def test_secret_token_attributes(self):
    """Parse a gpg token tag and check that backend and path are split out correctly."""
    tag = '?{gpg:secret/sauce}'
    groups = re.match(SECRET_TOKEN_TAG_PATTERN, tag).groups()
    matched_tag, token, _func = groups
    # The whole-tag group must round-trip the input unchanged.
    self.assertEqual(matched_tag, tag)
    backend, path = secret_token_attributes(token)
    self.assertEqual((backend, path), ('gpg', 'secret/sauce'))
def _hash_token_tag(match_obj):
    """Make sure the secret behind a matched tag exists, then return the hashed tag.

    Closure over the enclosing method's ``self``.

    Args:
        match_obj: regex match whose groups are (token_tag, token, func).

    Returns:
        The tag with its hash suffix, as produced by ``self.hash_token_tag``.

    Raises:
        ValueError: if "secrets_path" is not set in ``self.kwargs``.
    """
    token_tag, token, func = match_obj.groups()
    _backend, token_path = secret_token_attributes(token)
    secrets_path = self.kwargs.get("secrets_path")
    if secrets_path is None:
        raise ValueError('secrets_path not set')
    # A func on the tag means "generate this secret if it is missing": the write
    # only happens when nothing is stored yet, so an existing secret is not
    # overwritten from here.
    if func and not secret_gpg_exists(secrets_path, token_path):
        # NOTE(review): func is written to the log; presumably it names a
        # generator rather than carrying secret material -- confirm.
        logger.info("Creating secret for %s:%s ...", token_path, func)
        self.target_secret_func_write(token_path, func)
    return self.hash_token_tag(token_tag)
def hash_token_tag(self, token_tag):
    """Append a short fingerprint of the stored secret to its tag.

    e.g. ?{gpg:app1/secret/1} becomes ?{gpg:app1/secret/1:deadbeef}

    The suffix is the first 8 hex digits of sha256(token_path + secret data),
    so it changes whenever the stored secret (or its path) changes.

    Args:
        token_tag: the full tag, e.g. "?{gpg:app1/secret/1}".

    Returns:
        The tag rebuilt as "?{backend:token_path:fingerprint}".

    Raises:
        ValueError: if "secrets_path" is not set in ``self.kwargs``.
    """
    secrets_path = self.kwargs.get("secrets_path")
    if secrets_path is None:
        raise ValueError("secrets_path not set")
    token, _func = secret_token_from_tag(token_tag)
    raw_secret = secret_gpg_raw_read(secrets_path, token)
    backend, token_path = secret_token_attributes(token)
    digest = hashlib.sha256()
    digest.update(token_path.encode("UTF-8"))
    digest.update(raw_secret["data"].encode("UTF-8"))
    # NOTE(review): 8 hex digits is 32 bits -- adequate as a change marker,
    # not collision resistant; confirm that is all callers rely on.
    fingerprint = digest.hexdigest()[:8]
    return "?{%s:%s:%s}" % (backend, token_path, fingerprint)