Open jschoewe opened 5 years ago
Which ST2 version do you have installed? Could you please share a simple example that can duplicate the issue? Thanks!
St2 version 3.1.0
action/test_workflow.yaml:
---
name: test_workflow
pack: test
description: Test workflow
runner_type: orquesta
entry_point: workflows/test_workflow.yaml
enabled: true
parameters:
  test_param1:
    type: string
    description: "This does not fail if test_param1 does not exist in the kv store"
    default: "{{ st2kv.system.test_param1 }}"
  test_param2:
    type: string
    description: "This fails if test_param2 does not exist in the kv store"
    default: "{{ st2kv.system.test_param2 | decrypt_kv }}"
    secret: true
action/workflows/test_workflow.yaml:
version: 1.0
description: Return the contents of test_param1
input:
  - test_param1
  - test_param2
output:
  - test_output: "{{ ctx().test_output }}"
tasks:
  test_task:
    action: core.noop
    next:
      - when: "{{ succeeded() }}"
        publish:
          - test_output: "{{ ctx().test_param1 }}"
Raising an exception when a non-existing datastore item is passed to decrypt_kv seems to be intentional (cf. https://github.com/StackStorm/st2/pull/4634#issuecomment-483193902).
If you want to handle it transparently as an empty string when a specified item is not registered in the datastore, you can do it as below.
--- test1.yaml 2019-09-15 11:02:10.000000000 +0900
+++ test2.yaml 2019-09-15 11:02:54.000000000 +0900
@@ -1,5 +1,5 @@
action_param:
type: string
- description: "This will fail the action"
- default: "{{ st2kv.system.test_param | decrypt_kv }}"
+ description: "This will not fail the action"
+ default: "{% if st2kv.system.test_param|string %}{{ st2kv.system.test_param | decrypt_kv }}{% endif %}"
secret: true
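Review bot: the `{% if st2kv.system.test_param|string %}` guard on the new `default:` line turns a missing key into an empty secret without any signal, so the description should say that the value is empty when test_param is not in the datastore rather than only "This will not fail the action", and the action itself should treat an empty value as unset. The key name now appears twice on that line, so both references have to be changed together if the key is ever renamed.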
And here is an execution result.
An action file that has a secret parameter with a default value as follows:
action_param:
  type: string
  description: "This will fail the action"
  default: "{{ st2kv.system.test_param | decrypt_kv }}"
  secret: true
will fail with the following message if 'test_param' is not in the kv store:
ERROR: 400 Client Error: Bad Request
MESSAGE: Failed to render parameter "test_param": Referenced datastore item "st2kv.system.test_param" doesn't exist or it contains an empty string
Alternatively, if I pass a value that doesn't exist in the kv store but I don't try to decrypt it, then a blank string gets passed into the action parameter. I would expect an encrypted value to pass a blank string as well instead of failing.
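A way to find the parameters affected by the behaviour described in this thread before they fail at run time, as an added example that is not part of the original issue or of StackStorm: a line-oriented scan of action metadata that reports every `default:` piping a datastore reference through `decrypt_kv` without the `{% if ... %}` guard from the workaround. The function name and the sample text (assembled from the snippets above) are assumptions; it reads the metadata line by line rather than parsing YAML.

```python
import re

# Datastore reference piped through decrypt_kv inside a {{ ... }} expression.
DECRYPT = re.compile(r"\{\{\s*(st2kv\.[\w.]+)\s*\|\s*decrypt_kv\s*\}\}")
# Guard in the style of the workaround: {% if <reference> ... %}
GUARD = re.compile(r"\{%-?\s*if\s+(st2kv\.[\w.]+)")
# An indented key with no value opens a parameter block.
PARAM = re.compile(r"^\s+(\w+):\s*$")
DEFAULT = re.compile(r"^\s+default:\s*(.+)$")


def unguarded_decrypts(metadata_text):
    """Return (line_no, parameter, reference) for each default that decrypts
    a datastore key without first testing, in the same value, that it is set."""
    findings = []
    param = None
    for line_no, line in enumerate(metadata_text.splitlines(), 1):
        match = PARAM.match(line)
        if match:
            param = match.group(1)
            continue
        match = DEFAULT.match(line)
        if not match:
            continue
        value = match.group(1)
        guarded = set(GUARD.findall(value))
        for ref in DECRYPT.findall(value):
            if ref not in guarded:
                findings.append((line_no, param, ref))
    return findings


# Constructed sample: the three parameter styles discussed in the thread.
SAMPLE = '''\
parameters:
  test_param1:
    type: string
    default: "{{ st2kv.system.test_param1 }}"
  test_param2:
    type: string
    default: "{{ st2kv.system.test_param2 | decrypt_kv }}"
    secret: true
  action_param:
    type: string
    default: "{% if st2kv.system.test_param|string %}{{ st2kv.system.test_param | decrypt_kv }}{% endif %}"
    secret: true
'''

if __name__ == "__main__":
    for line_no, param, ref in unguarded_decrypts(SAMPLE):
        print(f"line {line_no}: {param} decrypts {ref} without a guard")
```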