Fix condition for checking whether substitution is secret

This is to fix the condition in secrets_manager used to determine whether the substitution is secret. It currently checks whether the potential secret reference contains the substring of 'key-manager/v1/secrets' but the environment-agnostic way of doing this is to check whether the secret reference contains the barbican endpoint registered under CONF.barbican.api_endpoint. Change-Id: I633021571255c8393e19ec60a614ede981a86d9f
2018-03-14 19:56:10 +00:00 · 2018-03-14 19:56:10 +00:00 · 116fafcec3
commit 116fafcec3
parent bf70a81ffa
3 changed files with 7 additions and 2 deletions
--- a/deckhand/conf/config.py
+++ b/deckhand/conf/config.py
@ -28,6 +28,7 @@ Barbican options for allowing Deckhand to communicate with Barbican.
 barbican_opts = [
    cfg.StrOpt(
        'api_endpoint',
+        default='http://127.0.0.1/key-manager',
        sample_default='http://barbican.example.org:9311/',
        help='URL override for the Barbican API endpoint.'),
 ]
--- a/deckhand/engine/secrets_manager.py
+++ b/deckhand/engine/secrets_manager.py
@ -15,6 +15,7 @@
 import copy
 import re

+from oslo_config import cfg
 from oslo_log import log as logging
 import six

@ -23,6 +24,7 @@ from deckhand.engine import document_wrapper
 from deckhand import errors
 from deckhand import utils

+CONF = cfg.CONF
 LOG = logging.getLogger(__name__)

 CLEARTEXT = 'cleartext'
@ -177,9 +179,8 @@ class SecretsSubstitution(object):
                    (document.schema, document.name), document)

    def _is_barbican_ref(self, src_secret):
-        # TODO(fmontei): Make this more robust.
        return (isinstance(src_secret, six.string_types) and
-                'key-manager/v1/secrets' in src_secret)
+                    src_secret.startswith(CONF.barbican.api_endpoint))

    def substitute_all(self, documents):
        """Substitute all documents that have a `metadata.substitutions` field.
--- a/deckhand/tests/unit/base.py
+++ b/deckhand/tests/unit/base.py
@ -23,6 +23,7 @@ from oslo_log import log as logging
 import testtools

 from deckhand.db.sqlalchemy import api as db_api
+from deckhand.tests.unit import fixtures as dh_fixtures

 CONF = cfg.CONF
 logging.register_options(CONF)
@ -34,6 +35,8 @@ class DeckhandTestCase(testtools.TestCase):
    def setUp(self):
        super(DeckhandTestCase, self).setUp()
        self.useFixture(fixtures.FakeLogger('deckhand'))
+        self.useFixture(dh_fixtures.ConfPatcher(
+            api_endpoint='http://127.0.0.1/key-manager', group='barbican'))

    def override_config(self, name, override, group=None):
        CONF.set_override(name, override, group)