Prevent modifying peers on managed node

Add validation to prevent any managed node from modifying "peers" through the API Peering from these nodes should be handled by setting peers_from_control_nodes only. Managed nodes are control nodes and ingress hop nodes. Signed-off-by: Seth Foster <[email protected]>
ansible · Jan 23, 2024 · 2f6e15d · 2f6e15d
1 parent 25b42f3
commit 2f6e15d
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 8 deletions.
diff --git a/awx/api/serializers.py b/awx/api/serializers.py
@@ -5680,13 +5680,11 @@ def check_peers_changed():
         if not self.instance and not settings.IS_K8S:
             raise serializers.ValidationError(_("Can only create instances on Kubernetes or OpenShift."))
 
-        node_type = get_field_from_model_or_attrs("node_type")
+        managed = get_field_from_model_or_attrs("managed")
 
-        if node_type in [Instance.Types.CONTROL, Instance.Types.HYBRID]:
+        if managed:
             if check_peers_changed():
-                raise serializers.ValidationError(
-                    _("Setting peers manually for control nodes is not allowed. Enable peers_from_control_nodes on the hop and execution nodes instead.")
-                )
+                raise serializers.ValidationError(_("Setting peers manually for managed nodes is not allowed."))
 
         if not settings.IS_K8S:
             if check_peers_changed():

diff --git a/awx/main/tests/functional/api/test_instance_peers.py b/awx/main/tests/functional/api/test_instance_peers.py
@@ -188,7 +188,7 @@ def test_changing_peers_control_nodes(self, node_type, admin_user, patch):
         for control nodes, peers field should not be
         modified directly via patch.
         """
-        control = Instance.objects.create(hostname='abc', node_type=node_type)
+        control = Instance.objects.create(hostname='abc', node_type=node_type, managed=True)
         hop1 = Instance.objects.create(hostname='hop1', node_type='hop')
         hop1addr = ReceptorAddress.objects.create(instance=hop1, address='hop1', peers_from_control_nodes=True, canonical=True)
         hop2 = Instance.objects.create(hostname='hop2', node_type='hop')
@@ -200,7 +200,7 @@ def test_changing_peers_control_nodes(self, node_type, admin_user, patch):
             user=admin_user,
             expect=400,  # cannot add peers manually
         )
-        assert 'Setting peers manually for control nodes is not allowed.' in str(resp.data)
+        assert 'Setting peers manually for managed nodes is not allowed.' in str(resp.data)
 
         patch(
             url=reverse('api:instance_detail', kwargs={'pk': control.pk}),
@@ -214,7 +214,7 @@ def test_changing_peers_control_nodes(self, node_type, admin_user, patch):
             user=admin_user,
             expect=400,  # cannot remove peers directly
         )
-        assert 'Setting peers manually for control nodes is not allowed.' in str(resp.data)
+        assert 'Setting peers manually for managed nodes is not allowed.' in str(resp.data)
 
         patch(
             url=reverse('api:instance_detail', kwargs={'pk': control.pk}),