class Credential(PasswordFieldsModel, CommonModelNameNotUnique, ResourceMixin): """ A credential contains information about how to talk to a remote resource Usually this is a SSH key location, and possibly an unlock password. If used with sudo, a sudo password should be set if required. """ class Meta: app_label = 'main' ordering = ('name',) unique_together = ('organization', 'name', 'credential_type') PASSWORD_FIELDS = ['inputs'] FIELDS_TO_PRESERVE_AT_COPY = ['input_sources'] credential_type = models.ForeignKey( 'CredentialType', related_name='credentials', null=False, on_delete=models.CASCADE, help_text=_('Specify the type of credential you want to create. Refer ' 'to the Ansible Tower documentation for details on each type.'), ) managed_by_tower = models.BooleanField(default=False, editable=False) organization = models.ForeignKey( 'Organization', null=True, default=None, blank=True, on_delete=models.CASCADE, related_name='credentials', ) inputs = CredentialInputField( blank=True, default=dict, help_text=_('Enter inputs using either JSON or YAML syntax. ' 'Refer to the Ansible Tower documentation for example syntax.') ) admin_role = ImplicitRoleField( parent_role=[ 'singleton:' + ROLE_SINGLETON_SYSTEM_ADMINISTRATOR, 'organization.credential_admin_role', ], ) use_role = ImplicitRoleField( parent_role=[ 'admin_role', ] ) read_role = ImplicitRoleField( parent_role=[ 'singleton:' + ROLE_SINGLETON_SYSTEM_AUDITOR, 'organization.auditor_role', 'use_role', 'admin_role', ] ) @property def kind(self): return self.credential_type.namespace @property def cloud(self): return self.credential_type.kind == 'cloud' @property def kubernetes(self): return self.credential_type.kind == 'kubernetes' def get_absolute_url(self, request=None): return reverse('api:credential_detail', kwargs={'pk': self.pk}, request=request) # # TODO: the SSH-related properties below are largely used for validation # and for determining passwords necessary for job/ad-hoc launch # # These are SSH-specific; should we move them elsewhere? # @property def needs_ssh_password(self): return self.credential_type.kind == 'ssh' and self.inputs.get('password') == 'ASK' @property def has_encrypted_ssh_key_data(self): try: ssh_key_data = self.get_input('ssh_key_data') except AttributeError: return False try: pem_objects = validate_ssh_private_key(ssh_key_data) for pem_object in pem_objects: if pem_object.get('key_enc', False): return True except ValidationError: pass return False @property def needs_ssh_key_unlock(self): if self.credential_type.kind == 'ssh' and self.inputs.get('ssh_key_unlock') in ('ASK', ''): return self.has_encrypted_ssh_key_data return False @property def needs_become_password(self): return self.credential_type.kind == 'ssh' and self.inputs.get('become_password') == 'ASK' @property def needs_vault_password(self): return self.credential_type.kind == 'vault' and self.inputs.get('vault_password') == 'ASK' @property def passwords_needed(self): needed = [] for field in ('ssh_password', 'become_password', 'ssh_key_unlock'): if getattr(self, 'needs_%s' % field): needed.append(field) if self.needs_vault_password: if self.inputs.get('vault_id'): needed.append('vault_password.{}'.format(self.inputs.get('vault_id'))) else: needed.append('vault_password') return needed @cached_property def dynamic_input_fields(self): return [obj.input_field_name for obj in self.input_sources.all()] def _password_field_allows_ask(self, field): return field in self.credential_type.askable_fields def save(self, *args, **kwargs): self.PASSWORD_FIELDS = self.credential_type.secret_fields if self.pk: cred_before = Credential.objects.get(pk=self.pk) inputs_before = cred_before.inputs # Look up the currently persisted value so that we can replace # $encrypted$ with the actual DB-backed value for field in self.PASSWORD_FIELDS: if self.inputs.get(field) == '$encrypted$': self.inputs[field] = inputs_before[field] super(Credential, self).save(*args, **kwargs) def mark_field_for_save(self, update_fields, field): if 'inputs' not in update_fields: update_fields.append('inputs') def encrypt_field(self, field, ask): if field not in self.inputs: return None encrypted = encrypt_field(self, field, ask=ask) if encrypted: self.inputs[field] = encrypted elif field in self.inputs: del self.inputs[field] def display_inputs(self): field_val = self.inputs.copy() for k, v in field_val.items(): if force_text(v).startswith('$encrypted$'): field_val[k] = '$encrypted$' return field_val def unique_hash(self, display=False): """ Credential exclusivity is not defined solely by the related credential type (due to vault), so this produces a hash that can be used to evaluate exclusivity """ if display: type_alias = self.credential_type.name else: type_alias = self.credential_type_id if self.credential_type.kind == 'vault' and self.has_input('vault_id'): if display: fmt_str = '{} (id={})' else: fmt_str = '{}_{}' return fmt_str.format(type_alias, self.get_input('vault_id')) return str(type_alias) @staticmethod def unique_dict(cred_qs): ret = {} for cred in cred_qs: ret[cred.unique_hash()] = cred return ret def get_input(self, field_name, **kwargs): """ Get an injectable and decrypted value for an input field. Retrieves the value for a given credential input field name. Return values for secret input fields are decrypted. If the credential doesn't have an input value defined for the given field name, an AttributeError is raised unless a default value is provided. :param field_name(str): The name of the input field. :param default(optional[str]): A default return value to use. """ if self.credential_type.kind != 'external' and field_name in self.dynamic_input_fields: return self._get_dynamic_input(field_name) if field_name in self.credential_type.secret_fields: try: return decrypt_field(self, field_name) except AttributeError: for field in