Disallow decrypt_kv jinja filter for fields marked as secret for pack config

st2common/st2common/util/pack.py

@@ -107,9 +107,10 @@ def validate_config_against_schema(config_schema, config_object, config_path,
     for key in config_object:
         if (jinja_utils.is_jinja_expression(value=config_object.get(key)) and
                 "decrypt_kv" in config_object.get(key) and config_schema.get(key).get('secret')):
-            raise ValueValidationException('Validation Error: decrypt_kv jinja filter'
-                                           ' specified for auto decrypted fields marked'
-                                           ' with `secret: True`')
+            raise ValueValidationException('Values specified as `secret: True` in config schema '
+                                           'are automatically decrypted by default. Use of '
+                                           '`decrypt_kv` jinja filter is not allowed for such '
+                                           'values')
 
     schema = util_schema.get_schema_for_resource_parameters(parameters_schema=config_schema,
                                                             allow_additional_properties=True)

st2common/tests/unit/test_configs_registrar.py

@@ -36,6 +36,7 @@
 PACK_1_PATH = os.path.join(fixturesloader.get_fixtures_packs_base_path(), 'dummy_pack_1')
 PACK_6_PATH = os.path.join(fixturesloader.get_fixtures_packs_base_path(), 'dummy_pack_6')
 PACK_19_PATH = os.path.join(fixturesloader.get_fixtures_packs_base_path(), 'dummy_pack_19')
+PACK_11_PATH = os.path.join(fixturesloader.get_fixtures_packs_base_path(), 'dummy_pack_11')
 
 
 class ConfigsRegistrarTestCase(CleanDbTestCase):
@@ -148,3 +149,30 @@ def test_register_all_configs_with_config_schema_validation_validation_failure_2
         self.assertRaisesRegexp(ValueError, expected_msg,
                                 registrar.register_from_packs,
                                 base_dirs=packs_base_paths)
+
+    def test_register_all_configs_with_config_schema_validation_validation_failure_3(self):
+        # Verify DB is empty
+        pack_dbs = Pack.get_all()
+        config_dbs = Config.get_all()
+
+        self.assertEqual(len(pack_dbs), 0)
+        self.assertEqual(len(config_dbs), 0)
+
+        registrar = ConfigsRegistrar(use_pack_cache=False, fail_on_failure=True,
+                                     validate_configs=True)
+        registrar._pack_loader.get_packs = mock.Mock()
+        registrar._pack_loader.get_packs.return_value = {'dummy_pack_11': PACK_11_PATH}
+
+        # Register ConfigSchema for pack
+        registrar._register_pack_db = mock.Mock()
+        registrar._register_pack(pack_name='dummy_pack_11', pack_dir=PACK_11_PATH)
+        packs_base_paths = content_utils.get_packs_base_paths()
+
+        expected_msg = ('Values specified as `secret: True` in config schema '
+                        'are automatically decrypted by default. Use of '
+                        '`decrypt_kv` jinja filter is not allowed for such '
+                        'values')
+
+        self.assertRaisesRegexp(ValueError, expected_msg,
+                                registrar.register_from_packs,
+                                base_dirs=packs_base_paths)

st2tests/st2tests/fixtures/packs/configs/dummy_pack_11.yaml

@@ -0,0 +1,2 @@
+---
+  api_key: "{{st2kv.user.api_key | decrypt_kv}}"

st2tests/st2tests/fixtures/packs/dummy_pack_11/config.schema.yaml

@@ -0,0 +1,5 @@
+---
+  api_key:
+    type: "string"
+    secret: true
+    required: true

st2tests/st2tests/fixtures/packs/dummy_pack_11/pack.yaml

@@ -0,0 +1,6 @@
+---
+name : dummy_pack_11
+description : dummy pack
+version : 0.1.0
+author : st2-dev
+email : [email protected]