def render_template_with_system_and_user_context(value,
user,
context=None,
prefix=None):
"""
Render provided template with a default system context and user context for the provided user.
:param value: Template string.
:type value: ``str``
:param user: Name (PK) of the user for the user scope.
:type user: ``str``
:param context: Template context (optional).
:type context: ``dict``
:param prefix: Datastore key prefix (optional).
:type prefix: ``str``
:rtype: ``str``
"""
context = context or {}
context[SYSTEM_SCOPE] = KeyValueLookup(prefix=prefix, scope=SYSTEM_SCOPE)
context[USER_SCOPE] = UserKeyValueLookup(prefix=prefix,
user=user,
scope=USER_SCOPE)
context[DATASTORE_PARENT_SCOPE] = {
SYSTEM_SCOPE:
KeyValueLookup(prefix=prefix, scope=FULL_SYSTEM_SCOPE),
USER_SCOPE:
UserKeyValueLookup(prefix=prefix, user=user, scope=FULL_USER_SCOPE)
}
rendered = render_template(value=value, context=context)
return rendered
def test_lookup_with_key_prefix(self):
KeyValuePair.add_or_update(KeyValuePairDB(name='some:prefix:stanley:k5', value='v5',
scope=FULL_USER_SCOPE))
# No prefix provided, should return None
lookup = UserKeyValueLookup(user='******', scope=FULL_USER_SCOPE)
self.assertEqual(str(lookup.k5), '')
# Prefix provided
lookup = UserKeyValueLookup(prefix='some:prefix', user='******', scope=FULL_USER_SCOPE)
self.assertEqual(str(lookup.k5), 'v5')
def test_user_scope_lookups_user_sep_in_name(self):
KeyValuePair.add_or_update(KeyValuePairDB(name='stanley:r:i:p', value='v4',
scope=FULL_USER_SCOPE))
lookup = UserKeyValueLookup(scope=FULL_USER_SCOPE, user='******')
# This is the only way to lookup because USER_SEPARATOR (':') cannot be a part of
# variable name in Python.
self.assertEquals(str(lookup['r:i:p']), 'v4')
def test_filter_decrypt_kv_with_user_scope_value(self):
KeyValuePair.add_or_update(KeyValuePairDB(name='stanley:k8', value=self.secret_value,
scope=FULL_USER_SCOPE,
secret=True))
context = {}
context.update({USER_SCOPE: UserKeyValueLookup(user='******', scope=USER_SCOPE)})
context.update({
DATASTORE_PARENT_SCOPE: {
USER_SCOPE: UserKeyValueLookup(user='******', scope=FULL_USER_SCOPE)
}
})
template = '{{st2kv.user.k8 | decrypt_kv}}'
actual = self.env.from_string(template).render(context)
self.assertEqual(actual, self.secret)
def _create_graph(action_context, config):
'''
Creates a generic directed graph for depencency tree and fills it with basic context variables
'''
G = nx.DiGraph()
system_keyvalue_context = {
SYSTEM_SCOPE: KeyValueLookup(scope=FULL_SYSTEM_SCOPE)
}
# If both 'user' and 'api_user' are specified, this prioritize 'api_user'
user = action_context['user'] if 'user' in action_context else None
user = action_context['api_user'] if 'api_user' in action_context else user
if not user:
# When no user is not specified, this selects system-user's scope by default.
user = cfg.CONF.system_user.user
LOG.info(
'Unable to retrieve user / api_user value from action_context. Falling back '
'to and using system_user (%s).' % (user))
system_keyvalue_context[USER_SCOPE] = UserKeyValueLookup(
scope=FULL_USER_SCOPE, user=user)
G.add_node(DATASTORE_PARENT_SCOPE, value=system_keyvalue_context)
G.add_node(ACTION_CONTEXT_KV_PREFIX, value=action_context)
G.add_node(PACK_CONFIG_CONTEXT_KV_PREFIX, value=config)
return G
def test_user_scope_lookups_dot_in_user(self):
KeyValuePair.add_or_update(
KeyValuePairDB(name='first.last:r.i.p',
value='v4',
scope=FULL_USER_SCOPE))
lookup = UserKeyValueLookup(scope=FULL_USER_SCOPE, user='******')
self.assertEqual(str(lookup.r.i.p), 'v4')
self.assertEqual(str(lookup['r']['i']['p']), 'v4')
def test_missing_key_lookup(self):
lookup = KeyValueLookup(scope=FULL_SYSTEM_SCOPE)
self.assertEqual(str(lookup.missing_key), '')
self.assertTrue(lookup.missing_key, 'Should be not none.')
user_lookup = UserKeyValueLookup(scope=FULL_USER_SCOPE, user='******')
self.assertEqual(str(user_lookup.missing_key), '')
self.assertTrue(user_lookup.missing_key, 'Should be not none.')
