Secret values on object in an array are not masked inside a pack config.

[NikosVlagoidis]

ISSUE TYPE

• Bug Report

STACKSTORM VERSION

st2 2.8dev (0f1d9dc), on Python 2.7.6

OS / ENVIRONMENT / INSTALL METHOD

docker instalation

SUMMARY

When I mark a secret value on a pack config inside an array I get the values in plain text even if Ii don't make the request with parameter show_secret=true.

STEPS TO REPRODUCE

Pack config

---
  instance:
    type: "array"
    required: false
    items:
      type: "object"
      properties:
          alias:
              description: "an alias for this instance"
              type: "string"
              required: true
              secret: false
          base_url:
              description: "Base URL for a service"
              type: "string"
              secret: false
              required: true
          secret:
              description: "The api secret key"
              type: "string"
              secret: true
              required: true

when I make a request on : https://{{host}}/api/v1/configs/<pack_name>

{
    "values": {
        "instance": [
            {
                "alias": "alias1",
                "secret": "secret",
                "base_url": "10.10.10.1"
            },
            {
                "alias": "alias2",
                "secret": "secret23",
                "base_url": "10.10.10.2"
            }
        ]
    },
    "id": "5afadbb2b2c724049ee7e03c",
    "pack": "<pack_name>"
}

EXPECTED RESULTS

{
    "values": {
        "instance": [
            {
                "alias": "alias1",
                "secret": "****",
                "base_url": "10.10.10.1"
            },
            {
                "alias": "alias2",
                "secret": "*****",
                "base_url": "10.10.10.2"
            }
        ]
    },
    "id": "5afadbb2b2c724049ee7e03c",
    "pack": "<pack_name>"
}

ACTUAL RESULTS

{
    "values": {
        "instance": [
            {
                "alias": "alias1",
                "secret": "secret",
                "base_url": "10.10.10.1"
            },
            {
                "alias": "alias2",
                "secret": "secret23",
                "base_url": "10.10.10.2"
            }
        ]
    },
    "id": "5afadbb2b2c724049ee7e03c",
    "pack": "<pack_name>"
}

[nmaludy]

Probably related to #4122

Wonder if the secret masking process for the CLI / API needs the same modifications?

[Kami]

@NikosVlagoidis Thanks for reporting this.

@nmaludy Yeah, it's most likely related to that change, but not to that code directly (that code is used in places where decrypted values are expected, API follows a different code path - just retrieves object from the database and masks secrets).

We probably need to update BaseAPI class / PackConfigAPI class to correctly mask secrets for nested objects / lists.

Edit: st2common.models.db.pack.PackDB.mask_secrets is the method which needs to be updated.

That's also a good example which shows why it's important to think about all the various edge cases for tests when adding a new feature / similar and not just for simple "positive" test cases :)

@nmaludy Will you have time to look into it? Or want me to do it?

[nmaludy]

@Kami i'm checking it out now, looks like the affected functions are get_secret_parameters() and mask_secret_parameters() here https://github.com/StackStorm/st2/blob/master/st2common/st2common/util/secrets.py#L28-L61

[Kami]

@armab Thanks for assigning the "bug" label - I was actually thinking of doing it myself, but IIRC, since nested objects were not supported in stable versions prior to v2.8dev, it's not a bug in a stable release, just a bug in current dev version so I decided to leave it out for now.

Anyway, yeah, it's still a bug even though just in a dev release so it doesn't hurt to have that label.

[LindsayHill]

Looks like this is fixed in #4140/#4236