Include encrypted secrets from discover/prepare

Author: rakillen

core/src/main/python/wlsdeploy/tool/util/credential_injector.py

@@ -18,6 +18,9 @@
 from wlsdeploy.aliases.model_constants import JDBC_SYSTEM_RESOURCE
 from wlsdeploy.aliases.model_constants import MAIL_SESSION
 from wlsdeploy.aliases.model_constants import PROPERTIES
+from wlsdeploy.aliases.model_constants import REMOTE_RESOURCE
+from wlsdeploy.aliases.model_constants import USER
+from wlsdeploy.aliases.model_constants import WLS_USER_PASSWORD_CREDENTIAL_MAPPINGS
 from wlsdeploy.logging.platform_logger import PlatformLogger
 from wlsdeploy.tool.util.variable_injector import REGEXP
 from wlsdeploy.tool.util.variable_injector import REGEXP_PATTERN
@@ -45,6 +48,7 @@ class CredentialInjector(VariableInjector):
 
     # used for user token search
     JDBC_PROPERTIES_PATH = '%s.%s.%s.%s' % (JDBC_SYSTEM_RESOURCE, JDBC_RESOURCE, JDBC_DRIVER_PARAMS, PROPERTIES)
+    REMOTE_CREDENTIAL_MAPPING_PATH = '%s.%s' % (WLS_USER_PASSWORD_CREDENTIAL_MAPPINGS, REMOTE_RESOURCE)
 
     # regex for tokenizing MailSession.Properties passwords and retaining the value
     PASSWORD_COMMANDS = {
@@ -126,6 +130,15 @@ def check_and_tokenize(self, model_dict, attribute, location):
                 injector_commands.update({VARIABLE_VALUE: model_value})
                 self.custom_injection(model_dict, attribute, location, injector_commands)
 
+        elif folder_path.endswith(self.REMOTE_CREDENTIAL_MAPPING_PATH) and (attribute == USER):
+            # this attribute is a list type, it needs to be tokenized as a comma-separated string
+            value = model_dict[attribute]
+            if isinstance(value, list):
+                value = ','.join(value)
+            variable_name = self.get_variable_name(location, attribute)
+            model_dict[attribute] = self.get_variable_token(attribute, variable_name)
+            self.add_to_cache(dictionary={variable_name: value})
+
         elif folder_path.endswith(MAIL_SESSION) and (attribute == PROPERTIES):
             # users and passwords are property assignments
             value = model_dict[attribute]

core/src/main/python/wlsdeploy/util/default_credential_mapper_ldift_helper.py

@@ -348,6 +348,7 @@ def _get_remote_resource_model_entry(self, credential_map_ldift_entry, resource_
             location.add_name_token(name_token, entry_name)
             self._credential_injector.check_and_tokenize(result, REMOTE_USER, location)
             self._credential_injector.check_and_tokenize(result, REMOTE_PASSWORD, location)
+            self._credential_injector.check_and_tokenize(result, USER, location)
 
         _logger.exiting(class_name=self.__class_name, method_name=_method_name, result=result)
         return result

core/src/main/python/wlsdeploy/util/target_configuration_helper.py

@@ -153,7 +153,7 @@ def _prepare_k8s_secrets(model_context, token_dictionary, model_dictionary):
             if secret_name not in secret_map:
                 secret_map[secret_name] = {}
             secret_keys = secret_map[secret_name]
-            secret_keys[secret_key] = _get_output_value(secret_key, value, model_context)
+            secret_keys[secret_key] = _get_output_value(secret_key, value, model_context, False)
 
     # update the secrets hash
 
@@ -268,7 +268,7 @@ def _build_json_secrets_result(model_context, token_dictionary):
                 secrets_map[secret_name] = {'keys': {}}
 
             secret_keys = secrets_map[secret_name]['keys']
-            secret_keys[secret_key] = _get_output_value(secret_key, value, model_context)
+            secret_keys[secret_key] = _get_output_value(secret_key, value, model_context, True)
 
     # runtime encryption key is not included in token_dictionary
     target_config = model_context.get_target_configuration()
@@ -478,17 +478,20 @@ def _build_secret_hash(secret_name, secret_key_map):
     return {'secretName': secret_name, 'secretPairs': secret_pairs_text, 'comments': [{'comment': message}]}
 
 
-def _get_output_value(secret_key, value, model_context):
+def _get_output_value(secret_key, value, model_context, include_encrypted_passwords):
     """
     Determine the secret value to be provided to the secrets script or results output JSON.
     Exclude password values unless they are one-way hashed values, such as those in LDIF files.
     :param secret_key: the key into the credentials map
     :param value: the value to be examined
     :param model_context: used to decrypt value
+    :param include_encrypted_passwords: whether to return encrypted passwords
     :return: the value to be provided
     """
     if secret_key in PASSWORD_SECRET_KEY_NAMES and value:
         if EncryptionUtils.isEncryptedString(value):
+            if include_encrypted_passwords:
+                return value
             value = encryption_utils.decrypt_one_password(model_context.get_encryption_passphrase(), value)
 
         if value.startswith(PASSWORD_HASH_MARKER):

core/src/main/resources/oracle/weblogic/deploy/aliases/category_modules/WLSUserPasswordCredentialMappings.json

@@ -32,7 +32,7 @@
                 "RemotePassword": [ {"version": "[10,)", "wlst_mode": "both", "wlst_name": "RemotePassword", "wlst_path": "WP001", "default_value": null,   "wlst_type": "password" } ],
                 "RemotePort":     [ {"version": "[10,)", "wlst_mode": "both", "wlst_name": "RemotePort",     "wlst_path": "WP001", "default_value": null,   "wlst_type": "integer" } ],
                 "RemoteUser":     [ {"version": "[10,)", "wlst_mode": "both", "wlst_name": "RemoteUser",     "wlst_path": "WP001", "default_value": null,   "wlst_type": "credential" } ],
-                "User":           [ {"version": "[10,)", "wlst_mode": "both", "wlst_name": "User",           "wlst_path": "WP001", "default_value": null,   "wlst_type": "list" } ]
+                "User":           [ {"version": "[10,)", "wlst_mode": "both", "wlst_name": "User",           "wlst_path": "WP001", "default_value": null,   "wlst_type": "list",  "secret_key": "localuser" } ]
             },
             "wlst_attributes_path": "WP001",
             "wlst_paths": {