Separates CredentialProvider from OutputDispatcher #875
Per @ryandeivert's comment, worth keeping #240 in mind
thank you for the work on this @Ryxias !! looking good so far, a handful of comments :)
"""Get the local tmp directory for caching the encrypted service credentials | ||
OutputDispatcher implementations may require credentials to authenticate with an external | ||
gateway. All credentials for OutputDispatchers are to be stored in a single bucket on AWS S3 | ||
and are encrypted with AWS KMS. When the OutputDispatchers are booted, this these encrypted |
typo: this these
also 'booted' might not be the right verbiage :P
great work so far @Ryxias - leaving a handful of comments/questions for you
@ryandeivert I've added a Fixup that addresses your comments, PTAL (I also added |
Oh no, I messed up, I put it on the wrong branch... hold on..
* Working? Draft of new driver-based credentials storage
* Higher quality refactor; needs tests
* Kinks ironed out with good tests this time
* First maybe working try
* Adds lots of tests for the Drivers
* Add more tests. Not final; still need to remove deprecated methods
* Rename method to reduce confusion
* Remove deprecated method load_encrypted_credentials_from_s3
* Removes deprecated method get_local_credentials_temp_dir
* Remove deprecated method get_formatted_output_credentials_name
* Removes deprecated method kms_decrypt
* Removes extraneous imports
* Extract globally injected REGION so the handler can be implemented properly
* Pylint`
* Pylint is my nemesis
* Remove extraneous method
* Use default_config for boto clients
* Code coverage. PR feedback.
* Add missing __init__.py file causing poor code coverage
* Fixes the tests to get past pylint garbage
There we go @ryandeivert I fixed it, PTAL
stream_alert_cli/outputs/helpers.py
Outdated
from botocore.exceptions import ClientError | ||
|
||
from stream_alert.shared.logger import get_logger | ||
from stream_alert.shared.helpers.aws_api_client import AwsS3, AwsKms |
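Review bot: `from botocore.exceptions import ClientError` on the first line stays in place alongside the `AwsS3, AwsKms` import on the last line. Check whether anything in this module still catches `ClientError` once the S3 and KMS calls go through those wrappers; if the wrappers handle it, drop the import, and if they do not, make sure the callers still catch it so the error handling is not lost in the move.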
this import should go before the previous line (`h` < `l`)
stream_alert_cli/outputs/helpers.py
Outdated
client.put_object(Body=blob_data, Bucket=bucket, Key=key) | ||
|
||
return True | ||
return AwsS3.put_object(blob_data, bucket=bucket, key=key, region=region) |
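Review bot: on the last line the function's result is whatever `AwsS3.put_object(blob_data, bucket=bucket, key=key, region=region)` returns, where the lines above it end in a literal `return True`. State in the docstring what the wrapper returns or raises when the upload fails, and confirm that callers testing the result for truthiness still behave correctly, so that a failed credentials upload is never reported as success.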
nice changes - if this function (`send_creds_to_s3`) is in fact not being used anywhere else, you can freely remove it
Done; I removed the deprecated code and added tests to replace the old ones that are gone
🚢 👍 thank you @Ryxias !
to: @ryandeivert
cc: @airbnb/streamalert-maintainers
Background
Implementing a new `OutputDispatcher` requires a lot of in-depth understanding of how the base class is implemented, and testing it has dependencies on AWS S3, AWS KMS, `os`, and the filesystem. To write a good test, you will need to know how to mock all three of these out, which is a lot of boilerplate.
Example: `TestPagerDutyOutput.setup/teardown`
Changes
I refactored `OutputDispatcher` and decoupled the credentials logic out of the base class and into a new class, `OutputCredentialsProvider`. This class now becomes solely responsible for providing `_load_creds()` functionality to the parent class.
Benefit?
Now, when writing unit tests, instead of having to mock out many different things as boilerplate, we can simply use mock to `patch` the `OutputCredentialsProvider` class to always return stub credentials.
Example: Commit showing before/after
This reduces the amount of code slightly, and makes it slightly easier to understand.
Additionally, this PR contains all changes in #878, with the new notion of `Drivers`. This opens up an easier path in the future to build an integration with SSM (#240).
Other (Unrelated?) Changes
I DRY'd out some code here and there, and removed some private (?) methods from `OutputDispatcher` that I didn't see being used in production code, in order to simplify the class's interface and its inheritance model.
Testing
I'm not quite done yet but I'm adding new unit tests which are passing. Will paste results here shortly.
tests/scripts/unit_tests.sh
tests/scripts/rule_test.sh
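The decoupling described in this PR, sketched as an added example (not StreamAlert's code): `RemoteDriver`, `CredentialsProvider`, `Dispatcher` and `load_credentials` are hypothetical stand-ins for the pattern, and the stub credentials are constructed. It shows a test patching only the provider, and the dispatcher refusing to send when no driver yields credentials.

```python
import json
from unittest import mock

class RemoteDriver:
    """Stand-in for a fetch-and-decrypt driver (the S3 + KMS role on this page)."""
    def __init__(self, fetch, decrypt):
        self._fetch, self._decrypt = fetch, decrypt
    def load(self, descriptor):
        blob = self._fetch(descriptor)
        return None if blob is None else json.loads(self._decrypt(blob))

class CredentialsProvider:
    """Owns all credential I/O; tries each driver in order, first hit wins."""
    def __init__(self, drivers):
        self._drivers = drivers
    def load_credentials(self, descriptor):
        for driver in self._drivers:
            creds = driver.load(descriptor)
            if creds is not None:
                return creds
        return None

class Dispatcher:
    """Base class: subclasses implement _send and never see storage or keys."""
    def __init__(self, provider):
        self._provider = provider

    def dispatch(self, alert, descriptor):
        creds = self._provider.load_credentials(descriptor)
        if not creds:
            return False  # fail closed: nothing is sent without credentials
        return self._send(alert, creds)

    def _send(self, alert, creds):
        raise NotImplementedError

def dispatch_with_stub(alert):
    """Patch only the provider, as a unit test would; no driver is touched."""
    with mock.patch.object(CredentialsProvider, "load_credentials",
                           return_value={"token": "stub-token"}), \
         mock.patch.object(Dispatcher, "_send", return_value=True) as send:
        ok = Dispatcher(CredentialsProvider(drivers=[])).dispatch(alert, "demo")
    return ok, send.call_args[0]

def dispatch_without_creds(alert):
    """Real provider whose only driver finds nothing: dispatch must not send."""
    provider = CredentialsProvider([RemoteDriver(lambda d: None, lambda b: b)])
    with mock.patch.object(Dispatcher, "_send") as send:
        return Dispatcher(provider).dispatch(alert, "missing"), send.called
```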