Issue#96 - Use dual-password methods to resolve attribute name issues

rakillen · rakillen · commit 42a63c0123d1 · 2018-06-08T17:49:37.000-05:00
diff --git a/core/src/main/python/wlsdeploy/aliases/alias_constants.py b/core/src/main/python/wlsdeploy/aliases/alias_constants.py
@@ -40,6 +40,7 @@
 WLST_PATH = 'wlst_path'
 WLST_PATHS = 'wlst_paths'
 WLST_READ_TYPE = 'wlst_read_type'
+WLST_SKIP_NAMES = '__wlst_skip_names__'
 WLST_SUBFOLDERS_PATH = 'wlst_subfolders_path'
 WLST_TYPE = 'wlst_type'
 
@@ -106,6 +107,7 @@
 ALIAS_DATA_TYPES.extend(ALIAS_LIST_TYPES)
 ALIAS_DATA_TYPES.extend(ALIAS_MAP_TYPES)
 
+
 def __build_security_provider_data_structures(name_map, base_path):
     """
     Populate the security provider data structures for the given provider type.
@@ -119,6 +121,7 @@ def __build_security_provider_data_structures(name_map, base_path):
         SECURITY_PROVIDER_MBEAN_NAME_MAP[mbean_name] = key
     return
 
+
 ADJUDICATION_PROVIDER_NAME_MAP = {
     'DefaultAdjudicator': 'weblogic.security.providers.authorization.DefaultAdjudicator'
 }
diff --git a/core/src/main/python/wlsdeploy/aliases/alias_entries.py b/core/src/main/python/wlsdeploy/aliases/alias_entries.py
@@ -11,12 +11,14 @@
 from oracle.weblogic.deploy.util import FileUtils
 
 import wlsdeploy.aliases.alias_utils as alias_utils
+from wlsdeploy.aliases import password_utils
 from wlsdeploy.aliases.alias_constants import ChildFoldersTypes
 from wlsdeploy.aliases.location_context import LocationContext
 from wlsdeploy.aliases.validation_codes import ValidationCodes
 from wlsdeploy.aliases.wlst_modes import WlstModes
 from wlsdeploy.exception import exception_helper
 from wlsdeploy.logging.platform_logger import PlatformLogger
+from wlsdeploy.util import dictionary_utils
 from wlsdeploy.util.weblogic_helper import WebLogicHelper
 
 from wlsdeploy.aliases.alias_constants import ATTRIBUTES
@@ -46,6 +48,7 @@
 from wlsdeploy.aliases.alias_constants import WLST_NAMES_MAP
 from wlsdeploy.aliases.alias_constants import WLST_PATH
 from wlsdeploy.aliases.alias_constants import WLST_PATHS
+from wlsdeploy.aliases.alias_constants import WLST_SKIP_NAMES
 from wlsdeploy.aliases.alias_constants import WLST_SUBFOLDERS_PATH
 from wlsdeploy.aliases.alias_constants import WLST_TYPE
 
@@ -730,7 +733,9 @@ def get_alias_attribute_entry_by_wlst_name(self, location, wlst_attribute_name):
 
         _logger.entering(str(location), class_name=_class_name, method_name=_method_name)
         folder_dict = self.__get_dictionary_for_location(location, False)
-        if folder_dict is not None and WLST_NAMES_MAP in folder_dict:
+        if self._is_wlst_attribute_skipped(folder_dict, wlst_attribute_name):
+            result = None
+        elif folder_dict is not None and WLST_NAMES_MAP in folder_dict:
             if wlst_attribute_name in folder_dict[WLST_NAMES_MAP]:
                 result = copy.deepcopy(folder_dict[WLST_NAMES_MAP][wlst_attribute_name])
                 if WLST_PATH in result:
@@ -1149,6 +1154,7 @@ def __apply_wlst_context_changes(self, path_name, alias_dict, parent_dict):
             result_model_attrs = dict()
             result_wlst_attrs = dict()
             unresolved_attrs = dict()
+            wlst_skip_attrs = list()
 
             model_attrs = alias_dict[ATTRIBUTES]
             for model_attr in model_attrs:
@@ -1184,9 +1190,15 @@ def __apply_wlst_context_changes(self, path_name, alias_dict, parent_dict):
                 result_model_attrs[model_attr] = model_attr_dict
                 result_wlst_attrs[wlst_name] = model_attr_dict
 
