authorLev Morgan <lm734y@att.com>2019-02-13 19:06:22 -0600
committerLev Morgan <lm734y@att.com>2019-02-25 20:23:11 -0600
commit484772eb64dffdd72663499ab5aaf1a67ff5c3b3 (patch)
tree2ec7b60135691e19516c9287a18003f7b835de4b
parent1aa46d77af8b9eb0af42b2f6a4acf04ab64ec071 (diff)
Fix secrets linting error
Fix an error where secrets in global directories are erroneously flagged for being outside a secrets directory. Now, any file that is a child of a directory called secrets should be handled correctly. Change-Id: I827aa75110d761601dc65df64e1accf1b1a54544
Notes
Notes (review): Code-Review+1: Drew Walters <drewwalters96@gmail.com> Code-Review+1: Alexander Hughes <Alexander.Hughes@pm.me> Code-Review+2: Felipe Monteiro <felipe.monteiro@att.com> Code-Review+1: Evgeniy L <eli@mirantis.com> Code-Review+2: Aaron Sheffield <ajs@sheffieldfamily.net> Workflow+1: Aaron Sheffield <ajs@sheffieldfamily.net> Verified+2: Zuul Submitted-by: Zuul Submitted-at: Fri, 01 Mar 2019 16:39:11 +0000 Reviewed-on: https://review.openstack.org/637981 Project: openstack/airship-pegleg Branch: refs/heads/master
-rw-r--r--doc/source/images/architecture-pegleg.pngbin37604 -> 37604 bytes
-rw-r--r--pegleg/engine/lint.py12
-rw-r--r--pegleg/engine/util/files.py12
-rw-r--r--tests/unit/engine/util/test_files.py7
4 files changed, 21 insertions, 10 deletions
diff --git a/doc/source/images/architecture-pegleg.png b/doc/source/images/architecture-pegleg.png
index c872f55..acdfa92 100644
--- a/doc/source/images/architecture-pegleg.png
+++ b/doc/source/images/architecture-pegleg.png
Binary files differ
diff --git a/pegleg/engine/lint.py b/pegleg/engine/lint.py
index 7b2f725..6f836ca 100644
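--- a/pegleg/engine/lint.py
+++ b/pegleg/engine/lint.py
@@ -269,7 +269,8 @@ def _verify_document(document, schemas, filename):
  'storagePolicy: "%s"' % (filename, name,
  storage_policy)))
 
- if not _filename_in_section(filename, 'secrets/'):
+ # Check if the file is in a secrets directory
+ if not util.files.file_in_subdir(filename, 'secrets/'):
  errors.append((SECRET_NOT_ENCRYPTED_POLICY,
  '%s (document %s) is a secret, is not stored in a '
  'secrets path' % (filename, name)))
@@ -330,12 +331,3 @@ def _load_schemas():
  schemas[key] = util.files.slurp(
  pkg_resources.resource_filename('pegleg', filename))
  return schemas
-
-
-def _filename_in_section(filename, section):
- directory = util.files.directory_for(path=filename)
- if directory is not None:
- rest = filename[len(directory) + 1:]
- return rest is not None and rest.startswith(section)
- else:
- return False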
diff --git a/pegleg/engine/util/files.py b/pegleg/engine/util/files.py
index 02cb33e..54ea38e 100644
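--- a/pegleg/engine/util/files.py
+++ b/pegleg/engine/util/files.py
@@ -382,3 +382,15 @@ def collect_files_by_repo(site_name):
  documents = util.files.read(filename)
  collected_files_by_repo[repo_name].extend(documents)
  return collected_files_by_repo
+
+
+def file_in_subdir(filename, _dir):
+ """
+ Check if a folder named _dir is in the path to the file
+
+ :return: Whether _dir is a parent of the file
+ :rtype: bool
+ """
+ file_path, file_name = os.path.split(
+ os.path.realpath(filename))
+ return _dir in file_path.split(os.path.sep)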
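Review bot: `file_in_subdir` matches `_dir` against every component of the absolute `os.path.realpath(filename)`, so an ancestor directory that happens to carry the name, such as a checkout placed under a directory called `secrets`, makes every file match, and the secrets-path lint in pegleg/engine/lint.py that relies on it would then not report secret documents stored elsewhere in the repository. The removed `_filename_in_section` looked only at the part of the path below `util.files.directory_for(path=filename)`; splitting just that relative remainder would keep the any-depth behaviour without looking above the repository. The docstring should also state the argument contract, for example `:param _dir: directory name to look for, without a path separator`, and mention that symlinks are resolved before matching.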
diff --git a/tests/unit/engine/util/test_files.py b/tests/unit/engine/util/test_files.py
index b0938ee..5a9e696 100644
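--- a/tests/unit/engine/util/test_files.py
+++ b/tests/unit/engine/util/test_files.py
@@ -36,3 +36,10 @@ class TestFileHelpers(object):
  documents = files.read(path)
  assert not documents, ("Documents returned should be empty for "
  "site-definition.yaml")
+
+def test_file_in_subdir():
+ assert files.file_in_subdir("aaa/bbb/ccc.txt", "aaa")
+ assert files.file_in_subdir("aaa/bbb/ccc.txt", "bbb")
+ assert not files.file_in_subdir("aaa/bbb/ccc.txt", "ccc")
+ assert not files.file_in_subdir("aaa/bbb/ccc.txt", "bb")
+ assert not files.file_in_subdir("aaa/bbb/../ccc.txt", "bbb")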
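Review bot: Every case in `test_file_in_subdir` is a relative path, and `file_in_subdir` resolves it with `os.path.realpath` against the current working directory, so the negative assertions depend on where the suite runs: under a working directory with a component named `ccc` or `bb`, `assert not files.file_in_subdir("aaa/bbb/ccc.txt", "ccc")` fails. Building the inputs under a temporary directory, e.g. `path = os.path.join(str(tmpdir), "aaa", "bbb", "ccc.txt")` with pytest's `tmpdir` fixture, and using directory names unlikely to occur in that prefix would make the result independent of the checkout location. A short comment on the last assertion saying that it covers `..` normalisation would also help the next reader.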