Merge branch 'model-encryption-secret' into 'main'

Add support for model encryption passphrase in an environment variable secret

See merge request weblogic-cloud/weblogic-deploy-tooling!1708

Author: robertpatrick

core/src/main/python/wlsdeploy/util/cla_helper.py

@@ -10,6 +10,7 @@
 from java.io import IOException
 from java.lang import IllegalArgumentException
 from java.lang import String
+from java.lang import System
 
 from oracle.weblogic.deploy.util import FileUtils
 from oracle.weblogic.deploy.util import TranslateException
@@ -25,17 +26,20 @@
 from wlsdeploy.util import cla_utils
 from wlsdeploy.util import env_helper
 from wlsdeploy.util import getcreds
+from wlsdeploy.util import model_config
 from wlsdeploy.util import model_helper
 from wlsdeploy.util import model_translator
 from wlsdeploy.util import path_helper
 from wlsdeploy.util import string_utils
+from wlsdeploy.util import unicode_helper as str_helper
 
 from wlsdeploy.util import variables
 from wlsdeploy.util.cla_utils import CommandLineArgUtil
 from wlsdeploy.util.exit_code import ExitCode
 from wlsdeploy.util.model_translator import FileToPython
 from wlsdeploy.exception.exception_helper import create_cla_exception
 
+MODEL_ENCRYPTION_SECRET_KEY = 'passphrase'
 
 __logger = PlatformLogger('wlsdeploy.util')
 _class_name = 'cla_helper'
@@ -149,18 +153,42 @@ def process_encryption_args(optional_arg_map, is_encryption_supported):
     """
     _method_name = '__process_encryption_args'
 
+    if is_encryption_supported and CommandLineArgUtil.PASSPHRASE_SWITCH not in optional_arg_map:
+        if CommandLineArgUtil.PASSPHRASE_PROMPT_SWITCH in optional_arg_map:
+            try:
+                passphrase = getcreds.getpass('WLSDPLY-20002')
+            except IOException, ioe:
+                ex = exception_helper.create_cla_exception(ExitCode.ARG_VALIDATION_ERROR,
+                                                           'WLSDPLY-20003', ioe.getLocalizedMessage(), error=ioe)
+                __logger.throwing(ex, class_name=_class_name, method_name=_method_name)
+                raise ex
 
-    if is_encryption_supported and \
-            CommandLineArgUtil.PASSPHRASE_PROMPT_SWITCH in optional_arg_map and \
-            CommandLineArgUtil.PASSPHRASE_SWITCH not in optional_arg_map:
-        try:
-            passphrase = getcreds.getpass('WLSDPLY-20002')
-        except IOException, ioe:
-            ex = exception_helper.create_cla_exception(ExitCode.ARG_VALIDATION_ERROR,
-                                                       'WLSDPLY-20003', ioe.getLocalizedMessage(), error=ioe)
-            __logger.throwing(ex, class_name=_class_name, method_name=_method_name)
-            raise ex
-        optional_arg_map[CommandLineArgUtil.PASSPHRASE_SWITCH] = String(passphrase)
+            optional_arg_map[CommandLineArgUtil.PASSPHRASE_SWITCH] = String(passphrase)
+            return
+
+        # the encryption passphrase may be in a secret specified by an environment variable.
+        # the variable uses the same naming prefix as tool.properties
+        env_variable_name = model_config.SYS_PROP_PREFIX + "model.encryption.secret"
+        secret_name = System.getProperty(env_variable_name, None)
+        if secret_name:
+            # we can't use similar methods in variable module, model context is not established,
+            # and we don't want to depend on strict/lax mode.
+            passphrase = None
+            locations = env_helper.getenv(str_helper.to_string(variables.SECRET_DIRS_VARIABLE))
+            if locations is not None:
+                for secret_dir in locations.split(","):
+                    secret_path = os.path.join(secret_dir, secret_name, MODEL_ENCRYPTION_SECRET_KEY)
+                    if os.path.isfile(secret_path):
+                        __logger.info('WLSDPLY-02300', secret_path)
+                        passphrase = cla_utils.get_from_file_value(secret_path)
+                        optional_arg_map[CommandLineArgUtil.PASSPHRASE_SWITCH] = passphrase
+                        break
+
+            if not passphrase:
+                ex = exception_helper.create_cla_exception(
+                    ExitCode.ARG_VALIDATION_ERROR, 'WLSDPLY-02301', secret_name, locations)
+                __logger.throwing(ex, class_name=_class_name, method_name=_method_name)
+                raise ex
 
 
 def validate_model(program_name, model_dictionary, model_context, aliases, wlst_mode,

