def test_transform_obj_k8s_secret_base64_encoding(self):
# base64 tag with encoding: base64 - needs kapitan 0.28+
ref_tag = ("?{base64:eyJkYXRhIjogIllVZFdjMkpIT0QwPSIsICJlbmNvZGluZyI"
"6ICJiYXNlNjQiLCAidHlwZSI6ICJiYXNlNjQifQ==:embedded}")
k8s_obj = {
"apiVersion": "v1",
"kind": "Secret",
"metadata": {
"name": "some-secret",
"labels": {
"tesoro.kapicorp.com": "enabled"
},
},
"type": "Opaque",
"data": {
"file1": b64encode(bytes(ref_tag.encode())),
},
}
transformations = prepare_obj("request_uid", k8s_obj)
# reveal base64_ref
ref_obj = REF_CONTROLLER[ref_tag]
ref_obj_revealed = ref_obj.reveal()
k8s_obj["data"]["file1"] = ref_obj_revealed
transform_obj(k8s_obj, transformations)
self.assertEqual(k8s_obj["data"]["file1"], ref_obj_revealed)
def test_transform_obj_k8s_secret_original_encoding(self):
# base64 tag with encoding: original
ref_tag = ("?{base64:eyJkYXRhIjogImNtVm1JREVnWkdGMFlRP"
"T0iLCAiZW5jb2RpbmciOiAib3JpZ2luYWwiLCAidHl"
"wZSI6ICJiYXNlNjQifQ==:embedded}")
k8s_obj = {
"apiVersion": "v1",
"kind": "Secret",
"metadata": {
"name": "some-secret",
"labels": {
"tesoro.kapicorp.com": "enabled"
},
},
"type": "Opaque",
"data": {
"file1": b64encode(bytes(ref_tag.encode())),
},
}
transformations = prepare_obj("request_uid", k8s_obj)
# reveal base64_ref
ref_obj = REF_CONTROLLER[ref_tag]
ref_obj_revealed = ref_obj.reveal()
k8s_obj["data"]["file1"] = ref_obj_revealed
transform_obj(k8s_obj, transformations)
self.assertEqual(k8s_obj["data"]["file1"],
b64encode(ref_obj_revealed.encode()).decode())
async def mutate_handler(request, log_redact_patch=True):
TESORO_COUNTER.inc()
req_obj = {}
req_uid = None
req_namespace: None
req_kind: None
req_resource: None
try:
req_json = await request.json()
req_uid = req_json["request"]["uid"]
req_namespace = req_json["request"]["namespace"]
req_kind = req_json["request"]["kind"]
req_resource = req_json["request"]["resource"]
req_obj = req_json["request"]["object"]
req_obj_name = req_obj["metadata"]["name"]
except json.decoder.JSONDecodeError:
TESORO_FAILED_COUNTER.inc()
logger.error("message=\"Invalid JSON on request\"")
return web.Response(status=500, reason="Request not JSON")
except KeyError as e:
TESORO_FAILED_COUNTER.inc()
logger.error("message=\"Missing JSON objects on request\", request_uid=%s, missing_key=%s", req_uid, e)
return web.Response(status=500, reason="Invalid JSON request")
labels = kapicorp_labels(req_uid, req_obj)
logger.info("message=\"New request\", request_uid=%s, object_name=%s, namespace=%s, kind=%s",
req_uid, req_obj_name, req_namespace, req_kind)
if labels.get("tesoro.kapicorp.com", None) == "enabled":
try:
logger.debug(
"message=\"Request detail\", request_uid=%s, namespace=%s, kind=\"%s\", object_name=%s, resource=\"%s\"",
req_uid,
req_namespace,
req_kind,
req_obj_name,
req_resource,
)
req_copy = deepcopy(req_obj)
transformations = prepare_obj(req_uid, req_copy)
logger.debug("message=\"Transformations\", request_uid=%s, transformations=\"%s\"",
req_uid, transformations)
reveal_req_func = lambda: kapitan_reveal_json(req_uid, req_copy)
req_revealed = await run_blocking(reveal_req_func)
if req_revealed is None:
raise KapitanRevealFail("revealed object is None")
transform_obj(req_revealed, transformations)
patch = make_patch(req_uid, req_obj, req_revealed)
annotate_patch(patch)
REVEAL_COUNTER.inc()
if log_redact_patch:
logger.debug("message=\"Kapitan reveal successful\", request_uid=%s, patch=\"%s\"", req_uid, redact_patch(patch))
else:
logger.debug("message=\"Kapitan reveal successful\", request_uid=%s, allowed with patch=\"%s\"", req_uid, patch)
logger.info("message=\"Kapitan reveal successful\", request_uid=%s", req_uid)
return make_response(req_uid, patch, allow=True)
except Exception as e:
exc_type, exc_value, _ = exc_info()
logger.error("message=\"Kapitan reveal failed\", request_uid=%s, exception_type=%s, exception=%s", req_uid, exc_type, exc_value)
REVEAL_FAILED_COUNTER.inc()
return make_response(req_uid, [], allow=False, message="Kapitan reveal failed")
else:
# not labelled, default allow
logger.info('message=\"Tesoro label not found\", request_uid=%s', req_uid)
return make_response(req_uid, [], allow=True)
TESORO_FAILED_COUNTER.inc()
logger.error("message=\"Unknown error\", request_uid=%s", req_uid)
return web.Response(status=500, reason="Unknown error")