Fix decrypting pack config keys under additionalProperties

[cognifloyd]

The pack config loader uses "secret: true" in a schema to trigger decrypting a key from the datastore. However, it does not look at the schema under additionalProperties, so those properties can't use encrypted keys.

This issue was first documented in StackStorm-Exchange/stackstorm-jira#19 (comment)

This PR fixes that so that the pack config loader handles additionalProperties when defined.

[cognifloyd]

All GHA tests are passing. CircleCI tests are broken due to a pbr+logshipper issue (known based on conversation in slack).

[Kami]

Nice work 👍

I will have a more detailed look later this week.

[cognifloyd]

Weird. I'm patching a v3.2 StackStorm running python2.7 and this delta was insufficient. afaik, the behavior of defaultdict should be the same under python3, so I'm not sure why the unit test is passing. In any case, I will push a commit with the fix momentarily.

[Kami]

If user wants that value in the config to actually be decrypted, they still need to use decrypt_kv Jinja filter, right?

[cognifloyd]

No. Config is automatically decrypted when the schema lists the key as secret: true

[cognifloyd]

See _get_datastore_value_for_expression() in config_loader.py

[Kami]

Thanks for clarification - I was just somewhat confused by the test case aka something didn't add up.

[Kami]

I pushed a fix for this test - 574034f.

That's the part which confused me a bit.

I assumed we don't do decryption because the value which was stored and the one which was retrieved was supposed to be the same (but the KVP model layer doesn't perform any encryption and we need to encrypt the value ourselves when storing it).

[cognifloyd]

Ah! That's why it seemed to be working before, but wasn't. Thanks for the fix!

[Kami]

Overall LGTM, just had some questions / comments on internal implementation details.

[Kami]

Thanks, if that works it should be much more straight forward to understand the code now - well, at least for me :)

[Kami]

And re - using copy - I actually verified, if we didn't use copy with defaultdict version, we also don't need to use it here - it's returning by reference version in both scenarios.

And since I believe we indeed never manipulate those values, only read / access them, copy is probably not needed.

[cognifloyd]

Yes. We modify the config object, but we don't modify (and probably should not modify) the schema itself. So, references are perfect in this case.

[Kami]

Some of those integration tests still seem to be failing quite often due to race / similar, quite annoying.

We should probably modify that job step to try to retry up to 2-3 times on failure to avoid annoying and manual re-run of the complete workflow.

[cognifloyd]

GHA is passing now. Hooray.
Circle failed. Could you restart https://app.circleci.com/pipelines/github/StackStorm/st2/1542/workflows/128ecfa9-04ff-4b05-b410-94541fb12be2/jobs/12968/parallel-runs/2

[cognifloyd]

All tests are green. Quick, let's merge before anything else gets merged into master. :)