feat: allow EDA credential fields to link to external Secret Management Systems (SMS) (#1349)

AAP allows text fields in a Credential to be connected to an external
Secret Management System like Hashicorp Vault.
EDA was lacking this feature, this fix tries to address that by
providing

  * Test External SMS for connectivity and existence of secrets
  * Optionally link text fields to External SMS
  * Uses the awx-plugins-core to manage the connections to external SMS

New API end points added

* /api/eda/v1/credential-types/_nnn_/test/ (POST)
* /api/eda/v1/eda-credentials/_nnn_/test/ (POST)
* /api/eda/v1/eda-credentials/_nnn_/input_sources/ (GET)
* /api/eda/v1/credential_input_sources/ (CRUD)
  
The[ awx-plugins-core](https://pypi.org/project/awx-plugins-core/)
supports 10 different external systems, for parity we have added the
schema for all 10 of them

1. CyberArk Central Credential Provider Lookup
2. AWS Secrets Manager lookup
3. Microsoft Azure Key Vault
4. Centrify Vault Credential Provider Lookup
5. CyberArk Conjur Secrets Manager Lookup
6. HashiCorp Vault Secret Lookup
7. HashiCorp Vault Signed SSH
8. Thycotic DevOps Secrets Vault
9. Thycotic Secret Server
10. GitHub App Installation Access Token Lookup

https://issues.redhat.com/browse/AAP-46900

```mermaid
flowchart TD;
    A[EDA UI] -->|Create Credential| B(EDA API);
    B --> C{AWX Plugins};
    C -->|Fetch/Test| D[fa:fa-vault Hashicorp];
    C -->|Fetch/Test| E[fa:fa-vault CyberArk];
    C -->|Fetch/Text| F[fa:fa-vault Azure];
```

Author: mkanoor

poetry.lock

@@ -0,0 +1,4 @@
+[installer]
+# This is related to https://github.com/DelineaXPM/python-tss-sdk/issues/72
+# these packages get corrupted at times when installed in parallel.
+parallel = false

poetry.toml

@@ -71,6 +71,18 @@ django-flags = "^5.0.13"
 insights-analytics-collector = "^0.3.2"
 distro = "^1.9.0"
 dispatcherd = { version = "v2025.05.19", extras = ["pg_notify"] }
+awx-plugins-core = { version = "^0.0.1a10", extras = [
+                              "credentials-aim",
+                              "credentials-aws-secretsmanager-credential",
+                              "credentials-azure-kv",
+                              "credentials-centrify-vault-kv",
+                              "credentials-conjur",
+                              "credentials-github-app",
+                              "credentials-hashivault-kv",
+                              "credentials-hashivault-ssh",
+                              "credentials-thycotic-dsv",
+                              "credentials-thycotic-tss"
+                    ]}
 
 
 [tool.poetry.group.test.dependencies]

pyproject.toml

@@ -26,7 +26,7 @@
 from aap_eda.conf import application_settings
 from aap_eda.conf.registry import ANALYTICS_GATHER_INTERVAL
 from aap_eda.core import enums, models
-from aap_eda.core.utils.credentials import inputs_from_store
+from aap_eda.core.utils.credentials import get_resolved_secrets
 
 logger = logging.getLogger("aap_eda.analytics")
 
@@ -225,7 +225,7 @@ def generate_token() -> ServiceToken:
 def _get_credential_value(field: str, *setting_envs: Tuple[Any, str]) -> str:
     credentials = _get_analytics_credentials()
     for credential in credentials:
-        inputs = inputs_from_store(credential.inputs.get_secret_value())
+        inputs = get_resolved_secrets(credential)
         if value := inputs.get(field):
             return value
 
@@ -314,7 +314,7 @@ def get_analytics_interval() -> int:
 def get_analytics_interval_if_exist(credential: models.EdaCredential) -> int:
     if credential.credential_type.kind != get_auth_mode():
         return 0
-    inputs = inputs_from_store(credential.inputs.get_secret_value())
+    inputs = get_resolved_secrets(credential)
     return inputs.get("gather_interval", 0)
 
