fix: prevent multiple AAP credentials from being attached to activati…

…ons (ansible#1123)
jshimkus-rh · Oct 25, 2024 · 7ede6bc · 7ede6bc
1 parent 0fca9ae
commit 7ede6bc
Show file tree

Hide file tree

Showing 3 changed files with 94 additions and 2 deletions.
diff --git a/src/aap_eda/api/serializers/activation.py b/src/aap_eda/api/serializers/activation.py
@@ -411,7 +411,10 @@ class Meta:
         required=False,
         allow_null=True,
         child=serializers.IntegerField(),
-        validators=[validators.check_multiple_credentials],
+        validators=[
+            validators.check_multiple_credentials,
+            validators.check_single_aap_credential,
+        ],
     )
     k8s_service_name = serializers.CharField(
         required=False,

diff --git a/src/aap_eda/core/validators.py b/src/aap_eda/core/validators.py
@@ -17,6 +17,7 @@
 
 import yaml
 from django.conf import settings
+from django.utils.translation import gettext_lazy as _
 from rest_framework import serializers
 
 from aap_eda.core import enums, models
@@ -109,13 +110,37 @@ def check_credential_types_for_scm(eda_credential_id: int) -> int:
     return eda_credential_id
 
 
-def check_multiple_credentials(eda_credential_ids: list[int]) -> int:
+def check_multiple_credentials(
+    eda_credential_ids: list[int],
+) -> list[int]:
     for eda_credential_id in eda_credential_ids:
         check_credential_types_for_activation(eda_credential_id)
 
     return eda_credential_ids
 
 
+def check_single_aap_credential(
+    eda_credential_ids: list[int],
+) -> list[int]:
+    credentials = [
+        get_credential_if_exists(eda_credential_id)
+        for eda_credential_id in eda_credential_ids
+    ]
+    aap_credential_ids = [
+        credential.id
+        for credential in credentials
+        if credential.credential_type.name == enums.DefaultCredentialType.AAP
+    ]
+
+    if len(aap_credential_ids) > 1:
+        raise serializers.ValidationError(
+            _("%(number)d RH AAP credentials are provided instead of 1")
+            % {"number": len(aap_credential_ids)}
+        )
+
+    return eda_credential_ids
+
+
 def check_if_credential_type_exists(credential_type_id: int) -> int:
     try:
         models.CredentialType.objects.get(pk=credential_type_id)

diff --git a/tests/integration/api/test_activation_with_credential.py b/tests/integration/api/test_activation_with_credential.py
@@ -642,3 +642,67 @@ def test_create_activation_with_extra_vars_mix_credential(
     assert extra_var["custom_password"] == "password"
     for key, value in original_extra_var.items():
         assert value == extra_var[key]
+
+
+@pytest.mark.django_db
+def test_create_activation_with_multip_aap_credentials(
+    admin_client: APIClient,
+    default_decision_environment: models.DecisionEnvironment,
+    default_rulebook: models.Rulebook,
+    default_organization: models.Organization,
+    preseed_credential_types,
+):
+    aap_credential_type = models.CredentialType.objects.get(
+        name=enums.DefaultCredentialType.AAP
+    )
+    data = "secret"
+    aap_credentials = models.EdaCredential.objects.bulk_create(
+        [
+            models.EdaCredential(
+                name="aap-credential-1",
+                inputs=inputs_to_store(
+                    {
+                        "host": "https://eda_controller_url",
+                        "username": "adam",
+                        "password": data,
+                        "ssl_verify": "no",
+                        "oauth_token": "",
+                    }
+                ),
+                credential_type=aap_credential_type,
+                organization=default_organization,
+            ),
+            models.EdaCredential(
+                name="aap-credential-2",
+                inputs=inputs_to_store(
+                    {
+                        "host": "https://eda_controller_url",
+                        "username": "",
+                        "password": "",
+                        "ssl_verify": "no",
+                        "oauth_token": "xzy_token",
+                    }
+                ),
+                credential_type=aap_credential_type,
+                organization=default_organization,
+            ),
+        ]
+    )
+
+    test_activation = {
+        "name": "test_activation",
+        "decision_environment_id": default_decision_environment.id,
+        "rulebook_id": default_rulebook.id,
+        "extra_var": EXTRA_VAR,
+        "organization_id": default_organization.id,
+        "eda_credentials": [credential.id for credential in aap_credentials],
+    }
+
+    response = admin_client.post(
+        f"{api_url_v1}/activations/", data=test_activation
+    )
+    assert response.status_code == status.HTTP_400_BAD_REQUEST
+    assert (
+        f"{len(aap_credentials)} RH AAP credentials"
+        " are provided instead of 1" in response.data["eda_credentials"]
+    )