
Merge "Ensure SY gets redacted rendered documents"

changes/22/617722/5
Zuul 8 months ago
parent
commit
03d7269b6a

+ 1
- 0
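--- a/charts/shipyard/values.yaml
+++ b/charts/shipyard/values.yaml
@@ -370,6 +370,7 @@ conf:
     workflow_orchestrator:get_configdocs: rule:admin_read_access
     workflow_orchestrator:commit_configdocs: rule:admin_create
     workflow_orchestrator:get_renderedconfigdocs: rule:admin_read_access
+    workflow_orchestrator:get_renderedconfigdocs_cleartext: rule:admin_read_access
     workflow_orchestrator:list_workflows: rule:admin_read_access
     workflow_orchestrator:get_workflow: rule:admin_read_access
     workflow_orchestrator:get_notedetails: rule:admin_read_access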
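Review bot: The added chart default binds `workflow_orchestrator:get_renderedconfigdocs_cleartext` to `rule:admin_read_access`, the same rule as the redacted `get_renderedconfigdocs` entry just above it, so with these values any role that may read rendered documents may also request them with secrets in cleartext. The in-code default added to policy.py in this commit is `RULE_ADMIN_REQUIRED`, which reads as the stricter rule, although neither rule's definition is visible in this hunk. Unless read-level access to cleartext is intended, the chart line should use the stricter rule, presumably `rule:admin_required` (to be confirmed against the chart's rule definitions). If it is intended, a comment on the line should say so, for example `# read-only admins may retrieve cleartext secrets; tighten per site if needed`.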

+ 4
- 1
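--- a/doc/source/API.rst
+++ b/doc/source/API.rst
@@ -259,8 +259,11 @@ Returns the full set of configdocs in their rendered form.
 
 Query Parameters
 ''''''''''''''''
-version=committed | last_site_action | successful_site_action | **buffer**
+- version=committed | last_site_action | successful_site_action | **buffer**
   Return the documents for the version specified - buffer by default.
+- cleartext-secrets=true/**false**
+  If true then returns cleartext secrets in encrypted documents, otherwise
+  those values are redacted.
 
 Responses
 '''''''''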

+ 5
- 0
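--- a/doc/source/CLI.rst
+++ b/doc/source/CLI.rst
@@ -726,6 +726,7 @@ applying Deckhand layering and substitution.
 
     shipyard get renderedconfigdocs
         [--committed | --last-site-action | --successful-site-action | --buffer]
+        [--cleartext-secrets]
 
     Example:
         shipyard get renderedconfigdocs
@@ -743,6 +744,10 @@ applying Deckhand layering and substitution.
   Retrieve the documents that have been loaded into Shipyard since the
   prior commit. (default)
 
+\--cleartext-secrets
+  Returns secrets as cleartext for encrypted documents if the user has the appropriate
+  permissions in the target environment.
+
 Sample
 ^^^^^^
 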

+ 1
- 1
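--- a/src/bin/shipyard_airflow/shipyard_airflow/control/configdocs/configdocs_api.py
+++ b/src/bin/shipyard_airflow/shipyard_airflow/control/configdocs/configdocs_api.py
@@ -98,7 +98,7 @@ class ConfigDocsResource(BaseResource):
         Returns a collection of documents
         """
         version = (req.params.get('version') or 'buffer')
-        cleartext_secrets = req.get_param_as_bool('cleartext-secrets')
+        cleartext_secrets = req.get_param_as_bool('cleartext-secrets') or False
         self._validate_version_parameter(version)
         helper = ConfigdocsHelper(req.context)
         # Not reformatting to JSON or YAML since just passing through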

+ 12
- 3
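--- a/src/bin/shipyard_airflow/shipyard_airflow/control/configdocs/rendered_configdocs_api.py
+++ b/src/bin/shipyard_airflow/shipyard_airflow/control/configdocs/rendered_configdocs_api.py
@@ -43,11 +43,19 @@ class RenderedConfigDocsResource(BaseResource):
         Returns the whole set of rendered documents
         """
         version = (req.params.get('version') or 'buffer')
+        cleartext_secrets = req.get_param_as_bool('cleartext-secrets') or False
         self._validate_version_parameter(version)
         helper = ConfigdocsHelper(req.context)
+
+        # Check access to cleartext_secrets
+        if cleartext_secrets:
+            policy.check_auth(req.context,
+                              policy.GET_RENDEREDCONFIGDOCS_CLRTXT)
+
         resp.body = self.get_rendered_configdocs(
             helper=helper,
-            version=version
+            version=version,
+            cleartext_secrets=cleartext_secrets
         )
         resp.append_header('Content-Type', 'application/x-yaml')
         resp.status = falcon.HTTP_200
@@ -64,8 +72,9 @@ class RenderedConfigDocsResource(BaseResource):
                 retry=False,
             )
 
-    def get_rendered_configdocs(self, helper, version='buffer'):
+    def get_rendered_configdocs(self, helper, version='buffer',
+                                cleartext_secrets=False):
         """
         Get and return the rendered configdocs from the helper/Deckhand
         """
-        return helper.get_rendered_configdocs(version, cleartext_secrets)
+        return helper.get_rendered_configdocs(version, cleartext_secrets)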
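Review bot: A granted cleartext request leaves no record in the lines shown: once `policy.check_auth(req.context, policy.GET_RENDEREDCONFIGDOCS_CLRTXT)` passes in the first hunk, the handler goes straight on to `get_rendered_configdocs` and returns the body. Retrieval of unredacted secrets is something operators will want to find in the logs afterwards, so the `if cleartext_secrets:` branch should emit an info-level entry naming the requested version and the caller from `req.context`, and never any document content. `check_auth` may already log denials, but its body is not visible here. The handler itself begins above the hunk, so whether a module logger is already in scope needs checking. The existing comment could also be more specific, for example `# Cleartext needs its own, stricter policy in addition to the handler's base policy`.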

+ 2
- 1
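--- a/src/bin/shipyard_airflow/shipyard_airflow/control/helpers/configdocs_helper.py
+++ b/src/bin/shipyard_airflow/shipyard_airflow/control/helpers/configdocs_helper.py
@@ -375,7 +375,7 @@ class ConfigdocsHelper(object):
             status=falcon.HTTP_404,
             retry=False)
 
-    def get_rendered_configdocs(self, version=BUFFER):
+    def get_rendered_configdocs(self, version=BUFFER, cleartext_secrets=False):
         """
         Returns the rendered configuration documents for the specified
         revision (by name BUFFER, COMMITTED, LAST_SITE_ACTION,
@@ -397,6 +397,7 @@ class ConfigdocsHelper(object):
 
             try:
                 return self.deckhand.get_rendered_docs_from_revision(
+                    cleartext_secrets=cleartext_secrets,
                     revision_id=revision_id)
             except DeckhandError as de:
                 raise ApiError(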
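Review bot: The docstring of `get_rendered_configdocs` is not extended for the new `cleartext_secrets` parameter in the first hunk; the section's counts (+2/-1) are fully accounted for by the signature and the call-site change. Since this helper performs no authorization of its own in the lines shown, the docstring should state the contract callers depend on, for example `cleartext_secrets: when True, Deckhand is asked for unredacted secret values; the caller must already have enforced the cleartext policy`. The rest of the docstring and the method body lie outside the visible hunks.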

+ 5
- 2
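--- a/src/bin/shipyard_airflow/shipyard_airflow/control/helpers/deckhand_client.py
+++ b/src/bin/shipyard_airflow/shipyard_airflow/control/helpers/deckhand_client.py
@@ -232,7 +232,8 @@ class DeckhandClient(object):
                                     response.text))})
         return errors
 
-    def get_rendered_docs_from_revision(self, revision_id, bucket_id=None):
+    def get_rendered_docs_from_revision(self, revision_id, bucket_id=None,
+                                        cleartext_secrets=False):
         """
         Returns the full set of rendered documents for a revision
         """
@@ -240,9 +241,11 @@ class DeckhandClient(object):
             DeckhandPaths.RENDERED_REVISION_DOCS
         ).format(revision_id)
 
-        query = None
+        query = {}
         if bucket_id is not None:
             query = {'status.bucket': bucket_id}
+        if cleartext_secrets is True:
+            query['cleartext-secrets'] = 'true'
         response = self._get_request(url, params=query)
         self._handle_bad_response(response)
         return response.text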
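Review bot: The identity test `if cleartext_secrets is True:` in the second hunk means any truthy non-bool value (a string `'true'`, the integer 1) is silently treated as a request for redacted documents. That fails closed, which is the safe direction for a secrets flag, but nothing records that it is deliberate, so a later tidy-up to `if cleartext_secrets:` would widen it unnoticed. A comment such as `# identity check: only the bool True requests cleartext, anything else stays redacted` would pin the intent. The same pattern appears in `get_rendereddocs` in shipyard_api_client.py. As a style point, with `query = {}` now in place the bucket branch could assign `query['status.bucket'] = bucket_id` instead of rebinding the dict.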

+ 11
- 0
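--- a/src/bin/shipyard_airflow/shipyard_airflow/policy.py
+++ b/src/bin/shipyard_airflow/shipyard_airflow/policy.py
@@ -38,6 +38,7 @@ CREATE_CONFIGDOCS = 'workflow_orchestrator:create_configdocs'
 GET_CONFIGDOCS = 'workflow_orchestrator:get_configdocs'
 COMMIT_CONFIGDOCS = 'workflow_orchestrator:commit_configdocs'
 GET_RENDEREDCONFIGDOCS = 'workflow_orchestrator:get_renderedconfigdocs'
+GET_RENDEREDCONFIGDOCS_CLRTXT = 'workflow_orchestrator:get_renderedconfigdocs_cleartext'  # noqa
 LIST_WORKFLOWS = 'workflow_orchestrator:list_workflows'
 GET_WORKFLOW = 'workflow_orchestrator:get_workflow'
 GET_NOTEDETAILS = 'workflow_orchestrator:get_notedetails'
@@ -187,6 +188,16 @@ class ShipyardPolicy(object):
                 'method': 'GET'
             }]
         ),
+        policy.DocumentedRuleDefault(
+            GET_RENDEREDCONFIGDOCS_CLRTXT,
+            RULE_ADMIN_REQUIRED,
+            ('Retrieve the configuration documents with cleartext secrets '
+             'rendered by Deckhand into a complete design'),
+            [{
+                'path': '/api/v1.0/renderedconfigdocs',
+                'method': 'GET'
+            }]
+        ),
         policy.DocumentedRuleDefault(
             LIST_WORKFLOWS,
             RULE_ADMIN_REQUIRED,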
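Review bot: The new rule's documentation does not say when it applies: it lists the same `GET /api/v1.0/renderedconfigdocs` operation the redacted rule presumably documents, and only the description hints at the difference. Anyone tuning policy from the generated rule list needs to know that this rule is evaluated only when the request carries `cleartext-secrets=true`, and in addition to the base rule. The description could read `'Retrieve rendered configuration documents with secrets in cleartext (applies when cleartext-secrets=true is requested)'`. The enclosing rule list begins and ends outside the hunk.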

+ 3
- 3
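--- a/src/bin/shipyard_airflow/tests/unit/control/test_rendered_configdocs_api.py
+++ b/src/bin/shipyard_airflow/tests/unit/control/test_rendered_configdocs_api.py
@@ -52,7 +52,7 @@ def test_get_rendered_configdocs():
         helper = ConfigdocsHelper(CTX)
         rcdr.get_rendered_configdocs(helper, version='buffer')
 
-    mock_method.assert_called_once_with('buffer')
+    mock_method.assert_called_once_with('buffer', False)
 
 
 def test_get_rendered_last_site_action_configdocs():
@@ -68,7 +68,7 @@ def test_get_rendered_last_site_action_configdocs():
         helper = ConfigdocsHelper(CTX)
         rcdr.get_rendered_configdocs(helper, version='last_site_action')
 
-    mock_method.assert_called_once_with('last_site_action')
+    mock_method.assert_called_once_with('last_site_action', False)
 
 
 def test_get_rendered_successful_site_action_configdocs():
@@ -84,4 +84,4 @@ def test_get_rendered_successful_site_action_configdocs():
         helper = ConfigdocsHelper(CTX)
         rcdr.get_rendered_configdocs(helper, version='successful_site_action')
 
-    mock_method.assert_called_once_with('successful_site_action')
+    mock_method.assert_called_once_with('successful_site_action', False)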
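Review bot: All three updated assertions pin only the default, redacted path (`False`); nothing in this file's hunks exercises `cleartext_secrets=True` or the new `policy.check_auth` branch in the resource handler. The security-relevant behaviour this commit adds is therefore untested here: that the flag reaches the helper only when asked for, and that a caller lacking the cleartext policy is refused. A sibling test following the existing pattern would call `rcdr.get_rendered_configdocs(helper, version='buffer', cleartext_secrets=True)` and assert `mock_method.assert_called_once_with('buffer', True)`. A handler-level test should also assert that a request with `cleartext-secrets=true` is rejected when `check_auth` raises. The same gap applies to the CLI test in test_get_commands.py, which also only asserts `False`; the test bodies start outside these hunks.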

+ 3
- 1
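--- a/src/bin/shipyard_client/shipyard_client/api_client/shipyard_api_client.py
+++ b/src/bin/shipyard_client/shipyard_client/api_client/shipyard_api_client.py
@@ -96,7 +96,7 @@ class ShipyardClient(BaseClient):
         url = ApiPaths.GET_CONFIGDOCS.value.format(self.get_endpoint())
         return self.get_resp(url, query_params)
 
-    def get_rendereddocs(self, version='buffer'):
+    def get_rendereddocs(self, version='buffer', cleartext_secrets=False):
         """
         :param str version: committed|buffer|last_site_action|
                             successful_site_action
@@ -104,6 +104,8 @@ class ShipyardClient(BaseClient):
         :rtype: Response object
         """
         query_params = {"version": version}
+        if cleartext_secrets is True:
+            query_params['cleartext-secrets'] = 'true'
         url = ApiPaths.GET_RENDERED.value.format(
             self.get_endpoint()
         )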
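Review bot: The docstring of `get_rendereddocs` documents `version` but gains no entry for the new `cleartext_secrets` parameter; the section's three added lines are the signature and the two-line `if`. A line in the existing reST style would cover it: `:param bool cleartext_secrets: request secret values in cleartext instead of redacted; the server enforces a separate policy for this`. The method's return statement falls outside the hunk.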

+ 4
- 2
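--- a/src/bin/shipyard_client/shipyard_client/cli/get/actions.py
+++ b/src/bin/shipyard_client/shipyard_client/cli/get/actions.py
@@ -119,16 +119,18 @@ class GetConfigdocsStatus(CliAction):
 class GetRenderedConfigdocs(CliAction):
     """Action to Get Rendered Configdocs"""
 
-    def __init__(self, ctx, version):
+    def __init__(self, ctx, version, cleartext_secrets=False):
         """Sets parameters."""
         super().__init__(ctx)
         self.logger.debug("GetRenderedConfigdocs action initialized")
         self.version = version
+        self.cleartext_secrets = cleartext_secrets
 
     def invoke(self):
         """Calls API Client and formats response from API Client"""
         self.logger.debug("Calling API Client get_rendereddocs.")
-        return self.get_api_client().get_rendereddocs(version=self.version)
+        return self.get_api_client().get_rendereddocs(
+            version=self.version, cleartext_secrets=self.cleartext_secrets)
 
     # Handle 404 with default error handler for cli.
     cli_handled_err_resp_codes = [404]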

+ 7
- 3
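--- a/src/bin/shipyard_client/shipyard_client/cli/get/commands.py
+++ b/src/bin/shipyard_client/shipyard_client/cli/get/commands.py
@@ -100,7 +100,6 @@ SHORT_DESC_CONFIGDOCS = ("Retrieve documents loaded into Shipyard, either "
     'executed site action.')
 @click.option(
     '--cleartext-secrets',
-    '-t',
     help='Returns cleartext secrets in documents',
     is_flag=True)
 @click.pass_context
@@ -170,14 +169,19 @@ SHORT_DESC_RENDEREDCONFIGDOCS = (
     flag_value='successful_site_action',
     help='Holds the revision information for the most recent successfully '
     'executed site action.')
+@click.option(
+    '--cleartext-secrets',
+    help='Returns cleartext secrets in encrypted documents',
+    is_flag=True)
 @click.pass_context
 def get_renderedconfigdocs(ctx, buffer, committed, last_site_action,
-                           successful_site_action):
+                           successful_site_action, cleartext_secrets):
     # Get version
     _version = get_version(ctx, buffer, committed, last_site_action,
                            successful_site_action)
 
-    click.echo(GetRenderedConfigdocs(ctx, _version).invoke_and_return_resp())
+    click.echo(GetRenderedConfigdocs(ctx, _version,
+                                     cleartext_secrets).invoke_and_return_resp())
 
 
 DESC_WORKFLOWS = """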
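Review bot: The help text for the new `--cleartext-secrets` option on `get_renderedconfigdocs` does not tell the user that the result, secrets included, is written to stdout by `click.echo`, nor that a separate permission is needed, which CLI.rst does mention. Output of this command often ends up in terminal scrollback or CI job logs, so the help should say so, for example `help='Returns cleartext secrets in encrypted documents; requires the cleartext policy, and the output will contain secret values'`. Separately, the first hunk removes the `-t` short form from the existing configdocs option. That is a compatibility break for scripts using it, and the documentation hunks in this commit do not record it.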

+ 1
- 1
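--- a/src/bin/shipyard_client/tests/unit/cli/get/test_get_commands.py
+++ b/src/bin/shipyard_client/tests/unit/cli/get/test_get_commands.py
@@ -88,7 +88,7 @@ def test_get_renderedconfigdocs(*args):
     runner = CliRunner()
     with patch.object(GetRenderedConfigdocs, '__init__') as mock_method:
         runner.invoke(shipyard, [auth_vars, 'get', 'renderedconfigdocs'])
-    mock_method.assert_called_once_with(ANY, 'buffer')
+    mock_method.assert_called_once_with(ANY, 'buffer', False)
 
 
 def test_get_renderedconfigdocs_negative(*args):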
