Merge branch 'jira-wdt-892-security-misc' into 'main'

robertpatrick · robertpatrick · commit d5583ae5fa3d · 2024-06-13T21:54:27.000Z
Argument check for discover security providers; ActiveContextHandlerEntry list alias fix

See merge request weblogic-cloud/weblogic-deploy-tooling!1707
diff --git a/core/src/main/python/discover.py b/core/src/main/python/discover.py
@@ -324,18 +324,26 @@ def __validate_discover_passwords_and_security_data_args(model_context, argument
         __logger.throwing(ex, class_name=_class_name, method_name=_method_name)
         raise ex
 
-    if model_context.is_discover_passwords() and model_context.is_encrypt_discovered_passwords():
-        # With -discover_passwords, we always need the WDT encryption passphrase and JDK8 or above.
+    # check if any argument requires password discovery
+    passwords_argument = None
+    if model_context.is_discover_passwords():
+        passwords_argument = CommandLineArgUtil.DISCOVER_PASSWORDS_SWITCH
+    elif model_context.is_discover_security_provider_passwords():
+        passwords_argument = CommandLineArgUtil.DISCOVER_SECURITY_PROVIDER_DATA_SWITCH + " " \
+                             + model_context.get_discover_security_provider_data_types_label()
+
+    if passwords_argument and model_context.is_encrypt_discovered_passwords():
+        # To discover encrypted passwords, we always need the WDT encryption passphrase and JDK8 or above.
         if not is_encryption_supported:
             ex = exception_helper.create_cla_exception(ExitCode.ARG_VALIDATION_ERROR, 'WLSDPLY-06057',
-                                                       _program_name, CommandLineArgUtil.DISCOVER_PASSWORDS_SWITCH,
+                                                       _program_name, passwords_argument,
                                                        System.getProperty('java.version'))
             __logger.throwing(ex, class_name=_class_name, method_name=_method_name)
             raise ex
 
         if model_context.get_encryption_passphrase() is None:
             ex = exception_helper.create_cla_exception(ExitCode.ARG_VALIDATION_ERROR, 'WLSDPLY-06051',
-                                                       _program_name, CommandLineArgUtil.DISCOVER_PASSWORDS_SWITCH,
+                                                       _program_name, passwords_argument,
                                                        CommandLineArgUtil.PASSPHRASE_ENV_SWITCH,
                                                        CommandLineArgUtil.PASSPHRASE_FILE_SWITCH,
                                                        CommandLineArgUtil.PASSPHRASE_PROMPT_SWITCH)
diff --git a/core/src/main/python/wlsdeploy/util/model_context.py b/core/src/main/python/wlsdeploy/util/model_context.py
@@ -1284,6 +1284,15 @@ def _is_discover_security_provider_data_type(self, scope):
                 result = True
         return result
 
+    def is_discover_security_provider_passwords(self):
+        # These security providers have model passwords
+        return self.is_discover_default_authenticator_data() or self.is_discover_default_credential_mapper_data()
+
+    def get_discover_security_provider_data_types_label(self):
+        # Result should only be used for display or logging
+        data_types = self._discover_security_provider_data or []
+        return ','.join(data_types)
+
     def is_discover_opss_wallet(self):
         return self._discover_opss_wallet
 
diff --git a/core/src/main/resources/oracle/weblogic/deploy/aliases/category_modules/SecurityConfiguration.json b/core/src/main/resources/oracle/weblogic/deploy/aliases/category_modules/SecurityConfiguration.json
@@ -117,7 +117,7 @@
                             "child_folders_type": "none",
                             "folders": {},
                             "attributes" : {
-                                "ActiveContextHandlerEntry":       [ {"version": "[10,)",       "wlst_mode": "both",    "wlst_name": "ActiveContextHandlerEntr${y:ies}", "wlst_path": "WP001", "default_value": null,                      "wlst_type": "string"  } ],
+                                "ActiveContextHandlerEntry":       [ {"version": "[10,)",       "wlst_mode": "both",    "wlst_name": "ActiveContextHandlerEntr${y:ies}", "wlst_path": "WP001", "default_value": null,                      "wlst_type": "${list:jarray}", "wlst_read_type": "delimited_string[semicolon]", "get_method": "${LSA:GET}", "preferred_model_type": "list" } ],
                                 "BeginMarker":                     [ {"version": "[10,)",       "wlst_mode": "both",    "wlst_name": "BeginMarker",                     "wlst_path": "WP001", "default_value": "#### Audit Record Begin",  "wlst_type": "string", "get_method": "${LSA:GET}"} ],
                                 "CompatibilityObjectName":         [ {"version": "[10,)",       "wlst_mode": "offline", "wlst_name": "CompatibilityObjectName",         "wlst_path": "WP001", "default_value": null,                       "wlst_type": "string"  } ],
                                 "Description":                     [ {"version": "[10,)",       "wlst_mode": "online",  "wlst_name": "Description",                     "wlst_path": "WP001", "default_value": null,                       "wlst_type": "string", "access": "IGNORED" } ],
diff --git a/core/src/test/python/wlsdeploy/util/model_context_test.py b/core/src/test/python/wlsdeploy/util/model_context_test.py
@@ -1,44 +1,47 @@
 """
-Copyright (c) 2020, 2023, Oracle and/or its affiliates.
+Copyright (c) 2020, 2024, Oracle and/or its affiliates.
 Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl.
 """
 import unittest
 