def test_user_scope_lookups_dot_in_user(self):
KeyValuePair.add_or_update(
KeyValuePairDB(name="first.last:r.i.p",
value="v4",
scope=FULL_USER_SCOPE))
lookup = UserKeyValueLookup(scope=FULL_USER_SCOPE, user="******")
self.assertEqual(str(lookup.r.i.p), "v4")
self.assertEqual(str(lookup["r"]["i"]["p"]), "v4")
def test_lookups_older_scope_names_backward_compatibility(self):
k1 = KeyValuePair.add_or_update(KeyValuePairDB(name='a.b', value='v1',
scope=FULL_SYSTEM_SCOPE))
lookup = KeyValueLookup(scope=SYSTEM_SCOPE)
self.assertEquals(str(lookup['a']['b']), k1.value)
k2 = KeyValuePair.add_or_update(KeyValuePairDB(name='stanley:r.i.p', value='v4',
scope=FULL_USER_SCOPE))
user_lookup = UserKeyValueLookup(scope=USER_SCOPE, user='******')
self.assertEquals(str(user_lookup['r']['i']['p']), k2.value)
def test_lookups_older_scope_names_backward_compatibility(self):
k1 = KeyValuePair.add_or_update(
KeyValuePairDB(name="a.b", value="v1", scope=FULL_SYSTEM_SCOPE))
lookup = KeyValueLookup(scope=SYSTEM_SCOPE)
self.assertEqual(str(lookup["a"]["b"]), k1.value)
k2 = KeyValuePair.add_or_update(
KeyValuePairDB(name="stanley:r.i.p",
value="v4",
scope=FULL_USER_SCOPE))
user_lookup = UserKeyValueLookup(scope=USER_SCOPE, user="******")
self.assertEqual(str(user_lookup["r"]["i"]["p"]), k2.value)
def test_filter_decrypt_kv_with_user_scope_value_datastore_value_doesnt_exist(self):
context = {}
context.update({SYSTEM_SCOPE: KeyValueLookup(scope=SYSTEM_SCOPE)})
context.update({
DATASTORE_PARENT_SCOPE: {
USER_SCOPE: UserKeyValueLookup(user='******', scope=FULL_USER_SCOPE)
}
})
template = '{{st2kv.user.doesnt_exist | decrypt_kv}}'
expected_msg = ('Referenced datastore item "st2kv.user.doesnt_exist" doesn\'t exist or '
'it contains an empty string')
self.assertRaisesRegexp(ValueError, expected_msg, self.env.from_string(template).render,
context)
def test_non_hierarchical_lookup(self):
k1 = KeyValuePair.add_or_update(KeyValuePairDB(name='k1', value='v1'))
k2 = KeyValuePair.add_or_update(KeyValuePairDB(name='k2', value='v2'))
k3 = KeyValuePair.add_or_update(KeyValuePairDB(name='k3', value='v3'))
k4 = KeyValuePair.add_or_update(KeyValuePairDB(name='stanley:k4', value='v4',
scope=FULL_USER_SCOPE))
lookup = KeyValueLookup()
self.assertEquals(str(lookup.k1), k1.value)
self.assertEquals(str(lookup.k2), k2.value)
self.assertEquals(str(lookup.k3), k3.value)
# Scoped lookup
lookup = KeyValueLookup(scope=FULL_SYSTEM_SCOPE)
self.assertEquals(str(lookup.k4), '')
user_lookup = UserKeyValueLookup(scope=FULL_USER_SCOPE, user='******')
self.assertEquals(str(user_lookup.k4), k4.value)
def test_hierarchical_lookup_dict(self):
k1 = KeyValuePair.add_or_update(KeyValuePairDB(name='a.b', value='v1'))
k2 = KeyValuePair.add_or_update(KeyValuePairDB(name='a.b.c', value='v2'))
k3 = KeyValuePair.add_or_update(KeyValuePairDB(name='b.c', value='v3'))
k4 = KeyValuePair.add_or_update(KeyValuePairDB(name='stanley:r.i.p', value='v4',
scope=FULL_USER_SCOPE))
lookup = KeyValueLookup()
self.assertEquals(str(lookup['a']['b']), k1.value)
self.assertEquals(str(lookup['a']['b']['c']), k2.value)
self.assertEquals(str(lookup['b']['c']), k3.value)
self.assertEquals(str(lookup['a']), '')
# Scoped lookup
lookup = KeyValueLookup(scope=FULL_SYSTEM_SCOPE)
self.assertEquals(str(lookup['r']['i']['p']), '')
user_lookup = UserKeyValueLookup(scope=FULL_USER_SCOPE, user='******')
self.assertEquals(str(user_lookup['r']['i']['p']), k4.value)
def test_secret_lookup(self):
secret_value = '0055A2D9A09E1071931925933744965EEA7E23DCF59A8D1D7A3' + \
'64338294916D37E83C4796283C584751750E39844E2FD97A3727DB5D553F638'
k1 = KeyValuePair.add_or_update(
KeyValuePairDB(name='k1', value=secret_value, secret=True))
k2 = KeyValuePair.add_or_update(KeyValuePairDB(name='k2', value='v2'))
k3 = KeyValuePair.add_or_update(
KeyValuePairDB(name='stanley:k3',
value=secret_value,
scope=FULL_USER_SCOPE,
secret=True))
lookup = KeyValueLookup()
self.assertEqual(str(lookup.k1), k1.value)
self.assertEqual(str(lookup.k2), k2.value)
self.assertEqual(str(lookup.k3), '')
user_lookup = UserKeyValueLookup(scope=FULL_USER_SCOPE, user='******')
self.assertEqual(str(user_lookup.k3), k3.value)
def test_non_hierarchical_lookup(self):
k1 = KeyValuePair.add_or_update(KeyValuePairDB(name="k1", value="v1"))
k2 = KeyValuePair.add_or_update(KeyValuePairDB(name="k2", value="v2"))
k3 = KeyValuePair.add_or_update(KeyValuePairDB(name="k3", value="v3"))
k4 = KeyValuePair.add_or_update(
KeyValuePairDB(name="stanley:k4",
value="v4",
scope=FULL_USER_SCOPE))
lookup = KeyValueLookup()
self.assertEqual(str(lookup.k1), k1.value)
self.assertEqual(str(lookup.k2), k2.value)
self.assertEqual(str(lookup.k3), k3.value)
# Scoped lookup
lookup = KeyValueLookup(scope=FULL_SYSTEM_SCOPE)
self.assertEqual(str(lookup.k4), "")
user_lookup = UserKeyValueLookup(scope=FULL_USER_SCOPE, user="******")
self.assertEqual(str(user_lookup.k4), k4.value)
def test_hierarchical_lookup_dotted(self):
k1 = KeyValuePair.add_or_update(KeyValuePairDB(name='a.b', value='v1'))
k2 = KeyValuePair.add_or_update(
KeyValuePairDB(name='a.b.c', value='v2'))
k3 = KeyValuePair.add_or_update(KeyValuePairDB(name='b.c', value='v3'))
k4 = KeyValuePair.add_or_update(
KeyValuePairDB(name='stanley:r.i.p', value='v4', scope=USER_SCOPE))
lookup = KeyValueLookup()
self.assertEquals(str(lookup.a.b), k1.value)
self.assertEquals(str(lookup.a.b.c), k2.value)
self.assertEquals(str(lookup.b.c), k3.value)
self.assertEquals(str(lookup.a), '')
# Scoped lookup
lookup = KeyValueLookup(scope=SYSTEM_SCOPE)
self.assertEquals(str(lookup.r.i.p), '')
user_lookup = UserKeyValueLookup(scope=USER_SCOPE, user='******')
self.assertEquals(str(user_lookup.r.i.p), k4.value)
def test_hierarchical_lookup_dict(self):
k1 = KeyValuePair.add_or_update(KeyValuePairDB(name="a.b", value="v1"))
k2 = KeyValuePair.add_or_update(
KeyValuePairDB(name="a.b.c", value="v2"))
k3 = KeyValuePair.add_or_update(KeyValuePairDB(name="b.c", value="v3"))
k4 = KeyValuePair.add_or_update(
KeyValuePairDB(name="stanley:r.i.p",
value="v4",
scope=FULL_USER_SCOPE))
lookup = KeyValueLookup()
self.assertEqual(str(lookup["a"]["b"]), k1.value)
self.assertEqual(str(lookup["a"]["b"]["c"]), k2.value)
self.assertEqual(str(lookup["b"]["c"]), k3.value)
self.assertEqual(str(lookup["a"]), "")
# Scoped lookup
lookup = KeyValueLookup(scope=FULL_SYSTEM_SCOPE)
self.assertEqual(str(lookup["r"]["i"]["p"]), "")
user_lookup = UserKeyValueLookup(scope=FULL_USER_SCOPE, user="******")
self.assertEqual(str(user_lookup["r"]["i"]["p"]), k4.value)
def test_secret_lookup(self):
secret_value = (
"0055A2D9A09E1071931925933744965EEA7E23DCF59A8D1D7A3" +
"64338294916D37E83C4796283C584751750E39844E2FD97A3727DB5D553F638")
k1 = KeyValuePair.add_or_update(
KeyValuePairDB(name="k1", value=secret_value, secret=True))
k2 = KeyValuePair.add_or_update(KeyValuePairDB(name="k2", value="v2"))
k3 = KeyValuePair.add_or_update(
KeyValuePairDB(
name="stanley:k3",
value=secret_value,
scope=FULL_USER_SCOPE,
secret=True,
))
lookup = KeyValueLookup()
self.assertEqual(str(lookup.k1), k1.value)
self.assertEqual(str(lookup.k2), k2.value)
self.assertEqual(str(lookup.k3), "")
user_lookup = UserKeyValueLookup(scope=FULL_USER_SCOPE, user="******")
self.assertEqual(str(user_lookup.k3), k3.value)
