PRD Hashicorp Vault Integration (#280)

Author: vitalie

lib/travis/scheduler/serialize/worker/config/decrypt.rb

@@ -9,12 +9,18 @@ def apply
                 config[key] = process_env(config[key]) if config[key]
               end
 
+              force_vault_to_be_secure!(config)
+              config[:vault] = decryptor.decrypt(config[:vault]) if config[:vault]
               config[:addons] = decryptor.decrypt(config[:addons]) if config[:addons]
               config
             end
 
             private
 
+              def force_vault_to_be_secure!(config)
+                config[:vault].delete(:token) if config.dig(:vault, :token).is_a?(String)
+              end
+
               def secure_env?
                 !!options[:secure_env]
               end

spec/travis/scheduler/serialize/worker/config_spec.rb

@@ -71,6 +71,16 @@ def encrypt(string)
       let(:env)    { [{ FOO: 'foo', BAR: 'bar' }, encrypt('BAZ=baz')] }
       it { should eql env: ['FOO=foo', 'BAR=bar', 'SECURE BAZ=baz'], global_env: ['FOO=foo', 'BAR=bar', 'SECURE BAZ=baz'] }
     end
+
+    describe 'decrypts vault secure token' do
+      let(:config) { { vault: { token: { secure: encrypt('my_key') } } } }
+      it { should eql vault: {token: 'my_key'} }
+    end
+
+    describe 'clears vault unsecure token' do
+      let(:config) { { vault: { token:  'my_key' } }  }
+      it { should eql vault: {} }
+    end
   end
 
   describe 'with secure env disabled' do