+                # if attribute is dual-password, add its WLST skip name to the skip list
+                skip_name = password_utils.get_wlst_skip_name(model_attr_dict, self._wlst_mode)
+                if skip_name is not None:
+                    wlst_skip_attrs.append(skip_name)
+
             result[ATTRIBUTES] = result_model_attrs
             result[WLST_NAMES_MAP] = result_wlst_attrs
             result[UNRESOLVED_ATTRIBUTES_MAP] = unresolved_attrs
+            result[WLST_SKIP_NAMES] = wlst_skip_attrs
 
         return result
 
@@ -1364,6 +1376,12 @@ def __get_valid_version_range_for_folder(self, location):
         _logger.exiting(class_name=_class_name, method_name=_method_name, result=version_range)
         return version_range
 
+    def _is_wlst_attribute_skipped(self, folder_dict, wlst_attribute_name):
+        skip_names = dictionary_utils.get_element(folder_dict, WLST_SKIP_NAMES)  # type: list
+        if skip_names is not None:
+            return wlst_attribute_name in skip_names
+        return False
+
     def __get_path_for_location(self, location, path_type=WLST_ATTRIBUTES_PATH):
         """
         Get the tokenized path of the specified type for the location.  This method is used by all path-related methods.
diff --git a/core/src/main/python/wlsdeploy/aliases/aliases.py b/core/src/main/python/wlsdeploy/aliases/aliases.py
@@ -16,6 +16,7 @@
 from wlsdeploy.exception import exception_helper
 from wlsdeploy.logging.platform_logger import PlatformLogger
 from wlsdeploy.aliases import alias_utils
+from wlsdeploy.aliases import password_utils
 from wlsdeploy.util import string_utils
 from wlsdeploy.util.weblogic_helper import WebLogicHelper
 
@@ -340,7 +341,14 @@ def get_wlst_attribute_name_and_value(self, location, model_attribute_name, mode
         attribute_info = module_folder[ATTRIBUTES][model_attribute_name]
 
         if attribute_info and not self.__is_model_attribute_read_only(location, attribute_info):
-            wlst_attribute_name = attribute_info[WLST_NAME]
+            password_attribute_name = \
+                password_utils.get_wlst_attribute_name(attribute_info, model_attribute_value, self._wlst_mode)
+
+            if password_attribute_name is not None:
+                wlst_attribute_name = password_attribute_name
+            else:
+                wlst_attribute_name = attribute_info[WLST_NAME]
+
             if USES_PATH_TOKENS in attribute_info and string_utils.to_boolean(attribute_info[USES_PATH_TOKENS]):
                 model_attribute_value = self._model_context.replace_token_string(model_attribute_value)
 
