Add support for using credstash as a secret store #8494
Conversation
homeassistant/scripts/credstash.py
Outdated
| the_secret = getpass.getpass('Please enter the secret for {}: ' | ||
| .format(args.name)) | ||
| current_version = int(credstash.getHighestVersion(args.name, table=_SECRET_NAMESPACE)) | ||
| credstash.putSecret(args.name, the_secret, version=current_version+1, table=_SECRET_NAMESPACE) |
There was a problem hiding this comment.
line too long (102 > 79 characters)
homeassistant/scripts/credstash.py
Outdated
| if args.action == 'put': | ||
| the_secret = getpass.getpass('Please enter the secret for {}: ' | ||
| .format(args.name)) | ||
| current_version = int(credstash.getHighestVersion(args.name, table=_SECRET_NAMESPACE)) |
There was a problem hiding this comment.
line too long (94 > 79 characters)
homeassistant/scripts/credstash.py
Outdated
| def run(args): | ||
| """Handle credstash script.""" | ||
| parser = argparse.ArgumentParser( | ||
| description=("Modify Home-Assistant secrets in the default credstash store. " |
There was a problem hiding this comment.
line too long (85 > 79 characters)
homeassistant/scripts/credstash.py
Outdated
| @@ -0,0 +1,60 @@ | |||
| """Script to get, put and delete secrets stored in credstash.""" | |||
| import os | |||
|
So this uses the same syntax as for the yaml |
|
Correct, it uses the same syntax. I did forget to mention that here, I updated the PR comment to reflect that. As for the documentation, I kept it similar to the keyring one that already exists as it functions almost identically |
homeassistant/scripts/credstash.py
Outdated
|
|
||
| if args.action == 'list': | ||
| secrets = [i['name'] for i in credstash.listSecrets(table=table)] | ||
| deduped_secrets = list(dict.fromkeys(secrets)) |
There was a problem hiding this comment.
sorted(set(i['name'] for i in credstash.listSecrets(table=table)))
There was a problem hiding this comment.
Done (mostly). I kept it as 2 variables to keep the line length under 80 and also to make it a little bit more readable.
tests/util/test_yaml.py
Outdated
| @@ -372,6 +386,17 @@ def test_secrets_keyring(self): | |||
| _yaml = load_yaml(self._yaml_path, yaml_str) | |||
| self.assertEqual({'http': {'api_password': 'yeah'}}, _yaml) | |||
|
|
|||
| def test_secrets_credstash(self): | |||
| """Test credstash fallback & get_password.""" | |||
| yaml.credstash = None | |||
There was a problem hiding this comment.
Tests should not have any side effects, please use
from unittest.mock import patch
with patch.object(yaml, 'credstash', None):
…There was a problem hiding this comment.
Good point, I should've known better. I was just copying the test case directly above to keep in line with existing tests/formatting
tests/util/test_yaml.py
Outdated
| @@ -372,6 +386,17 @@ def test_secrets_keyring(self): | |||
| _yaml = load_yaml(self._yaml_path, yaml_str) | |||
| self.assertEqual({'http': {'api_password': 'yeah'}}, _yaml) | |||
|
|
|||
| def test_secrets_credstash(self): | |||
There was a problem hiding this comment.
It doesn't look like your test uses any of the setup in this class. Please move it to be a standalone function in this file.
There was a problem hiding this comment.
It uses the self._yaml_path from setup, which itself uses some other parts of the setup.
The path is needed to ensure fall-through when a secret isn't in the local file, that credstash.getSecret is called
|
Thanks 🐬 Ok to merge when tests pass. |
|
This PR is not mocking out credstash correctly during other tests and now we're doing I/O during unit tests + can no longer run tests offline. |
|
Hmm, how can I mock it out for all the other tests? should I just be adding it to the other test functions for the yaml parser? |
|
I'm fixing it like this right now: https://github.com/home-assistant/home-assistant/pull/8834/files#diff-0897a49ea1455f0a57774d651fec8d47R16 The credstash test still passes, so I guess that's good? |
Description:
Add support for using credstash to store secrets.
It is used by using the same
!secret foosyntax as the existingsecrets.yamlandkeyringmethods of storing secrets. The CLI script for managing secrets is very similar to the one for using a keyring. Examples can be seen in the documentation PR belowPull request in home-assistant.github.io with documentation (if applicable): home-assistant/home-assistant.io#2988
Checklist:
If user exposed functionality or configuration variables are added/changed:
If the code communicates with devices, web services, or third-party tools:
toxrun successfully. Your PR cannot be merged unless tests passREQUIREMENTSvariable ([example][ex-requir]).requirements_all.txtby runningscript/gen_requirements_all.py..coveragerc.If the code does not interact with devices:
toxrun successfully. Your PR cannot be merged unless tests pass