Merge pull request ManageIQ#168 from mkanoor/mask_automate_workspace_…

…passwords Mask password attributes from AutomateWorkspace
andyvesel · Nov 3, 2017 · 9a2767c · 9a2767c
2 parents 7969144 + a048b0f
commit 9a2767c
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 1 deletion.
diff --git a/app/controllers/api/automate_workspaces_controller.rb b/app/controllers/api/automate_workspaces_controller.rb
@@ -23,5 +23,10 @@ def decrypt(obj, data)
        'attribute' => data['attribute'],
        'value'     => obj.decrypt(data['object'], data['attribute'])}
     end
+
+    def normalize_attr(attr, value)
+      return "password::********" if value.kind_of?(String) && value.start_with?("password::")
+      super
+    end
   end
 end
diff --git a/spec/requests/automate_workspaces_spec.rb b/spec/requests/automate_workspaces_spec.rb
@@ -12,9 +12,10 @@
   let(:encrypted) { MiqAePassword.encrypt(password) }
   let(:var2v) { "password::#{encrypted}" }
   let(:input) do
-    { 'objects'           => {'root' => { 'var1' => '1', 'var2' => var2v }},
+    { 'objects'           => {'root' => { 'var1' => 1, 'var2' => var2v }},
       'method_parameters' => {'arg1' => "password::#{encrypted}"} }
   end
+  let(:masked_password) { "password::********" }
 
   describe 'GET' do
     it 'should not return resources when fetching the collection' do
@@ -40,6 +41,28 @@
       expect(response).to have_http_status(:ok)
     end
 
+    it 'should mask password attributes' do
+      api_basic_authorize action_identifier(:automate_workspaces, :read, :resource_actions, :get)
+      get(api_automate_workspace_url(nil, aw.guid))
+
+      expected = {
+        'input' => a_hash_including(
+          'objects'           => a_hash_including(
+            'root' => a_hash_including(
+              'var2' => masked_password,
+              'var1' => 1
+            )
+          ),
+          'method_parameters' => a_hash_including(
+            'arg1' => masked_password
+          )
+        )
+      }
+
+      expect(response).to have_http_status(:ok)
+      expect(response.parsed_body).to include(expected)
+    end
+
     it 'fetching by guid should return resources with guid based references' do
       api_basic_authorize action_identifier(:automate_workspaces, :read, :resource_actions, :get)
       get(api_automate_workspace_url(nil, aw.guid))