Update decrypt command
The decrypt command previously required that the specified files have the site name in their paths. This isn't necessarily always the case: for example, we can have global files that need to be decrypted and do not contain the site name in the file path, but the site name is still relevant in ensuring, based on the site-definition.yaml file, that pegleg uses the correct revision of the global repository. The end result should be that when decrypting a file, we specify the site name, pegleg ensures we're on the correct revisions of the repos and, if the file exists, decrypts it and prints it to stdout. This patch addresses this by: 1. Updating pegleg.engine.secrets.decrypt to no longer require a site name. 2. Updating pegleg.cli.decrypt to no longer pass a site name to pegleg.engine.secrets.decrypt. 3. Updating documentation for CLI. 4. Updating unit tests for CLI and secrets. Change-Id: Ia97518b06a58b069a4d6c0b8d68a37f45e5d31bb
This commit is contained in:
parent
498d5c078f
commit
fb5d54fdb9
@ -681,9 +681,9 @@ decrypt the encrypted secrets, and dump the cleartext secrets file to
**site_name** (Required).
**site_name** (Required).
Name of the ``site``. The ``site_name`` must match a ``site`` name in the site
Name of the ``site``. The ``site_name`` must match a ``site`` name in the site
repository folder structure. The ``decrypt`` command also validates that the
repository folder structure. This is used to ensure the correct revision of
``site-name`` exists in the file path, before unwrapping and decrypting the
the site and global repositories are used, as specified in the site's
documents in the ``filename``.
:file:`site-definition.yaml`.
**-f / filename** (Required).
**-f / filename** (Required).
@ -694,7 +694,7 @@ def encrypt(*, save_location, author, site_name):
def decrypt(*, file_name, save_location, site_name):
def decrypt(*, file_name, save_location, site_name):
engine.repository.process_repositories(site_name)
engine.repository.process_repositories(site_name)
decrypted = engine.secrets.decrypt(file_name, site_name)
decrypted = engine.secrets.decrypt(file_name)
if save_location is None:
if save_location is None:
click.echo(decrypted)
click.echo(decrypted)
else:
else:
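Review bot: On the new side `decrypted = engine.secrets.decrypt(file_name)` hands the user-supplied path to the engine as given, so the only thing still tying the decrypted file to the site is the `engine.repository.process_repositories(site_name)` call above it; nothing in the hunk confirms the path lies inside the repositories that call checked out. That matches the description, but it should be stated where the parameters are documented so that `site_name` is not read as a filter on `file_name`, e.g. `site_name only selects the repository revisions via process_repositories; file_name is decrypted as given and need not lie under the site directory.`. If the engine returns nothing for a missing file (its else branch is not visible here), `click.echo(decrypted)` would print an empty line with no error — worth confirming against `engine.secrets.decrypt`. The command's docstring, decorator and else branch are outside the hunk.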
@ -68,12 +68,10 @@ def encrypt(save_location, author, site_name):
'No secret documents were found for site: {}'.format(site_name))
'No secret documents were found for site: {}'.format(site_name))
def decrypt(file_path, site_name):
def decrypt(file_path):
"""
"""Decrypt one secrets file, and print the decrypted file to standard out.
Decrypt one secrets file, and print the decrypted file to standard out.
Search in secrets file of a site, identified by ``site_name``, for a file
Search the specified file_path for a file.
named ``file_name``.
If the file is found and encrypted, unwrap and decrypt it, and print the
If the file is found and encrypted, unwrap and decrypt it, and print the
result to standard out.
result to standard out.
If the file is found, but it is not encrypted, print the contents of the
If the file is found, but it is not encrypted, print the contents of the
@ -81,14 +79,11 @@ def decrypt(file_path, site_name):
Passphrase and salt for the decryption are read from environment variables.
Passphrase and salt for the decryption are read from environment variables.
:param file_path: Path to the file to be unwrapped and decrypted.
:param file_path: Path to the file to be unwrapped and decrypted.
:type file_path: string
:type file_path: string
:param site_name: The name of the site to search for the file.
:type site_name: string
:return: The decrypted secrets
:return: The decrypted secrets
:rtype: list
:rtype: list
"""
"""
LOG.info('Started decrypting...')
LOG.info('Started decrypting...')
if (os.path.isfile(file_path) and
if os.path.isfile(file_path):
[s for s in file_path.split(os.path.sep) if s == site_name]):
return PeglegSecretManagement(file_path).decrypt_secrets()
return PeglegSecretManagement(file_path).decrypt_secrets()
else:
else:
LOG.info('File: {} was not found. Check your file path and name, '
LOG.info('File: {} was not found. Check your file path and name, '
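Review bot: The new `if os.path.isfile(file_path):` is now the only gate before `PeglegSecretManagement(file_path).decrypt_secrets()`, so any existing file path is accepted, including one outside the repositories the CLI checked out; if that is the intent, the docstring should say so instead of the awkward `Search the specified file_path for a file.`, e.g. `Decrypt the file at ``file_path``. The path is used as given and is not required to lie within the site or global repositories.`. The not-found case is only reported with `LOG.info(...)` rather than raised, so a caller receives whatever the else branch returns and cannot tell a missing file from a successful decrypt — consider raising, or at least logging at warning level (the rest of the else branch is outside the hunk). `:rtype: list` also looks stale: the unit test in this commit passes the return value straight to `yaml.load`, which suggests a string — confirm against `decrypt_secrets`.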
@ -116,7 +116,7 @@ data: {0}-password
# for _file in encrypted_files:
# for _file in encrypted_files:
decrypted = secrets.decrypt(str(save_location.join(
decrypted = secrets.decrypt(str(save_location.join(
"site/cicd/secrets/passphrases/"
"site/cicd/secrets/passphrases/"
"cicd-passphrase-encrypted.yaml")), "cicd")
"cicd-passphrase-encrypted.yaml")))
assert yaml.load(decrypted) == yaml.load(passphrase_doc)
assert yaml.load(decrypted) == yaml.load(passphrase_doc)
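Review bot: The updated call still decrypts a file under `site/cicd/secrets/passphrases/`, so the test does not exercise the case this commit exists for — a path with no site-name component, the global-file case from the description — nor the not-found branch; a second assertion on such a path, and one on a missing path, would pin the new behavior. Separately, `yaml.load(decrypted)` on the unchanged assertion has no explicit `Loader`; assuming `yaml` is PyYAML, `yaml.safe_load(decrypted)` is the conventional form for parsing content read from disk and avoids the load-without-Loader warning. The enclosing test function starts outside the hunk.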