From fb5d54fdb9e492f5365597c6fc40ca565abb0615 Mon Sep 17 00:00:00 2001
From: Alexander Hughes
Date: Fri, 3 May 2019 12:21:26 -0500
Subject: [PATCH] Update decrypt command

Decrypt command was previously requiring that specified files have in their paths the site name. This isn't necessarily always the case for example we can have global files that need to be decrypted and do not contain the site name in the filepath, but the site name is relevant in ensuring based on the site-definition.yaml file that pegleg uses the correct revision of the global repository.

The end result should be that when decrypting a file, we specify the site name, pegleg ensures we're on correct revisions of the repos and if the file exists, decrypt and print to stdout

This patch addresses this by:
1. Updating pegleg.engine.secrets.decrypt to no longer require a site name.
2. Updating pegleg.cli.decrypt to no longer pass a site name to pegleg.engine.secrets.decrypt
3. Updating documentation for CLI.
4. Updating unit tests for CLI and secrets.

Change-Id: Ia97518b06a58b069a4d6c0b8d68a37f45e5d31bb
---
 doc/source/cli/cli.rst            |  6 +++---
 pegleg/cli.py                     |  2 +-
 pegleg/engine/secrets.py          | 15 +++++----------
 tests/unit/engine/test_secrets.py |  2 +-
 4 files changed, 10 insertions(+), 15 deletions(-)

diff --git a/doc/source/cli/cli.rst b/doc/source/cli/cli.rst
index b8f43e54..2ea7209f 100644
--- a/doc/source/cli/cli.rst
+++ b/doc/source/cli/cli.rst
@@ -681,9 +681,9 @@ decrypt the encrypted secrets, and dump the cleartext secrets file to
 **site_name** (Required). Name of the ``site``. The ``site_name`` must match a ``site`` name in the site
-repository folder structure. The ``decrypt`` command also validates that the
-``site-name`` exists in the file path, before unwrapping and decrypting the
-documents in the ``filename``.
+repository folder structure. This is used to ensure the correct revision of
+the site and global repositories are used, as specified in the site's
+:file:`site-definition.yaml`.
 **-f / filename** (Required).
diff --git a/pegleg/cli.py b/pegleg/cli.py
index 23b8ebf9..685e8fef 100644
--- a/pegleg/cli.py
+++ b/pegleg/cli.py
@@ -694,7 +694,7 @@ def encrypt(*, save_location, author, site_name):
 def decrypt(*, file_name, save_location, site_name):
     engine.repository.process_repositories(site_name)
-    decrypted = engine.secrets.decrypt(file_name, site_name)
+    decrypted = engine.secrets.decrypt(file_name)
     if save_location is None:
         click.echo(decrypted)
     else:
diff --git a/pegleg/engine/secrets.py b/pegleg/engine/secrets.py
index 333cac18..af22e484 100644
--- a/pegleg/engine/secrets.py
+++ b/pegleg/engine/secrets.py
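Review bot: In `decrypt`, `click.echo(decrypted)` now prints whatever `engine.secrets.decrypt(file_name)` returns, and the not-found branch of that function (in the pegleg/engine/secrets.py hunk below) appears to only log, so a missing or mistyped path would print `None` to stdout and the command would still exit 0. With the site-name path check gone, a wrong `file_name` is more likely to reach this point unnoticed; consider failing explicitly, e.g. `if decrypted is None:` / `raise click.ClickException('File not found: {}'.format(file_name))` before the `save_location` branch. The rest of the command body, including the `else` branch that writes to `save_location`, is outside the hunk.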
@@ -68,27 +68,22 @@ def encrypt(save_location, author, site_name):
             'No secret documents were found for site: {}'.format(site_name))
-def decrypt(file_path, site_name):
-    """
-    Decrypt one secrets file, and print the decrypted file to standard out.
+def decrypt(file_path):
+    """Decrypt one secrets file, and print the decrypted file to standard out.
-    Search in secrets file of a site, identified by ``site_name``, for a file
-    named ``file_name``.
-    If the file is found and encrypted, unwrap and decrypt it, and print the
+    Search the specified file_path for a file.
+    If the file is found and encrypted, unwrap and decrypt it, and print the
     result to standard out. If the file is found, but it is not encrypted, print the contents of the file to standard out. Passphrase and salt for the decryption are read from environment variables.
     :param file_path: Path to the file to be unwrapped and decrypted.
     :type file_path: string
-    :param site_name: The name of the site to search for the file.
-    :type site_name: string
     :return: The decrypted secrets
     :rtype: list
     """
     LOG.info('Started decrypting...')
-    if (os.path.isfile(file_path) and
-            [s for s in file_path.split(os.path.sep) if s == site_name]):
+    if os.path.isfile(file_path):
         return PeglegSecretManagement(file_path).decrypt_secrets()
     else:
         LOG.info('File: {} was not found. Check your file path and name, '
diff --git a/tests/unit/engine/test_secrets.py b/tests/unit/engine/test_secrets.py
index 815eb439..4ef38071 100644
--- a/tests/unit/engine/test_secrets.py
+++ b/tests/unit/engine/test_secrets.py
@@ -116,7 +116,7 @@ data: {0}-password
     # for _file in encrypted_files:
     decrypted = secrets.decrypt(str(save_location.join(
         "site/cicd/secrets/passphrases/"
-        "cicd-passphrase-encrypted.yaml")), "cicd")
+        "cicd-passphrase-encrypted.yaml")))
     assert yaml.load(decrypted) == yaml.load(passphrase_doc)
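Review bot: Dropping the site-name term from the `if` leaves `os.path.isfile(file_path)` as the only condition in `decrypt`, so any readable file on the host is accepted and handed to `PeglegSecretManagement(file_path).decrypt_secrets()`, including files outside the repositories that `process_repositories(site_name)` just positioned; the old check was weak, but it was the only link between the file and the site the commit message says should be authoritative. If that intent stands, resolve the path and require it to sit under a repository pegleg already knows, e.g. `file_path = os.path.realpath(file_path)` followed by `if not file_path.startswith(os.path.join(REPO_ROOT, '')): LOG.info(...); return None` where `REPO_ROOT` is a placeholder for the site or global repository directory. The rewritten docstring also reads oddly: `Search the specified file_path for a file.` and `print the decrypted file to standard out` describe the CLI, while this function returns the result and the caller prints; suggest `Unwrap and decrypt the secrets file at ``file_path`` and return the decrypted documents.` The `else` branch continues outside the hunk, so what it returns is not visible here.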