Disallow decrypt_kv jinja filter for fields marked as secret

This commit addresses the issue where in pack config if fields are marked as
secret: true and if user specifies jinja expression with filter decrypt_kv,
the values are not decrypted twice. This is due to the fact that for all fields
marked as secret, the values are auto decrypted. Specifying an additional
decrypt_kv filter causes issue.

The commit raises exceptions if decrypt_kv is specified for any fields marked secret.

Author: VineeshJain

st2api/st2api/controllers/v1/pack_configs.py

@@ -107,6 +107,8 @@ def put(self, pack_config_content, pack_ref, requester_user, show_secrets=False)
             config_api.validate(validate_against_schema=True)
         except jsonschema.ValidationError as e:
             raise ValueValidationException(six.text_type(e))
+        except ValueValidationException as e:
+            raise ValueValidationException(six.text_type(e))
 
         self._dump_config_to_disk(config_api)
 

st2common/st2common/util/pack.py

@@ -25,6 +25,8 @@
 from st2common.constants.pack import PACK_REF_WHITELIST_REGEX
 from st2common.content.loader import MetaLoader
 from st2common.persistence.pack import Pack
+from st2common.exceptions.apivalidation import ValueValidationException
+from st2common.util import jinja as jinja_utils
 
 __all__ = [
     'get_pack_ref_from_metadata',
@@ -102,6 +104,10 @@ def validate_config_against_schema(config_schema, config_object, config_path,
 
     pack_name = pack_name or 'unknown'
 
+    for key in config_object:
+        if jinja_utils.is_jinja_expression(value=config_object.get(key)) and "decrypt_kv" in config_object.get(key) and config_schema.get(key).get('secret'):
+            raise ValueValidationException("Validation Error: decrypt_kv jinja filter specified for auto decrypted fields marked with `secret: True`")
+
     schema = util_schema.get_schema_for_resource_parameters(parameters_schema=config_schema,
                                                             allow_additional_properties=True)
     instance = config_object