Uniquely name managed documents

When pegleg wraps documents, it uses the original document name as the
name of the managed document. This often results in duplicate documents
(i.e. identical in name and schema). For example, it is expected to have
identically named deckhand document pairs: Certificate & CertificateKey;
CertificateAuthority & CertificateAuthorityKey; PublicKey & PrivateKey.

However, this could also occur for unrelated document types that happen
to share a name, and in general it defeats the principle that each
document is uniquely identified by its top-level schema key together
with its metadata.name.

This change uses a combination of the original document schema and name
to build the name of the pegleg/PeglegManagedDocument/v1.

Change-Id: Iab186ae7e9d24a30cb413be89a17fad960e10bea
Phil Sphicas 2019-12-07 11:52:36 -08:00 committed by Alexander Hughes
parent def3afff05
commit 417975b596
2 changed files with 7 additions and 2 deletions


@ -80,7 +80,10 @@ class PeglegManagedSecretsDocument(object):
[('abstract', False), ('layer', layer)]) [('abstract', False), ('layer', layer)])
metadata = OrderedDict( metadata = OrderedDict(
[ [
('name', secrets_document['metadata']['name']), (
'name', '{}/{}'.format(
secrets_document['schema'],
secrets_document['metadata']['name'])),
('schema', 'metadata/Document/v1'), ('schema', 'metadata/Document/v1'),
('labels', secrets_document['metadata'].get('labels', {})), ('labels', secrets_document['metadata'].get('labels', {})),
('layeringDefinition', layering_definition), ('layeringDefinition', layering_definition),
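Review bot: `secrets_document['schema']` on the new name line is an unguarded lookup, so a wrapped document that has no top-level `schema` key now fails with a bare KeyError where the old code only required `metadata.name`; if fail-fast is the intent, a short comment above the tuple would save the next reader a trip to the commit log, e.g. `# Prefix with the wrapped document's schema so that documents of different schemas sharing a metadata.name (e.g. a Certificate and its CertificateKey) get distinct managed-document names.` The new name also embeds the '/' characters of the schema string, so any writer that derives an output file name from the managed document's `metadata.name` would now produce nested paths — that code is outside this hunk and worth confirming. Managed documents already written under the old bare name will no longer match the new naming, so re-running wrap/encrypt over an existing site would presumably emit a second document rather than replace the first; a migration note or a lookup that accepts both forms may be needed. The enclosing constructor starts before and ends after this hunk.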


@ -279,7 +279,9 @@ class TestPKIGenerator(object):
wrapper_storage_policy = document['metadata']['storagePolicy'] wrapper_storage_policy = document['metadata']['storagePolicy']
# This document is owned by Pegleg so begins with pegleg. # This document is owned by Pegleg so begins with pegleg.
assert "pegleg/PeglegManagedDocument/v1" == wrapper_schema assert "pegleg/PeglegManagedDocument/v1" == wrapper_schema
assert expected_name == wrapper_name expected_wrapper_name = '{}/{}'.format(
wrapped_schema, expected_name)
assert expected_wrapper_name == wrapper_name
assert "cleartext" == wrapper_storage_policy assert "cleartext" == wrapper_storage_policy
def _validate_keypairs(self, documents): def _validate_keypairs(self, documents):
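Review bot: The new `expected_wrapper_name` is built with the same `'{}/{}'.format(wrapped_schema, expected_name)` expression the implementation uses, so the assertion mirrors the code rather than pinning the naming contract and would still pass if both sides silently changed separator or order. Asserting a fixed literal for one known document, and separately asserting the property the commit is actually after — that no two generated wrapper names collide, e.g. `names = [d['metadata']['name'] for d in documents]` followed by `assert len(names) == len(set(names))` — would make the test protect the invariant rather than the formatting. `wrapped_schema` is assigned above this hunk and the test method starts outside it, so which collection holds the generated wrappers (possibly the `documents` that `_validate_keypairs` receives) needs confirming before wiring that check in.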