84ab5c5096
This PS adds an integration test scenario for validating that encrypting a generic document type and using it as a substitution source during document rendering works. Deckhand will now submit all generic documents to be encrypted to Barbican with a 'secret_type' of 'passphrase'. No encoding is provided Deckhand-side (i.e. base64) because encoding is deprecated in Barbican since it lead to strange behavior; Barbican will figure out what to encode the payload as automatically. For more information, see [0] and [1]. In addition, this PS handles 2 edge cases around secret payloads that are rejected by Barbican if not handled correctly by Deckhand: empty payloads and non-string type payloads [2]. For the first case Deckhand forcibly changes the document to cleartext because there is no point in encrypting a document with an empty payload. For the second case Deckhand sets overrides any previously set secret_type to 'opaque' and encodes the payload to base64 -- when it goes to render the secret it decodes the payload also using base64. Integration tests have been added to handle both edge cases described above. [0] https://bugs.launchpad.net/python-barbicanclient/+bug/1419166 [1] |
||
|---|---|---|
| .. | ||
| schemas | ||
| __init__.py | ||
| document_validation.py | ||
| layering.py | ||
| secrets_manager.py | ||
| utils.py | ||