remove obscure functionality (#819)

* remove obscure functionality * changelog
ethyca · Jul 28, 2022 · 2929353 · 2929353
1 parent 6b9c748
commit 2929353
Show file tree

Hide file tree

Showing 7 changed files with 17 additions and 78 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -37,6 +37,9 @@ The types of changes are:
 * Datasets without the `third_country_transfer` will not cause the editing dataset form to not render.
 * Fixed a build issue causing an `unknown` version of `fidesctl` to be installed in published Docker images [#836](https://github.com/ethyca/fides/pull/836)
 
+### Changed
+* Remove the `obscure` requirement from the `generate` endpoint [#819](https://github.com/ethyca/fides/pull/819)
+
 ## [1.7.0](https://github.com/ethyca/fides/compare/1.6.1...1.7.0) - 2022-06-23
 
 ### Added

diff --git a/src/fidesapi/routes/generate.py b/src/fidesapi/routes/generate.py
@@ -10,11 +10,7 @@
 from pydantic import BaseModel, root_validator
 
 from fidesapi.routes.crud import get_resource
-from fidesapi.routes.util import (
-    API_PREFIX,
-    route_requires_aws_connector,
-    unobscure_aws_config,
-)
+from fidesapi.routes.util import API_PREFIX, route_requires_aws_connector
 from fidesapi.sql_models import sql_model_map
 from fidesctl.connectors.models import (
     AWSConfig,
@@ -114,9 +110,6 @@ async def generate(
     * Okta: Systems
     * Snowflake: Datasets
 
-    All config secrets should be encoded as a minor security precaution, using the
-    `obscure_string` function in `fidesapi.routes.util`
-
     All production deployments should implement HTTPS for security purposes
     """
     organization = await get_resource(
@@ -138,11 +131,10 @@ def generate_aws(
     Returns a list of Systems found in AWS.
     """
     log.info("Setting config for AWS")
-    unobscured_config = unobscure_aws_config(aws_config=aws_config)
     try:
         log.info("Generating systems from AWS")
         aws_systems = generate_aws_systems(
-            organization=organization, aws_config=unobscured_config
+            organization=organization, aws_config=aws_config
         )
     except ConnectorAuthFailureException as error:
         raise HTTPException(

diff --git a/src/fidesapi/routes/util.py b/src/fidesapi/routes/util.py
@@ -1,13 +1,9 @@
-import zlib
-from base64 import urlsafe_b64decode as b64d
-from base64 import urlsafe_b64encode as b64e
 from functools import update_wrapper
 from pathlib import Path
 from typing import Any, Callable
 
 from fastapi import APIRouter, HTTPException, status
 
-from fidesctl.connectors.models import AWSConfig, OktaConfig
 from fidesctl.core.utils import API_PREFIX as _API_PREFIX
 
 API_PREFIX = _API_PREFIX
@@ -27,41 +23,6 @@ def get_resource_type(router: APIRouter) -> str:
     return router.prefix.replace(f"{API_PREFIX}/", "", 1)
 
 
-def obscure_string(plaintext: str) -> str:
-    "obscures a string as a minor security measure"
-
-    return b64e(zlib.compress(plaintext.encode())).decode()
-
-
-def unobscure_string(obscured: str) -> str:
-    "unobscures a string as a minor security measure"
-    return zlib.decompress(b64d(obscured.encode())).decode()
-
-
-def unobscure_aws_config(aws_config: AWSConfig) -> AWSConfig:
-    """
-    Given an aws config unobscures the access key id and
-    access key using the unobscure_string function.
-    """
-    unobscured_config = AWSConfig(
-        region_name=aws_config.region_name,
-        aws_access_key_id=unobscure_string(aws_config.aws_access_key_id),
-        aws_secret_access_key=unobscure_string(aws_config.aws_secret_access_key),
-    )
-    return unobscured_config
-
-
-def unobscure_okta_config(okta_config: OktaConfig) -> OktaConfig:
-    """
-    Given an okta config unobscures the token using the
-    unobscure_string function.
-    """
-    unobscured_config = OktaConfig(
-        orgUrl=okta_config.orgUrl, token=unobscure_string(okta_config.token)
-    )
-    return unobscured_config
-
-
 def route_requires_aws_connector(func: Callable) -> Callable:
     """
     Function decorator raises a bad request http exception if

diff --git a/src/fidesapi/routes/validate.py b/src/fidesapi/routes/validate.py
@@ -11,8 +11,6 @@
     API_PREFIX,
     route_requires_aws_connector,
     route_requires_okta_connector,
-    unobscure_aws_config,
-    unobscure_okta_config,
 )
 from fidesctl.connectors.models import (
     AWSConfig,
@@ -104,8 +102,7 @@ async def validate_aws(aws_config: AWSConfig) -> None:
     """
     import fidesctl.connectors.aws as aws_connector
 