diff --git a/core/src/main/python/wlsdeploy/aliases/password_utils.py b/core/src/main/python/wlsdeploy/aliases/password_utils.py
@@ -0,0 +1,90 @@
+"""
+Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+The Universal Permissive License (UPL), Version 1.0
+
+Contains methods for special processing of dual-password attributes.
+Dual-password attributes follow a common pattern in WLST, with the following rules.
+These examples will use a prefix of Password*, but there are others throughout WLST.
+
+Offline:
+1. There is a single attribute name that includes the suffix, such as "PasswordEncrypted".
+2. The attribute can be set to an encrypted ("{AES}...") or unencrypted value.
+3. When the value is read, it is always encrypted.
+
+Online:
+1. There are two attributes, with and without the prefix, such as "Password" and "PasswordEncrypted". Both
+   represent the same underlying value.
+2. The encrypted attribute can only be set to an encrypted value.
+3. The unencrypted attribute can only be set to an unencrypted value.
+4. Only the unencrypted value can be read, and that value is encrypted.
+
+In the alias file, these fields are flagged with the "password" WLST type, and the WLST name ends with "Encrypted".
+
+The discovery code makes special provisions to skip the unencrypted online attribute.
+
+The create and deploy code makes special provisions to set either the encrypted unencrypted online attribute,
+depending on whether the model value is encrypted.
+"""
+
+from oracle.weblogic.deploy.encrypt import EncryptionUtils
+
+from wlsdeploy.aliases.alias_constants import WLST_NAME
+from wlsdeploy.aliases.alias_constants import WLST_TYPE
+from wlsdeploy.aliases.wlst_modes import WlstModes
+from wlsdeploy.logging.platform_logger import PlatformLogger
+from wlsdeploy.util import dictionary_utils
+
+_class_name = 'password_utils'
+_logger = PlatformLogger('wlsdeploy.aliases')
+_dual_password_suffix = 'Encrypted'
+
+
+def get_wlst_skip_name(attribute_info, wlst_mode):
+    """
+    Returns a WLST attribute name, derived from the the specified attribute information, that should be ignored.
+    For example, the model attribute PasswordEncrypted may indicate that the WLST attribute Password should be ignored.
+    :param attribute_info: the attribute information to be checked
+    :param wlst_mode: the offline or online type to be checked
+    :return: a single name to be skipped, or None
+    """
+    if _is_dual_password(attribute_info) and (wlst_mode == WlstModes.ONLINE):
+        return _get_non_encrypted_wlst_name(attribute_info)
+    return None
+
+
+def get_wlst_attribute_name(attribute_info, attribute_value, wlst_mode):
+    """
+    Returns the corrected WLST attribute name for the specified parameters.
+    The "Encrypted" suffix is removed from online dual-password attributes for use with unencrypted values.
+    :param attribute_info: the attribute information to be checked
+    :param attribute_value: the vaue to be checked for encryption
+    :param wlst_mode: the offline or online type to be checked
+    :return: the corrected value, or None if no correction was required
+    """
+    if _is_dual_password(attribute_info) and (wlst_mode == WlstModes.ONLINE) \
+            and not EncryptionUtils.isEncryptedString(attribute_value):
+        return _get_non_encrypted_wlst_name(attribute_info)
+    return None
+
+
+def _is_dual_password(attribute_info):
+    """
+    Returns true if the specified attribute information indicates a dual-password field.
+    This means the WLST type is password, and the WLST name ends with "Encrypted".
+    :param attribute_info: the attribute information to be checked
+    :return: True if this is a dual-password field, False otherwise
+    """
+    wlst_name = dictionary_utils.get_element(attribute_info, WLST_NAME)  # type: str
+    wlst_type = dictionary_utils.get_element(attribute_info, WLST_TYPE)
+    return (wlst_type == 'password') and wlst_name.endswith(_dual_password_suffix)
+
+
+def _get_non_encrypted_wlst_name(attribute_info):
+    """
+    Returns the prefix portion of the WLST name from the specified attribute information.
+    It is assumed that the attribute information is confirmed to be dual-password.
+    :param attribute_info: the attribute information to be checked
+    :return: the prefix portion of the WLST name
+    """
+    wlst_name = dictionary_utils.get_element(attribute_info, WLST_NAME)  # type: str
+    return wlst_name[0:-len(_dual_password_suffix)]
diff --git a/core/src/main/resources/oracle/weblogic/deploy/aliases/category_modules/JDBCSystemResource.json b/core/src/main/resources/oracle/weblogic/deploy/aliases/category_modules/JDBCSystemResource.json
@@ -103,8 +103,7 @@
                     "attributes": {
                         "DriverName":                 [ {"version": "[10,)",     "wlst_mode": "both",    "wlst_name": "DriverName",                 "wlst_path": "WP001", "value": {"default": "None" },  "wlst_type": "string"    } ],
                         "URL":                        [ {"version": "[10,)",     "wlst_mode": "both",    "wlst_name": "${URL:Url}",                 "wlst_path": "WP001", "value": {"default": "None" },  "wlst_type": "string"    } ],
-                        "Password":                   [ {"version": "[10,)",     "wlst_mode": "online",  "wlst_name": "Password",                   "wlst_path": "WP001", "value": {"default": "None" },  "wlst_type": "password", "access": "RO"} ],
-                        "PasswordEncrypted":          [ {"version": "[10,)",     "wlst_mode": "both",    "wlst_name": "Password${Encrypted:}",      "wlst_path": "WP001", "value": {"default": "None" },  "wlst_type": "password", "get_method": "GET"} ],
