Add option to have gpg decrypt failures treated as errors #61418
Conversation
6d0df42 to 369e062
Something like the following in
71c1530 to 5068690
This is defaulted `false` for compatibility, and is controlled via a `gpg_decrypt_must_succeed` option. If this is true, and the ciphertext couldn't be decrypted, then it's treated as an error rather than just passing the raw ciphertext through. Sending the ciphertext through basically is *never* desired; the point of the gpg renderer is to decrypt the secret, not send the ciphertext through.
Test that:
1. Pillar registers an error when `gpg_decrypt_must_succeed` is `True` and decryption fails
2. The GPG renderer fails silently when `gpg_decrypt_must_succeed` is `False`
Also mock `__opts__["gpg_decrypt_must_succeed"]` for gpg renderer unit pytests.
- Normalize module-global data into pytest fixtures. It is not the least opaque option but we work within the constraints of pytest.
- Also rescope gpg pillar fixtures to module. If they are needed in a larger context, they should be defined in an appropriately prominent file.
5068690 to 256ca9d
@Ch3LL anything else that needs to be done on this?
Apologies for the delay, I was out sick most of last week. Thanks it looks good :)
No problem, thanks for the review.
I guess it is too late to fix, but Salt has two configuration namespaces for feature toggles:
This means that instead of a global
or
P.S. It would be nice to deprecate the non-strict way in future (or flip the default). These feature flags tend to accumulate in various master/minion bootstrap scripts I'm working on. I'm always torn between enabling better defaults (
@max-arnold, this was my intention. It's clearly the obvious thing to do. Let the option bake a couple of releases and then there's no reason to change the default behavior. You're welcome to submit the pull request, otherwise I will get around to actioning it from my backlog at some point.
Yes, change the default and burn the config.
What does this PR do?
This is defaulted `false` for compatibility, and is controlled via a `gpg_decrypt_must_succeed` option.
Previous Behavior
If this is `True`, and the ciphertext couldn't be decrypted, then it's treated as an error rather than just passing the raw ciphertext through. Sending the ciphertext through basically is never desired; the point of the gpg renderer is to decrypt the secret, not send the ciphertext through.
New Behavior
Explicitly error if gpg does not decrypt the ciphertext.
Merge requirements satisfied?
Commits signed with GPG?
Yes
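The following is an added example, not code from this pull request or from Salt's own gpg renderer. It models the decision the `gpg_decrypt_must_succeed` option controls: a renderer walks a pillar structure, decrypts each armored PGP block, and on failure either passes the raw ciphertext through (the legacy behaviour) or raises so the pillar compile reports an error. It also includes a check that scans rendered output for ciphertext that survived rendering, which is what an operator running with the option off would want to detect. The names `render_gpg`, `fake_decrypt`, `leaked_ciphertext_paths` and `GpgDecryptError` are assumptions for this example; `fake_decrypt` stands in for a real call to gpg, and the sample pillar data is constructed.

```python
import re

# Standard header of an ASCII-armored PGP message. A renderer that passes
# ciphertext through leaves this marker in the rendered pillar data.
PGP_HEADER = re.compile(r"-----BEGIN PGP MESSAGE-----")


class GpgDecryptError(Exception):
    """Raised when decryption fails and gpg_decrypt_must_succeed is enabled."""


def fake_decrypt(ciphertext):
    """Stand-in for a call to gpg (constructed for this example).

    Only one known message 'decrypts'; anything else returns None, which
    mirrors gpg producing no plaintext when the private key is not held.
    """
    known = {
        "-----BEGIN PGP MESSAGE-----\nGOODBLOB\n-----END PGP MESSAGE-----": "s3cret",
    }
    return known.get(ciphertext.strip())


def render_gpg(data, opts, decrypt=fake_decrypt):
    """Walk a pillar structure and decrypt every armored PGP block.

    opts["gpg_decrypt_must_succeed"] selects the behaviour on failure:
      False -> the raw ciphertext is returned in place (legacy passthrough)
      True  -> GpgDecryptError is raised, so the pillar compile fails loudly
    """
    must_succeed = opts.get("gpg_decrypt_must_succeed", False)

    if isinstance(data, dict):
        return {k: render_gpg(v, opts, decrypt) for k, v in data.items()}
    if isinstance(data, list):
        return [render_gpg(v, opts, decrypt) for v in data]
    if isinstance(data, str) and PGP_HEADER.search(data):
        plaintext = decrypt(data)
        if plaintext is None:
            if must_succeed:
                raise GpgDecryptError("Could not decrypt ciphertext")
            return data  # legacy passthrough: ciphertext reaches the minion
        return plaintext
    return data


def leaked_ciphertext_paths(rendered, path=()):
    """Return key paths whose rendered value still holds an armored PGP message.

    Useful as a post-render check when the legacy passthrough is in effect.
    """
    found = []
    if isinstance(rendered, dict):
        for k, v in rendered.items():
            found.extend(leaked_ciphertext_paths(v, path + (k,)))
    elif isinstance(rendered, list):
        for i, v in enumerate(rendered):
            found.extend(leaked_ciphertext_paths(v, path + (i,)))
    elif isinstance(rendered, str) and PGP_HEADER.search(rendered):
        found.append(path)
    return found


# Constructed sample pillar: one block decrypts, one does not (for instance,
# it was encrypted to a key the master does not hold).
SAMPLE_PILLAR = {
    "db": {
        "password": "-----BEGIN PGP MESSAGE-----\nGOODBLOB\n-----END PGP MESSAGE-----",
        "api_key": "-----BEGIN PGP MESSAGE-----\nBADBLOB\n-----END PGP MESSAGE-----",
    },
    "plain": "not secret",
}


def demo():
    """Render the sample once per setting and report what each mode does."""
    lenient = render_gpg(SAMPLE_PILLAR, {"gpg_decrypt_must_succeed": False})
    leaked = leaked_ciphertext_paths(lenient)
    try:
        render_gpg(SAMPLE_PILLAR, {"gpg_decrypt_must_succeed": True})
        strict_raised = False
    except GpgDecryptError:
        strict_raised = True
    return lenient, leaked, strict_raised


if __name__ == "__main__":
    lenient, leaked, strict_raised = demo()
    print("lenient render:", lenient)
    print("paths still holding ciphertext:", leaked)
    print("strict mode raised:", strict_raised)
```

With the option off, `db.api_key` is delivered to the minion as the raw armored blob and only `leaked_ciphertext_paths` reveals it; with the option on, the same input aborts rendering at the first undecryptable block, which is the behaviour the pull request adds.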