Fix decrypting pack config keys under additionalProperties by cognifloyd · Pull Request #5225 · StackStorm/st2

cognifloyd · 2021-04-08T18:15:55Z

The pack config loader uses "secret: true" in a schema to trigger decrypting a key from the datastore. However, it does not look at the schema under additionalProperties, so those properties can't use encrypted keys.

This issue was first documented in StackStorm-Exchange/stackstorm-jira#19 (comment)

This PR fixes that so that the pack config loader handles additionalProperties when defined.

cognifloyd · 2021-04-09T05:20:28Z

All GHA tests are passing. CircleCI tests are broken due to a pbr+logshipper issue (known based on conversation in slack).

Kami · 2021-04-09T12:59:28Z

Nice work 👍

I will have a more detailed look later this week.

cognifloyd · 2021-04-09T19:46:40Z

Weird. I'm patching a v3.2 StackStorm running python2.7 and this delta was insufficient. afaik, the behavior of defaultdict should be the same under python3, so I'm not sure why the unit test is passing. In any case, I will push a commit with the fix momentarily.

CHANGELOG.rst

st2common/st2common/util/config_loader.py

Kami · 2021-04-09T20:55:09Z

st2common/tests/unit/test_config_loader.py

+                    "host": "127.1.2.7",
+                    "port": 8282,
+                    # encrypted in datastore
+                    "token": "{{st2kv.system.k1_encrypted}}",


If user wants that value in the config to actually be decrypted, they still need to use decrypt_kv Jinja filter, right?

No. Config is automatically decrypted when the schema lists the key as secret: true

See _get_datastore_value_for_expression() in config_loader.py

Thanks for clarification - I was just somewhat confused by the test case aka something didn't add up.

I pushed a fix for this test - 574034f.

That's the part which confused me a bit.

I assumed we don't do decryption because the value which was stored and the one which was retrieved was supposed to be the same (but the KVP model layer doesn't perform any encryption and we need to encrypt the value ourselves when storing it).

Ah! That's why it seemed to be working before, but wasn't. Thanks for the fix!

Kami · 2021-04-09T21:16:49Z

Overall LGTM, just had some questions / comments on internal implementation details.

Kami · 2021-04-09T21:18:52Z

st2common/st2common/util/config_loader.py

-            for key in init_additional_properties:
-                property_schema.__missing__(key)
+            # ensure that these keys are present in the object
+            for key in additional_properties_keys:


Thanks, if that works it should be much more straight forward to understand the code now - well, at least for me :)

And re - using copy - I actually verified, if we didn't use copy with defaultdict version, we also don't need to use it here - it's returning by reference version in both scenarios.

And since I believe we indeed never manipulate those values, only read / access them, copy is probably not needed.

Yes. We modify the config object, but we don't modify (and probably should not modify) the schema itself. So, references are perfect in this case.

Kami · 2021-04-10T10:37:27Z

Some of those integration tests still seem to be failing quite often due to race / similar, quite annoying.

We should probably modify that job step to try to retry up to 2-3 times on failure to avoid annoying and manual re-run of the complete workflow.

quite often due to races, etc. on failure. This saves us a bunch of time manually re-running the whole workflow.

cognifloyd · 2021-04-10T11:14:28Z

GHA is passing now. Hooray.
Circle failed. Could you restart https://app.circleci.com/pipelines/github/StackStorm/st2/1542/workflows/128ecfa9-04ff-4b05-b410-94541fb12be2/jobs/12968/parallel-runs/2

cognifloyd · 2021-04-10T11:56:02Z

All tests are green. Quick, let's merge before anything else gets merged into master. :)

pull-request-size bot added the size/S PR that changes 10-29 lines. Very easy to review. label Apr 8, 2021

handle additionalProperties in pack config

bffccc5

copart-jafloyd force-pushed the pack-config-additionalproperties branch from 09b104b to bffccc5 Compare April 8, 2021 18:24

add pack config with additionalProperties test

46a892c

pull-request-size bot added size/L PR that changes 100-499 lines. Requires some effort to review. and removed size/S PR that changes 10-29 lines. Very easy to review. labels Apr 8, 2021

cognifloyd added 5 commits April 8, 2021 16:23

reformat with black

6e864f3

fix defaultdict usage

44e0436

handle defaults under additionalProperties

2354014

typo

9d7c1d5

mark props with default as not required

3543ad1

copart-jafloyd force-pushed the pack-config-additionalproperties branch from c5ecc71 to 3543ad1 Compare April 8, 2021 22:07

cognifloyd mentioned this pull request Apr 9, 2021

Multi profiles StackStorm-Exchange/stackstorm-jira#19

Open

init additionalProperties in schema for defaults

e1ef44b

copart-jafloyd force-pushed the pack-config-additionalproperties branch from 9378252 to e1ef44b Compare April 9, 2021 00:14

cognifloyd added this to the 3.5.0 milestone Apr 9, 2021

cognifloyd added the enhancement label Apr 9, 2021

clean up fixture schema

46ce281

cognifloyd requested a review from blag April 9, 2021 00:39

Changelog entry for pack config additionalProperties support

8bf7d2a

copart-jafloyd force-pushed the pack-config-additionalproperties branch from 585fa46 to 8bf7d2a Compare April 9, 2021 02:01

This comment has been minimized.

Sign in to view

cognifloyd requested a review from Kami April 9, 2021 16:14

Handle defaultdict schema correctly

a2644c2

copart-jafloyd force-pushed the pack-config-additionalproperties branch from 1bafc58 to a2644c2 Compare April 9, 2021 20:22