core/src/main/python/wlsdeploy/util/cla_utils.py

@@ -264,7 +264,7 @@ def process_args(self, args, tool_type=TOOL_TYPE_DEFAULT, trailing_arg_count=0):
                 self._add_arg(self.get_admin_pass_key(), value)
             elif self.is_admin_pass_file_key(key):
                 file_var, idx = self._get_arg_value(args, idx)
-                value = self._get_from_file_value(file_var)
+                value = get_from_file_value(file_var)
                 self._add_arg(self.get_admin_pass_key(), value)
             elif self.is_archive_file_key(key):
                 value, idx = self._get_arg_value(args, idx)
@@ -276,7 +276,7 @@ def process_args(self, args, tool_type=TOOL_TYPE_DEFAULT, trailing_arg_count=0):
                 self._add_arg(self.get_opss_passphrase_key(), value)
             elif self.is_opss_passphrase_file(key):
                 file_var, idx = self._get_arg_value(args, idx)
-                value = self._get_from_file_value(file_var)
+                value = get_from_file_value(file_var)
                 self._add_arg(self.get_opss_passphrase_key(), value)
             elif self.is_opss_passphrase_key(key):
                 value, idx = self._get_arg_value(args, idx)
@@ -307,7 +307,7 @@ def process_args(self, args, tool_type=TOOL_TYPE_DEFAULT, trailing_arg_count=0):
                 self._add_arg(self.get_passphrase_switch(), value)
             elif self.is_passphrase_file_switch(key):
                 file_var, idx = self._get_arg_value(args, idx)
-                value = self._get_from_file_value(file_var)
+                value = get_from_file_value(file_var)
                 self._add_arg(self.get_passphrase_switch(), value)
             elif self.is_one_pass_switch(key):
                 value, idx = self._get_arg_value(args, idx)
@@ -874,24 +874,6 @@ def _get_env_var_value(self, env_var):
             raise ex
         return value
 
-    # TODO - Improve the error handling to give the user better error messages.
-    def _get_from_file_value(self, file_var):
-        _method_name = '_get_from_file_value'
-        ifile = None
-        try:
-            stream = JFileUtils.getFileAsStream(file_var)
-            ifile = BufferedReader(InputStreamReader(stream))
-            value = ifile.readLine()
-            ifile.close()
-            return value
-        except IOException,ioe:
-            if ifile:
-                ifile.close()
-            ex = create_cla_exception(ExitCode.ARG_VALIDATION_ERROR, 'WLSDPLY-01651', file_var,
-                                      ioe.getLocalizedMessage(), error=ioe)
-            _logger.throwing(ex, class_name=self._class_name, method_name=_method_name)
-            raise ex
-
     def get_passphrase_switch(self):
         return self.PASSPHRASE_SWITCH
 
@@ -1378,3 +1360,21 @@ def validate_domain_home_arg(value):
 
     home_dir = JFile(value)
     return home_dir.getAbsolutePath()
+
+# TODO - Improve the error handling to give the user better error messages.
+def get_from_file_value(file_var):
+    _method_name = 'get_from_file_value'
+    ifile = None
+    try:
+        stream = JFileUtils.getFileAsStream(file_var)
+        ifile = BufferedReader(InputStreamReader(stream))
+        value = ifile.readLine()
+        ifile.close()
+        return value
+    except IOException,ioe:
+        if ifile:
+            ifile.close()
+        ex = create_cla_exception(ExitCode.ARG_VALIDATION_ERROR, 'WLSDPLY-01651', file_var,
+                                  ioe.getLocalizedMessage(), error=ioe)
+        _logger.throwing(ex, class_name=self._class_name, method_name=_method_name)
+        raise ex

core/src/main/python/wlsdeploy/util/variables.py

@@ -40,7 +40,7 @@
 # if this pattern is found, token substitution was incomplete
 _unresolved_token_pattern = re.compile("(@@(PROP|FILE|ENV|SECRET):)")
 
-_secret_dirs_variable = "WDT_MODEL_SECRETS_DIRS"
+SECRET_DIRS_VARIABLE = "WDT_MODEL_SECRETS_DIRS"
 _secret_dir_pairs_variable = "WDT_MODEL_SECRETS_NAME_DIR_PAIRS"
 
 _secret_token_map = None
@@ -444,12 +444,12 @@ def _init_secret_token_map(model_context):
 
     # add name/key pairs for files in sub-directories of directories in WDT_MODEL_SECRETS_DIRS.
 
-    locations = env_helper.getenv(str_helper.to_string(_secret_dirs_variable))
+    locations = env_helper.getenv(str_helper.to_string(SECRET_DIRS_VARIABLE))
     if locations is not None:
         for secret_dir in locations.split(","):
             if not os.path.isdir(secret_dir):
                 # log at WARN or INFO, but no exception is thrown
-                log_method('WLSDPLY-01738', _secret_dirs_variable, secret_dir, class_name=_class_name,
+                log_method('WLSDPLY-01738', SECRET_DIRS_VARIABLE, secret_dir, class_name=_class_name,
                            method_name=method_name)
                 continue
 

core/src/main/resources/oracle/weblogic/deploy/messages/wlsdeploy_rb.properties

@@ -398,8 +398,6 @@ WLSDPLY-00915=Specified discover security provider data scope was empty or null
 WLSDPLY-00916=Unrecognized scopes specified in discover security provider data scope ({0}): {1}
 WLSDPLY-00917=Using default configuration {0} for target {1}
 
-# wlsdeploy/util/cla_helper.py
-
 # wlsdeploy/util/target_configuration_helper.py
 # wlsdeploy/util/targets/*.py
 WLSDPLY-01660=Unknown additional output type "{0}" specified for target environment {1}, skipping
@@ -551,6 +549,9 @@ WLSDPLY-02107=Unable to get remote parent directory for relative path {0} since
 # wlsdeploy/util/structured_apps_helper.py
 WLSDPLY-02200=Application {0} with SourcePath {1} and combined PlanPath {2} appears to be a structured application but number of common path elements {3} is too small.
 
+# wlsdeploy/util/cla_helper.py
+WLSDPLY-02300=Using model encryption passphrase from secret file {0}
+WLSDPLY-02301=Model encryption passphrase secret {0} not found in any of these locations: {1}
 
 ###############################################################################
 #                    Encrypt Messages (04000 - 04999)                         #