Handle initially missing secrets

e839ada6 · Charles Daniels · 430c8dc9 · e839ada6
Commit e839ada6 authored 2 months ago by Charles Daniels
--- a/notebooks/set-secrets.ipynb
+++ b/notebooks/set-secrets.ipynb
@@ -81,7 +81,7 @@
    "    from getpass import getpass\n",
    "    from IPython.display import clear_output\n",
    "\n",
-    "    masked_value = mask(value) if sensitive else value\n",
+    "    masked_value = mask(value) if value and sensitive else value\n",
    "    get_user_input = getpass if sensitive else input\n",
    "\n",
    "    try:\n",
@@ -196,7 +196,7 @@
    ")\n",
    "set_secret_interactively(\n",
    "    maap, prompt=\"Earthdata Login password\", name=\"EARTHDATA_PASSWORD\"\n",
-    ")"
+    ");"
   ]
  }
 ],

 %% Cell type:markdown id:331918b2-c03c-4d14-9737-d65b94ed7e73 tags:
 # Add MAAP Secrets for Earthdata Login Credentials
 Earthdata Login credentials are required for downloading files from NASA DAACs.  In order for a DPS job to be able to use such credentials in a safe manner, it looks for them in the MAAP Secrets store.  Therefore, you must add the necessary secrets before a DPS job that requires them is submitted, otherwise the job will fail due to the missing secrets.
 %% Cell type:code id:cbdb9c92-6219-4d58-b9f4-206ee507ce51 tags:
 ``` python
 from maap.maap import MAAP
 ```
 %% Cell type:code id:e2f0c041-646c-47e3-9c9f-4937ed9f7907 tags:
 ``` python
 def mask(value: str, *, show_last: int = 4) -> str:
    """Mask a value.
    Parameters
    ----------
    value:
        Value to mask.
    show_last:
        Number of trailing characters to leave unmasked.
    Returns
    -------
    Masked value, where all but `show_last` characters of the specified value are
    replaced with an asterisk (`*`).  If necessary, the value is further left-padded
    with asterisks to ensure there are at least as many asterisks as there are
    unmasked trailing characters.
    """
    # Make sure the returned value contains at least the same number of masked
    # characters as unmasked characters for a bit of added "security."
    n_masked = max(len(value), 2 * show_last) - show_last
    return f"{'*' * n_masked}{value[-show_last:]}"
 def prompt_user(
    prompt: str,
    *,
    value: str | None = None,
    sensitive: bool = True,
 ) -> str | None:
    """Prompt user for a possibly sensitive input value.
    Parameters
    ----------
    prompt:
        Human-readable prompt to present to the user, which is combined with `value`
        when prompting the user.
    value:
        Current value (if any) of what to prompt the user for, which is combined with
        `prompt` when prompting the user, and masked, if `senstive` is `True`.
    sensitive:
        If `True`, mask the current value (if any) when prompting the user, and also
        avoid echoing user input.  Otherwise, the current value is left unmasked and
        user input is echoed.
    Returns
    -------
    Value entered by the user at the prompt, or `None` if either the user pressed the
    Return or Enter key without supplying any input, or a KeyboardInterrupt occurred.
    """
    from getpass import getpass
    from IPython.display import clear_output
-    masked_value = mask(value) if sensitive else value
+    masked_value = mask(value) if value and sensitive else value
    get_user_input = getpass if sensitive else input
    try:
        return get_user_input(f"{prompt} [{masked_value}]:") or None
    except KeyboardInterrupt:
        clear_output()  # Remove prompt from cell output
        raise
 def get_secret(maap: MAAP, name: str) -> str | None:
    """Get the value of a MAAP secret, or `None` if the secret does not exist.
    Parameters
    ----------
    maap:
        MAAP instance to use for secrets management.
    name:
        Name of the secret to get the value of.
    Returns
    -------
    Value of the secret, if it exists; otherwise `None`.
    """
    # Calling maap.secrets.get_secret returns the value of the requested secret, if it
    # exists, but oddly returns an object with an error code if it does not exist,
    # rather than simply (and conveniently) returning `None`.
    return value if isinstance(value := maap.secrets.get_secret(name), str) else None
 def set_secret_interactively(
    maap: MAAP,
    *,
    prompt: str,
    name: str,
    sensitive: bool = True,
 ) -> str | None:
    """Set the value of a secret by prompting the user for a value.
    If the secret already exists, the user prompt will include the existing value,
    which will be masked if `sensitive` is `True` (showing only the last 4
    characters of the value).
    If an empty input is provided (i.e., either the Enter or Return key is pressed at
    the prompt, without any other input, or a KeyboardInterrupt occurs), the secret is
    not set and `None` is returned.  Otherwise, the secret is set to the user-supplied
    value and that value is returned.
    Parameters
    ----------
    maap:
        MAAP instance to use for secrets management.
    prompt:
        Human-readable prompt to display to user when prompting for input.
    name:
        Name of the secret.
    sensitive:
        If `True`, the prompt will mask the current secret value, if there is one.
        Further, user input will not be echoed.  Otherwise, the prompt will show the
        full secret value, if there is one, and user input will be echoed.
    Returns
    -------
    User-supplied input provided at the prompt, or `None` if the Enter or Return key
    was pressed without input.
    """
    if (value := prompt_user(prompt, value=get_secret(maap, name), sensitive=sensitive)):
        maap.secrets.add_secret(name, value)
        masked_value = mask(value) if sensitive else value
        print(f"The secret {name} was set to {masked_value}.")
        return value
    print(f"The value for secret {name} was left unchanged.")
 ```
 %% Cell type:markdown id:97611ae6-837e-4021-9e4e-bee447749d5e tags:
 ## Create MAAP Instance for Managing Secrets
 %% Cell type:code id:10612951-3392-4e32-983e-6e9a85c8c938 tags:
 ``` python
 maap = MAAP()
 ```
 %% Cell type:markdown id:98d52db0-7187-4aa3-a24a-7f3cbfce63c5 tags:
 ## Store Earthdata Login Credentials as MAAP Secrets
 %% Cell type:code id:986a47cb-0586-4f62-827b-6df6fcb609d4 tags:
 ``` python
 set_secret_interactively(
    maap, prompt="Earthdata Login username", name="EARTHDATA_USERNAME", sensitive=False
 )
 set_secret_interactively(
    maap, prompt="Earthdata Login password", name="EARTHDATA_PASSWORD"
-)
+);
 ```