Add cross-referencing file injection test for custom credentials by TheRealHaoLiu · Pull Request #16489 · ansible/awx

TheRealHaoLiu · 2026-06-08T13:12:11Z

Summary

Builds on @chrismeyersfsu's test from #16488 (credential association fix + simple file injection test) and adds a test case for cross-referencing between file templates.

What this tests

A credential type where one file template references another injected file's path:

file:
  template.key_file: '{{ key_data }}'
  template.config_file: |
    [DEFAULT]
    user={{ user_id }}
    key_file={{ tower.filename.key_file }}
env:
  KEY_FILE: '{{ tower.filename.key_file }}'
  CONFIG_FILE: '{{ tower.filename.config_file }}'

This is the pattern used by OCI and similar credential types — a config file that needs to contain the path to a key file. This is the pattern reported broken in AAP-78106.

Why this fails without the awx_plugins.interfaces fix

When inject_credential was moved to awx_plugins.interfaces (38f76f0f), the file injection loop was refactored to set tower.filename after the loop instead of incrementally inside it. This means {{ tower.filename.key_file }} is None when config_file is rendered, producing key_file= (blank) in the config file content.

Fix: ansible/awx_plugins.interfaces#42

Depends on

Add integration test for custom credential file injection #16488 — credentials parameter for run_job_from_playbook fixture
Fix custom credential file injectors awx_plugins.interfaces#42 — incremental tower.filename assignment fix

Test plan

test_custom_credential_type_file_injection — simple file injection (from Add integration test for custom credential file injection #16488)
test_custom_credential_type_file_cross_reference — config file references key file path (new)

Summary by CodeRabbit

Tests
- Added playbook-based tests that validate custom credential file injection, confirm injected files' decoded contents, and ensure environment variables point to rendered files.
- Added cross-reference playbook tests verifying referenced file paths and contents across injected templates.
- Updated test helper to allow supplying credentials when running jobs.

tower.filename is a namespace when using named file templates (template.X), so the env injector must reference the specific file attribute (tower.filename.custom_file) instead of tower.filename directly. Assisted-By: Claude Opus 4.6 <noreply@anthropic.com>

Two fixes to make the live test pass: 1. Credential association: credentials passed in jt_params are silently ignored by the JT creation API (not a writable serializer field). Use jt.credentials.add() to associate the credential with the JT before creating the job. 2. Remove | quote filter: the Jinja2 sandbox used for credential injection does not have the quote filter registered. Rendering {{ tower.filename.custom_file | quote }} would fail with a template error. The base file injection works without it.

coderabbitai · 2026-06-08T13:12:31Z

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 281d5f1f-9474-4467-9029-c088571b8d62

📥 Commits

Reviewing files that changed from the base of the PR and between 067b68a and ebabdd1.

📒 Files selected for processing (1)

awx/main/tests/data/projects/custom_cred_project/test_cred_cross_ref.yml

🚧 Files skipped from review as they are similar to previous changes (1)

awx/main/tests/data/projects/custom_cred_project/test_cred_cross_ref.yml

📝 Walkthrough

Walkthrough

Adds two Ansible playbooks and live tests that verify custom CredentialType file injection and cross-file referencing; updates the test job factory to accept and attach credentials to created JobTemplates.

Changes

Custom Credential Type Live Tests

Layer / File(s)	Summary
Fixture: enable credentials in run_job_from_playbook `awx/main/tests/live/tests/conftest.py`	The run_job_from_playbook inner factory (`_rf`) adds an optional `credentials` parameter and conditionally attaches those credentials to the created `JobTemplate` before starting the job.
Simple file-injection credential, playbook, and test `awx/main/tests/live/tests/test_custom_credential_type.py`, `awx/main/tests/data/projects/custom_cred_project/test_cred.yml`	Adds fixtures to create a custom cloud `CredentialType` and matching `Credential`, a playbook (`test_cred.yml`) that slurps the injected file path from `CUSTOM_FILE_PATH` and asserts file content, and a live test that runs the playbook and checks unified job stdout for injected content.
OCI-style cross-reference credential, playbook, and test `awx/main/tests/live/tests/test_custom_credential_type.py`, `awx/main/tests/data/projects/custom_cred_project/test_cred_cross_ref.yml`	Adds fixtures to create an OCI-oriented `CredentialType` and `Credential` with multiple file injectors and env vars referencing `tower.filename.*`, a playbook (`test_cred_cross_ref.yml`) that validates OCI env vars and cross-file `key_file=` content, and a live test that runs the playbook and asserts success.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 75.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly describes the main change—adding a cross-referencing file injection test for custom credentials—which matches the primary objective of the PR.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

Create PR with unit tests

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

Add a test that mirrors the customer's OCI credential type from AAP-78106 where oci_dummy_config contains key_file={{ tower.filename.ssh_keyfile }}. This test will fail without the fix in ansible/awx_plugins.interfaces#42 which restores incremental tower.filename assignment inside the file injection loop. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Remove Jinja2 braces from fail_msg so Ansible doesn't try to resolve tower.filename.ssh_keyfile as a playbook variable. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

AlanCoding · 2026-06-08T19:25:11Z

assertion seems pretty clear

E         TASK [Assert config file contains the key file path (cross-reference works)] ***
E         
E         fatal: [localhost]: FAILED! => {
E             "assertion": "lookup('env', 'OCI_USER_KEY_FILE') in config_content['content'] | b64decode",
E             "changed": false,
E             "evaluated_to": false,
E             "msg": "Config file does not contain the key file path. The key_file= line is blank, meaning tower.filename.ssh_keyfile was not available when the config file template was rendered."
E         }

AlanCoding and others added 3 commits June 5, 2026 15:54

Add integration test to verify custom files actually injected

c9419fb

github-actions Bot added the component:api label Jun 8, 2026

TheRealHaoLiu force-pushed the add-cross-ref-file-injection-test branch from 6e8bc24 to 067b68a Compare June 8, 2026 13:16

Fix Ansible templating error in test playbook fail_msg

ebabdd1

Remove Jinja2 braces from fail_msg so Ansible doesn't try to resolve tower.filename.ssh_keyfile as a playbook variable. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add cross-referencing file injection test for custom credentials#16489

Add cross-referencing file injection test for custom credentials#16489
TheRealHaoLiu wants to merge 5 commits into
ansible:develfrom
TheRealHaoLiu:add-cross-ref-file-injection-test

TheRealHaoLiu commented Jun 8, 2026 •

edited by coderabbitai Bot

Loading

Uh oh!

coderabbitai Bot commented Jun 8, 2026 •

edited

Loading

Walkthrough

Changes

Estimated code review effort

❌ Failed checks (1 warning)

Uh oh!

AlanCoding commented Jun 8, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Conversation

TheRealHaoLiu commented Jun 8, 2026 • edited by coderabbitai Bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary

What this tests

Why this fails without the awx_plugins.interfaces fix

Depends on

Test plan

Summary by CodeRabbit

Uh oh!

coderabbitai Bot commented Jun 8, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Walkthrough

Changes

Estimated code review effort

❌ Failed checks (1 warning)

Uh oh!

AlanCoding commented Jun 8, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

TheRealHaoLiu commented Jun 8, 2026 •

edited by coderabbitai Bot

Loading

coderabbitai Bot commented Jun 8, 2026 •

edited

Loading