Per-bucket settings are exposed as collections
glasserc opened this issue
Ethan Glasser-Camp commented
The README says:
Settings can be prefixed with bucket id:
.. code-block:: ini

    kinto.signer.signer_backend = kinto_signer.signer.autograph
    kinto.signer.autograph.server_url = http://172.11.20.1:8888
    kinto.signer.<bucket-id>.autograph.hawk_id = bob
    kinto.signer.<bucket-id>.autograph.hawk_secret = a-secret

But if you do this, you end up with a setting like kinto.signer.sb2.ecdsa.public_key = /path/to/key, which kinto-signer understands to mean "a public_key setting for the collection sb2/ecdsa", which is probably not what was intended.
Example test:

    def test_includeme_sanitizes_exposed_settings(self):
        settings = {
            "signer.resources": (
                "/buckets/sb1 -> /buckets/db1\n"
                "/buckets/sb2 -> /buckets/db2\n"
            ),
            "signer.signer_backend": "kinto_signer.signer.local_ecdsa",
            "signer.ecdsa.public_key": "/path/to/key",
            "signer.ecdsa.private_key": "/path/to/private",
            "signer.sb2.signer_backend": "kinto_signer.signer.local_ecdsa",
            "signer.sb2.ecdsa.public_key": "/path/to/key",
            "signer.sb2.ecdsa.private_key": "/path/to/private",
        }
        config = self.includeme(settings)
        all_capabilities = config.registry.api_capabilities
        capabilities = all_capabilities["signer"]
        # The bucket-wide sb2 settings must not show up as a collection "sb2/ecdsa".
        for resource in capabilities["resources"]:
            assert resource["source"]["collection"] != "ecdsa"
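
A minimal model of the ambiguity described in this issue, as an added example that is not part of the original comment and is not kinto-signer's code. It assumes collection-specific settings are discovered by matching `signer.<bucket>.<collection>.<setting>`; the function names, the `KNOWN_SETTINGS` list and the `certs` collection are hypothetical.

```python
import re

# Setting names that may follow a scope prefix. Assumed list, built from the
# keys shown on this page; several contain a dot themselves.
KNOWN_SETTINGS = {
    "signer_backend",
    "ecdsa.public_key", "ecdsa.private_key",
    "autograph.server_url", "autograph.hawk_id", "autograph.hawk_secret",
}

# Constructed sample: bucket-wide ECDSA keys for sb2, plus one setting that
# really is collection-specific (hypothetical collection "certs").
SAMPLE = {
    "signer.signer_backend": "kinto_signer.signer.local_ecdsa",
    "signer.ecdsa.public_key": "/path/to/key",
    "signer.sb2.signer_backend": "kinto_signer.signer.local_ecdsa",
    "signer.sb2.ecdsa.public_key": "/path/to/key",
    "signer.sb2.ecdsa.private_key": "/path/to/private",
    "signer.sb2.certs.ecdsa.public_key": "/path/to/certs-key",
}


def collections_naive(settings, bucket):
    """Read every signer.<bucket>.<x>.<rest> key as a setting of collection <x>."""
    pattern = re.compile(r"^signer\.%s\.([^.]+)\.(.+)$" % re.escape(bucket))
    return {m.group(1) for m in map(pattern.match, settings) if m}


def collections_strict(settings, bucket):
    """Only report <x> when what follows it is a known setting name."""
    prefix = "signer.%s." % bucket
    found = set()
    for key in settings:
        if not key.startswith(prefix):
            continue
        rest = key[len(prefix):]
        if rest in KNOWN_SETTINGS:
            continue  # bucket-wide setting with a dotted name, e.g. ecdsa.public_key
        cid, _, name = rest.partition(".")
        if name in KNOWN_SETTINGS:
            found.add(cid)
    return found


if __name__ == "__main__":
    print(sorted(collections_naive(SAMPLE, "sb2")))
    print(sorted(collections_strict(SAMPLE, "sb2")))
```

The naive scan reports a collection named `ecdsa` for bucket `sb2`, which is the resource the test above asserts must not appear; the strict scan reports only `certs`.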