9 Commits

Author SHA1 Message Date
Roman Gorshunov 5241d1d6ea Fix deckhand-integration-uwsgi-py35 tests
During Gabbi tests the server returns one of

  application/json
  application/json; charset=UTF-8

in a Content-Type HTTP header, depending on which test is being run.
This might be related to different pip/pip3 versions and dependencies
installed being used during standalone vs. containerized tests.

This patch allows for both returned header values to be accepted as
valid as a remedial solution until versions of packages and pip/pip3
usage are unified.

Change-Id: Ifb8f2d68e3474946b3df154cb016cc18cfc95d23
2020-03-01 19:47:29 +01:00
Phil Sphicas 4ccb4368ce Barbican driver simplification
Under some circumstances, the payloads retrieved from Barbican do not
match what was stored. This primarily affects surrounding whitespace[0],
but the implications for passphrases are significant, and even for PEM
encoded data, a difference in whitespace in a configmap is enough to
trigger a chart upgrade.

In general, the effort to align Deckhand document types with Barbican
secret types adds complexity without tangible benefit. Barbican does no
enforcement of the contents of the data, and if it did, that could lead
to further incompatibilities.

This change uses the 'opaque' secret type for all secret document types.
Before storage (or caching), the payload is serialized using `repr`, and
base64 encoded. Upon retrieval, the payload is base64 decoded and parsed
back into an object with `ast.literal_eval`.

[0]: https://storyboard.openstack.org/#!/story/2007017

Change-Id: I9c2f3427f52a87aad718f95160cf688db35e1b83
2020-01-24 22:26:29 +00:00
anthony.bellino 7defe473d2 Redact rendered Documents
- Uses the rendered-documents endpoint
- Adds a query parameter ?cleartext-secrets
- Adds unit tests, updates integration tests

Change-Id: I02423b9bf7456008d707b3cd91edc4fc281fa5fc
2018-10-24 22:42:25 -04:00
Aaron Sheffield 349e5600df Redacts Raw Documents
- If a document has a storage policy of encrypted
 - Redacts (sha256) the data section.
 - Redacts (sha256) the substitution paths.
- Uses the same /documents endpoint, adds a new query parameter
  ?cleartext-secrets=true to show the non-redacted values.

Change-Id: I42808901b97c667a1148c00fbb7717a0847c9981
2018-10-19 23:56:12 -05:00
Felipe Monteiro 11eeb69f44 integration tests: Add Barbican validation/assertions
This patchset adds Barbican validation/assertions to integration
tests by querying the Barbican API server where appropriate
and validating that the expected data is returned in order
to sanity-check the integration scenarios further.

Change-Id: If5d30712b289f09ac9712ee205673be4150cda16
2018-07-22 16:32:57 +00:00
Felipe Monteiro b1113a9b59 Fix failing integration uwsgi job
This patchset fixes failing integration uwsgi jobs due to
recent schema changes here: [0]. Basically, some of the
YAMLs that are used for the integration tests are missing
storagePolicy or layeringDefinition properties; this
patch set corrects the issues to get the job passing
again.

[0] https://review.openstack.org/#/c/579023/6

Change-Id: I4fb48bb770aaa31539231046b3f0bd11af25f927
2018-07-11 21:35:22 -04:00
Felipe Monteiro 444e4d9dcc [fix gate] Unblock failing integration job
This PS fixes the integration job failing on the following:

  Unable to match $.[0].data.`split(:, 0, 1)` + "://" +
  $.[0].data.`split(/, 2, 3)` + "/v1" as
  http://barbican.openstack.svc.cluster.local:80/,
  got http://barbican.openstack.svc.cluster.local:80/v1

This change corrects this issue.

Change-Id: Iccc172efa37fe06df3af59a569bbc6f135c773fe
2018-05-07 18:05:13 +00:00
Felipe Monteiro 2165e8b396 [test] Cover all secret Deckhand types in integration tests
This patch set accomplishes 2 things:
1) Fixes an issue in Deckhand caused by improperly using the wrong
   Barbican secret type for the PrivateKey Deckhand document type.
2) Tests all Deckhand secret types against Barbican via integration
   testing.

The current error being raised is this: "Provided object does not match
schema 'Secret': u'privatekey' is not one of ['symmetric', 'passphrase',
'private', 'public', 'certificate', 'opaque']."

Change-Id: I8231c87782902850fe0632d0346c567c7481e95f
2018-04-27 14:25:29 -04:00
Felipe Monteiro f30484a14c Add integration tests
This patch set adds integration tests to Deckhand
where "integration" means the interaction between
Deckhand, Barbican and Keystone. OSH is used to
deploy Keystone and Barbican and Docker to deploy
PostgreSQL and Deckhand.

Unlike functional testing in Deckhand, all
integration tests use the default in-code policy
defaults and an admin token supplied by Keystone
to validate authN and authZ.

The test scenarios consist of Deckhand secret
lifecycle management as well as document rendering
with secrets retrieved from Barbican.

Change-Id: Ib5ae1b345b2a4bd579671ec4ae9a232c2e3887dc
2018-04-18 09:05:04 -04:00