Cover for "decrypt_kv" in "default" value of the schema

PR #4709

Author: VineeshJain

st2common/st2common/util/pack.py

@@ -104,14 +104,6 @@ def validate_config_against_schema(config_schema, config_object, config_path,
 
     pack_name = pack_name or 'unknown'
 
-    for key in config_object:
-        if (jinja_utils.is_jinja_expression(value=config_object.get(key)) and
-                "decrypt_kv" in config_object.get(key) and config_schema.get(key).get('secret')):
-            raise ValueValidationException('Values specified as "secret: True" in config schema '
-                                           'are automatically decrypted by default. Use of '
-                                           '"decrypt_kv" jinja filter is not allowed for such '
-                                           'values.')
-
     schema = util_schema.get_schema_for_resource_parameters(parameters_schema=config_schema,
                                                             allow_additional_properties=True)
     instance = config_object
@@ -120,6 +112,14 @@ def validate_config_against_schema(config_schema, config_object, config_path,
         cleaned = util_schema.validate(instance=instance, schema=schema,
                                        cls=util_schema.CustomValidator, use_default=True,
                                        allow_default_none=True)
+        for key in cleaned:
+            if (jinja_utils.is_jinja_expression(value=cleaned.get(key)) and
+                    "decrypt_kv" in cleaned.get(key) and config_schema.get(key).get('secret')):
+                raise ValueValidationException('Values specified as "secret: True" in config '
+                                               'schema are automatically decrypted by default. Use '
+                                               'of "decrypt_kv" jinja filter is not allowed for '
+                                               'such values. Please check the specified values in '
+                                               'the config or the default values in the schema.')
     except jsonschema.ValidationError as e:
         attribute = getattr(e, 'path', [])
 

st2common/tests/unit/test_configs_registrar.py

@@ -37,6 +37,7 @@
 PACK_6_PATH = os.path.join(fixturesloader.get_fixtures_packs_base_path(), 'dummy_pack_6')
 PACK_19_PATH = os.path.join(fixturesloader.get_fixtures_packs_base_path(), 'dummy_pack_19')
 PACK_11_PATH = os.path.join(fixturesloader.get_fixtures_packs_base_path(), 'dummy_pack_11')
+PACK_22_PATH = os.path.join(fixturesloader.get_fixtures_packs_base_path(), 'dummy_pack_22')
 
 
 class ConfigsRegistrarTestCase(CleanDbTestCase):
@@ -151,6 +152,9 @@ def test_register_all_configs_with_config_schema_validation_validation_failure_2
                                 base_dirs=packs_base_paths)
 
     def test_register_all_configs_with_config_schema_validation_validation_failure_3(self):
+        # This test checks for values containing "decrypt_kv" jinja filter in the config
+        # object where keys have "secret: True" set in the schema.
+
         # Verify DB is empty
         pack_dbs = Pack.get_all()
         config_dbs = Config.get_all()
@@ -170,7 +174,38 @@ def test_register_all_configs_with_config_schema_validation_validation_failure_3
 
         expected_msg = ('Values specified as "secret: True" in config schema are automatically '
                         'decrypted by default. Use of "decrypt_kv" jinja filter is not allowed '
-                        'for such values.')
+                        'for such values. Please check the specified values in the config or '
+                        'the default values in the schema.')
+
+        self.assertRaisesRegexp(ValueError, expected_msg,
+                                registrar.register_from_packs,
+                                base_dirs=packs_base_paths)
+
+    def test_register_all_configs_with_config_schema_validation_validation_failure_4(self):
+        # This test checks for default values containing "decrypt_kv" jinja filter for
+        # keys which have "secret: True" set.
+
+        # Verify DB is empty
+        pack_dbs = Pack.get_all()
+        config_dbs = Config.get_all()
+
+        self.assertEqual(len(pack_dbs), 0)
+        self.assertEqual(len(config_dbs), 0)
+
+        registrar = ConfigsRegistrar(use_pack_cache=False, fail_on_failure=True,
+                                     validate_configs=True)
+        registrar._pack_loader.get_packs = mock.Mock()
+        registrar._pack_loader.get_packs.return_value = {'dummy_pack_22': PACK_22_PATH}
+
+        # Register ConfigSchema for pack
+        registrar._register_pack_db = mock.Mock()
+        registrar._register_pack(pack_name='dummy_pack_22', pack_dir=PACK_22_PATH)
+        packs_base_paths = content_utils.get_packs_base_paths()
+
+        expected_msg = ('Values specified as "secret: True" in config schema are automatically '
+                        'decrypted by default. Use of "decrypt_kv" jinja filter is not allowed '
+                        'for such values. Please check the specified values in the config or '
+                        'the default values in the schema.')
 
         self.assertRaisesRegexp(ValueError, expected_msg,
                                 registrar.register_from_packs,

st2tests/st2tests/fixtures/packs/configs/dummy_pack_22.yaml

@@ -0,0 +1,3 @@
+---
+  key_with_no_secret_and_no_default: "Any Value"
+

st2tests/st2tests/fixtures/packs/dummy_pack_22/config.schema.yaml

@@ -0,0 +1,9 @@
+---
+  wrong_key_with_invalid_default_value:
+    type: "string"
+    secret: true
+    required: true
+    default: "{{st2kv.user.api_key | decrypt_kv}}"
+  key_with_no_secret_and_no_default:
+    type: "string"
+

st2tests/st2tests/fixtures/packs/dummy_pack_22/pack.yaml

@@ -0,0 +1,6 @@
+---
+name : dummy_pack_22
+description : dummy pack
+version : 0.1.0
+author : st2-dev
+email : [email protected]