feat: handle binary files

For Kerberos we need to support a keytab file which is a binary file and its used for service accounts during authentication with Kerberos. This uses the format: binary_base64 in the field definition to let the UI know that the expected file is supposed to be binary and needs to be sent up as base64 You can create a credential with the following schema Inputs configuration ``` fields: - id: keytab type: string label: Kerberos Keytab file format: binary_base64 secret: true help_text: Please select a Kerberos Keytab file multiline: true ``` Injector Configuration ``` file: template.keytab_file: '{{ keytab }}' ``` No changes are needed to ansible-rulebook it already handles binary files. https://issues.redhat.com/browse/AAP-25518
ansible · Nov 22, 2024 · cc5a0d3 · cc5a0d3
1 parent 7f1fefb
commit cc5a0d3
Show file tree

Hide file tree

Showing 3 changed files with 91 additions and 15 deletions.
diff --git a/src/aap_eda/core/utils/strings.py b/src/aap_eda/core/utils/strings.py
@@ -41,6 +41,21 @@ def _render_string_or_return_value(value: Any, context: Dict) -> Any:
     return value
 
 
+def extract_variables(template_string: str) -> set[str]:
+    env = jinja2.Environment(autoescape=True)
+    ast = env.parse(template_string)
+    variables = set()
+
+    def _extract_variables(node):
+        if isinstance(node, jinja2.nodes.Name):
+            variables.add(node.name)
+        for child in node.iter_child_nodes():
+            _extract_variables(child)
+
+    _extract_variables(ast)
+    return variables
+
+
 def substitute_variables(
     value: Union[str, int, Dict, List], context: Dict
 ) -> Union[str, int, Dict, List]:

diff --git a/src/aap_eda/wsapi/consumers.py b/src/aap_eda/wsapi/consumers.py
@@ -22,7 +22,7 @@
 )
 from aap_eda.core.models.activation import ActivationStatus
 from aap_eda.core.utils.credentials import get_secret_fields
-from aap_eda.core.utils.strings import substitute_variables
+from aap_eda.core.utils.strings import extract_variables, substitute_variables
 from aap_eda.tasks import orchestrator
 
 from .messages import (
@@ -43,6 +43,8 @@
 
 logger = logging.getLogger(__name__)
 
+BINARY_FORMATS = {"binary_base64"}
+
 
 class MessageType(Enum):
     ACTION = "Action"
@@ -143,14 +145,11 @@ async def handle_workers(self, message: WorkerMessage):
             vault_collection = VaultCollection(data=eda_vault_data)
             await self.send(text_data=vault_collection.json())
 
-        templates = await self.get_file_contents_from_credentials(activation)
-        for template, contents in templates.items():
-            data = FileContentMessage(
-                template_key=template,
-                data=base64.b64encode(contents.encode()).decode(),
-                eof=True,
-            )
-            await self.send(text_data=data.json())
+        file_contents = await self.get_file_contents_from_credentials(
+            activation
+        )
+        for file_content in file_contents:
+            await self.send(text_data=file_content.json())
 
         env_var = await self.get_env_vars_from_credentials(activation)
         if env_var:
@@ -498,20 +497,32 @@ def _get_url(self, message: ActionMessage, inputs: dict) -> str:
     @database_sync_to_async
     def get_file_contents_from_credentials(
         self, activation: models.Activation
-    ) -> tp.Optional[dict]:
-        file_templates = {}
+    ) -> tp.Optional[list[FileContentMessage]]:
+        file_template_names = []
+        file_messages = []
         for eda_credential in activation.eda_credentials.all():
             inputs = yaml.safe_load(eda_credential.inputs.get_secret_value())
             injectors = eda_credential.credential_type.injectors
+            binary_fields = []
+            for field in eda_credential.credential_type.inputs.get(
+                "fields", []
+            ):
+                if field.get("format") in BINARY_FORMATS:
+                    binary_fields.append(field["id"])
+
             if "file" in injectors:
                 for template, value in injectors["file"].items():
-                    if template in file_templates:
+                    if template in file_template_names:
                         raise DuplicateFileTemplateKeyError(
                             f"{template} already exists"
                         )
-                    contents = substitute_variables(value, inputs)
-                    file_templates[template] = str(contents)
-        return file_templates
+                    file_template_names.append(template)
+                    file_messages.append(
+                        self.get_file_content_message(
+                            template, binary_fields, value, inputs
+                        )
+                    )
+        return file_messages
 
     @database_sync_to_async
     def get_env_vars_from_credentials(
@@ -575,3 +586,26 @@ def get_vault_password_and_id(
             vault_inputs = yaml.safe_load(vault_inputs.get_secret_value())
             return vault_inputs["vault_password"], vault_inputs["vault_id"]
         return None, None
+
+    @staticmethod
+    def get_file_content_message(
+        template: str, binary_fields: list[str], value: str, inputs: dict
+    ) -> FileContentMessage:
+        binary_file = False
+        for attr in extract_variables(value):
+            if attr in binary_fields:
+                binary_file = True
+
+        contents = str(substitute_variables(value, inputs))
+        if binary_file:
+            return FileContentMessage(
+                template_key=template,
+                data=contents,
+                data_format="binary",
+                eof=True,
+            )
+        return FileContentMessage(
+            template_key=template,
+            data=base64.b64encode(contents.encode()).decode(),
+            eof=True,
+        )
diff --git a/tests/integration/wsapi/test_consumer.py b/tests/integration/wsapi/test_consumer.py
@@ -1183,6 +1183,33 @@ def _create_event(data, uuid):
                 },
             ],
         ),
+        (
+            {
+                "fields": [
+                    {
+                        "id": "keytab",
+                        "label": "KeyTab",
+                        "format": "binary_base64",
+                        "secret": True,
+                    },
+                ]
+            },
+            {
+                "file": {
+                    "template.keytab_file": "{{ keytab }}",
+                },
+            },
+            {
+                "keytab": base64.b64encode(bytes([1, 2, 3, 4, 5])).decode(),
+            },
+            [
+                {
+                    "data": base64.b64encode(bytes([1, 2, 3, 4, 5])).decode(),
+                    "template_key": "template.keytab_file",
+                    "data_format": "binary",
+                },
+            ],
+        ),
     ],
 )
 @pytest.mark.django_db(transaction=True)