-    unobscured_config = unobscure_aws_config(aws_config=aws_config)
-    aws_connector.validate_credentials(aws_config=unobscured_config)
+    aws_connector.validate_credentials(aws_config=aws_config)
 
 
 @route_requires_okta_connector
@@ -116,5 +113,4 @@ async def validate_okta(okta_config: OktaConfig) -> None:
     """
     import fidesctl.connectors.okta as okta_connector
 
-    unobscured_config = unobscure_okta_config(okta_config=okta_config)
-    await okta_connector.validate_credentials(okta_config=unobscured_config)
+    await okta_connector.validate_credentials(okta_config=okta_config)
diff --git a/tests/api/test_generate.py b/tests/api/test_generate.py
@@ -6,14 +6,14 @@
 from starlette.testclient import TestClient
 
 from fidesapi.routes.generate import GenerateResponse
-from fidesapi.routes.util import API_PREFIX, obscure_string
+from fidesapi.routes.util import API_PREFIX
 from fidesctl.core.config import FidesctlConfig
 
 EXTERNAL_CONFIG_BODY = {
     "aws": {
         "region_name": getenv("AWS_DEFAULT_REGION", ""),
-        "aws_access_key_id": obscure_string(getenv("AWS_ACCESS_KEY_ID", "")),
-        "aws_secret_access_key": obscure_string(getenv("AWS_SECRET_ACCESS_KEY", "")),
+        "aws_access_key_id": getenv("AWS_ACCESS_KEY_ID", ""),
+        "aws_secret_access_key": getenv("AWS_SECRET_ACCESS_KEY", ""),
     }
 }
 

diff --git a/tests/api/test_util.py b/tests/api/test_util.py
diff --git a/tests/api/test_validate.py b/tests/api/test_validate.py
@@ -5,19 +5,19 @@
 import pytest
 from starlette.testclient import TestClient
 
-from fidesapi.routes.util import API_PREFIX, obscure_string
+from fidesapi.routes.util import API_PREFIX
 from fidesapi.routes.validate import ValidateResponse
 from fidesctl.core.config import FidesctlConfig
 
 EXTERNAL_CONFIG_BODY = {
     "aws": {
         "region_name": getenv("AWS_DEFAULT_REGION", ""),
-        "aws_access_key_id": obscure_string(getenv("AWS_ACCESS_KEY_ID", "")),
-        "aws_secret_access_key": obscure_string(getenv("AWS_SECRET_ACCESS_KEY", "")),
+        "aws_access_key_id": getenv("AWS_ACCESS_KEY_ID", ""),
+        "aws_secret_access_key": getenv("AWS_SECRET_ACCESS_KEY", ""),
     },
     "okta": {
         "orgUrl": "https://dev-78908748.okta.com",
-        "token": obscure_string(getenv("OKTA_CLIENT_TOKEN", "")),
+        "token": getenv("OKTA_CLIENT_TOKEN", ""),
     },
 }
 
@@ -50,12 +50,12 @@ def test_validate_success(
 EXTERNAL_FAILURE_CONFIG_BODY = {
     "aws": {
         "region_name": getenv("AWS_DEFAULT_REGION", ""),
-        "aws_access_key_id": obscure_string("ILLEGAL_ACCESS_KEY_ID"),
-        "aws_secret_access_key": obscure_string("ILLEGAL_SECRET_ACCESS_KEY_ID"),
+        "aws_access_key_id": "ILLEGAL_ACCESS_KEY_ID",
+        "aws_secret_access_key": "ILLEGAL_SECRET_ACCESS_KEY_ID",
     },
     "okta": {
         "orgUrl": "https://dev-78908748.okta.com",
-        "token": obscure_string("INVALID_TOKEN"),
+        "token": "INVALID_TOKEN",
     },
 }