From 164125f840ecd8b9c971867fe6a2887ad505245c Mon Sep 17 00:00:00 2001 From: Philipp Homberger Date: Mon, 25 Mar 2024 08:02:16 +0100 Subject: [PATCH 1/6] Update rule_enforcement_views.py Add a Secret Masking to the API Output. --- .../controllers/v1/rule_enforcement_views.py | 41 +++++++++++++++++-- 1 file changed, 37 insertions(+), 4 deletions(-) diff --git a/st2api/st2api/controllers/v1/rule_enforcement_views.py b/st2api/st2api/controllers/v1/rule_enforcement_views.py index 75831a917b..3b9bc3cc4c 100644 --- a/st2api/st2api/controllers/v1/rule_enforcement_views.py +++ b/st2api/st2api/controllers/v1/rule_enforcement_views.py @@ -26,6 +26,9 @@ from st2api.controllers.resource import ResourceController +import json + + __all__ = ["RuleEnforcementViewController"] @@ -67,10 +70,24 @@ def get_all( raw_filters=raw_filters, requester_user=requester_user, ) - rule_enforcement_apis.json = self._append_view_properties( rule_enforcement_apis.json ) + + rule_enforcement_apis = eval(str(rule_enforcement_apis.json)) + i = 0 + for rule_enforcement_api in rule_enforcement_apis: + secret_parameter = [] + if "parameters" in str(rule_enforcement_apis[i]): + for parameter in rule_enforcement_api['execution']['action']['parameters']: + if "secret" in str(rule_enforcement_api['execution']['action']['parameters'][parameter]): + if rule_enforcement_api['execution']['action']['parameters'][parameter]['secret']: + secret_parameter.append(parameter) + for secret in rule_enforcement_api['execution']['parameters']: + if secret in str(secret_parameter): + rule_enforcement_api['execution']['parameters'][secret] = "*******" + rule_enforcement_apis[i] = rule_enforcement_api + i = i + 1 return rule_enforcement_apis def get_one(self, id, requester_user): 
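Review bot: `eval(str(rule_enforcement_apis.json))` in get_all runs the printed form of the response as Python, and that text includes trigger payloads and execution parameters that can originate outside the API process; the get_one hunk does the same with `eval(input_string)`, and the later black patch keeps both calls. The value is already a list of dicts, so it can be walked directly, as sketched below. In the same loop, `if secret in str(secret_parameter)` is a substring test against the printed list, so a non-secret parameter whose name is contained in a secret one's name is masked too. The method also now returns a bare list where it used to return the response object, which presumably drops whatever headers that object carried. If I recall correctly st2common already defines `MASKED_ATTRIBUTE_VALUE` in `st2common.constants.secrets`, which would be preferable to a new `"*******"` literal; get_all's body starts outside the hunk.

```python
        rule_enforcement_apis.json = self._append_view_properties(
            rule_enforcement_apis.json
        )

        enforcements = rule_enforcement_apis.json
        for enforcement in enforcements:
            execution = enforcement.get("execution") or {}
            declared = (execution.get("action") or {}).get("parameters") or {}
            # Exact names only: collect parameters the action marks as secret.
            secret_names = {
                name
                for name, spec in declared.items()
                if isinstance(spec, dict) and spec.get("secret")
            }
            values = execution.get("parameters") or {}
            for name in secret_names.intersection(values):
                values[name] = "*******"
        # Write the masked copy back and keep returning the response object.
        rule_enforcement_apis.json = enforcements
        return rule_enforcement_apis
```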
@@ -84,6 +101,23 @@ def get_one(self, id, requester_user): rule_enforcement_api = self._append_view_properties( [rule_enforcement_api.__json__()] )[0] + input_string = str(rule_enforcement_api) + input_string = input_string.replace('**', '') + input_string = input_string.replace('TriggerInstanceAPI(', '') + input_string = input_string.replace('ActionExecutionAPI(', '') + input_string = input_string.replace('})', '}') + # Konvertiere den String in ein Python-Dictionary + data_dict = eval(input_string) + + rule_enforcement_api = data_dict + secret_parameter = [] + for parameter in rule_enforcement_api['execution']['action']['parameters']: + if "secret" in str(rule_enforcement_api['execution']['action']['parameters'][parameter]): + if rule_enforcement_api['execution']['action']['parameters'][parameter]['secret']: + secret_parameter.append(parameter) + for secret in rule_enforcement_api['execution']['parameters']: + if secret in str(secret_parameter): + rule_enforcement_api['execution']['parameters'][secret] = "*******" return rule_enforcement_api def _append_view_properties(self, rule_enforcement_apis): @@ -93,8 +127,9 @@ def _append_view_properties(self, rule_enforcement_apis): """ trigger_instance_ids = set([]) execution_ids = [] - + counter = 0 for rule_enforcement_api in rule_enforcement_apis: + counter = counter + 1 if rule_enforcement_api.get("trigger_instance_id", None): trigger_instance_ids.add( str(rule_enforcement_api["trigger_instance_id"]) @@ -118,14 +153,12 @@ def _append_view_properties(self, rule_enforcement_apis): execution_dbs = ActionExecution.query( id__in=execution_ids, only_fields=only_fields ) - execution_dbs_by_id = {} for execution_db in execution_dbs: execution_dbs_by_id[str(execution_db.id)] = execution_db # 2. Retrieve corresponding trigger instance objects trigger_instance_dbs = TriggerInstance.query(id__in=list(trigger_instance_ids)) - trigger_instance_dbs_by_id = {} for trigger_instance_db in trigger_instance_dbs: 
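Review bot: The four `replace` calls in get_one run over the repr of the whole enforcement, so they rewrite data as well as wrappers: any trigger payload or parameter value containing `**` or `})` is returned altered, and a value whose repr is not a plain literal would make the following `eval` raise. The masking loop then indexes `rule_enforcement_api['execution']['action']['parameters']` with no guard, whereas get_all at least checks for `"parameters"`, so an enforcement with no execution attached would presumably fail with a KeyError instead of being returned. Converting the nested API objects through their own serializer rather than through text would avoid the first problem (the hunk already calls `rule_enforcement_api.__json__()` on the outer object; whether the nested ones offer the same needs confirming). Reading with `execution = rule_enforcement_api.get("execution") or {}` before masking avoids the second. get_one's body starts outside the hunk.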
From 3a701c0a0a1f35ef5f95c1df22d91de4970c096c Mon Sep 17 00:00:00 2001 From: Philipp Homberger Date: Mon, 25 Mar 2024 08:08:59 +0100 Subject: [PATCH 2/6] Update rule_enforcement_views.py --- st2api/st2api/controllers/v1/rule_enforcement_views.py | 1 - 1 file changed, 1 deletion(-) diff --git a/st2api/st2api/controllers/v1/rule_enforcement_views.py b/st2api/st2api/controllers/v1/rule_enforcement_views.py index 3b9bc3cc4c..3436c84166 100644 --- a/st2api/st2api/controllers/v1/rule_enforcement_views.py +++ b/st2api/st2api/controllers/v1/rule_enforcement_views.py @@ -26,7 +26,6 @@ from st2api.controllers.resource import ResourceController -import json __all__ = ["RuleEnforcementViewController"] From f7363e00a4e05148b9561e1c801a75c417de4127 Mon Sep 17 00:00:00 2001 From: Philipp Homberger Date: Mon, 25 Mar 2024 08:12:12 +0100 Subject: [PATCH 3/6] Update CHANGELOG.rst --- CHANGELOG.rst | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index bb04eb2e92..633780d52f 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -23,6 +23,8 @@ Added Contributed by @cognifloyd * Build of ST2 EL9 packages #6153 Contributed by @amanda11 +* Add Secret Masking to RuleEnforcementApiView Controller. #6170 + Contributed by @philipphomberger 3.8.1 - December 13, 2023 ------------------------- From 813ee04bf3c27d7f3c79e0ab9fb9282f7ec9c435 Mon Sep 17 00:00:00 2001 From: Philipp Homberger Date: Mon, 25 Mar 2024 08:16:18 +0100 Subject: [PATCH 4/6] Update rule_enforcement_views.py --- st2api/st2api/controllers/v1/rule_enforcement_views.py | 1 - 1 file changed, 1 deletion(-) diff --git a/st2api/st2api/controllers/v1/rule_enforcement_views.py b/st2api/st2api/controllers/v1/rule_enforcement_views.py index 3436c84166..d39b6f98a1 100644 --- a/st2api/st2api/controllers/v1/rule_enforcement_views.py +++ b/st2api/st2api/controllers/v1/rule_enforcement_views.py 
@@ -105,7 +105,6 @@ def get_one(self, id, requester_user): input_string = input_string.replace('TriggerInstanceAPI(', '') input_string = input_string.replace('ActionExecutionAPI(', '') input_string = input_string.replace('})', '}') - # Konvertiere den String in ein Python-Dictionary data_dict = eval(input_string) rule_enforcement_api = data_dict From a42fb52559b6cb2e1f27c3c0fd3016e49e786af8 Mon Sep 17 00:00:00 2001 From: Philipp Homberger Date: Mon, 25 Mar 2024 07:50:55 +0000 Subject: [PATCH 5/6] black --- .../controllers/v1/rule_enforcement_views.py | 59 +++++++++++-------- 1 file changed, 36 insertions(+), 23 deletions(-) diff --git a/st2api/st2api/controllers/v1/rule_enforcement_views.py b/st2api/st2api/controllers/v1/rule_enforcement_views.py index d39b6f98a1..0616847a18 100644 --- a/st2api/st2api/controllers/v1/rule_enforcement_views.py +++ b/st2api/st2api/controllers/v1/rule_enforcement_views.py @@ -27,7 +27,6 @@ from st2api.controllers.resource import ResourceController - __all__ = ["RuleEnforcementViewController"] 
@@ -73,20 +72,30 @@ def get_all( rule_enforcement_apis.json ) - rule_enforcement_apis = eval(str(rule_enforcement_apis.json)) + rule_enforcement_apis = eval(str(rule_enforcement_apis.json)) i = 0 for rule_enforcement_api in rule_enforcement_apis: secret_parameter = [] if "parameters" in str(rule_enforcement_apis[i]): - for parameter in rule_enforcement_api['execution']['action']['parameters']: - if "secret" in str(rule_enforcement_api['execution']['action']['parameters'][parameter]): - if rule_enforcement_api['execution']['action']['parameters'][parameter]['secret']: - secret_parameter.append(parameter) - for secret in rule_enforcement_api['execution']['parameters']: - if secret in str(secret_parameter): - rule_enforcement_api['execution']['parameters'][secret] = "*******" - rule_enforcement_apis[i] = rule_enforcement_api - i = i + 1 + for parameter in rule_enforcement_api["execution"]["action"][ + "parameters" + ]: + if "secret" in str( + rule_enforcement_api["execution"]["action"]["parameters"][ + parameter + ] + ): + if rule_enforcement_api["execution"]["action"]["parameters"][ + parameter + ]["secret"]: + secret_parameter.append(parameter) + for secret in rule_enforcement_api["execution"]["parameters"]: + if secret in str(secret_parameter): + rule_enforcement_api["execution"]["parameters"][ + secret + ] = "*******" + rule_enforcement_apis[i] = rule_enforcement_api + i = i + 1 return rule_enforcement_apis def get_one(self, id, requester_user): 
@@ -101,21 +110,25 @@ def get_one(self, id, requester_user): [rule_enforcement_api.__json__()] )[0] input_string = str(rule_enforcement_api) - input_string = input_string.replace('**', '') - input_string = input_string.replace('TriggerInstanceAPI(', '') - input_string = input_string.replace('ActionExecutionAPI(', '') - input_string = input_string.replace('})', '}') + input_string = input_string.replace("**", "") + input_string = input_string.replace("TriggerInstanceAPI(", "") + input_string = input_string.replace("ActionExecutionAPI(", "") + input_string = input_string.replace("})", "}") data_dict = eval(input_string) rule_enforcement_api = data_dict secret_parameter = [] - for parameter in rule_enforcement_api['execution']['action']['parameters']: - if "secret" in str(rule_enforcement_api['execution']['action']['parameters'][parameter]): - if rule_enforcement_api['execution']['action']['parameters'][parameter]['secret']: + for parameter in rule_enforcement_api["execution"]["action"]["parameters"]: + if "secret" in str( + rule_enforcement_api["execution"]["action"]["parameters"][parameter] + ): + if rule_enforcement_api["execution"]["action"]["parameters"][parameter][ + "secret" + ]: secret_parameter.append(parameter) - for secret in rule_enforcement_api['execution']['parameters']: + for secret in rule_enforcement_api["execution"]["parameters"]: if secret in str(secret_parameter): - rule_enforcement_api['execution']['parameters'][secret] = "*******" + rule_enforcement_api["execution"]["parameters"][secret] = "*******" return rule_enforcement_api def _append_view_properties(self, rule_enforcement_apis): 
@@ -160,9 +173,9 @@ def _append_view_properties(self, rule_enforcement_apis): trigger_instance_dbs_by_id = {} for trigger_instance_db in trigger_instance_dbs: - trigger_instance_dbs_by_id[ - str(trigger_instance_db.id) - ] = trigger_instance_db + trigger_instance_dbs_by_id[str(trigger_instance_db.id)] = ( + trigger_instance_db + ) # Ammend rule enforcement objects with additional data for rule_enforcement_api in rule_enforcement_apis: From eecc967598ea093deb156f86331fd668adfbf1f1 Mon Sep 17 00:00:00 2001 From: Philipp Homberger Date: Mon, 25 Mar 2024 08:54:49 +0100 Subject: [PATCH 6/6] Clean UP Stuff from debug --- st2api/st2api/controllers/v1/rule_enforcement_views.py | 2 -- 1 file changed, 2 deletions(-) diff --git a/st2api/st2api/controllers/v1/rule_enforcement_views.py b/st2api/st2api/controllers/v1/rule_enforcement_views.py index 0616847a18..c3bc5b1180 100644 --- a/st2api/st2api/controllers/v1/rule_enforcement_views.py +++ b/st2api/st2api/controllers/v1/rule_enforcement_views.py @@ -138,9 +138,7 @@ def _append_view_properties(self, rule_enforcement_apis): """ trigger_instance_ids = set([]) execution_ids = [] - counter = 0 for rule_enforcement_api in rule_enforcement_apis: - counter = counter + 1 if rule_enforcement_api.get("trigger_instance_id", None): trigger_instance_ids.add( str(rule_enforcement_api["trigger_instance_id"])