(self):
if self.credential_type.kind == 'ssh' and self.inputs.get('ssh_key_unlock') in ('ASK', ''):
return self.has_encrypted_ssh_key_data
return False
@property
def needs_become_password(self):
return self.credential_type.kind == 'ssh' and self.inputs.get('become_password') == 'ASK'
@property
def needs_vault_password(self):
return self.credential_type.kind == 'vault' and self.inputs.get('vault_password') == 'ASK'
@property
def passwords_needed(self):
needed = []
for field in ('ssh_password', 'become_password', 'ssh_key_unlock'):
if getattr(self, 'needs_%s' % field):
needed.append(field)
if self.needs_vault_password:
if self.inputs.get('vault_id'):
needed.append('vault_password.{}'.format(self.inputs.get('vault_id')))
else:
needed.append('vault_password')
return needed
@cached_property
def dynamic_input_fields(self):
return [obj.input_field_name for obj in self.input_sources.all()]
def _password_field_allows_ask(self, field):
return field in self.credential_type.askable_fields
def save(self, *args, **kwargs):
self.PASSWORD_FIELDS = self.credential_type.secret_fields
if self.pk:
cred_before = Credential.objects.get(pk=self.pk)
inputs_before = cred_before.inputs
# Look up the currently persisted value so that we can replace
# $encrypted$ with the actual DB-backed value
for field in self.PASSWORD_FIELDS:
if self.inputs.get(field) == '$encrypted$':
self.inputs[field] = inputs_before[field]
super(Credential, self).save(*args, **kwargs)
def mark_field_for_save(self, update_fields, field):
if 'inputs' not in update_fields:
update_fields.append('inputs')
def encrypt_field(self, field, ask):
if field not in self.inputs:
return None
encrypted = encrypt_field(self, field, ask=ask)
if encrypted:
self.inputs[field] = encrypted
elif field in self.inputs:
del self.inputs[field]
def display_inputs(self):
field_val = self.inputs.copy()
for k, v in field_val.items():
if force_text(v).startswith('$encrypted$'):
field_val[k] = '$encrypted$'
return field_val
def unique_hash(self, display=False):
"""
Credential exclusivity is not defined solely by the related
credential type (due to vault), so this produces a hash
that can be used to evaluate exclusivity
"""
if display:
type_alias = self.credential_type.name
else:
type_alias = self.credential_type_id
if self.credential_type.kind == 'vault' and self.has_input('vault_id'):
if display:
fmt_str = '{} (id={})'
else:
fmt_str = '{}_{}'
return fmt_str.format(type_alias, self.get_input('vault_id'))
return str(type_alias)
@staticmethod
def unique_dict(cred_qs):
ret = {}
for cred in cred_qs:
ret[cred.unique_hash()] = cred
return ret
def get_input(self, field_name, **kwargs):
"""
Get an injectable and decrypted value for an input field.
Retrieves the value for a given credential input field name. Return
values for secret input fields are decrypted. If the credential doesn't
have an input value defined for the given field name, an AttributeError
is raised unless a default value is provided.
:param field_name(str): The name of the input field.
:param default(optional[str]): A default return value to use.
"""
if self.credential_type.kind != 'external' and field_name in self.dynamic_input_fields:
return self._get_dynamic_input(field_name)
if field_name in self.credential_type.secret_fields:
try:
return decrypt_field(self, field_name)
except AttributeError:
for field in self.credential_type.inputs.get('fields', []):
if field['id'] == field_name and 'default' in field:
return field['default']
if 'default' in kwargs:
return kwargs['default']
raise AttributeError
if field_name in self.inputs:
return self.inputs[field_name]
if 'default' in kwargs:
return kwargs['default']
for field in self.credential_type.inputs.get('fields', []):
if field['id'] == field_name and 'default' in field:
return field['default']
raise AttributeError(field_name)
def has_input(self, field_name):
if field_name in self.dynamic_input_fields:
return True
return field_name in self.inputs and self.inputs[field_name] not in ('', None)
def has_inputs(self, field_names=()):
for name in field_names:
if name in self.inputs:
if self.inputs[name] in ('', None):
return False
else:
raise ValueError('{} is not an input field'.format(name))
return True
def _get_dynamic_input(self, field_name):
for input_source in self.input_sources.all():
if input_source.input_field_name == field_name:
return input_source.get_input_value()
else:
raise ValueError('{} is not a dynamic input field'.format(field_name))
class Credential(PasswordFieldsModel, CommonModelNameNotUnique, ResourceMixin):
'''
A credential contains information about how to talk to a remote resource
Usually this is a SSH key location, and possibly an unlock password.
If used with sudo, a sudo password should be set if required.
