Merge pull request #4 from ocraviotto/fix-job-as-app

Fixed metronome task/app parsing
ocraviotto · Aug 3, 2018 · a72e8e5 · a72e8e5
2 parents 05e1b18 + ad95aed
commit a72e8e5
Show file tree

Hide file tree

Showing 2 changed files with 57 additions and 5 deletions.
diff --git a/client_test.go b/client_test.go
@@ -347,8 +347,9 @@ func TestDaemonDecryptionStrategy(t *testing.T) {
 		assert.Equal(t, "Failed to decrypt using daemon (HTTP 400 Error: Failed to decrypt plaintext secret, incorrect config or master key? (Failed to decrypt (incorrect keys?)))", err.Error())
 	}
 
-	// Mesos tests
-	appID, appVersion = "", ""
+	// Mesos tests - appID and appVersion have values that resamble metronome tasks
+	// but we also test with empty appID and appVersion
+	appID, appVersion = "/test-job/20180725075828m0Ezl", "1970-01-01T00:00:00.000Z"
 	taskID = "test-job_20180725075828m0Ezl.83c2ad68-8fe0-11e8-88f5-b2fbd5835ad5"
 	encryptedSecretEnvVarName := "NACL_SECRET"
 	kmsSecretEnvVarName := "KMS_SECRET"
@@ -381,6 +382,23 @@ func TestDaemonDecryptionStrategy(t *testing.T) {
 		assert.Equal(t, "secret", string(plaintext))
 	}
 
+	// Test Mesos decryption with empty appID and appVersion
+	{
+		crypto := newDaemonDecryptionStrategy(daemon.URL,
+			"", "", taskID,
+			pemRead("./resources/test/keys/master-public-key.pem"),
+			deployPrivateKey,
+			pemRead("./resources/test/keys/myservice-private-key.pem"))
+
+		plaintext, err := crypto.Decrypt(encryptedSecret, encryptedSecretEnvVarName)
+		assert.Nil(t, err)
+		assert.Equal(t, "secret", string(plaintext))
+
+		plaintext, err = crypto.Decrypt(kmsSecret, kmsSecretEnvVarName)
+		assert.Nil(t, err)
+		assert.Equal(t, "secret", string(plaintext))
+	}
+
 	// Test Mesos without a service key
 	{
 		crypto := newDaemonDecryptionStrategy(daemon.URL,
@@ -434,4 +452,18 @@ func TestDaemonDecryptionStrategy(t *testing.T) {
 		assert.Nil(t, plaintext)
 	}
 
+	// Test Mesos with bad app Version
+	{
+		crypto := newDaemonDecryptionStrategy(daemon.URL,
+			appID, "whatever", taskNonExistingID,
+			pemRead("./resources/test/keys/master-public-key.pem"),
+			deployPrivateKey,
+			pemRead("./resources/test/keys/myservice-private-key.pem"))
+
+		plaintext, err := crypto.Decrypt(encryptedSecret, encryptedSecretEnvVarName)
+		assert.NotNil(t, err)
+		assert.Nil(t, plaintext)
+		assert.Equal(t, "Failed to decrypt using daemon (HTTP 422 Error: Expected appVersion in valid RFC 3339. Wrong format given)", err.Error())
+	}
+
 }
diff --git a/daemon.go b/daemon.go
@@ -9,6 +9,8 @@ import (
 	"strings"
 )
 
+const unixTimeRFC3339Str string = "1970-01-01T00:00:00.000Z"
+
 // DaemonRequest is the request expected by the /v1/decrypt endpoint
 // RequestedSecret is the Secret encrypted with master key
 // Key is an optional Name (Enva Var key) of RequestedSecret
@@ -158,15 +160,33 @@ func decryptEndpointHandler(marathonURL, mesosLeaderURL string, masterKey *[32]b
 
 		var at *AppOrTask
 
-		if appID != "" && taskID != "" && appVersion != "" && serviceEnvelope != "" {
+		// Jobs use marathon under the hood, so the client will collect the same MARATHON_ variables
+		// We will need to distinguish by checking whether appVersion has a time string content
+		// and if it does, whether it is unix time
+		itIsAppVersion := false
+		if appVersion != "" {
+			unixTimeRFC3339, _ := strToTimeRFC3339(unixTimeRFC3339Str)
+			appVersionTimeRFC3339, errav := strToTimeRFC3339(appVersion)
+			if errav != nil {
+				log.Printf("App Version for taskID %s came in the wrong format, unable to parse it as time RFC3339. It was: %s", taskID, errav)
+				errorResponse(w, r, "Expected appVersion in valid RFC 3339. Wrong format given", http.StatusUnprocessableEntity)
+				return
+			} else if !unixTimeRFC3339.Equal(appVersionTimeRFC3339) {
+				itIsAppVersion = true
+			} else {
+				log.Printf("App Version for taskID %s is a unix timestamp", taskID)
+			}
+		}
+
+		if appID != "" && taskID != "" && itIsAppVersion && serviceEnvelope != "" {
 			log.Printf("Using marathon at %s for appID %s", marathonURL, appID)
 			at, err = getMarathonApp(marathonURL, appID, appVersion, taskID)
 			if err != nil {
 				errorResponse(w, r, err, http.StatusInternalServerError)
 				return
 			}
 
-		} else if taskID != "" && serviceEnvelope != "" {
+		} else if taskID != "" && serviceEnvelope != "" && !itIsAppVersion {
 			log.Printf("Using mesos at %s for task with ID %s", mesosLeaderURL, taskID)
 			at, err = getMesosTasks(mesosLeaderURL, taskID)
 			if err != nil {
@@ -175,7 +195,7 @@ func decryptEndpointHandler(marathonURL, mesosLeaderURL string, masterKey *[32]b
 			}
 
 		} else {
-			errorResponse(w, r, errors.New("Expected parameters {appid, appversion, taskid, envelope} missing"), http.StatusBadRequest)
+			errorResponse(w, r, errors.New("Expected parameters, one of {appid, appversion, taskid, envelope} missing"), http.StatusBadRequest)
 			return
 		}