deckhand.engine.secrets_manager module¶

class deckhand.engine.secrets_manager.SecretsManager[source]¶

Bases: object

Internal API resource for interacting with Barbican.

Currently only supports Barbican.

barbican_driver = <deckhand.barbican.driver.BarbicanDriver object>¶

classmethod create(secret_doc)[source]¶

Securely store secrets contained in secret_doc.

Documents with metadata.storagePolicy == “clearText” have their secrets stored directly in Deckhand.

Documents with metadata.storagePolicy == “encrypted” are stored in Barbican directly. Deckhand in turn stores the reference returned by Barbican in its own DB.

Parameters:	secret_doc – A Deckhand document with a schema that belongs to `types.DOCUMENT_SECRET_TYPES`.
Returns:	Unecrypted data section from `secret_doc` if the document’s `storagePolicy` is “cleartext” or a Barbican secret reference if the `storagePolicy` is “encrypted’.

classmethod delete(document)[source]¶

Delete a secret from Barbican.

Parameters:	document (dict) – Document with secret_ref in `data` section with format: “https://{barbican_host}/v1/secrets/{secret_uuid}”
Returns:	None

classmethod get(secret_ref, src_doc)[source]¶

Retrieve a secret payload from Barbican.

Extracts {secret_uuid} from a secret reference and queries Barbican’s Secrets API with it.

Parameters:	secret_ref (str) – A string formatted like: “https://{barbican_host}/v1/secrets/{secret_uuid}”
Returns:	Secret payload from Barbican.

static requires_encryption(document)[source]¶

class deckhand.engine.secrets_manager.SecretsSubstitution(substitution_sources=None, fail_on_missing_sub_src=True, encryption_sources=None, cleartext_secrets=False)[source]¶

Bases: object

Class for document substitution logic for YAML files.

get_unencrypted_data(secret_ref, src_doc, dest_doc)[source]¶

static sanitize_potential_secrets(error, document)[source]¶

Sanitize all secret data that may have been substituted into the document or contained in the document itself (if the document has metadata.storagePolicy == ‘encrypted’). Uses references in document.substitutions to determine which values to sanitize. Only meaningful to call this on post-rendered documents.

Parameters:	error – Error message produced by `jsonschema`. document (DocumentDict) – Document to sanitize.

substitute_all(documents)[source]¶

Substitute all documents that have a metadata.substitutions field.

Concrete (non-abstract) documents can be used as a source of substitution into other documents. This substitution is layer-independent, a document in the region layer could insert data from a document in the site layer.

Parameters:	documents (dict or List[dict]) – List of documents that are candidates for substitution.
Returns:	List of fully substituted documents.
Return type:	Generator[`DocumentDict`]
Raises:	SubstitutionSourceNotFound – If a substitution source document is referenced by another document but wasn’t found. UnknownSubstitutionError – If an unknown error occurred during substitution.

update_substitution_sources(meta, data)[source]¶

Update substitution sources with rendered data so that future layering and substitution sources reference the latest rendered data rather than stale data.

Parameters:	meta (tuple) – Tuple of (schema, layer, name). data (dict) – Dictionary of just-rendered document data that belongs to the document uniquely identified by `meta`.
Returns:	None