'''
class Meta:
app_label = 'main'
ordering = ('name', )
unique_together = (('organization', 'name', 'credential_type'))
PASSWORD_FIELDS = ['inputs']
credential_type = models.ForeignKey(
'CredentialType',
related_name='credentials',
null=False,
help_text=_(
'Specify the type of credential you want to create. Refer '
'to the Ansible Tower documentation for details on each type.'))
organization = models.ForeignKey(
'Organization',
null=True,
default=None,
blank=True,
on_delete=models.CASCADE,
related_name='credentials',
)
inputs = CredentialInputField(
blank=True,
default={},
help_text=_('Enter inputs using either JSON or YAML syntax. Use the '
'radio button to toggle between the two. Refer to the '
'Ansible Tower documentation for example syntax.'))
admin_role = ImplicitRoleField(parent_role=[
'singleton:' + ROLE_SINGLETON_SYSTEM_ADMINISTRATOR,
'organization.admin_role',
], )
use_role = ImplicitRoleField(parent_role=[
'admin_role',
])
read_role = ImplicitRoleField(parent_role=[
'singleton:' + ROLE_SINGLETON_SYSTEM_AUDITOR,
'organization.auditor_role',
'use_role',
'admin_role',
])
def __getattr__(self, item):
if item != 'inputs':
if item in V1Credential.FIELDS:
return self.inputs.get(item, V1Credential.FIELDS[item].default)
elif item in self.inputs:
return self.inputs[item]
raise AttributeError(item)
def __setattr__(self, item, value):
if item in V1Credential.FIELDS and item in self.credential_type.defined_fields:
if value:
self.inputs[item] = value
elif item in self.inputs:
del self.inputs[item]
return
super(Credential, self).__setattr__(item, value)
@property
def kind(self):
# TODO 3.3: remove the need for this helper property by removing its
# usage throughout the codebase
type_ = self.credential_type
if type_.kind != 'cloud':
return type_.kind
for field in V1Credential.KIND_CHOICES:
kind, name = field
if name == type_.name:
return kind
@property
def cloud(self):
return self.credential_type.kind == 'cloud'
def get_absolute_url(self, request=None):
return reverse('api:credential_detail',
kwargs={'pk': self.pk},
request=request)
#
# TODO: the SSH-related properties below are largely used for validation
# and for determining passwords necessary for job/ad-hoc launch
#
# These are SSH-specific; should we move them elsewhere?
#
@property
def needs_ssh_password(self):
return self.credential_type.kind == 'ssh' and self.password == 'ASK'
@property
def has_encrypted_ssh_key_data(self):
if self.pk:
ssh_key_data = decrypt_field(self, 'ssh_key_data')
else:
ssh_key_data = self.ssh_key_data
try:
pem_objects = validate_ssh_private_key(ssh_key_data)
for pem_object in pem_objects:
if pem_object.get('key_enc', False):
return True
except ValidationError:
pass
return False
@property
def needs_ssh_key_unlock(self):
if self.credential_type.kind == 'ssh' and self.ssh_key_unlock in (
'ASK', ''):
return self.has_encrypted_ssh_key_data
return False
@property
def needs_become_password(self):
return self.credential_type.kind == 'ssh' and self.become_password == 'ASK'
@property
def needs_vault_password(self):
return self.credential_type.kind == 'vault' and self.vault_password == 'ASK'
@property
def passwords_needed(self):
needed = []
for field in ('ssh_password', 'become_password', 'ssh_key_unlock',
'vault_password'):
if getattr(self, 'needs_%s' % field):
needed.append(field)
return needed
def _password_field_allows_ask(self, field):
return field in self.credential_type.askable_fields
def save(self, *args, **kwargs):
self.PASSWORD_FIELDS = self.credential_type.secret_fields
if self.pk:
cred_before = Credential.objects.get(pk=self.pk)
inputs_before = cred_before.inputs
# Look up the currently persisted value so that we can replace
# $encrypted$ with the actual DB-backed value
for field in self.PASSWORD_FIELDS:
if self.inputs.get(field) == '$encrypted$':
self.inputs[field] = inputs_before[field]
super(Credential, self).save(*args, **kwargs)
def encrypt_field(self, field, ask):
encrypted = encrypt_field(self, field, ask=ask)
if encrypted:
self.inputs[field] = encrypted
elif field in self.inputs:
del self.inputs[field]
def mark_field_for_save(self, update_fields, field):
if field in self.credential_type.secret_fields:
# If we've encrypted a v1 field, we actually want to persist
# self.inputs
field = 'inputs'
super(Credential, self).mark_field_for_save(update_fields, field)
def display_inputs(self):
field_val = self.inputs.copy()
for k, v in field_val.items():
if force_text(v).startswith('$encrypted$'):
field_val[k] = '$encrypted$'
return field_val
