Beispiel #1
0
    def test_transform_obj_k8s_secret_base64_encoding(self):
        # base64 tag with encoding: base64 - needs kapitan 0.28+
        ref_tag = ("?{base64:eyJkYXRhIjogIllVZFdjMkpIT0QwPSIsICJlbmNvZGluZyI"
                   "6ICJiYXNlNjQiLCAidHlwZSI6ICJiYXNlNjQifQ==:embedded}")
        k8s_obj = {
            "apiVersion": "v1",
            "kind": "Secret",
            "metadata": {
                "name": "some-secret",
                "labels": {
                    "tesoro.kapicorp.com": "enabled"
                },
            },
            "type": "Opaque",
            "data": {
                "file1": b64encode(bytes(ref_tag.encode())),
            },
        }
        transformations = prepare_obj("request_uid", k8s_obj)
        # reveal base64_ref
        ref_obj = REF_CONTROLLER[ref_tag]
        ref_obj_revealed = ref_obj.reveal()
        k8s_obj["data"]["file1"] = ref_obj_revealed

        transform_obj(k8s_obj, transformations)

        self.assertEqual(k8s_obj["data"]["file1"], ref_obj_revealed)
Beispiel #2
0
    def test_transform_obj_k8s_secret_original_encoding(self):
        # base64 tag with encoding: original
        ref_tag = ("?{base64:eyJkYXRhIjogImNtVm1JREVnWkdGMFlRP"
                   "T0iLCAiZW5jb2RpbmciOiAib3JpZ2luYWwiLCAidHl"
                   "wZSI6ICJiYXNlNjQifQ==:embedded}")
        k8s_obj = {
            "apiVersion": "v1",
            "kind": "Secret",
            "metadata": {
                "name": "some-secret",
                "labels": {
                    "tesoro.kapicorp.com": "enabled"
                },
            },
            "type": "Opaque",
            "data": {
                "file1": b64encode(bytes(ref_tag.encode())),
            },
        }
        transformations = prepare_obj("request_uid", k8s_obj)
        # reveal base64_ref
        ref_obj = REF_CONTROLLER[ref_tag]
        ref_obj_revealed = ref_obj.reveal()
        k8s_obj["data"]["file1"] = ref_obj_revealed

        transform_obj(k8s_obj, transformations)

        self.assertEqual(k8s_obj["data"]["file1"],
                         b64encode(ref_obj_revealed.encode()).decode())
Beispiel #3
0
    def test_prepare_obj_k8s_secret(self):
        ref_tag = ("?{base64:eyJkYXRhIjogImNtVm1JREVnWkdGMFlRP"
                   "T0iLCAiZW5jb2RpbmciOiAib3JpZ2luYWwiLCAidHl"
                   "wZSI6ICJiYXNlNjQifQ==:embedded}")
        k8s_obj = {
            "apiVersion": "v1",
            "kind": "Secret",
            "metadata": {
                "name": "some-secret",
                "labels": {
                    "tesoro.kapicorp.com": "enabled"
                },
            },
            "type": "Opaque",
            "data": {
                "file1": b64encode(bytes(ref_tag.encode())),
            },
        }
        transformations = prepare_obj("request_uid", k8s_obj)

        self.assertEqual(
            transformations,
            {"Secret": {
                "data": {
                    "file1": {
                        "encoding": "original"
                    }
                }
            }})
        self.assertEqual(k8s_obj["data"]["file1"], ref_tag)
Beispiel #4
0
    def test_prepare_obj_k8s_other_obj(self):
        k8s_obj = {
            "apiVersion": "v1",
            "kind": "NotAsecret",
        }
        transformations = prepare_obj("request_uid", k8s_obj)

        self.assertEqual(transformations, {})
Beispiel #5
0
async def mutate_handler(request, log_redact_patch=True):
    TESORO_COUNTER.inc()
    req_obj = {}
    req_uid = None
    req_namespace: None
    req_kind: None
    req_resource: None

    try:
        req_json = await request.json()
        req_uid = req_json["request"]["uid"]
        req_namespace = req_json["request"]["namespace"]
        req_kind = req_json["request"]["kind"]
        req_resource = req_json["request"]["resource"]
        req_obj = req_json["request"]["object"]
        req_obj_name = req_obj["metadata"]["name"]

    except json.decoder.JSONDecodeError:
        TESORO_FAILED_COUNTER.inc()
        logger.error("message=\"Invalid JSON on request\"")
        return web.Response(status=500, reason="Request not JSON")
    except KeyError as e:
        TESORO_FAILED_COUNTER.inc()
        logger.error("message=\"Missing JSON objects on request\", request_uid=%s, missing_key=%s", req_uid, e)
        return web.Response(status=500, reason="Invalid JSON request")

    labels = kapicorp_labels(req_uid, req_obj)
    logger.info("message=\"New request\", request_uid=%s, object_name=%s, namespace=%s, kind=%s",
                req_uid, req_obj_name, req_namespace, req_kind)

    if labels.get("tesoro.kapicorp.com", None) == "enabled":
        try:
            logger.debug(
                "message=\"Request detail\", request_uid=%s, namespace=%s, kind=\"%s\", object_name=%s, resource=\"%s\"",
                req_uid,
                req_namespace,
                req_kind,
                req_obj_name,
                req_resource,
            )
            req_copy = deepcopy(req_obj)

            transformations = prepare_obj(req_uid, req_copy)
            logger.debug("message=\"Transformations\", request_uid=%s, transformations=\"%s\"",
                         req_uid, transformations)

            reveal_req_func = lambda: kapitan_reveal_json(req_uid, req_copy)
            req_revealed = await run_blocking(reveal_req_func)
            if req_revealed is None:
                raise KapitanRevealFail("revealed object is None")

            transform_obj(req_revealed, transformations)
            patch = make_patch(req_uid, req_obj, req_revealed)
            annotate_patch(patch)
            REVEAL_COUNTER.inc()
            if log_redact_patch:
                logger.debug("message=\"Kapitan reveal successful\", request_uid=%s, patch=\"%s\"", req_uid, redact_patch(patch))
            else:
                logger.debug("message=\"Kapitan reveal successful\", request_uid=%s, allowed with patch=\"%s\"", req_uid, patch)
            logger.info("message=\"Kapitan reveal successful\", request_uid=%s", req_uid)

            return make_response(req_uid, patch, allow=True)
        except Exception as e:
            exc_type, exc_value, _ = exc_info()
            logger.error("message=\"Kapitan reveal failed\", request_uid=%s, exception_type=%s, exception=%s", req_uid, exc_type, exc_value)
            REVEAL_FAILED_COUNTER.inc()
            return make_response(req_uid, [], allow=False, message="Kapitan reveal failed")
    else:
        # not labelled, default allow
        logger.info('message=\"Tesoro label not found\", request_uid=%s', req_uid)
        return make_response(req_uid, [], allow=True)

    TESORO_FAILED_COUNTER.inc()
    logger.error("message=\"Unknown error\", request_uid=%s", req_uid)
    return web.Response(status=500, reason="Unknown error")