+                        "PasswordEncrypted":          [ {"version": "[10,)",     "wlst_mode": "both",    "wlst_name": "PasswordEncrypted",          "wlst_path": "WP001", "value": {"default": "None" },  "wlst_type": "password", "get_method": "GET"} ],
                         "UsePasswordIndirection":     [ {"version": "[10,)",     "wlst_mode": "both",    "wlst_name": "UsePasswordIndirection",     "wlst_path": "WP001", "value": {"default": "false"},  "wlst_type": "boolean",  "get_method": "LSA"} ],
                         "UseXaDataSourceInterface":   [ {"version": "[10,)",     "wlst_mode": "both",    "wlst_name": "UseXaDataSourceInterface",   "wlst_path": "WP001", "value": {"default": "false"},  "wlst_type": "boolean",  "get_method": "LSA"} ]
                     },
diff --git a/core/src/test/python/alias_password_test.py b/core/src/test/python/alias_password_test.py
@@ -0,0 +1,92 @@
+"""
+Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+The Universal Permissive License (UPL), Version 1.0
+"""
+import jarray
+import unittest
+
+from wlsdeploy.aliases.aliases import Aliases
+from wlsdeploy.aliases.location_context import LocationContext
+from wlsdeploy.aliases.model_constants import JDBC_DRIVER_PARAMS
+from wlsdeploy.aliases.model_constants import JDBC_RESOURCE
+from wlsdeploy.aliases.model_constants import JDBC_SYSTEM_RESOURCE
+from wlsdeploy.aliases.model_constants import PASSWORD_ENCRYPTED
+from wlsdeploy.aliases.wlst_modes import WlstModes
+from wlsdeploy.logging.platform_logger import PlatformLogger
+from wlsdeploy.util.model_context import ModelContext
+
+
+class AliasPasswordTestCase(unittest.TestCase):
+
+    _logger = PlatformLogger('wlsdeploy.aliases')
+    _wls_version = '12.2.1.3'
+    _wlst_password_name = "Password"
+    _wlst_password_encrypted_name = "PasswordEncrypted"
+
+    _password = 'welcome1'
+    _encrypted_password = '{AES}BR5Lw+UuwM4ZmFcTu2GX5C2w0Jcr6E30uhZvhoyXjYU='
+    _encrypted_password_bytes = jarray.array(_encrypted_password, 'b')
+
+    def setUp(self):
+        model_context = ModelContext("test", {})
+        self.aliases = Aliases(model_context, wlst_mode=WlstModes.OFFLINE, wls_version=self._wls_version)
+        self.online_aliases = Aliases(model_context, wlst_mode=WlstModes.ONLINE, wls_version=self._wls_version)
+
+        self.location = LocationContext()
+        self.location.append_location(JDBC_SYSTEM_RESOURCE)
+        self.location.add_name_token(self.aliases.get_name_token(self.location), "Mine")
+        self.location.append_location(JDBC_RESOURCE)
+        self.location.append_location(JDBC_DRIVER_PARAMS)
+
+    def testOfflineModelNames(self):
+        # Using offline WLST, only PasswordEncrypted is an attribute, and its value is encrypted.
+        # The model name should be PasswordEncrypted.
+        model_name, model_value = \
+            self.aliases.get_model_attribute_name_and_value(self.location, self._wlst_password_encrypted_name,
+                                                            self._encrypted_password)
+        self.assertEquals(model_name, PASSWORD_ENCRYPTED)
+
+    def testOnlineModelNames(self):
+        # Using online WLST, both Password and PasswordEncrypted are WLST attributes.
+
+        # The PasswordEncrypted WLST attribute should translate to the PasswordEncrypted model attribute.
+        model_name, model_value = \
+            self.online_aliases.get_model_attribute_name_and_value(self.location, self._wlst_password_encrypted_name,
+                                                                   self._encrypted_password)
+        self.assertEqual(model_name, PASSWORD_ENCRYPTED)
+
+        # The Password WLST attribute should be skipped, since its value cannot be retrieved.
+        # This is accomplished by returning a model name of None.
+        model_name, model_value = \
+            self.online_aliases.get_model_attribute_name_and_value(self.location, self._wlst_password_name,
+                                                                   self._encrypted_password)
+        self.assertEquals(model_name, None)
+
+    def testOfflineWlstNames(self):
+        # Using offline WLST, the PasswordEncrypted model attribute should translate to the PasswordEncrypted WLST
+        # attribute, regardless of whether the password is encrypted.
+
+        # using encrypted password
+        wlst_name, wlst_value = \
+            self.aliases.get_wlst_attribute_name_and_value(self.location, PASSWORD_ENCRYPTED, self._encrypted_password)
+        self.assertEqual(wlst_name, self._wlst_password_encrypted_name)
+
+        # using unencrypted password
+        wlst_name, wlst_value = \
+            self.aliases.get_wlst_attribute_name_and_value(self.location, PASSWORD_ENCRYPTED, self._password)
+        self.assertEquals(wlst_name, self._wlst_password_encrypted_name)
+
+    def testOnlineWlstNames(self):
+        # Using online WLST, the PasswordEncrypted model attribute should translate to the PasswordEncrypted WLST
+        # attribute if the password is encrypted, otherwise to Password.
+
+        # using encrypted password
+        wlst_name, wlst_value = \
+            self.online_aliases.get_wlst_attribute_name_and_value(self.location, PASSWORD_ENCRYPTED,
+                                                                  self._encrypted_password)
+        self.assertEqual(wlst_name, self._wlst_password_encrypted_name)
+
+        # using unencrypted password
+        wlst_name, wlst_value = \
+            self.online_aliases.get_wlst_attribute_name_and_value(self.location, PASSWORD_ENCRYPTED, self._password)
+        self.assertEquals(wlst_name, self._wlst_password_name)
