From 2d88f48989031442f8bdae5221f7359948ebd10d Mon Sep 17 00:00:00 2001
From: Alexander Hughes
Date: Thu, 12 Sep 2019 09:30:41 -0500
Subject: [PATCH] Update storage policy on decrypt

Barbican expects storagePolicy:cleartext when accepting documents from Pegleg. Once the document is decrypted updated storagePolicy to cleartext. During genesis bundle creation, the encrypted documents are decrypted, then the whole bundle is encrypted. Once the bundle gets deployed the contained documents should all have the correct storage policy of cleartext. As a result, two unit tests are updated to no longer compare the storagePolicy, as it is expected everything going to Barbican is cleartext, but in order for Pegleg to know to encrypt the original document is storagePolicy:encrypted

Change-Id: I5167ce6b3030d143d1ff0b789883529a6557eeca
---
 pegleg/engine/util/pegleg_managed_document.py | 1 +
 tests/unit/engine/test_secrets.py | 6 ++----
 2 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/pegleg/engine/util/pegleg_managed_document.py b/pegleg/engine/util/pegleg_managed_document.py
index eb16f164..ae0fac09 100644
--- a/pegleg/engine/util/pegleg_managed_document.py
+++ b/pegleg/engine/util/pegleg_managed_document.py
@@ -173,6 +173,7 @@ class PeglegManagedSecretsDocument(object):
     def set_decrypted(self):
         """Mark the pegleg managed document as un-encrypted."""
         self.data.pop(ENCRYPTED)
+        self._embedded_document[METADATA][STORAGE_POLICY] = 'cleartext'
 
     def set_secret(self, secret):
         self._embedded_document['data'] = secret
diff --git a/tests/unit/engine/test_secrets.py b/tests/unit/engine/test_secrets.py
index 69f347a4..7446af47 100644
--- a/tests/unit/engine/test_secrets.py
+++ b/tests/unit/engine/test_secrets.py
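Review bot: The added line in set_decrypted overwrites the embedded document's storagePolicy in place, so after decryption nothing records that the document was originally `encrypted`, and the commit message itself says that marker is what tells Pegleg to encrypt a document; if the encrypt path is gated on that field (not visible in this hunk), a decrypt-then-encrypt round trip or a decrypted document written back into the repository would be left in cleartext. Consider stashing the original policy in the pegleg-managed wrapper (`self.data`) before overwriting it, or applying the cleartext policy only to the copy rendered for Barbican rather than mutating the stored document. The new line also assumes `self._embedded_document[METADATA]` is present and a mapping; whether the constructor guarantees that cannot be confirmed from the hunk, so a missing metadata block would surface as a KeyError here. The docstring no longer describes what the method does; suggest `"""Mark the pegleg managed document as un-encrypted and set the embedded document's storagePolicy to cleartext, as Barbican requires."""`. The class continues outside the hunk.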
@@ -177,8 +177,8 @@ data: {0}-password
             "site/cicd/secrets/passphrases/"
             "cicd-passphrase-encrypted.yaml"))
     decrypted = secrets.decrypt(encrypted_path)
-    assert yaml.safe_load(
-        decrypted[encrypted_path]) == yaml.safe_load(passphrase_doc)
+    assert yaml.safe_load(decrypted[encrypted_path])['data'] == yaml.safe_load(
+        passphrase_doc)['data']
 
 
 @mock.patch.dict(
@@ -297,8 +297,6 @@ def test_encrypt_decrypt_using_docs(tmpdir):
     assert test_data[0]['schema'] == decrypted_data[0]['schema']
     assert test_data[0]['metadata']['name'] == decrypted_data[0]['metadata'][
         'name']
-    assert test_data[0]['metadata']['storagePolicy'] == decrypted_data[0][
-        'metadata']['storagePolicy']
 
 
 @pytest.mark.skipif(
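Review bot: Narrowing the rewritten assertion to `['data']` drops the check that the decrypted document's schema and metadata survived decryption and does not pin the behaviour this commit introduces, so a regression in which storagePolicy silently stays `encrypted`, or metadata is lost, would still pass. Keep a positive assertion on the field that changed, e.g. `assert yaml.safe_load(decrypted[encrypted_path])['metadata']['storagePolicy'] == 'cleartext'`, next to the `['data']` comparison, and compare `schema` and `metadata['name']` the way the round-trip test later in this file still does. The enclosing test function starts outside the hunk.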