
Update storage policy on decrypt

Barbican expects storagePolicy:cleartext when accepting documents
from Pegleg. Once the document is decrypted, update storagePolicy to
cleartext.

During genesis bundle creation, the encrypted documents are
decrypted, then the whole bundle is encrypted. Once the bundle gets
deployed, the contained documents should all have the correct storage
policy of cleartext.

As a result, two unit tests are updated to no longer compare the
storagePolicy, as it is expected that everything going to Barbican is
cleartext, but in order for Pegleg to know to encrypt, the original
document is storagePolicy:encrypted.

Change-Id: I5167ce6b3030d143d1ff0b789883529a6557eeca
changes/65/681765/3
Alexander Hughes 2 months ago
parent commit 2d88f48989

+1 -0 pegleg/engine/util/pegleg_managed_document.py

@@ -173,6 +173,7 @@ class PeglegManagedSecretsDocument(object):
def set_decrypted(self):
"""Mark the pegleg managed document as un-encrypted."""
self.data.pop(ENCRYPTED)
self._embedded_document[METADATA][STORAGE_POLICY] = 'cleartext'

def set_secret(self, secret):
self._embedded_document['data'] = secret
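Review bot: the docstring on set_decrypted is now out of date: the method no longer only drops the ENCRYPTED marker, it also rewrites the embedded document's metadata storagePolicy to 'cleartext', which is the actual behavioural change here and the thing a caller needs to know about. Update the docstring to say so. Also note that both `self.data.pop(ENCRYPTED)` and `self._embedded_document[METADATA][STORAGE_POLICY] = 'cleartext'` index without a guard, so calling set_decrypted on a document that is not marked encrypted, or whose embedded document has no metadata block, raises KeyError; if that is intended, it is worth a sentence in the docstring, otherwise consider `self.data.pop(ENCRYPTED, None)` and a metadata check.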

+2 -4 tests/unit/engine/test_secrets.py

@@ -177,8 +177,8 @@ data: {0}-password
"site/cicd/secrets/passphrases/"
"cicd-passphrase-encrypted.yaml"))
decrypted = secrets.decrypt(encrypted_path)
assert yaml.safe_load(
decrypted[encrypted_path]) == yaml.safe_load(passphrase_doc)
assert yaml.safe_load(decrypted[encrypted_path])['data'] == yaml.safe_load(
passphrase_doc)['data']


@mock.patch.dict(
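Review bot: the replaced assertion compares only the 'data' key, so the test no longer verifies the behaviour this change introduces, namely that the decrypted document's metadata storagePolicy is rewritten to 'cleartext'. Rather than dropping the whole-document comparison, add an explicit check alongside the 'data' comparison, e.g. `assert yaml.safe_load(decrypted[encrypted_path])['metadata']['storagePolicy'] == 'cleartext'`, so a regression that leaves the policy at 'encrypted' (which Barbican would reject per the commit message) is caught here.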
@@ -297,8 +297,6 @@ def test_encrypt_decrypt_using_docs(tmpdir):
assert test_data[0]['schema'] == decrypted_data[0]['schema']
assert test_data[0]['metadata']['name'] == decrypted_data[0]['metadata'][
'name']
assert test_data[0]['metadata']['storagePolicy'] == decrypted_data[0][
'metadata']['storagePolicy']


@pytest.mark.skipif(
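Review bot: removing the storagePolicy equality assertion leaves this round-trip test without any check on the storage policy of the decrypted output, which is the field the change is about. The original test data is storagePolicy:encrypted and the expected decrypted value is now a fixed 'cleartext', so replace the deleted two lines with a direct assertion such as `assert decrypted_data[0]['metadata']['storagePolicy'] == 'cleartext'` instead of deleting the check outright.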