+from wlsdeploy.aliases.model_constants import ALL
+from wlsdeploy.aliases.model_constants import DEFAULT_AUTHENTICATOR
+from wlsdeploy.aliases.model_constants import DEFAULT_CREDENTIAL_MAPPER
+from wlsdeploy.aliases.model_constants import XACML_AUTHORIZER
+from wlsdeploy.aliases.model_constants import XACML_ROLE_MAPPER
 from wlsdeploy.util.cla_utils import CommandLineArgUtil
 from wlsdeploy.util.model_context import ModelContext
 
 
-class ClaHelperTest(unittest.TestCase):
+class ModelContextTest(unittest.TestCase):
+    __program_name = 'ModelContextTest'
 
     def test_copy_model_context(self):
-        __program_name = 'model_context_test'
         __oracle_home = '/my/oracle/home'
         __model_file = 'my_model_file.yaml'
 
         arg_map = dict()
         arg_map[CommandLineArgUtil.ORACLE_HOME_SWITCH] = __oracle_home
-        model_context = ModelContext(__program_name, arg_map)
-        self.assertEquals(model_context.get_program_name(), __program_name)
+        model_context = ModelContext(self.__program_name, arg_map)
+        self.assertEquals(model_context.get_program_name(), self.__program_name)
         self.assertEquals(model_context.get_oracle_home(), __oracle_home)
         self.assertEquals(model_context.get_model_file(), None)
 
         arg_map = dict()
         arg_map[CommandLineArgUtil.MODEL_FILE_SWITCH] = __model_file
         model_context_copy = model_context.copy(arg_map)
-        self.assertEquals(model_context_copy.get_program_name(), __program_name)
+        self.assertEquals(model_context_copy.get_program_name(), self.__program_name)
         self.assertEquals(model_context_copy.get_oracle_home(), __oracle_home)
         self.assertEquals(model_context_copy.get_model_file(), __model_file)
 
     def test_password_is_tokenized(self):
-        __program_name = 'model_context_test'
-
         __no_token_value = 'Welcome1'
         __complex_no_token_value = 'Abc@@def@@ghi'
         __secret_value = '@@SECRET:foo:username@@'
         __env_value = '@@ENV:FOO@@'
         __complex_token_value = '@@SECRET:foo:@@ENV:BAR@@@@'
 
-        model_context = ModelContext(__program_name)
+        model_context = ModelContext(self.__program_name)
         self.assertEquals(model_context.password_is_tokenized(None), False)
         self.assertEquals(model_context.password_is_tokenized(__no_token_value), False)
         self.assertEquals(model_context.password_is_tokenized(__complex_no_token_value), False)
@@ -47,3 +50,25 @@ def test_password_is_tokenized(self):
         self.assertEquals(model_context.password_is_tokenized(__env_value), True)
         self.assertEquals(model_context.password_is_tokenized(__secret_value), True)
         self.assertEquals(model_context.password_is_tokenized(__complex_token_value), True)
+
+    def test_discover_security_provider_data_scopes(self):
+        # Some security provider types contain passwords, requiring extra configuration for discover
+        self._try_security_provider_data_scope(True, DEFAULT_AUTHENTICATOR)
+        self._try_security_provider_data_scope(True, DEFAULT_CREDENTIAL_MAPPER)
+        self._try_security_provider_data_scope(True, ALL)
+        self._try_security_provider_data_scope(False, XACML_AUTHORIZER, XACML_ROLE_MAPPER)
+        self._try_security_provider_data_scope(True, XACML_AUTHORIZER, DEFAULT_CREDENTIAL_MAPPER)
+        self._try_security_provider_data_scope(True, XACML_ROLE_MAPPER, DEFAULT_CREDENTIAL_MAPPER)
+
+    def _try_security_provider_data_scope(self, expected_result, *args):
+        scopes_text = ','.join(list(args))
+        arg_map = {
+            CommandLineArgUtil.DISCOVER_SECURITY_PROVIDER_DATA_SWITCH: scopes_text
+        }
+        model_context = ModelContext(self.__program_name, arg_map)
+
+        test_text = "should not"
+        if expected_result:
+            test_text = "should"
+        self.assertEquals(model_context.is_discover_security_provider_passwords(), expected_result,
+                          "Security provider data scope " + scopes_text + " " + test_text + " discover passwords")