 

src/aap_eda/analytics/utils.py

@@ -118,3 +118,10 @@ class InvalidEventStreamSource(APIException):
         "Configuration Error: Event Stream source could not be "
         "updated in ruleset"
     )
+
+
+class ExternalSMSError(APIException):
+    status_code = status.HTTP_503_SERVICE_UNAVAILABLE
+    default_detail = (
+        "External SMS Error: not able to fetch secrets from external SMS"
+    )

src/aap_eda/api/exceptions.py

@@ -17,6 +17,7 @@
     ActivationInstanceFilter,
     ActivationInstanceLogFilter,
 )
+from .credential_input_source import CredentialInputSourceFilter
 from .credential_type import CredentialTypeFilter
 from .decision_environment import DecisionEnvironmentFilter
 from .eda_credential import EdaCredentialFilter
@@ -35,6 +36,7 @@
     # credential type
     "CredentialTypeFilter",
     "EdaCredentialFilter",
+    "CredentialInputSourceFilter",
     # decision_environment
     "DecisionEnvironmentFilter",
     # activation instance

src/aap_eda/api/filters/__init__.py

@@ -0,0 +1,34 @@
+#  Copyright 2025 Red Hat, Inc.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+
+import django_filters
+
+from aap_eda.core import models
+
+
+class CredentialInputSourceFilter(django_filters.FilterSet):
+    source_credential = django_filters.NumberFilter(
+        field_name="source_credential",
+        lookup_expr="exact",
+        label="Filter by Source Credential ID.",
+    )
+    target_credential = django_filters.NumberFilter(
+        field_name="target_credential",
+        lookup_expr="exact",
+        label="Filter by Target Credential ID.",
+    )
+
+    class Meta:
+        model = models.CredentialInputSource
+        fields = ["target_credential", "source_credential"]

src/aap_eda/api/filters/credential_input_source.py

@@ -25,10 +25,18 @@
 )
 from .auth import JWTTokenSerializer, LoginSerializer, RefreshTokenSerializer
 from .config import ConfigSerializer
+from .credential_input_source import (
+    CredentialInputSourceCreateSerializer,
+    CredentialInputSourceReferenceSerializer,
+    CredentialInputSourceRefSerializer,
+    CredentialInputSourceSerializer,
+    CredentialInputSourceUpdateSerializer,
+)
 from .credential_type import (
     CredentialTypeCreateSerializer,
     CredentialTypeRefSerializer,
     CredentialTypeSerializer,
+    CredentialTypeTestSerializer,
 )
 from .decision_environment import (
     DecisionEnvironmentCreateSerializer,
@@ -40,6 +48,7 @@
     EdaCredentialCopySerializer,
     EdaCredentialCreateSerializer,
     EdaCredentialSerializer,
+    EdaCredentialTestSerializer,
     EdaCredentialUpdateSerializer,
 )
 from .event_stream import EventStreamInSerializer, EventStreamOutSerializer

src/aap_eda/api/serializers/__init__.py

@@ -27,7 +27,7 @@
     EDA_SERVER_VAULT_LABEL,
     SOURCE_MAPPING_ERROR_KEY,
 )
-from aap_eda.api.exceptions import InvalidEventStreamSource
+from aap_eda.api.exceptions import ExternalSMSError, InvalidEventStreamSource
 from aap_eda.api.serializers.decision_environment import (
     DecisionEnvironmentRefSerializer,
 )
@@ -46,8 +46,11 @@
 from aap_eda.api.vault import encrypt_string
 from aap_eda.core import models, validators
 from aap_eda.core.enums import DefaultCredentialType, ProcessParentType
-from aap_eda.core.exceptions import ParseError
-from aap_eda.core.utils.credentials import get_secret_fields
+from aap_eda.core.exceptions import CredentialPluginError, ParseError
+from aap_eda.core.utils.credentials import (
+    get_resolved_secrets,
+    get_secret_fields,
+)
 from aap_eda.core.utils.k8s_service_name import create_k8s_service_name
 from aap_eda.core.utils.rulebook import (
     build_source_list,
@@ -147,8 +150,10 @@ def _update_extra_vars_from_eda_credentials(
         schema_inputs = eda_credential.credential_type.inputs
         injectors = eda_credential.credential_type.injectors
         secret_fields = get_secret_fields(schema_inputs)
-
-        user_inputs = yaml.safe_load(eda_credential.inputs.get_secret_value())
+        try:
+            user_inputs = get_resolved_secrets(eda_credential)
+        except CredentialPluginError as err:
+            raise ExternalSMSError(str(err))
 
         if creating and any(key in user_inputs for key in secret_fields):
             vault_data.password_used = True