From a020222684a67f151c6f0730791eea96eceef81f Mon Sep 17 00:00:00 2001
From: Federico Capoano <f.capoano@openwisp.io>
Date: Sun, 25 Jul 2021 11:52:44 -0500
Subject: [PATCH] [change] Passphrase shall be only write only

---
 openwisp_controller/pki/api/serializers.py | 2 ++
 openwisp_controller/pki/tests/test_api.py  | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/openwisp_controller/pki/api/serializers.py b/openwisp_controller/pki/api/serializers.py
index 005c8a2cc..48b6c2288 100644
--- a/openwisp_controller/pki/api/serializers.py
+++ b/openwisp_controller/pki/api/serializers.py
@@ -81,6 +81,7 @@ class Meta:
             'organization': {'required': True},
             'key_length': {'initial': '2048'},
             'digest': {'initial': 'sha256'},
+            'passphrase': {'write_only': True},
             'validity_start': {'default': default_validity_start()},
             'validity_end': {'default': default_ca_validity_end()},
         }
@@ -154,6 +155,7 @@ class Meta:
             'revoked_at': {'read_only': True},
             'key_length': {'initial': '2048'},
             'digest': {'initial': 'sha256'},
+            'passphrase': {'write_only': True},
             'validity_start': {'default': default_validity_start()},
             'validity_end': {'default': default_cert_validity_end()},
         }
diff --git a/openwisp_controller/pki/tests/test_api.py b/openwisp_controller/pki/tests/test_api.py
index 0f60c0c4d..d9c31724a 100644
--- a/openwisp_controller/pki/tests/test_api.py
+++ b/openwisp_controller/pki/tests/test_api.py
@@ -97,6 +97,7 @@ def test_ca_list_api(self):
         with self.assertNumQueries(4):
             r = self.client.get(path)
         self.assertEqual(r.status_code, 200)
+        self.assertNotIn('passphrase', r.content.decode('utf8'))
 
     def test_ca_detail_api(self):
         ca1 = self._create_ca(name='ca1', organization=self._get_org())
@@ -217,6 +218,7 @@ def test_cert_list_api(self):
             r = self.client.get(path)
         self.assertEqual(r.status_code, 200)
         self.assertEqual(Cert.objects.count(), 1)
+        self.assertNotIn('passphrase', r.content.decode('utf8'))
 
     def test_cert_detail_api(self):
         cert1 = self._create_cert(name='cert1')