Revert "Update storage policy on decrypt"

Barbican is being enabled, as such the metadata field should not be modified by Pegleg. If it says encrypted, then Barbican will encrypt. If it says cleartext, Barbican won't. All pegleg needs to do is decrypt the document prior to bundling it which exists already without this change. This reverts commit 2d88f48989. Change-Id: I8900f910f9816508a8ec5c23932252bb9d1fde09
2019-10-04 16:00:09 +00:00 · 2019-10-04 16:00:09 +00:00 · 85fdcd497a
commit 85fdcd497a
parent 4629009c96
2 changed files with 4 additions and 3 deletions
--- a/pegleg/engine/util/pegleg_managed_document.py
+++ b/pegleg/engine/util/pegleg_managed_document.py
@ -174,7 +174,6 @@ class PeglegManagedSecretsDocument(object):
    def set_decrypted(self):
        """Mark the pegleg managed document as un-encrypted."""
        self.data.pop(ENCRYPTED)
-        self._embedded_document[METADATA][STORAGE_POLICY] = 'cleartext'

    def set_secret(self, secret):
        self._embedded_document['data'] = secret
--- a/tests/unit/engine/test_secrets.py
+++ b/tests/unit/engine/test_secrets.py
@ -177,8 +177,8 @@ data: {0}-password
            "site/cicd/secrets/passphrases/"
            "cicd-passphrase-encrypted.yaml"))
    decrypted = secrets.decrypt(encrypted_path)
-    assert yaml.safe_load(decrypted[encrypted_path])['data'] == yaml.safe_load(
-        passphrase_doc)['data']
+    assert yaml.safe_load(
+        decrypted[encrypted_path]) == yaml.safe_load(passphrase_doc)


@mock.patch.dict(
@ -297,6 +297,8 @@ def test_encrypt_decrypt_using_docs(tmpdir):
    assert test_data[0]['schema'] == decrypted_data[0]['schema']
    assert test_data[0]['metadata']['name'] == decrypted_data[0]['metadata'][
        'name']
+    assert test_data[0]['metadata']['storagePolicy'] == decrypted_data[0][
+        'metadata']['storagePolicy']


@pytest.mark.skipif(