The field returned by barbican is secret_ref, not secret_href

Also, this accounts for the the resp.to_dict() call not absorbing the secret_ref key. This commit also adds type mapping for missing secret types to their barbican equivalents. Change-Id: Idd4895fd441443a3dc41a3358edf6bd3648be5c1
2018-02-07 08:01:20 -08:00 · 2018-02-07 08:01:20 -08:00 · 0fae4bec58
parent 879dfb6129
commit 0fae4bec58
4 changed files with 15 additions and 4 deletions
--- a/deckhand/barbican/driver.py
+++ b/deckhand/barbican/driver.py
@ -32,7 +32,7 @@ class BarbicanDriver(object):
        secret = self.barbicanclient.call("secrets.create", **kwargs)

        try:
-            secret.store()
+            secret_ref = secret.store()
        except (barbicanclient.exceptions.HTTPAuthError,
                barbicanclient.exceptions.HTTPClientError,
                barbicanclient.exceptions.HTTPServerError) as e:
@ -43,6 +43,7 @@ class BarbicanDriver(object):
        # NOTE(fmontei): The dictionary representation of the Secret object by
        # default has keys that are not snake case -- so make them snake case.
        resp = secret.to_dict()
-        for key in resp.keys():
+        for key in resp:
            resp[utils.to_snake_case(key)] = resp.pop(key)
+        resp['secret_ref'] = secret_ref
        return resp
--- a/deckhand/engine/secrets_manager.py
+++ b/deckhand/engine/secrets_manager.py
@ -73,7 +73,7 @@ class SecretsManager(object):
            }
            resp = self.barbican_driver.create_secret(**kwargs)

-            secret_ref = resp['secret_href']
+            secret_ref = resp['secret_ref']
            created_secret = secret_ref
        elif encryption_type == CLEARTEXT:
            created_secret = secret_doc['data']
@ -93,6 +93,12 @@ class SecretsManager(object):
        _schema = schema.split('/')[1].lower().strip()
        if _schema == 'certificatekey':
            return 'private'
+        elif _schema == 'certificateauthority':
+            return 'certificate'
+        elif _schema == 'certificateauthoritykey':
+            return 'private'
+        elif _schema == 'publickey':
+            return 'public'
        return _schema


--- a/deckhand/tests/unit/engine/test_secrets_manager.py
+++ b/deckhand/tests/unit/engine/test_secrets_manager.py
@ -30,7 +30,7 @@ class TestSecretsManager(test_base.TestDbBase):
            secrets_manager.SecretsManager, 'barbican_driver')
        self.secret_ref = 'https://path/to/fake_secret'
        self.mock_barbican_driver.create_secret.return_value = (
-            {'secret_href': self.secret_ref})
+            {'secret_ref': self.secret_ref})

        self.secrets_manager = secrets_manager.SecretsManager()
        self.factory = factories.DocumentSecretFactory()
--- a/requirements.txt
+++ b/requirements.txt
@ -35,4 +35,8 @@ oslo.policy>=1.23.0 # Apache-2.0
 oslo.serialization!=2.19.1,>=1.10.0 # Apache-2.0
 oslo.utils>=3.20.0 # Apache-2.0

+# TODO(alanmeadows)
+# this must match the container service
+# likely this should be imported from a
+# container sidecar long-term
 python-barbicanclient>=4.0.0  # Apache-2.0