self.credential_type.inputs.get('fields', []): if field['id'] == field_name and 'default' in field: return field['default'] if 'default' in kwargs: return kwargs['default'] raise AttributeError if field_name in self.inputs: return self.inputs[field_name] if 'default' in kwargs: return kwargs['default'] for field in self.credential_type.inputs.get('fields', []): if field['id'] == field_name and 'default' in field: return field['default'] raise AttributeError(field_name) def has_input(self, field_name): if field_name in self.dynamic_input_fields: return True return field_name in self.inputs and self.inputs[field_name] not in ('', None) def has_inputs(self, field_names=()): for name in field_names: if name in self.inputs: if self.inputs[name] in ('', None): return False else: raise ValueError('{} is not an input field'.format(name)) return True def _get_dynamic_input(self, field_name): for input_source in self.input_sources.all(): if input_source.input_field_name == field_name: return input_source.get_input_value() else: raise ValueError('{} is not a dynamic input field'.format(field_name))
class Credential(PasswordFieldsModel, CommonModelNameNotUnique, ResourceMixin): ''' A credential contains information about how to talk to a remote resource Usually this is a SSH key location, and possibly an unlock password. If used with sudo, a sudo password should be set if required. ''' class Meta: app_label = 'main' ordering = ('name', ) unique_together = (('organization', 'name', 'credential_type')) PASSWORD_FIELDS = ['inputs'] credential_type = models.ForeignKey( 'CredentialType', related_name='credentials', null=False, help_text=_( 'Specify the type of credential you want to create. Refer ' 'to the Ansible Tower documentation for details on each type.')) organization = models.ForeignKey( 'Organization', null=True, default=None, blank=True, on_delete=models.CASCADE, related_name='credentials', ) inputs = CredentialInputField( blank=True, default={}, help_text=_('Enter inputs using either JSON or YAML syntax. Use the ' 'radio button to toggle between the two. Refer to the ' 'Ansible Tower documentation for example syntax.')) admin_role = ImplicitRoleField(parent_role=[ 'singleton:' + ROLE_SINGLETON_SYSTEM_ADMINISTRATOR, 'organization.admin_role', ], ) use_role = ImplicitRoleField(parent_role=[ 'admin_role', ]) read_role = ImplicitRoleField(parent_role=[ 'singleton:' + ROLE_SINGLETON_SYSTEM_AUDITOR, 'organization.auditor_role', 'use_role', 'admin_role', ]) def __getattr__(self, item): if item != 'inputs': if item in V1Credential.FIELDS: return self.inputs.get(item, V1Credential.FIELDS[item].default) elif item in self.inputs: return self.inputs[item] raise AttributeError(item) def __setattr__(self, item, value): if item in V1Credential.FIELDS and item in self.credential_type.defined_fields: if value: self.inputs[item] = value elif item in self.inputs: del self.inputs[item] return super(Credential, self).__setattr__(item, value) @property def kind(self): # TODO 3.3: remove the need for this helper property by removing its # usage throughout the codebase type_ = self.credential_type if type_.kind != 'cloud': return type_.kind for field in V1Credential.KIND_CHOICES: kind, name = field if name == type_.name: return kind @property def cloud(self): return self.credential_type.kind == 'cloud' def get_absolute_url(self, request=None): return reverse('api:credential_detail', kwargs={'pk': self.pk}, request=request) # # TODO: the SSH-related properties below are largely used for validation # and for determining passwords necessary for job/ad-hoc launch # # These are SSH-specific; should we move them elsewhere? # @property def needs_ssh_password(self): return self.credential_type.kind == 'ssh' and self.password == 'ASK' @property def has_encrypted_ssh_key_data(self): if self.pk: ssh_key_data = decrypt_field(self, 'ssh_key_data') else: ssh_key_data = self.ssh_key_data try: pem_objects = validate_ssh_private_key(ssh_key_data) for pem_object in pem_objects: if pem_object.get('key_enc', False): return True except ValidationError: pass return False @property def needs_ssh_key_unlock(self): if self.credential_type.kind == 'ssh' and self.ssh_key_unlock in ( 'ASK', ''): return self.has_encrypted_ssh_key_data return False @property def needs_become_password(self): return self.credential_type.kind == 'ssh' and self.become_password == 'ASK' @property def needs_vault_password(self): return self.credential_type.kind == 'vault' and self.vault_password == 'ASK' @property def passwords_needed(self): needed = [] for field in ('ssh_password', 'become_password', 'ssh_key_unlock', 'vault_password'): if getattr(self, 'needs_%s' % field): needed.append(field) return needed def _password_field_allows_ask(self, field): return field in self.credential_type.askable_fields def save(self, *args, **kwargs): self.PASSWORD_FIELDS = self.credential_type.secret_fields if self.pk: cred_before = Credential.objects.get(pk=self.pk) inputs_before = cred_before.inputs # Look up the currently persisted value so that we can replace # $encrypted$ with the actual DB-backed value for field in self.PASSWORD_FIELDS: if self.inputs.get(field) == '$encrypted$': self.inputs[field] = inputs_before[field] super(Credential, self).save(*args, **kwargs) def encrypt_field(self, field, ask): encrypted = encrypt_field(self, field, ask=ask) if encrypted: self.inputs[field] = encrypted elif field in self.inputs: del self.inputs[field] def mark_field_for_save(self, update_fields, field): if field in self.credential_type.secret_fields: # If we've encrypted a v1 field, we actually want to persist # self.inputs field = 'inputs' super(Credential, self).mark_field_for_save(update_fields, field) def display_inputs(self): field_val = self.inputs.copy() for k, v in field_val.items(): if force_text(v).startswith('$encrypted$'): field_val[k] = '$encrypted$' return field_val