From 85fdcd497afecc1274cebaeb07ab9384c3afdf15 Mon Sep 17 00:00:00 2001
From: Alexander Hughes
Date: Fri, 4 Oct 2019 16:00:09 +0000
Subject: [PATCH] Revert "Update storage policy on decrypt"

Barbican is being enabled, as such the metadata field should not be modified by Pegleg. If it says encrypted, then Barbican will encrypt. If it says cleartext, Barbican won't. All pegleg needs to do is decrypt the document prior to bundling it which exists already without this change.

This reverts commit 2d88f48989031442f8bdae5221f7359948ebd10d.

Change-Id: I8900f910f9816508a8ec5c23932252bb9d1fde09
---
 pegleg/engine/util/pegleg_managed_document.py | 1 -
 tests/unit/engine/test_secrets.py | 6 ++++--
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/pegleg/engine/util/pegleg_managed_document.py b/pegleg/engine/util/pegleg_managed_document.py
index 71d12f18..76b3fa2f 100644
--- a/pegleg/engine/util/pegleg_managed_document.py
+++ b/pegleg/engine/util/pegleg_managed_document.py
@@ -174,7 +174,6 @@ class PeglegManagedSecretsDocument(object):
 def set_decrypted(self):
 """Mark the pegleg managed document as un-encrypted."""
 self.data.pop(ENCRYPTED)
- self._embedded_document[METADATA][STORAGE_POLICY] = 'cleartext'
 
 def set_secret(self, secret):
 self._embedded_document['data'] = secret
diff --git a/tests/unit/engine/test_secrets.py b/tests/unit/engine/test_secrets.py
index 4fe1702d..0d6374d2 100644
--- a/tests/unit/engine/test_secrets.py
+++ b/tests/unit/engine/test_secrets.py
@@ -177,8 +177,8 @@ data: {0}-password
 "site/cicd/secrets/passphrases/"
 "cicd-passphrase-encrypted.yaml"))
 decrypted = secrets.decrypt(encrypted_path)
- assert yaml.safe_load(decrypted[encrypted_path])['data'] == yaml.safe_load(
- passphrase_doc)['data']
+ assert yaml.safe_load(
+ decrypted[encrypted_path]) == yaml.safe_load(passphrase_doc)
 
 
 @mock.patch.dict(
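Review bot: The widened assertion in the `-177,8 +177,8` hunk of tests/unit/engine/test_secrets.py now compares the whole document, but nothing in the test records that the metadata is what it guards, so a later edit could narrow it back to `['data']` without the loss of coverage being noticed. A comment above the assert would state the intent, for example `# decrypt must return the document unchanged, metadata.storagePolicy included: Barbican acts on that field`. It is also worth saying there that `storagePolicy` describes how the secret is to be stored downstream, not whether the decrypted output is still ciphertext. The enclosing test function starts above the hunk.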
@@ -297,6 +297,8 @@ def test_encrypt_decrypt_using_docs(tmpdir):
 assert test_data[0]['schema'] == decrypted_data[0]['schema']
 assert test_data[0]['metadata']['name'] == decrypted_data[0]['metadata'][
 'name']
+ assert test_data[0]['metadata']['storagePolicy'] == decrypted_data[0][
+ 'metadata']['storagePolicy']
 
 
 @pytest.mark.skipif(
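Review bot: The added `storagePolicy` assertion only checks that the value survives the encrypt/decrypt round trip, so it passes just as well when the fixture's policy is already `cleartext`. In that case the reverted behaviour (forcing `'cleartext'` on decrypt) would not have failed this test either; what `test_data` holds is not visible in this hunk. If the fixture is an encrypted-policy document, pinning the literal makes the guard explicit: `assert decrypted_data[0]['metadata']['storagePolicy'] == 'encrypted'`. The body of `test_encrypt_decrypt_using_docs` starts above the hunk.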