Re-run execution with secret parameters from UI is broken
See https://github.com/StackStorm/st2/issues/3339
This bug has reappeared.
Successfully reproduced. The st2 CLI does not have this issue.
The current st2web sends off the following (non-working) request:
POST https://<st2>/api/v1/executions/5defde39d436291ed48d7954/re_run?no_merge=true
Query string: no_merge=true
Request headers:
Host: <st2>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
x-auth-token: <redacted>
Content-Length: 133
Origin: https://<st2>
DNT: 1
Connection: keep-alive
Referer: https://<st2>/
Cookie: auth-token=<redacted>
Pragma: no-cache
Cache-Control: no-cache
Request body (expanded and formatted):
{
  "parameters": {
    "can_client_connect": false,
    "host": "<redacted>",
    "rf_domain": "<redacted>",
    "username": "admin",
    "password": "********" // <-- literal asterisks
  }
}
I was able to tweak this request in the browser to successfully re-run the same execution, using a request body similar to the one the CLI sends:
POST https://<st2>/api/v1/executions/5defde39d436291ed48d7954/re_run
No query string
Request headers:
Host: <st2>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
x-auth-token: <redacted>
Content-Length: 56
Origin: https://<st2>
DNT: 1
Connection: keep-alive
Referer: https://<st2>/
Cookie: auth-token=<redacted>
Pragma: no-cache
Cache-Control: no-cache
Request body (expanded and formatted):
{
  "parameters": {}, // <-- empty object
  "tasks": [],
  "reset": [],
  "delay": 0
}
I was able to come up with a workaround. In the rerun dialog, you simply make the secret parameter blank. When the execution is requested, the secret parameter is left out of the parameters object and execution proceeds as normal.
So a short-term fix might be to remove secret parameters from the parameters object submitted to the re-run request. A side effect would be that users could not change the value of secret parameters during execution re-run requests.
A proper long-term fix should be to track changed fields in the re-run dialog, and if fields are marked secret and their values are unchanged, then the keys should be removed from the parameters submitted to the re-run request.
POST https://<st2>/api/v1/executions/5defde39d436291ed48d7954/re_run
Query string: no_merge=true
Request headers:
Host: <st2>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
x-auth-token: <redacted>
Content-Length: 111
Origin: https://<st2>
DNT: 1
Connection: keep-alive
Referer: https://<st2>/
Cookie: auth-token=<redacted>
Pragma: no-cache
Cache-Control: no-cache
Request body (expanded and formatted):
{
  "parameters": {
    "can_client_connect": false,
    "host": "<redacted>",
    "rf_domain": "<redacted>",
    "username": "admin"
  }
  // ^ missing "password"
}
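The long-term fix proposed above (drop secret fields whose values were not changed in the re-run dialog), sketched as an added example. This is not st2web code: `RerunForm`, its methods and the sample values are hypothetical, and it assumes the dialog is pre-filled from the original execution with secret values already replaced by the mask.

```javascript
// Added example: hypothetical helper, not st2web code.
// Assumption: the form is initialised from the original execution, in which
// the API has already replaced secret values with the mask shown in the
// failing request body.
const MASK = '********';

class RerunForm {
  // schema:   { paramName: { secret?: boolean } } (action parameter definitions)
  // original: parameters of the original execution, secrets already masked
  constructor(schema, original) {
    this.schema = schema;
    this.initial = { ...original };
    this.values = { ...original };
  }

  // Called from a field's change handler.
  set(name, value) {
    this.values[name] = value;
  }

  // A field counts as changed only if it differs from what the dialog was
  // opened with, so editing a value and reverting it is not a change.
  changed(name) {
    return this.values[name] !== this.initial[name];
  }

  // Build the "parameters" object for POST .../re_run.
  toParameters() {
    const out = {};
    for (const [name, value] of Object.entries(this.values)) {
      const secret = Boolean((this.schema[name] || {}).secret);
      // Blank fields are left out, as in the workaround described above.
      if (value === '' || value === null || value === undefined) continue;
      // Unchanged secret: the form only holds the mask, so drop the key
      // rather than submit the mask as if it were the real value.
      if (secret && !this.changed(name)) continue;
      out[name] = value;
    }
    return out;
  }
}

// Constructed sample using the parameter names from the requests above.
const schema = { can_client_connect: {}, host: {}, username: {}, password: { secret: true } };
const original = { can_client_connect: false, host: 'ap.example.test', username: 'admin', password: MASK };

const form = new RerunForm(schema, original);
form.set('host', 'ap2.example.test');
console.log(form.toParameters()); // no "password" key; false is preserved
```

Because a change is detected by comparing against the initial masked value, a user who wants to set a secret to the literal mask string cannot do so through this form.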