|
7 | 7 | import re
|
8 | 8 |
|
9 | 9 | from java.io import File
|
| 10 | +from oracle.weblogic.deploy.encrypt import EncryptionUtils |
10 | 11 | from oracle.weblogic.deploy.json import JsonException
|
11 | 12 | from oracle.weblogic.deploy.util import FileUtils
|
12 | 13 | from oracle.weblogic.deploy.util import PyOrderedDict
|
|
23 | 24 | from wlsdeploy.exception import exception_helper
|
24 | 25 | from wlsdeploy.json.json_translator import PythonToJson
|
25 | 26 | from wlsdeploy.logging.platform_logger import PlatformLogger
|
| 27 | +from wlsdeploy.tool.encrypt import encryption_utils |
26 | 28 | from wlsdeploy.tool.util import k8s_helper
|
27 | 29 | from wlsdeploy.tool.util import variable_injector_functions
|
28 | 30 | from wlsdeploy.tool.util.targets import additional_output_helper
|
|
78 | 80 | K8S_SCRIPT_RESOURCE_PATH = 'oracle/weblogic/deploy/k8s/' + K8S_SCRIPT_NAME + file_template_helper.MUSTACHE_SUFFIX
|
79 | 81 | RESULTS_FILE_NAME = 'results.json'
|
80 | 82 |
|
| 83 | +PASSWORD_HASH_MARKER = "{ssha256}" |
| 84 | + |
81 | 85 |
|
82 | 86 | def process_target_arguments(argument_map):
|
83 | 87 | """
|
@@ -149,10 +153,7 @@ def _prepare_k8s_secrets(model_context, token_dictionary, model_dictionary):
|
149 | 153 | if secret_name not in secret_map:
|
150 | 154 | secret_map[secret_name] = {}
|
151 | 155 | secret_keys = secret_map[secret_name]
|
152 |
| - if secret_key in PASSWORD_SECRET_KEY_NAMES: |
153 |
| - secret_keys[secret_key] = None |
154 |
| - else: |
155 |
| - secret_keys[secret_key] = value |
| 156 | + secret_keys[secret_key] = _get_output_value(secret_key, value, model_context) |
156 | 157 |
|
157 | 158 | # update the secrets hash
|
158 | 159 |
|
@@ -267,10 +268,7 @@ def _build_json_secrets_result(model_context, token_dictionary):
|
267 | 268 | secrets_map[secret_name] = {'keys': {}}
|
268 | 269 |
|
269 | 270 | secret_keys = secrets_map[secret_name]['keys']
|
270 |
| - if secret_key in PASSWORD_SECRET_KEY_NAMES: |
271 |
| - secret_keys[secret_key] = '' |
272 |
| - else: |
273 |
| - secret_keys[secret_key] = value |
| 271 | + secret_keys[secret_key] = _get_output_value(secret_key, value, model_context) |
274 | 272 |
|
275 | 273 | # runtime encryption key is not included in token_dictionary
|
276 | 274 | target_config = model_context.get_target_configuration()
|
@@ -478,3 +476,24 @@ def _build_secret_hash(secret_name, secret_key_map):
|
478 | 476 | message = exception_helper.get_message("WLSDPLY-01683", secret_name, ', '.join(update_keys))
|
479 | 477 |
|
480 | 478 | return {'secretName': secret_name, 'secretPairs': secret_pairs_text, 'comments': [{'comment': message}]}
|
| 479 | + |
| 480 | + |
| 481 | +def _get_output_value(secret_key, value, model_context): |
| 482 | + """ |
| 483 | + Determine the secret value to be provided to the secrets script or results output JSON. |
| 484 | + Exclude password values unless they are one-way hashed values, such as those in LDIF files. |
| 485 | + :param secret_key: the key into the credentials map |
| 486 | + :param value: the value to be examined |
| 487 | + :param model_context: used to decrypt value |
| 488 | + :return: the value to be provided |
| 489 | + """ |
| 490 | + if secret_key in PASSWORD_SECRET_KEY_NAMES and value: |
| 491 | + if EncryptionUtils.isEncryptedString(value): |
| 492 | + value = encryption_utils.decrypt_one_password(model_context.get_encryption_passphrase(), value) |
| 493 | + |
| 494 | + if value.startswith(PASSWORD_HASH_MARKER): |
| 495 | + return value |
| 496 | + else: |
| 497 | + return None |
| 498 | + else: |
| 499 | + return value |
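Review bot: The `return None` branch of `_get_output_value` silently changes what `_build_json_secrets_result` emits for non-hashed password keys: that caller previously stored `''` (the removed `secret_keys[secret_key] = ''` line in the second hunk) while `_prepare_k8s_secrets` stored `None`, and both call sites now receive `None`, so the results JSON presumably switches from an empty string to a null for those keys. If that is not intended, keep the placeholder per caller, e.g. `def _get_output_value(secret_key, value, model_context, excluded_value=None):` with `return excluded_value` in place of `return None`, and pass `excluded_value=''` from `_build_json_secrets_result`. The `value.startswith(PASSWORD_HASH_MARKER)` test also assumes that `value` is a string on both paths and that `model_context.get_encryption_passphrase()` is set whenever `EncryptionUtils.isEncryptedString(value)` is true; if a model carries encrypted values but no passphrase was supplied, the decrypt call will presumably fail with a low-level error rather than a clear message, so a guard (or reuse of whatever check the other decrypt paths in this module apply) is worth adding before it. The docstring could also state the security property the helper relies on: `Encrypted password values are decrypted only to test for the one-way hash marker; a decrypted plaintext password is never returned.`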