Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add option to have gpg decrypt failures treated as errors #61418

Merged
merged 3 commits into from
Feb 1, 2022

Conversation

jfindlay
Copy link
Contributor

@jfindlay jfindlay commented Jan 4, 2022

What does this PR do?

This is defaulted false for compatibility, and is controlled via a gpg_decrypt_must_succeed option.

Previous Behavior

If this is True- and the ciphertext couldn't be decrypted- then it's treated as an error rather than just passing the raw ciphertext through.

Sending the ciphertext through basically is never desired- the point of the gpg renderer is to decrypt the secret, not send the cipher text through.

New Behavior

Explicitly error if gpg does not decrypt the ciphertext.

Merge requirements satisfied?

Commits signed with GPG?

Yes

@jfindlay jfindlay requested a review from a team as a code owner January 4, 2022 19:23
@jfindlay jfindlay requested review from MKLeb and removed request for a team January 4, 2022 19:23
@jfindlay jfindlay force-pushed the jfindlay/SALT-450/gpg-fail branch 2 times, most recently from 6d0df42 to 369e062 Compare January 4, 2022 19:53
salt/renderers/gpg.py Outdated Show resolved Hide resolved
@MKLeb
Copy link
Contributor

MKLeb commented Jan 18, 2022

Something like the following in tests/pytest/unit/renderers/test_gpg.py may help with test failures...

@pytest.fixture
def configure_loader_modules():
    """
    GPG renderer configuration
    """
    return {
        gpg: {
            "__opts__": {
                "gpg_decrypt_must_succeed": True
            }
        }
    }

@jfindlay jfindlay force-pushed the jfindlay/SALT-450/gpg-fail branch 5 times, most recently from 71c1530 to 5068690 Compare January 19, 2022 07:54
@jfindlay jfindlay requested a review from MKLeb January 19, 2022 09:58
@MKLeb MKLeb requested review from twangboy and dwoz January 19, 2022 19:01
MKLeb
MKLeb previously approved these changes Jan 19, 2022
twangboy
twangboy previously approved these changes Jan 21, 2022
doc/ref/configuration/master.rst Outdated Show resolved Hide resolved
salt/renderers/gpg.py Outdated Show resolved Hide resolved
@Ch3LL Ch3LL added the Phosphorus v3005.0 Release code name and version label Jan 21, 2022
Brian Harring and others added 3 commits January 21, 2022 13:54
This is defaulted `false` for compatibility, and is controlled via
a `gpg_decrypt_must_succeed` option.

If this is true- and the ciphertext couldn't be decrypted- then it's
treated as an error rather than just passing the raw ciphertext through.

Sending the ciphertext through basically is *never* desired- the point
of the gpg renderer is to decrypt the secret, not send the cipher text
through.
Test that:
1. Pillar registers an error when `gpg_decrypt_must_succeed` is `True` and decryption fails
2. The GPG renderer fails silently when `gpg_decrypt_must_succeed` is `False`

Also mock `__opts__["gpg_decrypt_must_succeed"]` for gpg renderer unit pytests.
- Normalize module-global data into pytest fixtures.  It is not the
  least opaque option but we work within the constraints of pytest.
- Also rescope gpg pillar fixtures to module.  If they are needed in a
  larger context, they should be defined in an appropriately prominent
  file.
@jfindlay jfindlay dismissed stale reviews from twangboy and MKLeb via 256ca9d January 21, 2022 18:55
@jfindlay jfindlay requested a review from Ch3LL January 21, 2022 18:57
@jfindlay
Copy link
Contributor Author

@Ch3LL anything else that needs to be done on this?

@Ch3LL
Copy link
Contributor

Ch3LL commented Feb 1, 2022

Apologies for the delay, I was out sick most of last week. Thanks it looks good :)

@Ch3LL Ch3LL merged commit 9019262 into saltstack:master Feb 1, 2022
@jfindlay
Copy link
Contributor Author

jfindlay commented Feb 2, 2022

Apologies for the delay, I was out sick most of last week. Thanks it looks good :)

No problem, thanks for the review.

@max-arnold
Copy link
Contributor

max-arnold commented Apr 17, 2022

I guess it is too late to fix, but Salt has two configuration namespaces for feature toggles:

  1. features
  2. use_superseded

This means that instead of a global gpg_decrypt_must_succeed option, the toggle could be implemented as:

features:
  strict_gpg_decrypt
from salt.features import features
if features.get("strict_gpg_decrypt", False):
    ...

or

use_superseded:
  - module.foo
from salt.utils.decorators import with_deprecated

@with_deprecated(globals(), "Beryllium")
def foo():
    "This is a new function"

def _foo():
    "This is a deprecated function"

P.S. It would be nice to deprecate the non-strict way in future (or flip the default). These feature flags tend to accumulate in various master/minion bootstrap scripts I'm working on. I'm always torn between enabling better defaults (module.run, enable_slsvars_fixes, enable_legacy_startup_events: false, etc) and simpler bootstrap scripts.

@jfindlay
Copy link
Contributor Author

jfindlay commented Apr 21, 2022

It would be nice to deprecate the non-strict way in future (or flip the default).

@max-arnold, this was my intention. It's clearly the obvious thing to do. Let the option bake a couple of releases and then there's no reason to change the default behavior. You're welcome to submit the pull request, otherwise I will get around to actioning it from my backlog at some point.

These feature flags tend to accumulate.

Yes, change the default and burn the config.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Phosphorus v3005.0 Release code name and version
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants