示例#1
 def test_secret_token_attributes(self):
     """Match a gpg token tag and check it splits into backend and path."""
     token_tag = '?{gpg:secret/sauce}'
     # The pattern yields three groups: the full tag, the inner token and an
     # optional function part (unused by this test).
     tag_match = re.match(SECRET_TOKEN_TAG_PATTERN, token_tag)
     matched_tag, token, _func = tag_match.groups()
     # The first group must reproduce the whole tag unchanged.
     self.assertEqual(matched_tag, token_tag)
     backend, token_path = secret_token_attributes(token)
     self.assertEqual((backend, token_path), ('gpg', 'secret/sauce'))
示例#2
        def _hash_token_tag(match_obj):
            """Return the hashed form of a matched secret tag.

            Takes a regex match whose groups are (token_tag, token, func).
            If the tag carries a func and no gpg secret exists at the token
            path, the secret is created first via
            self.target_secret_func_write. Raises ValueError when
            secrets_path is missing from self.kwargs.
            """
            tag_text, token_body, secret_func = match_obj.groups()
            _, secret_path = secret_token_attributes(token_body)
            secrets_path = self.kwargs.get("secrets_path", None)
            if secrets_path is None:
                raise ValueError('secrets_path not set')

            # Only tags that carry a func can create a secret, and only when
            # nothing is stored at that path yet; an existing secret is never
            # overwritten here.
            # NOTE(review): secret_func is text taken from the tag itself.
            # Confirm target_secret_func_write maps it onto a fixed set of
            # generators rather than evaluating it as an expression.
            if secret_func:
                if not secret_gpg_exists(secrets_path, secret_path):
                    # NOTE(review): the func text is logged as-is; confirm it
                    # can never carry secret material.
                    logger.info("Creating secret for %s:%s ...", secret_path, secret_func)
                    self.target_secret_func_write(secret_path, secret_func)

            return self.hash_token_tag(tag_text)
示例#3
 def hash_token_tag(self, token_tag):
     """
     Return token_tag with a short digest of the stored secret appended.

     Example: ?{gpg:app1/secret/1} becomes ?{gpg:app1/secret/1:deadbeef}

     The digest is the first 8 hex characters (32 bits) of the SHA-256 of
     the token path followed by the stored secret's "data" field. At that
     length it can mark a change but is not collision-resistant, so it
     should not be treated as an integrity check.

     Raises ValueError when secrets_path is missing from self.kwargs.
     """
     secrets_path = self.kwargs.get("secrets_path", None)
     if secrets_path is None:
         raise ValueError("secrets_path not set")
     token, _func = secret_token_from_tag(token_tag)
     raw_secret = secret_gpg_raw_read(secrets_path, token)
     backend, token_path = secret_token_attributes(token)
     # NOTE(review): presumably "data" is the stored (encrypted) payload and
     # not plaintext - confirm. A short hash of a low-entropy plaintext in
     # the output would let a reader check guesses offline.
     # Path and data are joined with no separator, so the split between the
     # two is not encoded in the hashed bytes.
     hashed_bytes = token_path.encode("UTF-8") + raw_secret["data"].encode("UTF-8")
     short_digest = hashlib.sha256(hashed_bytes).hexdigest()[:8]
     return "?{%s:%s:%s}" % (backend, token_path, short_digest)