Add some test cases which verify secrets masking works correctly for

rules API endpoint.
StackStorm · Oct 29, 2019 · 3400a76 · 3400a76
1 parent 70f960b
commit 3400a76
Show file tree

Hide file tree

Showing 3 changed files with 47 additions and 2 deletions.
diff --git a/st2api/tests/unit/controllers/v1/test_rules.py b/st2api/tests/unit/controllers/v1/test_rules.py
@@ -20,6 +20,7 @@
 
 from st2common.constants.rules import RULE_TYPE_STANDARD, RULE_TYPE_BACKSTOP
 from st2common.constants.pack import DEFAULT_PACK_NAME
+from st2common.constants.secrets import MASKED_ATTRIBUTE_VALUE
 from st2common.persistence.trigger import Trigger
 from st2common.models.system.common import ResourceReference
 from st2common.transport.publishers import PoolPublisher
@@ -185,10 +186,20 @@ def test_get_all_enabled(self):
         self.__do_delete(self.__get_rule_id(post_resp_rule_1))
         self.__do_delete(self.__get_rule_id(post_resp_rule_3))
 
-    def test_get_all_parameters_mask_with_include_parameters(self):
+    def test_get_all_action_parameters_secrets_masking(self):
         post_resp_rule_1 = self.__do_post(RulesControllerTestCase.RULE_1)
-        resp = self.app.get('/v1/rules?include_attributes=action')
+
+        # Verify parameter is masked by default
+        resp = self.app.get('/v1/rules')
+        self.assertEqual('action' in resp.json[0], True)
+        self.assertEqual(resp.json[0]['action']['parameters']['action_secret'],
+                         MASKED_ATTRIBUTE_VALUE)
+
+        # Verify ?show_secrets=true works
+        resp = self.app.get('/v1/rules?include_attributes=action&show_secrets=true')
         self.assertEqual('action' in resp.json[0], True)
+        self.assertEqual(resp.json[0]['action']['parameters']['action_secret'], 'secret')
+
         self.__do_delete(self.__get_rule_id(post_resp_rule_1))
 
     def test_get_all_parameters_mask_with_exclude_parameters(self):
@@ -197,6 +208,36 @@ def test_get_all_parameters_mask_with_exclude_parameters(self):
         self.assertEqual('action' in resp.json[0], False)
         self.__do_delete(self.__get_rule_id(post_resp_rule_1))
 
+    def test_get_all_parameters_mask_with_include_parameters(self):
+        post_resp_rule_1 = self.__do_post(RulesControllerTestCase.RULE_1)
+
+        # Verify parameter is masked by default
+        resp = self.app.get('/v1/rules?include_attributes=action')
+        self.assertEqual('action' in resp.json[0], True)
+        self.assertEqual(resp.json[0]['action']['parameters']['action_secret'],
+                         MASKED_ATTRIBUTE_VALUE)
+
+        # Verify ?show_secrets=true works
+        resp = self.app.get('/v1/rules?include_attributes=action&show_secrets=true')
+        self.assertEqual('action' in resp.json[0], True)
+        self.assertEqual(resp.json[0]['action']['parameters']['action_secret'], 'secret')
+
+        self.__do_delete(self.__get_rule_id(post_resp_rule_1))
+
+    def test_get_one_action_parameters_secrets_masking(self):
+        post_resp_rule_1 = self.__do_post(RulesControllerTestCase.RULE_1)
+
+        # Verify parameter is masked by default
+        resp = self.app.get('/v1/rules/%s' % (post_resp_rule_1.json['id']))
+        self.assertEqual(resp.json['action']['parameters']['action_secret'],
+                         MASKED_ATTRIBUTE_VALUE)
+
+        # Verify ?show_secrets=true works
+        resp = self.app.get('/v1/rules/%s?show_secrets=true' % (post_resp_rule_1.json['id']))
+        self.assertEqual(resp.json['action']['parameters']['action_secret'], 'secret')
+
+        self.__do_delete(self.__get_rule_id(post_resp_rule_1))
+
     def test_get_one_by_id(self):
         post_resp = self.__do_post(RulesControllerTestCase.RULE_1)
         rule_id = self.__get_rule_id(post_resp)

diff --git a/st2tests/st2tests/fixtures/generic/actions/action1.yaml b/st2tests/st2tests/fixtures/generic/actions/action1.yaml
@@ -18,6 +18,9 @@ parameters:
   async_test:
     default: false
     type: boolean
+  action_secret:
+     type: string
+     secret: true
   runnerdummy:
     default: actiondummy
     immutable: true

diff --git a/st2tests/st2tests/fixtures/generic/rules/rule1.yaml b/st2tests/st2tests/fixtures/generic/rules/rule1.yaml
@@ -3,6 +3,7 @@ action:
   parameters:
     ip1: '{{trigger.t1_p}}'
     ip2: '{{trigger}}'
+    action_secret: 'secret'
   ref: wolfpack.action-1
 criteria:
   trigger.t1_p: