def test_ref_update_compile(self):
"check ref update and compile() output is valid"
tag = '?{ref:my/ref1}'
REF_CONTROLLER[tag] = Ref(b'ref 1 more data')
ref_obj = REF_CONTROLLER[tag]
compiled = ref_obj.compile()
self.assertEqual(compiled, '?{ref:my/ref1:ed438a62}')
def test_ref_reveal(self):
"check ref reveal() output is valid"
tag = '?{ref:my/ref2}'
REF_CONTROLLER[tag] = Ref(b'ref 2 data')
ref_obj = REF_CONTROLLER[tag]
revealed = ref_obj.reveal()
self.assertEqual(revealed, 'ref 2 data')
def test_ref_compile(self):
"check ref compile() output is valid"
tag = '?{ref:my/ref1}'
REF_CONTROLLER[tag] = Ref(b'ref 1 data')
ref_obj = REF_CONTROLLER[tag]
compiled = ref_obj.compile()
self.assertEqual(compiled, '?{ref:my/ref1:3342a45c}')
def test_reveal_subvars(self):
"write yaml secret, and access sub-variables in secrets"
tag_to_save = '?{ref:ref/subvars}'
yaml_secret = b"""
var1:
var2: hello
var3:
var4: world
"""
REF_CONTROLLER[tag_to_save] = Ref(yaml_secret)
self.assertTrue(os.path.isfile(os.path.join(REFS_HOME, 'ref/subvars')))
tag_subvar = '?{ref:ref/[email protected]}'
data = "message here: {}".format(tag_subvar)
revealed_data = REVEALER.reveal_raw(data)
self.assertEqual("message here: hello", revealed_data)
tag_subvar = '?{ref:ref/[email protected]}'
data = "message here: {}".format(tag_subvar)
revealed_data = REVEALER.reveal_raw(data)
self.assertEqual("message here: world", revealed_data)
with self.assertRaises(KeyError):
tag_subvar = '?{ref:ref/[email protected]}'
data = "message here: {}".format(tag_subvar)
revealed_data = REVEALER.reveal_raw(data)
def test_ref_path(self):
"check ref tag path is correct"
tag = '?{ref:my/ref6}'
tag, token, func_str = REF_CONTROLLER.tag_params(tag)
self.assertEqual(tag, '?{ref:my/ref6}')
self.assertEqual(token, 'ref:my/ref6')
self.assertEqual(func_str, None)
REF_CONTROLLER[tag] = Ref(b'ref 6 data')
ref_obj = REF_CONTROLLER[tag]
self.assertEqual(ref_obj.path, 'my/ref6')
def test_compile_subvars(self):
"""
test that refs with sub-variables compile properly,
and refs with different sub-variables stored in the same file has the same hash
"""
subvar_tag1 = '?{ref:ref/subvars@var1}'
subvar_tag2 = '?{ref:ref/subvars@var2}'
REF_CONTROLLER['?{ref:ref/subvars}'] = Ref(b'ref 1 data')
ref_obj1 = REF_CONTROLLER[subvar_tag1]
ref_obj2 = REF_CONTROLLER[subvar_tag2]
self.assertEqual(ref_obj1.compile(),
'?{ref:ref/subvars@var1:4357a29b}')
self.assertEqual(ref_obj2.compile(),
'?{ref:ref/subvars@var2:4357a29b}')
def test_reveal_subvars_raise_RefError(self):
"""
test that reveal with sub-variable fails should the secret not
be in valid yaml format
"""
tag_to_save = '?{ref:ref/subvars_error}'
yaml_secret = b"this is not yaml"
REF_CONTROLLER[tag_to_save] = Ref(yaml_secret)
self.assertTrue(
os.path.isfile(os.path.join(REFS_HOME, 'ref/subvars_error')))
with self.assertRaises(RefError):
tag_subvar = '?{ref:ref/[email protected]}'
data = "message here: {}".format(tag_subvar)
REVEALER.reveal_raw(data)
def secret_write(args, ref_controller):
"Write secret to ref_controller based on cli args"
token_name = args.write
file_name = args.file
data = None
if file_name is None:
fatal_error('--file is required with --write')
if file_name == '-':
data = ''
for line in sys.stdin:
data += line
else:
with open(file_name) as fp:
data = fp.read()
if token_name.startswith("gpg:"):
type_name, token_path = token_name.split(":")
recipients = [dict((("name", name), )) for name in args.recipients]
if args.target_name:
inv = inventory_reclass(args.inventory_path)
kap_inv_params = inv['nodes'][
args.target_name]['parameters']['kapitan']
if 'secrets' not in kap_inv_params:
raise KapitanError(
"parameters.kapitan.secrets not defined in {}".format(
args.target_name))
recipients = kap_inv_params['secrets']['gpg']['recipients']
if not recipients:
raise KapitanError(
"No GPG recipients specified. Use --recipients or specify them in "
+ "parameters.kapitan.secrets.gpg.recipients and use --target")
secret_obj = GPGSecret(data, recipients, encode_base64=args.base64)
tag = '?{{gpg:{}}}'.format(token_path)
ref_controller[tag] = secret_obj
elif token_name.startswith("gkms:"):
type_name, token_path = token_name.split(":")
key = args.key
if args.target_name:
inv = inventory_reclass(args.inventory_path)
kap_inv_params = inv['nodes'][
args.target_name]['parameters']['kapitan']
if 'secrets' not in kap_inv_params:
raise KapitanError(
"parameters.kapitan.secrets not defined in {}".format(
args.target_name))
key = kap_inv_params['secrets']['gkms']['key']
if not key:
raise KapitanError(
"No KMS key specified. Use --key or specify it in parameters.kapitan.secrets.gkms.key and use --target"
)
secret_obj = GoogleKMSSecret(data, key, encode_base64=args.base64)
tag = '?{{gkms:{}}}'.format(token_path)
ref_controller[tag] = secret_obj
elif token_name.startswith("awskms:"):
type_name, token_path = token_name.split(":")
key = args.key
if args.target_name:
inv = inventory_reclass(args.inventory_path)
kap_inv_params = inv['nodes'][
args.target_name]['parameters']['kapitan']
if 'secrets' not in kap_inv_params:
raise KapitanError(
"parameters.kapitan.secrets not defined in {}".format(
args.target_name))
key = kap_inv_params['secrets']['awskms']['key']
if not key:
raise KapitanError(
"No KMS key specified. Use --key or specify it in parameters.kapitan.secrets.awskms.key and use --target"
)
secret_obj = AWSKMSSecret(data, key, encode_base64=args.base64)
tag = '?{{awskms:{}}}'.format(token_path)
ref_controller[tag] = secret_obj
elif token_name.startswith("ref:"):
type_name, token_path = token_name.split(":")
_data = data.encode()
encoding = 'original'
if args.base64:
_data = base64.b64encode(_data).decode()
_data = _data.encode()
encoding = 'base64'
ref_obj = Ref(_data, encoding=encoding)
tag = '?{{ref:{}}}'.format(token_path)
ref_controller[tag] = ref_obj
else:
fatal_error(
"Invalid token: {name}. Try using gpg/gkms/awskms/ref:{name}".
format(name=token_name))