From 484772eb64dffdd72663499ab5aaf1a67ff5c3b3 Mon Sep 17 00:00:00 2001 From: Lev Morgan Date: Wed, 13 Feb 2019 19:06:22 -0600 Subject: [PATCH] Fix secrets linting error Fix an error where secrets in global directories are erroneously flagged for being outside a secrets directory. Now, any file that is a child of a directory called secrets should be handled correctly. Change-Id: I827aa75110d761601dc65df64e1accf1b1a54544 --- doc/source/images/architecture-pegleg.png | Bin 37604 -> 37604 bytes pegleg/engine/lint.py | 12 ++---------- pegleg/engine/util/files.py | 12 ++++++++++++ tests/unit/engine/util/test_files.py | 7 +++++++ 4 files changed, 21 insertions(+), 10 deletions(-) diff --git a/doc/source/images/architecture-pegleg.png b/doc/source/images/architecture-pegleg.png index c872f555983d52324326561ed642b2e8c74f417e..acdfa920f86ced228cd6e88229af967446ed356b 100644 GIT binary patch delta 525 zcmV+o0`mRjr2^!o0+4TiU2obj6n(dp|8SKjcnAutY;7J;#YevuG&WQAfKcTmx2e^{ zMvlXVrv3L`lR&9dMY4Q9&hfb?_qwve*t#q{=01^HZNQ(-e2<~B((b{(TP_!8A^#bl zMZfv&z3-6EMwCcMOkZDw%6$0eF@W_%D{FMIfnIL}>zT@>!i~p&{+~e>m=~BI0Zjyx z_`b!oiBF+Fwy3xj=_^chxz&nPRY#(+Fo{fsYH2v81}$)!4`ED@09Cd*bbiNuW%WCG zCag$A<)rD#<_6u!4J+LsfOXbR`IIF`kaNkEYUc*?zgRc$bQZxB zw}sx9WNu4^#w|eB^m^=?&cg<=MIn@ZoX4<3Q%S9$-y4Met6tdeaADyF69})MKa9Q% zqVNJ9mlJUHF6-PbVyJX&QiM!a*2tu`M9^gqVkh8NP3u;FVgxSgEazR|vtyDp?WEDl z>0=M8dD8@U+VZWohvu&r!C2D2M?<<`HE&2)jmC&Xe(Qx#gJF>Lhm2Or2rE?%oPG|L z5yVo}f7ukDMO`=tQk_vbBK0@HC5wg1Ymt*SRBWP2li5>^vp3{|1jI-3J52xpfB;EE PK~#9!?7a)KYXW(YW_ks- delta 525 zcmV+o0`mRjr2^!o0+4TiO>f#j5WTPD|1k0i4z_?o+WLSZKAMEuDy<1UAQY|biL;8m zi`HvWROP>C78^pO$kJ-($;4OrFQ4%17&(`q{_X9K7)dzwH=wCtpB|{K?pXXY&AN zxGU75By(FT)OG=~rq^NDbRIW|EekHqeH6kTbtRO9zCY;ozx%yjC$1$dIAy*-e-sR_ zg5dz}S5vU{F6-PZL#R}(Q-n-ZMvJ62M9^gmzUT0#rgbZSF#sENR#6w?`6)@7_ChOZ z^|8e|YMS6ynRutnvH5D~O$7aW)T9g6QA4_JGzKK{tKWMVjJ%{jVzg448zFOu>E~b> zKqzGWkInFr*M)T;RT-57QvbvI#zHRhn&+eqC7UYJqz_b!*&F?11mB`g)-V77fB;EE PK~#9!?7a)KYXW(Yh!X~6 
diff --git a/pegleg/engine/lint.py b/pegleg/engine/lint.py
index 7b2f7259..6f836cac 100644
--- a/pegleg/engine/lint.py
+++ b/pegleg/engine/lint.py
@@ -269,7 +269,8 @@ def _verify_document(document, schemas, filename):
 'storagePolicy: "%s"' % (filename, name, storage_policy)))
- if not _filename_in_section(filename, 'secrets/'):
+ # Check if the file is in a secrets directory
+ if not util.files.file_in_subdir(filename, 'secrets/'):
 errors.append((SECRET_NOT_ENCRYPTED_POLICY,
 '%s (document %s) is a secret, is not stored in a '
 'secrets path' % (filename, name)))
@@ -330,12 +331,3 @@ def _load_schemas():
 schemas[key] = util.files.slurp(
 pkg_resources.resource_filename('pegleg', filename))
 return schemas
-
-
-def _filename_in_section(filename, section):
- directory = util.files.directory_for(path=filename)
- if directory is not None:
- rest = filename[len(directory) + 1:]
- return rest is not None and rest.startswith(section)
- else:
- return False
diff --git a/pegleg/engine/util/files.py b/pegleg/engine/util/files.py
index 02cb33ed..54ea38e9 100644
--- a/pegleg/engine/util/files.py
+++ b/pegleg/engine/util/files.py
@@ -382,3 +382,15 @@ def collect_files_by_repo(site_name):
 documents = util.files.read(filename)
 collected_files_by_repo[repo_name].extend(documents)
 return collected_files_by_repo
+
+
+def file_in_subdir(filename, _dir):
+ """
+ Check if a folder named _dir is in the path to the file
+
+ :return: Whether _dir is a parent of the file
+ :rtype: bool
+ """
+ file_path, file_name = os.path.split(
+ os.path.realpath(filename))
+ return _dir in file_path.split(os.path.sep)
diff --git a/tests/unit/engine/util/test_files.py b/tests/unit/engine/util/test_files.py
index b0938ee3..5a9e696c 100644
--- a/tests/unit/engine/util/test_files.py
+++ b/tests/unit/engine/util/test_files.py
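Review bot: The new call in `_verify_document` passes `'secrets/'` with a trailing slash, but `file_in_subdir` (added to pegleg/engine/util/files.py in this same patch) tests membership in `file_path.split(os.path.sep)`, whose elements never contain a separator. As written the membership test cannot be true on a platform where `os.path.sep` is `/`, so every document that reaches this branch is reported as not stored in a secrets path; a secrets lint that always fires tends to be suppressed rather than obeyed. Pass the bare directory name, `if not util.files.file_in_subdir(filename, 'secrets'):`, or have the helper strip a trailing separator from `_dir` before comparing. `_verify_document` begins and ends outside this hunk, so the conditions guarding this branch are not visible here.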
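Review bot: `file_in_subdir` compares `_dir` with every component of `os.path.realpath(filename)`, that is the absolute, symlink-resolved path, so a directory above the repository satisfies the check for every file beneath it (a checkout under `/srv/secrets/...`, constructed example), and the secrets-location lint then passes for files that are not in a secrets directory of the site. Limit the comparison to the part of the path below the repository or site root, for example by splitting the path relative to that root instead of the absolute one; where the root comes from is not visible in this hunk. `file_name` is never used, so `os.path.dirname(os.path.realpath(filename))` would do, and the docstring should document both parameters and state that `_dir` must be a single directory name without separators.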
@@ -36,3 +36,10 @@ class TestFileHelpers(object):
 documents = files.read(path)
 assert not documents, ("Documents returned should be empty for "
 "site-definition.yaml")
+
+def test_file_in_subdir():
+ assert files.file_in_subdir("aaa/bbb/ccc.txt", "aaa")
+ assert files.file_in_subdir("aaa/bbb/ccc.txt", "bbb")
+ assert not files.file_in_subdir("aaa/bbb/ccc.txt", "ccc")
+ assert not files.file_in_subdir("aaa/bbb/ccc.txt", "bb")
+ assert not files.file_in_subdir("aaa/bbb/../ccc.txt", "bbb")
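Review bot: `test_file_in_subdir` feeds relative paths to a helper that calls `os.path.realpath`, so the outcome depends on the directory the test run starts from: a working directory whose absolute path has a component named `ccc` or `bb` makes the two `assert not` cases on `"aaa/bbb/ccc.txt"` fail. Build the inputs under a known absolute root (pytest's `tmpdir` fixture, for instance) so the assertions only exercise the components the test itself controls. None of the cases uses the form of `_dir` that lint.py passes (`'secrets/'`, with a trailing separator); a case mirroring that call would pin which form the helper is expected to accept.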