From ab92c11f86def0158b5abc7d9d9636f884e7d2ad Mon Sep 17 00:00:00 2001
From: Andrew Burnes
Date: Thu, 13 Jun 2024 14:33:26 -0700
Subject: [PATCH] fix: Decrypt predefined keys in build params
---
 src/main.py | 25 +++++++++++++++++++++----
 1 file changed, 21 insertions(+), 4 deletions(-)
diff --git a/src/main.py b/src/main.py
index dd177c6..a525817 100644
--- a/src/main.py
+++ b/src/main.py
@@ -8,6 +8,15 @@ from crypto.decrypt import decrypt
+KEYS_TO_DECRYPT = [
+ 'STATUS_CALLBACK',
+ 'GITHUB_TOKEN',
+ 'AWS_ACCESS_KEY_ID',
+ 'AWS_SECRET_ACCESS_KEY',
+ 'BUCKET',
+]
+
+
 def load_vcap():
 vcap_application = json.loads(os.getenv('VCAP_APPLICATION', '{}'))
 vcap_services = json.loads(os.getenv('VCAP_SERVICES', '{}'))
@@ -25,7 +34,13 @@ def load_vcap():
 os.environ[uev_env_var] = uev_ups['credentials']['key']
-def decrypt_params(encrypted):
+def decrypt_key_value(k, v, encryption_key):
+ if k in KEYS_TO_DECRYPT:
+ return decrypt(v, encryption_key)
+ return v
+
+
+def decrypt_params(params):
 vcap_application = json.loads(os.getenv('VCAP_APPLICATION', '{}'))
 vcap_services = json.loads(os.getenv('VCAP_SERVICES', '{}'))
@@ -38,7 +53,9 @@ def decrypt_params(encrypted):
 encryption_key = encryption_ups['credentials']['key']
- return decrypt(args.params, encryption_key)
+ params = {k: decrypt_key_value(k, v, encryption_key) for (k, v) in params.items()}
+
+ return params
 if __name__ == "__main__":
@@ -53,8 +70,8 @@ def decrypt_params(encrypted):
 args = parser.parse_args()
 if args.params:
- decrypted = decrypt_params(args.params)
- params = json.loads(decrypted)
+ params = json.loads(args.params)
+ params = decrypt_params(params)
 else:
 params = json.load(args.file)
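Review bot: `KEYS_TO_DECRYPT` has no comment saying it must match the set of fields the sender encrypts, and it is a mutable list used only for membership tests. A key the sender encrypts but this list omits would pass through `decrypt_params` still as ciphertext and only fail later, wherever the value is used. I would make it a `frozenset` of the same five names and put `# Build-param keys whose values arrive encrypted; keep in sync with the component that encrypts them.` above it. The encrypting side is not visible in this patch, so the sync requirement is inferred.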
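Review bot: In `decrypt_key_value` the ciphertext is decrypted without reference to the key it is stored under, so a value encrypted for one listed field (say `BUCKET`) would decrypt just as well under another (say `STATUS_CALLBACK`). Whether that matters depends on who can edit the params between encryption and this process, and on what `decrypt` does; neither is visible here. If `decrypt` can take associated data, binding `k` to the ciphertext would close the gap. Otherwise the fallback is to validate each decrypted value against what its field expects. The function also needs a docstring, e.g. `"""Return v decrypted if k is in KEYS_TO_DECRYPT, otherwise v unchanged."""`.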
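Review bot: `decrypt_params` now protects only the values named in `KEYS_TO_DECRYPT`, whereas the removed line passed the whole `args.params` blob through `decrypt`. Every other field is therefore read as plaintext and is not covered by whatever integrity check `decrypt` performs. That trade-off should be stated in a docstring on `decrypt_params`, saying that unlisted values are returned as received and must be treated as unauthenticated. As a style point, the comprehension rebinds the `params` argument; `return {k: decrypt_key_value(k, v, encryption_key) for k, v in params.items()}` is clearer. The function body starts above this hunk.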
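Review bot: The result of `json.loads(args.params)` goes straight into `decrypt_params`, which calls `.items()`, so a params argument that is valid JSON but not an object (a list, string or number) ends in an `AttributeError` rather than a usage error. A guard after the parse, `if not isinstance(params, dict): parser.error('params must be a JSON object')`, would fail cleanly, assuming `parser` is an `argparse.ArgumentParser`, which the hunk suggests but does not show. The `else` branch still skips `decrypt_params`, so encrypted values in a params file would be used as-is; if that is intended, a comment on the `else` should say so. The `if __name__` block starts and ends outside this hunk.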